Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Cybercriminals are increasingly targeting the computer networks of hospitals—one recently announced theft involved data from 4.5 million people who had received treatment from Community Health Systems (CHS), a company that runs more than 200 hospitals. Malware attacks are on the rise in many industries, but researchers from the security firm Websense say the rate at which attacks on hospitals has grown during the past year is unparalleled.

Data security is often lax within health-care facilities, and hackers are targeting systems that store troves of valuable personal information held in electronic medical records, according to the Websense researchers, who say they’ve observed a 600 percent increase in attacks on hospitals over the past 10 months.

Carl Leonard, senior manager of security research for Websense, says the so-called Heartbleed vulnerability was used in some of the hospital attacks. The bug, whose existence was first revealed to the public in April (two years after it first appeared), is a flaw in a widely used encryption software called OpenSSL. Criminals can exploit the flaw and trick vulnerable computers into revealing information stored in their memory. The Web security firm TrustedSec, citing sources close to the investigation, reports that the hackers who targeted CHS gained access to the network via the Heartbleed vulnerability.

Software vendors released patches immediately after Heartbleed was revealed, but recent research suggests that hundreds of thousands of systems are likely still vulnerable. Though there are many other ways that malware authors can infiltrate networks and steal sensitive information, “the massive number of systems that are susceptible to this vulnerability is unique,” says Websense’s Leonard.

Exacerbating the problem is that data security has not been a top priority for many health-care organizations. The health-care industry spends very little on IT compared to other industries, says John Halamka, chief information officer and dean of technology for Harvard Medical School. “Where do you think you’re going to find the vulnerabilities?” he says.

Whereas individual stolen credit card numbers and Social Security numbers now fetch relatively little in underground identity theft markets, certain personally identifiable information that can be gleaned from health records can be worth hundreds of dollars to uninsured people wanting to pose as someone else to obtain medical care they couldn’t otherwise afford, says Halamka.

Federal authorities and the security firm Mandiant told the U.S. Securities and Exchange Commission that the CHS data theft was carried out by a sophisticated group from China. Though that group has typically been after intellectual property pertaining to medical devices and equipment, this time, according the SEC filing, it stole “nonmedical patient identification data” and no credit card, medical, or clinical information. Yet it is not known what the hackers were seeking.

3 comments. Share your thoughts »

Tagged: Computing, Web, Mobile, malware, hacking, cybersecurity, electronic medical records, cybercriminals

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me