Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Network Security The Internet China Databases Encryption Privacy Software News Hardware Technology Your Rights Online

5 Major Hospital Hacks: Horror Stories From the Cybersecurity Frontlines ( 67

the_newsbeagle writes: We don't often get insider accounts of hacks against major institutions like hospitals because they immediately go into damage control mode. But at a SXSW talk, a couple of experts told tales out of school. The experts, [John Halamka, CIO of the Boston hospital Beth Israel Deaconness, and Kevin Fu, a University of Michigan engineering professor, recounted incidents in which hackers downloaded patient X-rays to China, took down entire networks, fooled Harvard doctors, and more.
This discussion has been archived. No new comments can be posted.

5 Major Hospital Hacks: Horror Stories From the Cybersecurity Frontlines

Comments Filter:
  • Critical systems shouldn't be exposed to outside world. Duh.

    • Did you read the article? The X-ray was not supposed to be, but someone messed up. And that is the problem. The systems are so bad that a small mistake can have MAJOR consequences. There is no margin for error.
      • Re: (Score:1, Interesting)

        What was the damage done by the x-rays being sent to China?

        No, not contrived and complex scenarios. Not slippery slopes. What was the actual damage?

        • by Anonymous Coward

          What was the damage done by the x-rays being sent to China?

          Medical information is considered confidential and private. This confidentiality and privacy was obviously breached if the information unexpectedly, and without the consent of the patient and/or the patient's doctor(s), was transferred to China. From there it could easily be made public.

          Even if nothing ever happens with the medical information, the mere fact that confidentiality and privacy were breached is more than enough damage to get very upset

        • by eam ( 192101 )

          According to the article, the people in China wanted healthy lung xrays because they could sell the images to infected people who would use them to prove that they don't have infectious lung disease, even though they do. That allows them to travel and share their infection with people in other places.

          Personally, I would consider that to be actual damage. I'd rather not wait to see an infection spread before we decide to be concerned.

        • Depends on whose X-ray it is. If somebody important and shows say cancer, China can use info to put said person in position, with one of own backing em. If person does not have family, but is old, it can be used to find healthy duplicate that then is modified with plastic surgery. Information is power.
    • Critical systems shouldn't be exposed to outside world. Duh.

      The most critical systems, those that control medical devices, weren't exposed.

  • No one buys a smoke alarm until after they have had a fire. The simply do not see the risk, and do not trust the people telling them about it. I see it all the time with my clients...
    • by Luthair ( 847766 )
      I think its more than that, much like Home Depot they're hiring people who are not qualified to manage IT security and infrastructure.
    • Home builders and subcontractors are required by code to install smoke detectors in all new construction, remodel, and pertinent commercial upgrades to your premises.

      Think seat belts and motorcycle helmet laws...You can't leave the protection of the masses to their own good judgement.

  • by ka9dgx ( 72702 ) on Wednesday March 16, 2016 @08:12PM (#51711885) Homepage Journal

    The solution to this problem is known, but nobody seems to know about it... []

    • the problem isn't that we don't know how to make good security, the problem is they are not willing to pay for good security.

      • by ka9dgx ( 72702 )

        No... it's not about money... it's people don't understand the difference between POLA and the way things are done now... until that changes, no amount of money is going to help.

        • people don't understand the difference between POLA and the way things are done now

          the problem is that they don't understand the issue (nor want to) which in turn is why they refuse to invest in proper security. it is the lack of a feedback mechanism (pain/sound/etc) to indicate something is going wrong that allows them to continue on until they are completely fucked. effectively you have a person being told they are on the verge of a stroke and then replying that they don't need treatment because they feel fine. it's only until after they have a stroke that they want help.

    • by Goonie ( 8651 )
      Have you ever met a surgeon?

      To indulge in some gross stereotyping here, they have huge egos that exceed their (very considerable) talents, and little appreciation that anything that doesn't involve medicine, or indeed surgery, is important.

      They also tend to end up running hospitals.

      If you tell a surgeon running a hospital that you need to inconvenience him (and it's usually a him) and his fellow surgeons to solve a "problem with the computers", they will ignore you. They are also right - anything tha

  • by Anonymous Coward

    Looking at the first part of the headline "5 Major Hospital Hacks", I was expecting an article showing me 5 creative/unknown ways to improve my hospital stay.

    Oh well, back to Buzzfeed...

  • "At a recent Black Hat conference, a diabetic man demonstrated how to spoof a wireless insulin pump, causing a life-threatening situation"

    How about designing a wireless insulin pump that can't be accessed by unauthorized devices?
    • I work at a hospital. In some fashion, for reporting into the EHR, pumps need to be available on the network. However, there's no reason they shouldn't be read-only. If a dosage is going to be changed, it ought to be modifiable only at the control panel. Good medical practice says you adjust the dosage and observe the patient immediately afterward. To do that, you need to be at the patient's bedside -- and thus, at the pump.
    • by Goonie ( 8651 )
      Because it's not a matter of hacking together a patch, running the unit tests, uploading to production and waiting to see if it crashes.

      This stuff has to run the gauntlet of companies, regulators, and customers who have NFI about infosec, but do have some idea of the consequences of rushing untested changes into devices which quite literally keep people alive from minute to minute.

  • I work for an EMR vendor. FYI, the HITECH Act obligates companies to disclose breaches only in situations where PHI (patient data) is accessed. Our infrastructure could be co-opted into a Russian Bitcoin mining farm, but as long as patient data isn't touched, we don't have to let anyone know.

    What a lot of people don't realize is that many clinics are small businesses. Small businesses tend to make small business decisions. Doctors won't replace those workstations running Windows XP or Vista if they plan to

    • Sadly the only way to alter behaviour is to create an environment where misbehaviour results in sanctions. This means that patient data escaping from a clinic should result in the suspension of your licence to practice medicine if you are a small clinic, and stupid fines if you are large. And a reward for whistle blowers who report it - with a discount on the fines if the mistake is reported promptly. Allow companies to insure against the fines - but encourage the insurers to test their clients...
    • by Merk42 ( 1906718 )
      I was most recently at a very large hospital, and they were entering my information into a computer running Windows XP. They had upgraded other facilities, so it's not penny-pinching in general, I guess just IT is low o the priority?
      • I was most recently at a very large hospital, and they were entering my information into a computer running Windows XP. They had upgraded other facilities, so it's not penny-pinching in general, I guess just IT is low o the priority?

        IT a low priority, not really. They all pay plenty for their EMR and other systems. Desktop support? That does often end up being the red headed step child of IT. For the past twenty years, healthcare has been deploying more and more computers, practically as fast as they can, and only replacing them when they fail or can't do the job anymore. In the last ten years, they really haven't failed that much and still do their job fine. The XP to Win7 has probably been the first enterprise wide upgrade that was d

    • Exactly. I worked for a hospital, and there was a huge breach of data related to doctors and nurses PII. They felt they didn't need to report anything, eventually one of the residents tattled to a local newspaper and it became a minor story.
    • by sjames ( 1099 )

      By the same token, they went with Billy because Joe, who would have fixed the backups and the UPS battery, costs more. Of course he costs more because he does more.

      Billy probably used to cost more too, but he needed enough contracts to feed his family so he gave the customers what they want.

  • by GuB-42 ( 2483988 ) on Thursday March 17, 2016 @07:09AM (#51713815)

    The 5 "horror stories" are just regular hacks that happened in an hospital context. Nothing along the lines of "hacking insulin pumps to kill patients". TFA doesn't mentions any health-related harm. Only the potential problems caused by the resulting delays are mentioned.

    Here are the "horror stories"
    1- Stolen (as in copied) X-ray pictures
    2- DDoS causing temporary internet outage
    3- Doctors getting scammed for Amazon gift cards
    4- Spam sending malware causing a temporary ban of the hospital mail servers
    5- The most serious one : a ransomware caused the hospital network to be down for 1 week, and cost another $17000

    • by sjames ( 1099 )

      That last one probably DID harm patients. They were so bogged down without their IT systems that they had to stop accepting 911 patients for a week. That means people needing help NOW had to wait a little longer while they were taken to a more distant hospital. There's a reasonable probability that there were more incidents of late or wrong medication as well. It's hard to assess exactly who might have been harmed and how much from that.

  • I was interested more details on the Mass General incident with their payroll portal. But I could not find any references to it outside of this mention. Has anyone had better luck, or better searching skills?

"The algorithm to do that is extremely nasty. You might want to mug someone with it." -- M. Devine, Computer Science 340