5 Major Hospital Hacks: Horror Stories From the Cybersecurity Frontlines (ieee.org)
the_newsbeagle writes: We don't often get insider accounts of hacks against major institutions like hospitals because they immediately go into damage control mode. But at a SXSW talk, a couple of experts told tales out of school. The experts, John Halamka, CIO of the Boston hospital Beth Israel Deaconess, and Kevin Fu, a University of Michigan engineering professor, recounted incidents in which hackers downloaded patient X-rays to China, took down entire networks, fooled Harvard doctors, and more.
The solution to this problem is known, but nobody seems to know about it...
https://en.wikipedia.org/wiki/...
You didn't read the story. The system that holds the data isn't on the network. But a tech needed to upgrade the firmware on it so hooked it online and had lunch while the firmware downloaded. He came back to find the computer riddled with malware and the data already exfiltrated.
I know we talk about how long it takes a machine to get infected but hot damn these hospitals must be loading these machines up behind no firewalls at all to get to the internet. I would have to actually make conscious efforts to do that just to punch past the usual NAT, let alone everything else. What the hell are these people doing??
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
I work at a hospital. In some fashion, for reporting into the EHR, pumps need to be available on the network. However, there's no reason they shouldn't be read-only. If a dosage is going to be changed, it ought to be modifiable only at the control panel. Good medical practice says you adjust the dosage and observe the patient immediately afterward. To do that, you need to be at the patient's bedside -- and thus, at the pump.
Don't underestimate the power of incompetence. If I had to guess, port forwarding is hard if you don't know what you're doing, and if you set up a 1-to-1 NAT statement and permit everything to that IP, you'll expose more than just the port you were concerned with. Many people will fiddle with something until it works, and "wide open" works.
We just had a third-party tech take something like 10 failed attempts and a month and a half to set up port forwarding for a single port. I suspect the business model is to find non-technical customers, and hope they never catch on.
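The "1-to-1 NAT and permit everything to that IP" failure described above, as an added example that is not part of the thread or the IEEE article: a small model of first-match FORWARD rules, in iptables-save style, showing that the wide-open rule exposes every service the internal host happens to listen on while a single-port rule exposes only the one that was wanted, plus an audit that flags host-wide ACCEPT rules with no port restriction. The rule lines, the internal address and the service inventory are constructed samples.

```python
"""Added example (not from the article or the thread): why a 1-to-1 NAT plus a
'permit everything to that IP' rule exposes far more than the one port that
was wanted, and a small audit that flags such rules in iptables-style text.
The rule lines and the service inventory below are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ForwardRule:
    dst: str               # internal host the rule applies to
    proto: Optional[str]   # None means any protocol
    dport: Optional[int]   # None means any destination port
    target: str            # ACCEPT or DROP


def parse_forward_rule(line: str) -> ForwardRule:
    """Parse a minimal iptables-save style FORWARD rule (-d, -p, --dport, -j)."""
    tokens = line.split()
    dst = proto = target = None
    dport = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-d":
            dst = tokens[i + 1]
            i += 2
        elif tok == "-p":
            proto = tokens[i + 1]
            i += 2
        elif tok == "--dport":
            dport = int(tokens[i + 1])
            i += 2
        elif tok == "-j":
            target = tokens[i + 1]
            i += 2
        else:
            i += 1  # -A FORWARD and anything else we do not model
    if dst is None or target is None:
        raise ValueError(f"unsupported rule: {line}")
    return ForwardRule(dst, proto, dport, target)


@dataclass(frozen=True)
class Service:
    host: str
    proto: str
    port: int
    name: str


def exposed_services(rules: List[ForwardRule], services: List[Service]) -> List[str]:
    """Names of services reachable from outside under first-match FORWARD rules."""
    reachable = []
    for svc in services:
        for rule in rules:
            if rule.dst != svc.host:
                continue
            if rule.proto is not None and rule.proto != svc.proto:
                continue
            if rule.dport is not None and rule.dport != svc.port:
                continue
            if rule.target == "ACCEPT":
                reachable.append(svc.name)
            break  # first matching rule decides; DROP ends the search too
    return reachable


def audit_wide_open(rules: List[ForwardRule]) -> List[ForwardRule]:
    """Flag ACCEPT rules that name a host but restrict no destination port."""
    return [r for r in rules if r.target == "ACCEPT" and r.dport is None]


# Constructed inventory: what the forwarded host happens to be listening on.
INTERNAL_HOST = "10.0.0.5"
SERVICES = [
    Service(INTERNAL_HOST, "tcp", 443, "https-portal"),
    Service(INTERNAL_HOST, "tcp", 22, "ssh"),
    Service(INTERNAL_HOST, "tcp", 445, "smb"),
    Service(INTERNAL_HOST, "tcp", 3389, "rdp"),
]

# "Fiddle until it works": 1-to-1 NAT plus permit-everything to the host.
WIDE_OPEN = [parse_forward_rule("-A FORWARD -d 10.0.0.5 -j ACCEPT")]

# The single port that was actually wanted; everything else to that host dropped.
SINGLE_PORT = [
    parse_forward_rule("-A FORWARD -d 10.0.0.5 -p tcp --dport 443 -j ACCEPT"),
    parse_forward_rule("-A FORWARD -d 10.0.0.5 -j DROP"),
]

if __name__ == "__main__":
    print("wide open exposes:  ", exposed_services(WIDE_OPEN, SERVICES))
    print("single port exposes:", exposed_services(SINGLE_PORT, SERVICES))
    print("flagged rules:      ", audit_wide_open(WIDE_OPEN))
```

The audit is deliberately narrow: it only catches the exact mistake the comment describes (an ACCEPT scoped to a host but not to a port). Run against a dumped ruleset it gives a quick first pass before anyone scans the public address to confirm what is really reachable.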
He opened up IE to download the patch and the homepage was MSN, with ads... That is how long.
Right. According to the IEEE article,
Someone had also downloaded about 2000 patient X-rays to a computer somewhere in China.
“Who knew there was a black market for X-rays?” Halamka says. He learned that some Chinese nationals can’t get visas to leave the country because they have infectious lung diseases such as tuberculosis. A clean lung X-ray is therefore a valuable commodity.
The 5 "horror stories" are just regular hacks that happened in a hospital context. Nothing along the lines of "hacking insulin pumps to kill patients". TFA doesn't mention any health-related harm. Only the potential problems caused by the resulting delays are mentioned.
Here are the "horror stories":
1- Stolen (as in copied) X-ray pictures
2- DDoS causing temporary internet outage
3- Doctors getting scammed for Amazon gift cards
4- Spam sending malware causing a temporary ban of the hospital mail servers
5- The most serious one: ransomware caused the hospital network to be down for 1 week, and cost another $17000