The Health of Hospital IT
Imagine that you’re sitting in a row of somewhat uncomfortable beige plastic chairs in the emergency room of your local hospital. Somewhere you didn’t expect to be today when you woke up. As you wait, you notice a nurse rush out to the nurse’s station and have a hasty conversation with one of her colleagues. soon after you hear an unexpected announcement over the intercom. “If you have an injury that requires an x-ray, our machines are down. We have to transfer you to a nearby hospital. Our systems are infected with ransomware”. As crazy as that sounds, it comes very close to reality
In January of 2018, things came to a screeching halt at an Indiana hospital when ransomware infected the hospital’s IT infrastructure. The night before the hospital reported the infection, the ransomware quickly spread through the email, health records and internal operating systems.
The infection was so rapid they could do nothing to stop it, and reportedly the malware renamed the 1400 files it infected to “I’m Sorry”. The hacker gained access to the hospital’s IT by logging into the network with a third party vendor credentials. The next day, the hospital was forced to pay $55,000 to retrieve the files. The hospital was lucky because the hackers did hand over the decryption keys after the ransom was paid. In some cases, this doesn't happen.
Two years earlier in February 2016, the Hollywood Presbyterian Medical Center was hacked with the “Locky” ransomware. Similar to WannaCry and Petya, Locky seems to be targeted toward US hospitals. In this case 17,000 dollars was paid for a decryption key. Before 2016 was over, three more US hospitals had been hit with ransomware and since then many others have been breached as well. Which led to this year, when things took an even more sinister turn.
This April, researchers at Ben-Gurion University's Cyber Security Labs in Israel found vulnerabilities in computerized tomography (CAT) scanners as well as in magnetic resonance imaging (MRI) scanners. These vulnerabilities could give hackers the ability to add or remove cancer from scans, thereby misdiagnosing a patient. Even experienced radiologists believed the manipulated photographs were genuine.
However, this goes even beyond changing MRI or CAT scanner images: with a simple computer network bridge and a fake WiFi access point, hackers can manipulate 3D body scans in real time to change diagnoses in patients. But hospital medical equipment isn’t the only type of medical devices that are at risk.
White hat hackers, people who research vulnerabilities in systems for the purpose of getting them fixed, have been ringing the alarm bell for a full decade on pacemakers and insulin pumps. If malicious hackers are able to change the dosage and voltage of these devices, they can put patient’s lives in danger. The programs used to run some of these devices are based around the now defunct operating system Windows XP, which is still used to control many medical implants. Most companies have moved away from the operating system and upgraded to more current programs, but as time goes on and medical devices age, there is a higher risk for them to tampered with if not kept properly patched.
In October of 2018, the American Hospital Association cited a rising trend in data breaches at health care organizations, going from 199 in all of 2010 to 154 in just the first six months of 2018. One of the main causes for the increase in attacks is the ease with which the extremely valuable data is stolen. According to the report, hospitals commonly use legacy technology systems that are “not well protected, accounted for, or encrypted.” They also cite that “many organizations lack the resources and expertise to implement efficient and effective cybersecurity safeguards.”
There are sectors of the medical industry that need vast improvement in the field of IT, to remain as healthy as the patients it supports.