Computer hacking has become part of everyday life. Over the past few years Internet-connected devices have been hacked left and right, but most of the time the targets are relatively harmless Internet of Things appliances such as kettles or fridges. Hospitals are a different matter. Boston's Beth Israel Deaconess Medical Center says it is attacked roughly every seven seconds, around the clock, and the attempts come from everywhere: hacktivists, organized crime, cyberterrorists and even MIT students.
Nearly one in three Americans has had health records compromised in some way, and most of them never learn that it happened. The attackers walk away with large amounts of personal information: Social Security numbers, phone numbers, addresses and even medical histories. Much of this data is far more permanent than a credit card number, which can be cancelled and reissued; a Social Security number or a diagnosis cannot. And most of these breaches succeed because hospital systems are riddled with security vulnerabilities.
For example, Sergey Lozhkin, a security researcher at Kaspersky Lab, gave a talk at the Security Analyst Summit (SAS 2016), held in February in Tenerife, Spain, in which he presented a case study of hacking a local hospital. Lozhkin's experiment started when he stumbled on unprotected medical equipment exposed online through Shodan, the search engine for Internet-connected devices. Digging deeper into the results, he found that some of the exposed devices belonged to a hospital near him.
He then cracked and stole the key to the hospital's internal Wi-Fi network, which gave him access to the medical equipment connected to it. Using that access he reached a tomographic scanner and extracted patient records from it. The records were dummy data, since management knew the test was taking place, but the experiment made its point and showed hospital management that their network was woefully insecure.
Lozhkin, however, is a security professional, and he went on to help hospital management fix the vulnerabilities in their systems. Real attackers have no such scruples. Ransomware, malicious software that encrypts a victim's valuable files so they become inaccessible and then offers to unlock them only if the victim pays for the decryption key, has been deployed at least three times against hospitals this year. The most notable case happened just a few months ago: the network of Hollywood Presbyterian Medical Center in Los Angeles was down for a week, and the attackers allegedly demanded more than $3 million in bitcoin.
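The mechanism behind the attack described above also gives defenders something to look for. Ransomware rewrites files as ciphertext, and ciphertext looks like uniformly random bytes, so a sudden burst of files whose byte entropy approaches the 8 bits/byte maximum is a strong signal that encryption is under way. The following is an added example, not code from the article or from any of the incidents it describes; the thresholds, file names and patient records are constructed for illustration, and the "encryption" routine is only a stand-in for whatever cipher a real ransomware family uses.

```python
"""Detecting ransomware-style mass encryption by file entropy (added example)."""
import hashlib
import math
from collections import Counter
from typing import Dict, List

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumption: text and office files sit well below this
MIN_SIZE = 256           # tiny files can look random by chance, so ignore them
BURST_FRACTION = 0.5     # assumption: alert when at least half the files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """High entropy on a non-trivial file is the ransomware 'after' picture."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan(files: Dict[str, bytes]) -> Dict[str, object]:
    """Score a snapshot of path -> contents (kept in memory so the example runs offline)."""
    flagged: List[str] = sorted(p for p, d in files.items() if looks_encrypted(d))
    fraction = len(flagged) / len(files) if files else 0.0
    return {"flagged": flagged, "fraction": fraction, "alert": fraction >= BURST_FRACTION}


# --- stand-in for the attacker's cipher (constructed, not a real ransomware routine) ---
def _keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode, enough to produce ciphertext-looking bytes.
    Not a recommended cipher; it exists only so the detector has input to flag."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def simulate_encrypt(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# --- constructed sample data: six dummy patient records, before and after "encryption" ---
RECORD = b"Patient: Jane Doe\nMRN: 00012345\nDx: hypertension\n" * 80  # dummy record, ~3.9 KB
BEFORE = {f"records/patient_{i:03d}.txt": RECORD for i in range(6)}
_KEY = hashlib.sha256(b"attacker key, constructed for the example").digest()
AFTER = {path + ".locked": simulate_encrypt(data, _KEY) for path, data in BEFORE.items()}

if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after", AFTER)):
        result = scan(snapshot)
        print(f"{label}: alert={result['alert']} fraction={result['fraction']:.2f} "
              f"flagged={len(result['flagged'])}")
```

Entropy alone also flags legitimately compressed or encrypted data (zip archives, JPEGs, PGP files), so in practice it is one signal alongside rename patterns such as the `.locked` suffix above and the rate of writes per process. The only complete answer to the mechanism is the one the hospital lacked: tested, offline backups, which make the decryption key, and the ransom, unnecessary.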
The attack at Hollywood Presbyterian forced doctors back to pen and paper in the age of computerization. News reports said its fax lines were jammed because normal e-mail was unavailable, and some emergency patients had to be diverted to other hospitals. In the end, the hospital paid a ransom of $17,000 to get its files back.
Medical facilities in the area plan to consult cybersecurity experts on how to protect themselves, the Hospital Association of Southern California said. “Hospitals are certainly now aware of ransomware more than they ever were before, and this has become a very real threat,” said spokeswoman Jennifer Bayer. At least 20 other attacks on healthcare facilities in the past year, and hundreds more in other industries, had been kept quiet.
Such attacks may sound like nightmare scenarios, but experts say they are becoming almost routine. Hospitals, meanwhile, have not made cybersecurity a budget priority. On average a hospital spends about 2 percent of its budget on IT, and security might be 10 percent of that, roughly 0.2 percent of the total. Compare that with financial institutions: Fidelity, for example, spends 35 percent of its budget on IT.
Moreover, medical facilities are vulnerable to these attacks in part because they do not properly train their employees to recognize an attack, according to Sinan Eren, who has worked in cybersecurity for government and health-care organizations for two decades.
“It’s not like the financial-services industry, where they train employees how to spot suspicious emails,” said Eren, general manager at Avast Mobile Enterprise. Many hospital computer systems are also outdated, bulky and in dire need of upgrades or newer software, he said, but such institutions often don't have, or don't want to spend, the money for sweeping changes.
Ransomware is big business, for the criminals who run it and for the security professionals hired to fight it. Individual ransoms are typically smaller than the one the hospital paid, often $200 to $10,000, but the volume adds up: victims of a single family, CryptoWall, reported losses of more than $18 million between April 2014 and June 2015, the FBI said.
Special Agent Chris Stangl, a section chief at the FBI's cyber division, told the Washington Post that ransomware attacks are becoming more prevalent as more and more victims pay up. In a nine-month period in 2014 the FBI investigated 1,838 complaints of such attacks, which cost the targets more than $23.7 million. In 2015 agents investigated 2,453 complaints, costing the targets $24.1 million.
Stangl said the hackers, most of them based in Eastern Europe, have increasingly targeted businesses, which can often pay more than individuals to unlock their data. The hackers “scan the Internet for companies that post their contact information,” then send them phishing e-mails. Unsuspecting employees, Stangl said, are asked to click on what seem to be innocuous links or attachments, perhaps something as simple as a PDF purporting to be a customer complaint, and before they know it their computers are infected.
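The lure Stangl describes, a file posing as a PDF "customer complaint", can be screened before any employee has the chance to click. The following is an added example, not code from the article, the FBI or any product; it shows the three cheap checks a mail gateway applies to such an attachment: whether the claimed extension matches the file's magic bytes, whether a double extension hides an executable, and whether a genuine PDF carries the active-content features that droppers rely on. The attachment names and contents are constructed for the example.

```python
"""Triage of a phishing attachment that claims to be a PDF (added example)."""
from typing import Dict, List

# File-type magic: %PDF for PDF, MZ for a Windows PE executable, PK for zip (also docx/xlsx).
MAGIC = {b"%PDF": "pdf", b"MZ": "exe", b"PK\x03\x04": "zip"}
# Extensions Windows will happily execute on double-click; assumption: a mail gateway blocks these.
EXECUTABLE_EXT = {"exe", "scr", "com", "js", "vbs", "bat", "cmd", "ps1", "hta", "jar"}
# PDF name objects that let a document run code or launch something when opened.
RISKY_PDF_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile")


def sniff_type(data: bytes) -> str:
    """Identify the real file type from its leading bytes, ignoring the name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Return a block/allow verdict for one attachment with the reasons that drove it."""
    exts = filename.lower().split(".")[1:]
    claimed = exts[-1] if exts else ""
    actual = sniff_type(data)
    reasons: List[str] = []
    if len(exts) > 1 and claimed in EXECUTABLE_EXT:
        reasons.append("double extension hides an executable: ." + ".".join(exts))
    elif claimed in EXECUTABLE_EXT:
        reasons.append(f"executable attachment type .{claimed}")
    if claimed == "pdf" and actual != "pdf":
        reasons.append(f"claims .pdf but content is {actual}")
    if actual == "pdf":
        found = [k.decode() for k in RISKY_PDF_KEYS if k in data]
        if found:
            reasons.append("PDF contains active content: " + ", ".join(found))
    return {"file": filename, "actual_type": actual,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed samples: one benign PDF and three variants of the "customer complaint" lure.
SAMPLES = {
    "complaint.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n",
    "complaint.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.pdf": (b"%PDF-1.7\n1 0 obj << /Type /Catalog "
                    b"/OpenAction << /S /JavaScript /JS (app.launchURL('http://example.invalid')) >> "
                    b">> endobj\n%%EOF\n"),
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        verdict = triage(name, content)
        print(f"{name:20} {verdict['actual_type']:8} {verdict['verdict']:6} {'; '.join(verdict['reasons'])}")
```

The substring scan of PDF keys is deliberately a first pass: real PDFs compress object streams and can hex-escape names (`/J#61vaScript`), so a gateway that cares must parse the file or detonate it in a sandbox. The first two checks, however, are cheap and decisive, and blocking executable types and double extensions outright removes a large share of the lures that the user training Eren calls for would otherwise have to catch.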
Today such ransomware attacks are largely the work of criminals looking for a quick payoff, but the underlying techniques are already part of military planning for state-sponsored cyberwarfare. Government itself, including its most senior intelligence and national security officials, is no better protected: a single phishing e-mail can redirect an official's home phone service and personal e-mail accounts. Moreover, the US has been designing crippling cyberattack plans that target the civilian sector. Had its nuclear negotiations with Iran failed, the US was prepared to shut down that country's power grid and communications networks.
Imagine a future “first strike” cyberattack in which one nation burrows deep into the industrial and commercial networks of another, deploys ransomware across its entire private sector, and then flips a single switch to hold the whole country for ransom. That nightmare scenario is unfortunately far closer than most people think.
counterpunch.org