5 Major Hospital Hacks: Horror Stories From the Cybersecurity Frontlines (ieee.org) 67
the_newsbeagle writes: We don't often get insider accounts of hacks against major institutions like hospitals because they immediately go into damage control mode. But at a SXSW talk, a couple of experts told tales out of school. The experts, John Halamka, CIO of the Boston hospital Beth Israel Deaconess, and Kevin Fu, a University of Michigan engineering professor, recounted incidents in which hackers downloaded patient X-rays to China, took down entire networks, fooled Harvard doctors, and more.
Well duh (Score:2)
Critical systems shouldn't be exposed to outside world. Duh.
Re: (Score:1, Interesting)
What was the damage done by the x-rays being sent to China?
No, not contrived and complex scenarios. Not slippery slopes. What was the actual damage?
Confidentiality and privacy were breached. (Score:1)
Medical information is considered confidential and private. This confidentiality and privacy was obviously breached if the information unexpectedly, and without the consent of the patient and/or the patient's doctor(s), was transferred to China. From there it could easily be made public.
Even if nothing ever happens with the medical information, the mere fact that confidentiality and privacy were breached is more than enough damage to get very upset.
Re: (Score:2)
To that person? Not a lot. To countries around the world trying to stop Chinese nationals from slipping past border control with horrible diseases that all these x-rays show them as not having...
Re:Confidentiality and privacy were breached. (Score:5, Informative)
Right. According to the IEEE article,
Someone had also downloaded about 2000 patient X-rays to a computer somewhere in China.
“Who knew there was a black market for X-rays?” Halamka says. He learned that some Chinese nationals can’t get visas to leave the country because they have infectious lung diseases such as tuberculosis. A clean lung X-ray is therefore a valuable commodity.
Re: (Score:2)
Yup, I read the article. Sorry, a shock I know, but hey, it sometimes happens :D
But maybe you *are* damaged by offence (Score:2)
If you want to go down that road, I'm "damaged" every time someone says something that offends me.
You are potentially damaged every time someone says something that offends you. Your life is a little bit worse as a result of their action. However, in the case of offensive speech, the other party would also be damaged if they were gagged to protect your sensibilities, while you might also benefit in other ways as a result of being exposed to the initial offensive idea. Most Western societies have decided, to varying degrees, that the damage caused by accepting offensive speech is less than the damage cau
Re: (Score:2)
I consider the pursuit of happiness to be a worthy goal in its own right. Almost by definition, happiness is about being in a situation you like. Someone offending you probably reduces your happiness, and thus harms you, albeit perhaps only in a very small way.
The analogy I sometimes use in these discussions is mild violence. Walk through any city centre late on a Friday night, and you can see that at least some people's natural human response to being offended involves punching the person who offended them
Re: (Score:2)
Not sure what hospital you go to, but this is actually common practice in most hospitals in the US.
Re: (Score:1)
According to the article, the people in China wanted healthy lung xrays because they could sell the images to infected people who would use them to prove that they don't have infectious lung disease, even though they do. That allows them to travel and share their infection with people in other places.
Personally, I would consider that to be actual damage. I'd rather not wait to see an infection spread before we decide to be concerned.
Re: Well duh (Score:2)
Re: (Score:3)
You didn't read the story. The system that holds the data isn't on the network. But a tech needed to upgrade the firmware on it, so he hooked it online and had lunch while the firmware downloaded. He came back to find the computer riddled with malware and the data already exfiltrated.
Re: (Score:3)
Don't underestimate the power of incompetence. If I had to guess, port forwarding is hard if you don't know what you're doing, and if you set up a 1-to-1 NAT statement and permit everything to that IP, you'll expose more than just the port you were concerned with. Many people will fiddle with something until it works, and "wide open" works.
We just had a third-party tech take something like 10 failed attempts and a month and a half to set up port forwarding for a single port. I suspect the business model is
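The "1-to-1 NAT that exposes everything" mistake described above is easy to catch by reading the rules instead of testing until something works. The following is an added example for this thread, not code from any post or from the hospital: it parses an iptables-save style nat table (the syntax is real, the four rules are constructed for illustration) and flags every DNAT that forwards all ports to an internal host.

```python
"""Flag "wide open" port forwards in an iptables-save nat table.

Added example, not code from any post in this thread. The iptables-save
syntax is real; the rules in SAMPLE_NAT_TABLE are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four DNAT rules as iptables-save would print them.
# Rule 1 and 4 forward one port; rule 2 forwards everything; rule 3 narrows
# the protocol to TCP but still forwards every TCP port.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.5.20:443
-A PREROUTING -d 203.0.113.11/32 -j DNAT --to-destination 10.0.5.21
-A PREROUTING -d 203.0.113.12/32 -p tcp -j DNAT --to-destination 10.0.5.22
-A PREROUTING -d 203.0.113.13/32 -p udp -m udp --dport 500 -j DNAT --to-destination 10.0.5.23:500
COMMIT
"""

DNAT_RE = re.compile(r"-j DNAT --to-destination (?P<target>\S+)")
PROTO_RE = re.compile(r"(?:^|\s)-p (?P<proto>\w+)")
DPORT_RE = re.compile(r"--dports? (?P<port>\S+)")


@dataclass
class Forward:
    rule: str              # the original rule line
    proto: Optional[str]   # None when the rule matches every protocol
    dport: Optional[str]   # None when the rule matches every port
    target: str            # internal host (and optional port)


def parse_forwards(table: str) -> List[Forward]:
    """Extract DNAT rules; chain headers, COMMIT and non-DNAT lines are skipped."""
    forwards = []
    for line in table.splitlines():
        m = DNAT_RE.search(line)
        if not m:
            continue
        proto = PROTO_RE.search(line)
        dport = DPORT_RE.search(line)
        forwards.append(Forward(
            rule=line,
            proto=proto.group("proto") if proto else None,
            dport=dport.group("port") if dport else None,
            target=m.group("target"),
        ))
    return forwards


def wide_open(forwards: List[Forward]) -> List[Forward]:
    """A forward with no --dport exposes every listening service on the
    internal host. A -p without --dport only narrows the protocol, so it is
    still flagged: the admin wanted one port, not all of TCP."""
    return [f for f in forwards if f.dport is None]


def audit(table: str) -> List[str]:
    """Return the internal hosts that the table exposes on every port."""
    return [f.target for f in wide_open(parse_forwards(table))]


if __name__ == "__main__":
    for f in wide_open(parse_forwards(SAMPLE_NAT_TABLE)):
        print(f"WIDE OPEN: {f.target:<12} ({f.proto or 'all'} / all ports)  {f.rule}")
```

Run it against `iptables-save -t nat` output from the edge device; any host it prints is reachable on every service it happens to be listening on, which is exactly how a "hooked it online for lunch" machine gets found and owned within minutes.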
Re: (Score:3)
I know we talk about how long it takes a machine to get infected but hot damn these hospitals must be loading these machines up behind no firewalls at all to get to the internet. I would have to actually make conscious efforts to do that just to punch past the usual NAT, let alone everything else. What the hell are these people doing??
He opened up IE to download the patch and the homepage was MSN, with ads... That is how long.
Re: (Score:2)
I know we talk about how long it takes a machine to get infected but hot damn these hospitals must be loading these machines up behind no firewalls at all to get to the internet.
The network was supposed to be air gapped, but a clueless contract tech came in and connected it up anyway.
Re: (Score:2)
There's the first failure. Everyone and his dog routinely requires network access to do updates. Often they won't even document what ports/IPs are required.
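When the vendor won't document which hosts and ports an update needs, the practical answer is to run the update once on a monitored staging box and derive the allowlist from what it actually talked to. This is an added example for the thread, not code from any post: the session records, hosts and timestamps are constructed, and the "expected hosts" set is an assumption standing in for whatever the vendor and your resolver really are. It collapses the recorded flows into distinct endpoints, points out any endpoint that is not expected, and renders the rest as nftables rules with a default drop.

```python
"""Derive a minimal egress allowlist from a recorded update session.

Added example, not code from any post in this thread. The connection
records are constructed; the expected-host set is an assumption.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed records: "<time> <src>:<sport> -> <dst>:<dport> <proto>",
# as a staging box might log them during one vendor update run.
SESSION_LOG = """\
2016-03-15T12:01:02Z 10.0.5.20:51234 -> 10.0.0.53:53 udp
2016-03-15T12:01:02Z 10.0.5.20:51235 -> 10.0.0.53:53 udp
2016-03-15T12:01:03Z 10.0.5.20:51236 -> 198.51.100.7:443 tcp
2016-03-15T12:01:09Z 10.0.5.20:51237 -> 198.51.100.7:443 tcp
2016-03-15T12:01:10Z 10.0.5.20:51238 -> 198.51.100.40:80 tcp
2016-03-15T12:01:11Z 10.0.5.20:51239 -> 198.51.100.40:80 tcp
2016-03-15T12:03:30Z 10.0.5.20:51240 -> 192.0.2.99:443 tcp
"""

# Assumed: the site resolver, the vendor's update host and its CDN.
EXPECTED_HOSTS = {"10.0.0.53", "198.51.100.7", "198.51.100.40"}

Endpoint = Tuple[str, str, int]  # (dst_ip, proto, dport)


def parse_flows(log: str) -> List[Endpoint]:
    """One (dst, proto, port) tuple per recorded flow; source ports are dropped."""
    flows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _time, _src, _arrow, dst, proto = line.split()
        ip, port = dst.rsplit(":", 1)
        flows.append((ip, proto, int(port)))
    return flows


def allowlist(flows: List[Endpoint]) -> List[Tuple[Endpoint, int]]:
    """Distinct endpoints with the number of flows each one carried, sorted."""
    return sorted(Counter(flows).items())


def unexpected(entries: List[Tuple[Endpoint, int]],
               expected=EXPECTED_HOSTS) -> List[Endpoint]:
    """Endpoints that are not the vendor or the resolver. One of these in an
    update session is a reason to stop and ask, not a rule to add."""
    return [ep for ep, _count in entries if ep[0] not in expected]


def render_nft(entries: List[Tuple[Endpoint, int]], iface: str = "eth0") -> str:
    """nftables output chain: explicit accepts, everything else dropped."""
    lines = [
        "table inet update_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for (ip, proto, port), count in entries:
        lines.append(f'    oifname "{iface}" ip daddr {ip} {proto} dport {port} accept'
                     f'  # seen {count}x')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    entries = allowlist(parse_flows(SESSION_LOG))
    for ep in unexpected(entries):
        print("UNEXPECTED endpoint in update session:", ep)
    print(render_nft([e for e in entries if e[0][0] in EXPECTED_HOSTS]))
```

In the constructed session the vendor traffic is DNS plus two web hosts, and one flow to 192.0.2.99 is not on the expected list; the script reports it rather than silently writing it into the firewall. The rendered rules only admit what the update actually needed, so the isolated segment never gets the "permit all outbound for an hour" exception that the story's technician effectively granted.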
Re: (Score:2)
Looks like they did read the story. Critical systems shouldn't be online, and what did you just say?
But a tech needed to upgrade the firmware on it so hooked it online and had lunch while the firmware downloaded.
Idiot puts it online...stop making excuses for bad design and stupid techs.
Re: (Score:2)
Critical systems shouldn't be exposed to outside world. Duh.
The most critical systems, those that control medical devices, weren't exposed.
No one buys a smoke alarm... (Score:2)
Re: (Score:2)
Think seat belts and motorcycle helmet laws...You can't leave the protection of the masses to their own good judgement.
Solution found, needs to be adopted... (Score:4, Informative)
The solution to this problem is known, but nobody seems to know about it...
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
the problem isn't that we don't know how to make good security, the problem is they are not willing to pay for good security.
Re: (Score:2)
No... it's not about money... it's people don't understand the difference between POLA and the way things are done now... until that changes, no amount of money is going to help.
Re: (Score:2)
people don't understand the difference between POLA and the way things are done now
the problem is that they don't understand the issue (nor want to) which in turn is why they refuse to invest in proper security. it is the lack of a feedback mechanism (pain/sound/etc) to indicate something is going wrong that allows them to continue on until they are completely fucked. effectively you have a person being told they are on the verge of a stroke and then replying that they don't need treatment because they feel fine. it's only until after they have a stroke that they want help.
Re: (Score:2)
To indulge in some gross stereotyping here, they have huge egos that exceed their (very considerable) talents, and little appreciation that anything that doesn't involve medicine, or indeed surgery, is important.
They also tend to end up running hospitals.
If you tell a surgeon running a hospital that you need to inconvenience him (and it's usually a him) and his fellow surgeons to solve a "problem with the computers", they will ignore you. They are also right - anything tha
Re: (Score:2)
You've got a lot of hard won experience, I'll give you that... but the problem is a whole new layer, deeper than you're used to thinking about. Imagine if you built a old style fort, moved your troops in, and generally felt secure.... only to find out the bricks it was built out of were actually blocks of C4, and any one of them could send the whole place up in a flash.
If you can imagine that scenario... you know what computer security is really like, no matter how careful you are. Because Windows, Mac-OS,
Re: (Score:1)
I think OpenBSD takes the most pragmatic approach here and it is available and works well today. Basically the code is reliable and more secure & predictable than anything else known for a desktop or server OS, in the default install, and then for anything you add or change, you can consider its impact on security and act accordingly, separating privileges by user account, choosing risk vs. reward when using non-audited packages, etc, etc. Only 2 remote holes in the default install since about 1995, I
That's SELinux, which is now reasonably convenient (Score:2)
> OS out there runs every line of code with the full privileges of a user account at all times, there's no way for a user to limit the scope of what a program does at run time.
> The solution is to use an operating system that is designed from the ground up to simply ask which files the user wishes to operate on, instead of blindly trusting the program to do the right thing
That change from giving permissions to the user (discretionary access control) to instead assigning them to the program + user (ma
Re: (Score:2)
Having an admin set up a static set of privileges on each and every program isn't a sustainable approach... what's needed for general purpose use is called the "power box", in which the operating system directly asks the user about which files to open, etc... instead of trusting the application to do it.
Users can generally decide correctly what files to access, etc.. you don't have to have an admin do it.
Re: (Score:2)
See, I really think that least privilege is a good start. I know that's not the case if the nurse can play minesweeper and visit Facebook. Yeah, they're gonna be pissed. Then, it really has to be functional. It has to be functional all the time - and redundant, perhaps several layers of redundancy. Use that to YOUR advantage. They can't login? They get a dumb device and someone enters the results from charts into the computers later. Sorry, learn to carry your card and remember the password, Doctor. You too
Disappointed (Score:1)
Looking at the first part of the headline "5 Major Hospital Hacks", I was expecting an article showing me 5 creative/unknown ways to improve my hospital stay.
Oh well, back to Buzzfeed...
Re: (Score:1)
I was kinda hoping for a Freddy Krueger comeback...
How to spoof a wireless insulin pump? (Score:1)
How about designing a wireless insulin pump that can't be accessed by unauthorized devices?
Re: (Score:2)
This stuff has to run the gauntlet of companies, regulators, and customers who have NFI about infosec, but do have some idea of the consequences of rushing untested changes into devices which quite literally keep people alive from minute to minute.
Healthcare IT? Ugh. (Score:2)
I work for an EMR vendor. FYI, the HITECH Act obligates companies to disclose breaches only in situations where PHI (patient data) is accessed. Our infrastructure could be co-opted into a Russian Bitcoin mining farm, but as long as patient data isn't touched, we don't have to let anyone know.
What a lot of people don't realize is that many clinics are small businesses. Small businesses tend to make small business decisions. Doctors won't replace those workstations running Windows XP or Vista if they plan to
Make it HURT (Score:2)
Re: (Score:2)
I was most recently at a very large hospital, and they were entering my information into a computer running Windows XP. They had upgraded other facilities, so it's not penny-pinching in general, I guess just IT is low on the priority?
IT a low priority, not really. They all pay plenty for their EMR and other systems. Desktop support? That does often end up being the red headed step child of IT. For the past twenty years, healthcare has been deploying more and more computers, practically as fast as they can, and only replacing them when they fail or can't do the job anymore. In the last ten years, they really haven't failed that much and still do their job fine. The XP to Win7 has probably been the first enterprise wide upgrade that was d
Re: (Score:2)
By the same token, they went with Billy because Joe, who would have fixed the backups and the UPS battery, costs more. Of course he costs more because he does more.
Billy probably used to cost more too, but he needed enough contracts to feed his family so he gave the customers what they want.
No patient harmed (Score:3)
The 5 "horror stories" are just regular hacks that happened in a hospital context. Nothing along the lines of "hacking insulin pumps to kill patients". TFA doesn't mention any health-related harm. Only the potential problems caused by the resulting delays are mentioned.
Here are the "horror stories"
1- Stolen (as in copied) X-ray pictures
2- DDoS causing temporary internet outage
3- Doctors getting scammed for Amazon gift cards
4- Spam sending malware causing a temporary ban of the hospital mail servers
5- The most serious one : a ransomware caused the hospital network to be down for 1 week, and cost another $17000
Re: (Score:2)
That last one probably DID harm patients. They were so bogged down without their IT systems that they had to stop accepting 911 patients for a week. That means people needing help NOW had to wait a little longer while they were taken to a more distant hospital. There's a reasonable probability that there were more incidents of late or wrong medication as well. It's hard to assess exactly who might have been harmed and how much from that.
Mass General? (Score:2)