Eighteen USB sticks were taken into a hospital. They were dropped on multiple floors of the building, left in places where they were likely to be found by hospital staff. Within 24 hours, at least one of them had been plugged into a nurse’s station, infecting it with malware. Hackers were soon able to get into the hospital’s network and take over medicine-dispensing devices. If they’d wanted, they could have caused hundreds of people to overdose. Death was a literal keystroke away.
But those fatal commands were never entered. The attack was orchestrated by benevolent white hat hackers as part of a multi-year, multi-institution study into the vulnerabilities of hospitals and their devices. The study, released by Independent Security Evaluators in February, showed just how easy it would be for a motivated hacker to get into a hospital’s computer system and cause potentially deadly damage.
The same month the report came out, hackers taking over a hospital went from a hypothetical possibility to a reality.
For upwards of 10 days in early February, the nurses and doctors of Hollywood Presbyterian Medical Center in Los Angeles were locked out of their computer systems, meaning everything from nurse’s stations to electronic medical records to MRI machines were unusable. With all electronic communications stopped, hospital employees relied on pencil and paper to record test results and other medical information. Fax machines were the only reliable communication technology. No patients were forcibly over-dosed, but some patients did have to be moved to different facilities. Life-saving test results were unable to move across the 434-bed hospital’s systems.
It was all the result of a relatively simple trick: Hackers infected the hospital with malware that locked down the files on affected devices with a warning that the files would be deleted unless a ransom was paid. The hackers likely got in by emailing an employee and tricking him or her into clicking a link or downloading an infected file. If they had wanted to, the attackers probably could have inflicted serious damage on the hospital’s patients. In the end, though, they only wanted money. The hospital paid the ransom of 40 Bitcoins– about $17,000–and regained access to their systems.
Between April 2014 and the end of 2015, the FBI received 4,291 reports of ransomware attacks. Losses over that period totaled nearly $50 million.
As more of our world becomes networked and connected to the internet, the potential is growing for hackers to take control of public-serving institutions and wreak havoc. Hospitals, schools, and police departments are among the numerous organizations around the world hit by ransomware. A December 2015 study by a cybersecurity firm found that government and education networks are four times as likely to be infected with malware or ransomware than other entities. The hackers behind these attacks are rarely caught.
From hospitals to city governments to electric utilities, many of the institutions and infrastructures we rely on every day are vulnerable to attacks that could easily transition from simple ransom demands to deadly terrorism. The risks are immense. And many say not enough is being done to ensure the public’s safety.
Hospitals, in many ways, are obvious and easy targets for hackers trying to make money. The detailed personal information on hospital systems can have high resale values. And experts say that the large amount of data flowing across numerous computer systems and medical devices means there are many potential points of vulnerability.
Ransomware attacks like the one that locked the networks at Hollywood Presbyterian Medical Center are increasing in frequency and in cost. CryptoLocker, a common form of ransomware that first appeared in August 2013, is estimated by the FBI to have infected more than half a million victims, who paid roughly $27 million in just six months. Another ransomware, CryptoWall, is estimated to have resulted in more than $325 million in damages worldwide. Between April 2014 and the end of 2015, the FBI told me it received 4,291 reports of ransomware attacks. Losses over that period totaled $47,907,523.84.
Ransomware is just the beginning, says James Scott, senior fellow at the Institute for Critical Infrastructure Technology. There’s far more money to be made by malicious actors who steal data, as in the January 2015 hack of the health insurance company Anthem that resulted in the exposure of 80 million people’s records. Scott says electronic medical records are currently for sale in Dark Web forums for $10 to $50 each. Medicare records, which are rarer, start at around $400 each.
“Hospitals and the health sector as a whole have had pretty lackadaisical cyber security hygiene,” Scott says. “They really haven’t evolved with the rest of the critical infrastructures in the U.S. by [hiring] an information security team as opposed to just an IT guy.”
Hospitals haven’t been especially eager to admit when they’ve been attacked, but others aside from Hollywood Presbyterian have been targeted in the past. In April 2014, Boston Children’s Hospital was the target of a series of distributed denial of service attacks, as well as attempted security breaches. The attacks, allegedly encouraged by the group Anonymous in response to a controversy over the hospital’s handling of a complicated child custody issue, took the hospital’s website and various computer systems offline for about a week. And less than a month after the attack on Hollywood Presbyterian, two hospitals in Germany suffered similarly disruptive ransomware attacks.
Dealing with malware like ransomware can be as simple as loading system backups or, less attractively, paying the ransom—as many victims do (even police departments). The FBI was previously reported to have companies and organizations to just pay the ransom. But FBI cyber division chief Chris Stangl now advises against this, telling us, “The FBI does not condone payment of ransom because payment of extortion monies may encourage continued criminal activity and lead to other victimizations or be used to facilitate serious crimes.”
At least with ransomware, you know you’re infected, because your computer tells you. Other malicious software can be more stealthy, operating unbeknownst to system users, stealing data, compromising systems, or, in the hospital setting, taking over active medical devices.
“We’re probably going to see more and more of this,” says Engin Kirda, a cyber security expert and professor at Northeastern University’s College of Computer and Information Science. “And suppose these devices are being used to treat people. Something like that scares me because you don’t know if they’ve been infected.”
The healthcare industry, by and large, is playing catch up in terms of cyber security, according to Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society.
Electronic medical records are currently for sale in Dark Web forums for $10 to $50 each. Medicare records start at around $400 each.
“Healthcare for many years, for decades, has been in the mindset of, ‘Let’s be compliant, let’s satisfy Joint Commission [a healthcare accrediting organization], let’s satisfy HIPAA [the Health Insurance Portability and Accountability Act] and the regulators,'” she says. For all but the biggest players, cyber security has been an afterthought, at best. “In the last three to four years we’ve had very sophisticated attacks, cyber-wise. And that was certainly our wake up call.”
The research firm Forrester recently predicted that hackers would release ransomware specifically directed at medical devices in 2016. The Independent Security Evaluators study showed that through both physical USB plants and remote attacks, hackers could take over heart defibrillators, insulin pumps and machines that emit radiation.
Cyber security in hospitals is struggling to keep up with these threats. Security experts like James Scott argue for more investment in security systems and personnel at hospitals. But that’s not all. His think tank recently issued a paper that calls for better security too among medical device manufacturers. But the real problem, according to the paper, is the Food and Drug Administration, whose policies don’t go far enough to make sure device manufacturers are proactively addressing cyber security issues.
The agency’s voluntary guidelines are “just standards, not regulatory,” says Scott. “It’s like, ‘Do it, don’t do it, whatever.’ It’s a ho-hum mentality.”
This mentality is changing, albeit slowly. In February 2013, President Barack Obama issued an executive order calling for the establishment of a set of voluntary standards and guidelines to help organizations prevent and avoid cyber attacks. A year later, the National Institute of Standards and Technology released a Framework for Improving Critical Infrastructure Cybersecurity. And in December, the Cybersecurity Act of 2015 was enacted. It includes a specific section focused on cyber security in health care, and calls for the creation of a task force to develop best practices for the health care industry. Lee Kim says this is a positive step.
She’s hopeful these moves will help more organizations cover the basics of improved cyber security and help health care organizations guard themselves from the vast majority of attacks. In the meantime, hospitals, medical centers, medical device manufacturers and health insurance providers are all doing their best to secure themselves—or at least that’s the hope.
“It’s not just a healthcare problem,” Kim says. Critical infrastructures from utilities to traffic lights to municipal personnel databases are fumbling through the same jungle of cyber security unknowns. And as more and more of our physical world becomes networked and connected to the internet–the embedded sensors in our streets, the Internet of Things in our kitchen appliances, the “smart” city all around us–there’s a sharply growing potential for cyber attacks that have not just digital but dangerously physical ramifications.
Hospital insecurity is a symptom of a wider digital disease.
In 2013, Cesar Cerrudo flew a lightweight drone over an unnamed city that could have taken over the city’s traffic lights, causing chaos on its roads. The CTO of the security firm IOActive, Cerrudo had discovered a vulnerability in the wireless transfer of data between traffic sensors and the traffic light control system used by at least 10 countries and 40 cities in the U.S., including New York, Los Angeles, Washington D.C. and San Francisco.
A little extra traffic might not seem like a major cyber attack, but as Cerrudo lays out in a recent report, the increasingly wired “smart city” has a growing number of vulnerabilities that could be exploited to jeopardize large amounts of data, city operations and even the physical performance of a city’s infrastructure. From street lights to the electricity grid, numerous city systems are tied into centralized controls that are increasingly vulnerable to attacks.
“We are putting software inside of everything and connecting it to the internet,” Cerrudo says. “So you’re providing attackers more possibilities to attack a system or a device.”
An August 2015 report from the Department of Homeland Security’s Office of Cyber and Infrastructure Analysis lays out just a few of the ways this could all go terribly wrong, from hijacking autonomous cars to causing subway trains to smash into each other to shutting down the power grid—which has already happened in Ukraine.
Cerrudo says more attacks on physical systems are likely, and many places are not prepared to prevent them, whether because of insufficiently secured hardware and devices or poor cyber security protocols. “The more technology a city uses, the more vulnerable to cyber attacks it is,” Cerrudo’s report notes. “So the smartest cities have the highest risks.”
For now, hackers are likely to be more interested in money-making ventures like stealing medical records and holding hospital computers for ransom. But even if cyber criminals don’t shift their focus to physically tampering with urban infrastructure, relatively simple ransomware may prove just as effective at hindering city services and dramatically disrupting day-to-day life.
It cost $17,000 for the Hollywood Presbyterian Medical Center to get their ransomed computer systems back. We don’t know yet what it would cost to unlock a city’s traffic lights, public transit system, or electricity grid. But we may soon find out.