White Hats Hack 12 U.S. Hospitals, Find Patient Data Highly Vulnerable | Hacked: Hacking Finance


White Hats Hack 12 U.S. Hospitals, Find Patient Data Highly Vulnerable

Posted on .

White Hats Hack 12 U.S. Hospitals, Find Patient Data Highly Vulnerable


This article was posted on Tuesday, 22:35, UTC.

Patient and hospital records are at serious risk of hacking attacks, according to a two-year study of healthcare facilities by Independent Security Evaluators, based in Baltimore, Md. The 71-page study assessed security at 12 hospitals, two health data facilities, two medical devices from one manufacturer, and two web applications. The assessment took place over a two-year period.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

Evaluators attacked medical organizations in controlled settings. The attacks included compromising drug dispensers, patient monitoring systems and check-in kiosks. The attacks on drug dispensers took place after infections using USB sticks that were left on hospital premises. Such attacks carried out by malicious attackers could have resulted in death or patient injury, the study noted.

Deadly Attacks Are Possible

“We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report,” the study noted.


// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

The study’s goal was to create a blueprint for medical facilities to follow in reaching full security readiness. The research was driven by an analysis of different healthcare systems, applications and budgets. Research included interviews with hospitals, data centers, medical device manufacturer employees, and industry thought leaders on ISE’s advisory board.

“These findings illustrate our greatest fear: patient health remains extremely vulnerable,” the report stated. “The findings show an industry in turmoil: lack of executive support, insufficient talent, improper implementations of technology, outdated understanding of adversaries, lack of leadership, and a misguided reliance upon compliance.”

The two biggest security flaws in the healthcare industry are: 1) the focus is almost completely on protecting patient records, and 2) the existing measures address only unsophisticated adversaries.

Adversaries cited include individuals and small groups, political groups, organized crime, terrorists and nation states.

What’s At Stake For Attackers

Adversaries attack health care facilities because the assets available have high value to them.

Motivations for attacks in health care facilities differ.

An adversary interested in selling large quantities of identifiable information found in electronic health records will attempt to compromise the records of any patient because the records have fairly equal value. Such attacks are untargeted.

Less common is the adversary targeting the electronic health records of a specific individual or group. The value in exploiting this information could be much greater on a per-record basis. Defending against the different types of attacks should be approached differently.

Attacks can also be unsophisticated or advanced. Unsophisticated attacks leverage known vulnerabilities —those that have been previously disclosed in the afflicted systems— or are easily detected with automated tools. Advanced attacks are those leveraging “0-day” vulnerabilities in applications.

None of the hospitals investigated separated information security (IS) from information technology (IT). All IS responsibility fell within IT. This presents a problem since the two departments have conflicting directives (closedness and restriction for IS, openness and functionality for IT).

In many cases, lowest level staff made decisions for deploying and configuring the technology when such decisions should be made at the department level.

Also read: Hackers target healthcare industry because of low security guarding valuable information

Hospitals Lacked Protocols

Hospitals lacked defined, implemented and/or auditable policies. They also lacked network awareness, audit procedures, logging and monitoring procedures, and suffered from insecure network architecture and insufficient access controls.

Facilities exhibited extensive use of legacy systems, weak controls regarding remote access, custom-built, non-security assessed software, and used vendor provided, non-security assessed software.

Ted Harrington, executive partner at ISE, said everything the researchers examined had critical security issues carrying implications on patient health, according to Forbes. While he considered it risky to say everything has issues, everything the researchers examined had flaws. If they had unlimited resources and time, he said they could probably find ways to attack patient health in any aspect of health care.

The findings contribute to an expanding source of evidence pointing to poor security at medical facilities. A large number of medical devices have been considered vulnerable in the past year.

A range of cancer screening technology used easily-crackable passwords in July 2015. Sergey Lozhkin, a senior researcher at Kaspersky Labs, showed how easily he was able to penetrate a Moscow-based hospital’s defenses were by breaking in via the Wi-Fi, a controlled environment.

Featured image from Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.

Feedback or Requests?

Lester Coleman

Lester Coleman

Lester Coleman is a veteran business journalist based in the United States. He has covered the payments industry for several years and is available for writing assignments.

There are no comments.

View Comments (0) ...
The team:
Dmitriy Lavrov
Dmitriy Lavrov is a professional trader, technical analyst and money manager with 10 years of trading experience. He covers Forex, Commodities and Cryptocurrencies. He is among the top 10 most Read More
Jonas Borchgrevink
Jonas Borchgrevink is the founder of Hacked.com and CryptoCoinsNews.com. He is a serial entrepreneur, trader and investor. He shares his own personal journey on Hacked.com. // -- Discuss and ask Read More
Mate Csar
Trader and financial analyst, with 10 years of experience in the field. An expert in technical analysis and risk management, but also an avid practitioner of value investment and passive Read More
Mati Greenspan
Senior Market Analyst at Etoro.com. // -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- // Important: Never invest Read More
Rakesh Upadhyay
Rakesh Upadhyay is a Technical Analyst and Portfolio Consultant for The Summit Group. He has more than a decade of experience as a private trader. His philosophy is to use Read More
Pamela Meropiali
Account Manager
Pamela Meropiali is responsible for users on Hacked.com. // -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- // Read More
Joseph Young
Joseph Young is a finance and tech journalist & analyst based in Hong Kong. He has worked with leading media and news agencies in the technology and finance industries, offering Read More
Microsoft co-founder and former CEO Bill Gates has voiced his…