
Cyber Pandemic: Computer Attacks in Healthcare



There is no other industry that could be considered as more noble and selfless than healthcare. This is such a humanitarian sphere that even in conflict situations, its representatives are obliged to respect and protect you in any way possible. It is hard to believe that someone would like to undermine the public importance of health care, not to mention the fact that someone deliberately carries out cyber attacks against medical organizations.

Money drives the world and, unfortunately, the specifics of an industry do not matter to those who chase it. Money is the main motivation for the majority of cyber criminals, who have discovered a “storehouse” of vulnerabilities in health care.
Health care is focused on other vital issues; perhaps for this reason, medical organizations for a long time did not pay enough attention to their IT security. As a result, the industry is equipped with high-tech solutions that have an insufficient level of IT security, which is very disturbing.



Dangerous environment

Ransomware (file-encrypting malware) has become one of the most common threats today, another example of the fact that money is the main driver for cyber criminals. Attacking those who possess valuable information and who are willing to pay the ransom: all this has made ransomware the perfect weapon. We have seen attacks against certain industries. In fact, the interest of hackers in some sectors of the economy, for example, finance, is quite obvious: emptying bank accounts. Even when the victim is a bank, the goal is the same, as we recently observed in the case of the Central Bank of Bangladesh. Other industries cannot suffer from the direct theft of money, but the goal is still clear.

As was shown in the recent white paper “Hotel Hackers”, cyber attacks on shops, service companies and hotels allowed attackers to infect POS terminals in order to steal money from the bank cards of their customers. However, in health care the motive is not so obvious. In many countries, it is not customary for patients to use bank cards to pay for medical services, because they are paid by insurance companies. Yet hospitals are increasingly becoming victims of cyber attacks.

Why have hospitals become the target of cyber criminals?


According to the US Department of Civil Rights, during 2015, 253 security breaches were recorded in the health sector, resulting in more than 112 million records stolen. According to IBM, in 2015 this sector of the economy was subjected to cyber attacks more often than other industries. Health care is at the heart of the technological revolution. The industry is moving to storing all information in electronic form, which is undoubtedly beneficial for patients and hospitals. This information is available online, which is useful when a patient's doctor needs to read the medical history. At the same time, this convenience has given rise to a serious security problem for the entire industry. Medical information is very valuable and highly sensitive, so whoever controls it can get rich.

In some countries you can sell this stolen information, and there are even companies that are interested in buying such data (research centers and insurance companies). Then, of course, there is a “black market” where medical information may be more valuable than bank card information. Medical documents contain a huge amount of personal information that can be used as a “master key” for future attacks. For example, even high-ranking individuals who are especially careful about their privacy and do not disclose personal information on the Internet, social networks, etc. cannot prevent their records from being stored in medical center files. If this confidential information falls into the wrong hands, their personal data will no longer be secret.

Another example would be access to confidential information at pharmaceutical centers, where companies are willing to pay big money for the opportunity to “steal” a patent from a competitor. Or the possibility of obtaining a doctor's personal information in order to issue prescriptions illegally. Case histories, test results, email addresses, passwords, social security numbers, confidential information of employees, patients and companies: all this is very valuable information. The problem is that medical organizations are protected by outdated security systems.

History of lucrative attacks

Red Cross (USA)

In 2006, a Red Cross employee in St. Louis (USA) stole identifiers and information about three blood donors. The consequences could be much more serious, because this employee had access to data from more than 1 million donors.

Temple Street Children's University Hospital (Ireland)

A year later, in Ireland, two servers were stolen from Temple Street Children's University Hospital, containing data from nearly 1 million patients, including their full name, date of birth, and reasons for missing classes.

Hospitals and clinics of the University of Utah (USA)

In 2008, hospitals and clinics at the University of Utah (USA) reported the theft of the records of 2.2 million patients. The data was stored on film carriers, which were left in the car of an employee of an external contracting company. In this case, the employee did not follow the established procedures for transporting information, and as a result the personal information of more than 2 million people was stolen.


So far, we have discussed only isolated incidents, not mass attacks. However, the situation has changed over the years. According to a study published by the Ponemon Institute, over the past 5 years, the number of attacks in healthcare has increased by 125%. Cyber attacks have become the main cause of information loss. This is a matter of concern, especially considering that 91% of the organizations reviewed in this study were attacked at least once in the last 2 years, which resulted in data loss. 40% admitted that during this period they faced five or more cases of data loss.

Insurance company Anthem (USA)

One of the most serious attacks in this sector happened in February 2015. Anthem, the second largest insurance company in the United States, suffered from an attack that resulted in the theft of 80 million patient records that contained critical data (social security numbers).

In addition to the theft of information with its subsequent sale, you should also pay attention to ransomware attacks, which cause direct economic damage to their victims. Hospitals, pharmaceutical and insurance companies have a huge amount of valuable information. Cyber criminals have turned their close attention to them and are constantly looking for new opportunities to access this information.

Presbyterian Medical Center in Hollywood (USA)

In February 2016, the Presbyterian Medical Center in Hollywood (Los Angeles, USA) declared an "internal danger" because their employees were left without access to medical records of patients, e-mail and other systems.

As a result, some patients could not receive proper treatment and were sent to other hospitals. Cyber criminals demanded a ransom of $3.7 million. In the end, the head of the center came to an agreement with them and paid about 17 thousand dollars to get the stolen files back.



Baltimore MedStar Health (USA)

The following month, MedStar Health from Baltimore (USA) also admitted that they had to shut down some of their hospital systems as a result of a similar attack.

Henderson Methodist Hospital (USA)

The Henderson Hospital (Kentucky, USA) was another victim. In this case, there is unconfirmed information that a ransom of $17,000 was paid, although it is assumed that much more was actually paid.

Prime Healthcare Management

A major US provider of medical services, Prime Healthcare Management, Inc., has also become a victim of cyber attacks. Two of their hospitals (Chinese Valley Medical Center and Desert Valley Hospital) were attacked, causing a network outage, and many other facilities were affected by the same attack. In this case, the company did not pay the ransom.



Cases in Germany

US hospitals are not the only targets: German hospitals were also victims of attacks. According to the Deutsche Welle international TV and radio company, several hospitals in Germany have suffered from ransomware, among them Lukas Hospital in Neuss and Klinikum Arnsberg in North Rhine-Westphalia. None of them paid a ransom.

Cardiology Hospital in Kansas (USA)

It should be noted that the payment of the ransom in the examples above did not guarantee the return of information. A striking example of this is the ransomware attack on the cardiology hospital in Kansas (USA) in May 2016. The head of the hospital decided to pay the ransom, but the hackers, realizing the value of the data, asked for more money to restore the remaining information. The hospital did not make the second payment.

All these cases clearly show that the health sector should heed its own advice.



The reality of science fiction

As shown in the examples above, these types of attacks are fully capable of stopping the operation of a hospital, closing access to files and taking sensitive information hostage. In addition, there is something that can seriously affect each of us. Almost all medical equipment (for example, pacemakers, tomographs, x-rays, infusion pumps, respirators, etc.) is connected to the network. It is quite possible that these medical devices can be hacked. In 2013, former US Vice President Dick Cheney reported that his doctors had turned off the wireless connection to his pacemaker because they saw a high probability of a remote attack on his device. A year earlier, Barnaby Jack, a New Zealand hacker, showed security conference participants how a pacemaker could be compromised remotely so that it delivered a life-threatening electric shock. Barnaby invented an attack that could hit all pacemakers within a radius of 15 meters.

He also showed how it is possible to remotely change the operating parameters of a portable insulin pump used by diabetic patients at a distance of up to 90 meters, as a result of which it can inject a lethal insulin dose into a patient. Jack died a week before he was due to demonstrate the hacking of an artificial heart. At the Black Hat Conference 2013, he was going to show how to change the operating parameters of these implants.



Richard Rios also devoted himself to finding vulnerabilities in medical devices. Because of a polyp in his airways, this researcher ended up at Stanford Hospital for two weeks. During this time, Rios realized that his bed was connected to a computer. It had belts that raised his legs and an infusion pump that injected medication daily. Without leaving the ward, he looked around and found up to 16 networks and 8 Wi-Fi access points. After lying in bed for several days, he got up and went to the exit to stretch his legs. During this short walk, he discovered a computerized medication dispenser. The entire responsibility for distributing the drugs rested on a computer that the doctor and nurses operated using a coded identification card.
Before noticing the device, Richard already knew that this system had vulnerabilities: a password hard-coded in the source code of the program allowed others to “play” with the medicine dispenser.

Together with his partner, Terry McCorkle, Richard discovered over 300 vulnerable devices in 40 health care companies. Rios is confident that these vulnerabilities still exist. In his zeal to demonstrate the dangers of these vulnerabilities, Richard Rios was able to show that he could remotely manipulate medical pumps used in hospitals around the world.

He hacked several of these devices to raise the level of doses to deadly values. Rios warned that this could be done on more than 400,000 such pumps around the world, which remain vulnerable. Almost at the same time, several analysts from TrapX Security (San Mateo, California, USA) began tracking vulnerable devices in more than 60 hospitals. They infected hundreds of devices using a program that replaced part of the original operating system on these devices.

The infected machines remained fully functional, so no one noticed the problems, but during these 6 months, TrapX tracked all the work of the networks of these hospitals. Among the devices they accessed were also X-ray machines, blood test machines, pumps, and, of course, computers used by hospital staff. Many such computers had unsupported operating systems that are more vulnerable, such as Windows XP or Windows 2000.

The fact that the antivirus protection of most of these hospitals did not detect the introduction of TrapX suggests that their devices are not well protected. They remained infected until TrapX Security sounded the alarm.



How could these attacks be avoided?

We have seen criminals carry out attacks to steal sensitive information, medical records, pharmaceutical research, or data from policyholders. We have seen how easily they find out email addresses, passwords and social security numbers. Or how, using ransomware to earn money, they seize important information, which can paralyze the work of entire hospitals.

Avoiding these attacks is a difficult task. But it is necessary to take concrete actions: allocate resources and develop policies to improve the security of devices, data and people.

The first key and decisive recommendation is to use an IT security solution with advanced protection capabilities that can detect and eliminate potential threats.

Many attacks were successful due to lack of control over everything that happens in computer systems.
We recommend using a model capable of controlling all active processes on devices connected to the corporate network. Having full visibility of what is happening, you can control any abnormal behavior in the systems and act before any incident occurs.

To protect against modern threats and targeted attacks, you must have a system that ensures the confidentiality of information, protection of data, business reputation and IT assets.

Adaptive Defense 360 is the first and only information security service that combines one of the most effective traditional antiviruses with the most advanced protection and the ability to classify all executable processes.

The product is able to detect malicious programs and strange behavior that are not detected by other protection services, by classifying all running and executing processes. Due to this, the solution is able to provide protection against known malware, as well as against zero-day attacks, advanced persistent threats (APT), and targeted attacks. You will always know what is happening with every file and process. Detailed graphs show everything that happens on the network: the chronology of threats, the flow of information, how active processes behave, how malware gets into the system, where it happens, with whom, how threats get access to information, etc. Adaptive Defense 360 allows you to easily detect and close vulnerabilities, as well as block unwanted elements (navigation tools, adware, additional components, etc.).

You can evaluate the capabilities of Adaptive Defense 360 using a demo console (without the need to install the product).

The demo console is designed to demonstrate Adaptive Defense 360 and is already populated with certain information on user settings, profiles, etc., which allows you to evaluate the console in a mode as close as possible to real work.

Access demo console
Login: DRUSSIAN_FEDERATION_C14@panda.com
Password: DRUSSIAN # 123

Note: Changes made to product settings while viewing the demo console are reset daily.

Source: https://habr.com/ru/post/304382/

