4 Ways to Hack a Hospital

Nate Nelson
Published in EnjoyTech Web
Jun 11, 2021


(image by Marcelo Leal)

It was late on a Tuesday evening, and the MedStar Southern Maryland Hospital Center looked like a time capsule.

Without an operational computer system, secretaries, nurses and doctors darted through hallways and up and down elevators, trading patient records on paper. Hospitals keep paper records for precisely such occasions — if a computer system fails, it can’t bring the whole facility to a halt — but these backups aren’t perfect copies of their digital counterparts, nor can they be entirely up-to-date. As MedStar nurses told The Washington Post:

[T]he paper charts are far less comprehensive than those kept in digital form. They can be missing vital pieces of patient information: complete medical histories, every drug prescribed, allergies to medicine and treatment plans.

(image via MedStar Southern Maryland Hospital Center)

It’s very risky to provide care with incomplete information. So MedStar personnel began trying to make up the difference by organizing, labeling and filling in gaps in the paper records. That process introduced its own issues. As one nurse recalled, some charts lacked identification, introducing the risk that two patients’ data could be mixed up.

“There are a lot of people who have never done paper charting before, so it was a little chaotic for them. I think the biggest fear that I had when I was working yesterday was the big opportunity for error.”

For all the hubbub over patient records, at least there were workarounds. Other functions of the facility were more difficult to replicate, causing direct risks to patient health. With their scheduling system down, for example, MedStar began turning away patients with appointments for surgical procedures and radiation therapy. Lab results were taking longer than usual to process, affecting the patients already in the building. A nurse told WaPo about one patient whose lab tests were being held up for hours. The nurse had to administer powerful antibiotics until, finally, the results came in, at which point it became clear:

“The medication should have been stopped eight hours earlier.”

One might assume that all this chaos, all this risk to health and safety of innocent people, must have been caused by some remarkable, unstoppable event. In fact, all it took was two people. Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, locked up MedStar’s computer network with SamSam ransomware.

They were not believed to have a connection with Iran’s government. Just a couple of ordinary guys.

(image via fbi.gov)

It’s strange that something so important as a hospital would be vulnerable to middling cybercriminals. But MedStar is less the exception than the rule — this same story, with almost all the same details, has been repeated time and time and time and time and time and time and time again.

Many have suggested that the rise in attacks is a byproduct of the COVID-19 pandemic. Perhaps there is some minor connection; however, the data suggest that 2020 would have seen a high number of incidents regardless of hospital overcrowding. And in some cases, COVID has even dissuaded attackers with some sense of morality.

The real reason hospitals have been hit so hard comes down to two factors. First, they’re very profitable targets. With the health and safety of hundreds of people on the line, hospitals usually can’t avoid paying healthy ransoms.

Second, and perhaps more surprisingly: hospitals are easy marks. There are all kinds of paths through which to hack a hospital, some not particularly challenging even for ordinary cybercriminals.

Let’s consider a few ways hackers can get ransomware into hospital networks:

1. Regular Employees

In 2019, researchers from Brigham and Women’s Hospital in Boston wanted to know how effective phishing emails are in breaching hospitals. They looked at six facilities from around the U.S. that had, at some point in recent years, conducted phishing simulations on their own employees.

The way these simulations typically work is that a third-party service sends mock emails to employees of an organization. The employees don’t know that an experiment is occurring, they simply receive an email that might look something like this (where ‘X’ indicates the name of the company):

From: X Support <X-webmail@gmail.com>

Subject: Email Quota Exceeded Attention X

Your X.edu inbox has exceeded the email storage limit currently permitted under Hospital guidelines. You are running out of storage and may not be able to send or receive email your mailbox has been upgraded. Please click [here] to upgrade your mailbox.

Thanks,

X Assistant System Administrator

All along, the vendor tracks whether the employees fall for their trick or don’t.
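The template above carries several tells that a mail gateway or SOC analyst can check mechanically: an organisation's name in the display name over a free-mail address, a "support" persona from outside the organisation's domain, the quota pretext paired with a click lure, and a link to a third-party host. The following heuristic triage is an added example, not code from the article or the Brigham and Women's study; the hospital domain (`example-hospital.edu`, standing in for `X.edu`), the free-mail list and the keyword list are assumptions, and the sample message is constructed from the template with `X` filled in.

```python
"""Heuristic triage of the quota-exceeded phishing template (added example).

Not from the article or the study it cites. ORG_DOMAIN, FREEMAIL and
QUOTA_WORDS are assumptions; SAMPLE is constructed from the quoted template.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-hospital.edu"  # assumed: the 'X.edu' of the template
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
QUOTA_WORDS = ("quota", "storage limit", "upgrade your mailbox", "running out of storage")

# Constructed sample, modelled on the template quoted above (X -> example-hospital)
SAMPLE = """\
From: example-hospital Support <example-hospital-webmail@gmail.com>
To: nurse@example-hospital.edu
Subject: Email Quota Exceeded Attention example-hospital

Your example-hospital.edu inbox has exceeded the email storage limit currently
permitted under Hospital guidelines. You are running out of storage and may not
be able to send or receive email your mailbox has been upgraded. Please click
http://mail-upgrade.example.net/login to upgrade your mailbox.

Thanks,
example-hospital Assistant System Administrator
"""

def triage(raw: str) -> dict:
    """Return the indicators that fire for a raw RFC 822 message and a simple score."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    findings = []
    # 1. Display name invokes the organisation, but the address is a free-mail account.
    if ORG_DOMAIN.split(".")[0] in display.lower() and sender_domain in FREEMAIL:
        findings.append("org display name on free-mail sender")
    # 2. An IT-support persona is claimed from outside the organisation's own domain.
    if re.search(r"\b(support|administrator|helpdesk)\b", f"{display} {text}", re.I) and sender_domain != ORG_DOMAIN:
        findings.append("support persona from external domain")
    # 3. Mailbox-quota pretext combined with an instruction to click.
    if any(w in text for w in QUOTA_WORDS) and "click" in text:
        findings.append("quota pretext with click lure")
    # 4. Links whose host belongs neither to the organisation nor to the sender's domain.
    for host in re.findall(r"https?://([^/\s]+)", body, flags=re.I):
        host = host.lower()
        if not host.endswith(ORG_DOMAIN) and not host.endswith(sender_domain):
            findings.append(f"link to third-party host {host}")
    return {"sender_domain": sender_domain, "findings": findings, "score": len(findings)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A genuine notice from the hospital's own domain without a quota lure scores zero, so the score can be used as a triage priority rather than a verdict.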

The Brigham and Women’s study analyzed 95 different simulations among its six healthcare institutions — 2,971,945 emails in all. So, in three million tries, how often were employees duped?

422,062 emails were clicked, for an average of 14.2%. In other words, hospital employees can be expected to click one out of every seven malware-laced emails that arrive in their inboxes.

That kind of success rate explains why the majority of attacks against hospitals begin with a dirty email.

(Causes of healthcare breaches in 2020; image via HIMSS)

The target of a phishing campaign is rarely the individual who receives the initial email. Rather, with malware embedded in a PDF or hyperlink, attackers can steal credentials or data, plant remote-access malware or ransomware, move laterally in the network, or simply use the phished employee’s email account to send further emails to personnel higher up the food chain.

2. Software Vulnerabilities

Updating software may be the simplest, most basic step in maintaining rudimentary cybersecurity. Updates come with patches for known vulnerabilities, so not having them gives hackers a clear path in.

At a hospital, though, even this simple necessity can be a problem.

For one thing, hospitals operate 24/7, 365 days a year. Unlike your phone or laptop, medical machines don’t take breaks. Therefore, the need to update systems comes in direct conflict with the need to provide consistent, unceasing patient care.

Healthcare tech also tends to skew old. MRI machines, for example, aren’t like iPhones — they’re difficult to replace, and expensive to buy. They’re reliable, though, so what ends up happening is they stay in use for not just years, but decades. From the facility’s perspective that’s ROI, but from a cyber perspective that’s a risk. An MRI machine from the ’90s can’t stand up to today’s threats, especially because the Windows OS it’s running has probably been discontinued for years already.

Last year, Palo Alto Networks surveyed the frequency of operating systems in enterprise and healthcare IoT devices. They found that 83% of devices run on tech that is not just insecure and outdated, but outright discontinued.

(image via PC Mag)

It’s understandable that a big, expensive MRI machine from the 90s might be running outdated Windows. What’s less explicable is why the same problems pop up even on ordinary computers. On a hospital desktop you’re more likely to find insecure and outdated software, or old versions of browsers.

Or, for a real sense of just how bad the problem is, consider this: as recently as 2017, nearly four out of five hospitals were still using pagers.

3. Connected Medical Devices

Hackers can’t breach what they can’t reach. Even an insecure device is safe if it’s isolated.

But a surprising number of even essential medical machines — pacemakers, blood infusion systems and the like — are internet-connected. In fact they’re not just internet-connected, they’re discoverable and accessible to anyone who cares to look for them.

The result is a deadly mix: machines with outdated operating systems, running unpatched software, discoverable on the open web.

Planting ransomware on a medical device can be very dangerous. Imagine a pacemaker, infusion or oxygen machine that stops working until a ransom is paid.

The more likely scenario is that a hacker would use the vulnerable device as a gateway to a broader attack: like a phishing email to a secretary, the weakest link in the network becomes the entry point for a much wider-ranging attack. It would work because hospital networks tend to be “flat” — interconnected but poorly segmented.


4. Building Automation

One of the most underrated considerations in medical care is the facilities themselves. So many considerations need to go into designing the kind of place where doctors and nurses can do good work. You need air ventilation to avoid disease spread, and HVAC to keep everyone comfortable. Elevators need to be plentiful and fast, so that patients and medical professionals don’t get stuck in the wrong place at the wrong time. Alarm systems and CCTV cameras are necessary for security and management, and the need for running water and electricity is a given.

To reduce costs and keep everything running smoothly, hospitals employ building automation systems (BAS; or building management systems, BMS). Building automation centralizes all the things that make a building run, and these systems can do fancy things, too. As noted in the ultra-specific publication Health Facility Management Magazine:

“Examples include patient-scheduling applications that can tell the BAS that a room is occupied and to reset lights, pressurization and temperature controls to optimize energy use. Another common application is specialized interfaces for nursing staff that allow them to easily switch room pressurization among positive, negative and neutral to ensure patient health and minimize the spread of germs in patient areas.

[. . .]

Space occupancy triggers from the clinical systems are used to initiate energy conservation strategies in the most energy-intensive areas of a hospital. [. . .] In addition, patients can control their microclimate through an intelligent mobile interface.”

The benefits of BAS are undisputed. However, these systems are very centralized and interconnected — juicy targets — and vendors tend to focus more on efficiency than security.

Gilad Zinger — Senior Manager and OT Security specialist at PwC’s Cybersecurity & Privacy Impact Centre — works with hospital automation systems. Last summer he told a story on my podcast, about a client that used pneumatic tubes to transfer blood samples between floors of their hospital. The tubes were internet-connected, without any kind of cybersecurity in place:

Think about the consequences of this machine. If someone gets inside of this pneumatic machine — it is connected to the internet — it will be able to change the paths of the tubes. So you’re a doctor and you send a tube with blood to one floor — if the hacker can hack it, he can send it to another floor. And he can change all the results of the blood tests[.]

[. . .]

And I haven’t [even] talked about just stopping the machine.

What’s the Solution?

There are all kinds of other means by which hackers can defeat hospitals. There’s device theft, brute-force attacks that take advantage of weak passwords, espionage and insider attacks. Sometimes malware like WannaCry comes along which, by its sheer power, blows through half the world in a day or two. Whatever the particular circumstances may be, one thing is for certain:

IT security solutions will never be enough.

That’s what most guidelines in this niche focus on: cyber hygiene, network monitoring, HIPAA compliance, more hiring, employee training and so on. All of these (especially training) are important, but none are sufficient for securing hospitals. That’s because hospitals are critical infrastructure. Health and safety is on the line. Thus, they need to be treated less like enterprises and more like nuclear facilities, or the energy grid.

You’d never catch unpatched software, or critical devices with open internet connections at a nuclear power plant (at least, not at any nuclear power plant you’d be comfortable within 1,000 miles of). When you’ve got centrifuges spinning at 1,500 revolutions a second, it’s understood that compromise is not an option. It is not a business risk, it is not a possibility that can be weighed against the costs of investing in security. Whatever the cost, it must be as close to impossible as possible for a hacker to reach control systems.

Securing hospitals like nuclear facilities would require huge investments and a change in culture over time. Medical professionals would have to compromise on some degree of convenience, and security vendors would have to figure out how to make that compromise as minimal as possible, so as to not reduce quality of care.

Ultimately, though, the shift will have to be made. The consequences of getting hospital security wrong aren’t just losing data, or revenue, but delaying cancer treatments and diverting ambulances.

On September 11th of last year, EMTs in Dusseldorf, Germany rushed to pick up a 78-year-old woman experiencing an aneurysm. From Wired:

What began as a routine pick-up took a nasty turn when they called the local university hospital to inform staff of their impending arrival. They were told that the accident and emergency department was closed, so they couldn’t accept the patient.

Instead, the ambulance was directed to Helios University Hospital in Wuppertal, 32 kilometres away, which delayed the patient’s treatment by an hour. She died shortly after.

Healthcare facilities are the best targets in cybersecurity. They tend to be vulnerable in more ways than one, and the price of a ransom hardly ever outweighs the danger in a shutdown. Even after COVID-19 fades away, the pandemic that is hospital ransomware will rage on.
