As a society, we consider hospitals a place to go for healing or help when we are injured or ill. While the notion of hospitals as a safe place is comforting to most people, the public is sometimes unaware of the cyber security risk posed by a place containing so much interesting information.

The presence of personally identifiable information (PII) always poses a risk, and hospitals are certainly rife with it. In fact, there are multiple types of cybercrime actors who would want to hack into hospital systems, each with a variety of information to go after.

In this post, I will outline a few scenarios where hospital information is at risk, but first let’s quickly cover how hackers get into hospital networks.

There are many, many ways cybercriminals gain access to hospital networks. This year alone, hackers have installed botnets and other nefarious data-stealing software on hospital networks via USB devices to, in some cases, steal very large sums of cash [1]. They have also used spearphishing and social engineering techniques to steal passwords and other sensitive information. But, lately, there’s been a bigger threat vector to the core systems and information hospitals use each and every day: control systems.

With the rise of computer systems and computer-controlled equipment in hospitals, and the need to have them work together on a network, there has been an increase in the use of industrial control systems, such as SCADA (supervisory control and data acquisition), within the healthcare sector. SCADA systems present easy opportunities for cybercriminals due to outdated security frameworks, weak default passwords, the use of wireless internet across system boundaries, and direct connections between the SCADA system and the Internet [2,3].

At HackSurfer, we’re seeing an alarming rise in reports of attempts on SCADA systems across industry and the public utilities. One of the more infamous SCADA attacks was the Stuxnet Worm that spread through Iran’s nuclear facility. That sort of attack may seem far away, but in reality it’s closer to home than you think.

Organized crime, state-sponsored criminals and now hacktivists trying to prove a point are all exploring SCADA as a new way to gain network access. Hospitals and their SCADA systems are natural targets, especially in older, smaller facilities where the SCADA security is an afterthought of the wired age.

If a hospital SCADA system is attacked, it could not only lead to malware infection and data theft, but also could put people’s lives in jeopardy. SCADA systems control multiple systems within the hospital from a centralized location. Some of the more common elements in the SCADA system in hospitals include HVAC systems, telecommunications, critical power systems, life support backups, water supply, and operating room controls. Attacks on SCADA systems can result in issues with information flow, loss of system controls, and power or system outages [3]. An attack could impact medical devices, temperatures (i.e. for lab specimens and hospital temperatures used to control the growth of infectious and communicable diseases), and other critical infrastructure needed for patient safety.

SCADA systems also present easy access points for individuals who are experienced (or in some cases not very experienced) at hacking and want access to networks. While taking control of a system that controls air conditioning may not seem pertinent, it allows cyber criminals access to the internal networks in a hospital. A recent attack on a hospital in Washington State was facilitated by a Conficker worm malware infection in computer-controlled medical equipment that spread through an undisclosed number of U.S. hospitals via SCADA networks that had direct internet access [4].

SCADA systems, often outdated and aging, provide a way for hackers to get access to hospital networks where they can get the data, money or information that they are seeking through the installation of serious malware like the Zeus family of botnets, Conficker worm, and other malicious software.
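The exposures described above (control systems reachable from the Internet, default passwords, wireless links, and a building-control segment that leads on to internal networks) can be checked against a network inventory. The sketch below is an added example, not part of the original post; the zone names, flows and assets are constructed sample data.

```python
from collections import deque
# Constructed sample data: zone names, flows and assets are hypothetical.
ALLOWED_FLOWS = [                      # (source zone, destination zone) permitted by policy
    ("internet", "dmz"),
    ("internet", "hvac_scada"),        # remote-access rule exposing the control zone
    ("hvac_scada", "facilities"),
    ("facilities", "clinical"),
    ("clinical", "billing"),
]
ASSETS = [
    {"name": "hvac-ctrl-01", "zone": "hvac_scada", "default_password": True, "wireless": True},
    {"name": "ups-ctrl-01", "zone": "power_scada", "default_password": False, "wireless": False},
]
CONTROL_ZONES = {"hvac_scada", "power_scada"}
SENSITIVE_ZONES = {"clinical", "billing"}

def reachable(start, flows):
    """Return every zone reachable from `start` over one or more allowed flows."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def audit(flows, assets, control_zones, sensitive_zones):
    """List (subject, finding) pairs for the exposures named in the article."""
    findings = []
    from_internet = reachable("internet", flows)
    for zone in sorted(control_zones):
        if zone in from_internet:
            findings.append((zone, "reachable from the Internet"))
        pivot = sorted(reachable(zone, flows) & sensitive_zones)
        if pivot:
            findings.append((zone, "can reach " + ", ".join(pivot)))
    for asset in assets:
        if asset["zone"] in control_zones:
            if asset["default_password"]:
                findings.append((asset["name"], "default password in use"))
            if asset["wireless"]:
                findings.append((asset["name"], "wireless link crosses the zone boundary"))
    return findings

if __name__ == "__main__":
    print(*audit(ALLOWED_FLOWS, ASSETS, CONTROL_ZONES, SENSITIVE_ZONES), sep="\n")
```

Reachability is computed transitively, so a control zone is flagged even when the path from the Internet, or onward to billing and clinical systems, runs through intermediate segments.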

So, what could really happen? Well, on to some possibilities…

What to worry about right now: money and drugs

So, let’s talk about the ever-popular hacktivists. Once a cybercriminal has access to a network, it’s easy to explore other access points to more highly-guarded and sensitive data. This is the premise and the promise behind techniques like spearphishing – get in and then you can get to the good stuff.

As Earl Simcoe reported earlier this year about the unrest in Turkey, the #OccupyGezi movement resulted in the hacking of the Beypazari State Hospital in Turkey. This attack resulted in the hackers stealing the account credentials for administrators, and posting the information to Anonpaste [5-7]. Not only are attacks like these good for political causes, they are also windows of opportunity to identify weaknesses, steal data, sell it and also leave doors open for less activist-minded individuals who can use these credentials for ends other than a political statement. In this day and age, information is itself valuable, but so too is information that leads to more plundering. As US laws such as HIPAA point out, information stored by the medical profession is important and valuable.

And what about organized cybercrime, the main customers of all this information? Recently, a Washington state hospital was the victim of a very organized crime attack which stole $1.03 million directly from the hospital’s payroll account [1]. But what about the not-so-direct route?

In the #OccupyGezi campaign, hacktivists take credit for a hack to support political ends, but also get much more. As I discussed previously, PII is profitable on the black market, since it can be used, among other ways, to steal someone’s identity. Using these often poorly-secured SCADA entryways to get to networks, theft of financial information and other corroborating personal data from hospital billing departments makes this kind of sale all the more lucrative. For organized crime, the better able they are to open up new accounts, steal money directly from, say, online banking systems or electronic payment accounts, the more the hacktivist gets paid. All this info and more is available inside even the smallest of community hospitals.

Identity theft is one thing, but, these days, organized crime has a bigger reason to steal information from hospitals: promoting illicit prescription drug rings.

In order to get prescription drugs in a large quantity, these rings either need the illegal participation of doctors, often via cash, or they need to be able to forge prescriptions from doctors for current or nonexistent patients. By stealing account credentials and patient medical record information such as patient numbers and addresses, access to large quantities of prescription medications (mainly analgesics like Oxycodone, or benzodiazepines like Xanax) becomes a lot easier. In many cases, even just knowing who’s taking what and where they live leads the drug ring organizers to the doors of legitimate prescription holders. Once there, it’s easy pickings to either buy or steal the medication or prescriptions. This type of crime is costing us all hundreds of millions a year.

For medical research facilities, the problem is equally bad. Unlike a traditional hospital where you go when you fall and break your arm, research hospitals sometimes provide basic care but are also at the forefront of new medical technologies and treatments.

These hospitals are frequently partnered with research universities or other research institutions. The focus of a research hospital is on clinical research trials of new technology or medications. While research hospitals are still susceptible to having patient medical record information or financial information stolen, they have additional sensitive information associated with research trials.

By gaining access to research trial data, hackers can get information about the results of drug trials, drug compounds, drug side-effects, medical device results, and patent information. Only recently, we saw hackers from China hit Lockheed Martin for stealth aircraft information. They’re not just after data on how to build planes. Companies like Lockheed Martin are also frequently awarded contracts like this one to support US Army medical research initiatives. Imagine if a hacker is able to access a hospital that is testing multiple medications, and steals the formulas. They can then reproduce the medication. Or, much worse, state-sponsored hackers could gain access to data on newly-discovered infectious diseases that could be weaponized and used for harm.

For medical research targets, the actors may not even be “traditional” cybercriminals, but instead may just be acting out practices of good old-fashioned industrial espionage. Drug compounds for high-grossing medications, like erectile dysfunction medications, are a very tempting thing to steal. With the amount of money spent on manufacturing new drug compounds to treat illness, being able to quickly access the formula for a drug in the late stages of testing would be crucial to jump-starting a new line of revenue for a foreign drug company.

To prevent exploits such as these, the healthcare industry needs to stay informed about the types of information that cybercriminals may be after, and how they could access this information by exploiting weaknesses in systems like SCADA.

1. http://krebsonsecurity.com/2013/04/wash-hospital-hit-by-1-03-million-cyberheist/
2. http://www.net-security.org/article.php?id=1814&p=1
3. http://www.academia.edu/1792319/SCADA_Systems_Vulnerabilities_Policies_and_Procedures
4. http://news.cnet.com/8301-1009_3-10226448-83.html
5. http://www.cyberwarnews.info/2013/06/01/beypazari-state-hospital-hacked-data-leaked-by-st0rmyw0rm-for-occupygezi/
6. http://news.softpedia.com/news/Hackers-Breach-Turkish-State-Hospital-in-Support-of-OccupyGezi-357668.shtml?utm_source=twitterfeed
7. http://www.cyberwarzone.com/hackers-breach-turkish-state-hospital-support-occupygezi?utm_source=twitterfeed&utm_medium=twitter
8. http://news.softpedia.com/news/Anonymous-Hackers-Claim-to-Have-Breached-HITRUST-356379.shtml