Hackers Are Homing In on Hospitals
Cybercriminals are increasingly targeting the computer networks of hospitals—one recently announced theft involved data from 4.5 million people who had received treatment from Community Health Systems (CHS), a company that runs more than 200 hospitals. Malware attacks are on the rise in many industries, but researchers from the security firm Websense say the rate at which attacks on hospitals has grown during the past year is unparalleled.
Data security is often lax within health-care facilities, and hackers are targeting systems that store troves of valuable personal information held in electronic medical records, according to the Websense researchers, who say they’ve observed a 600 percent increase in attacks on hospitals over the past 10 months.
Carl Leonard, senior manager of security research for Websense, says the so-called Heartbleed vulnerability was used in some of the hospital attacks. The bug, whose existence was first revealed to the public in April (two years after it first appeared), is a flaw in a widely used encryption software called OpenSSL. Criminals can exploit the flaw and trick vulnerable computers into revealing information stored in their memory. The Web security firm TrustedSec, citing sources close to the investigation, reports that the hackers who targeted CHS gained access to the network via the Heartbleed vulnerability.
Software vendors released patches immediately after Heartbleed was revealed, but recent research suggests that hundreds of thousands of systems are likely still vulnerable. Though there are many other ways that malware authors can infiltrate networks and steal sensitive information, “the massive number of systems that are susceptible to this vulnerability is unique,” says Websense’s Leonard.
Exacerbating the problem is that data security has not been a top priority for many health-care organizations. The health-care industry spends very little on IT compared to other industries, says John Halamka, chief information officer and dean of technology for Harvard Medical School. “Where do you think you’re going to find the vulnerabilities?” he says.
Whereas individual stolen credit card numbers and Social Security numbers now fetch relatively little in underground identity theft markets, certain personally identifiable information that can be gleaned from health records can be worth hundreds of dollars to uninsured people wanting to pose as someone else to obtain medical care they couldn’t otherwise afford, says Halamka.
Federal authorities and the security firm Mandiant told the U.S. Securities and Exchange Commission that the CHS data theft was carried out by a sophisticated group from China. Though that group has typically been after intellectual property pertaining to medical devices and equipment, this time, according the SEC filing, it stole “nonmedical patient identification data” and no credit card, medical, or clinical information. Yet it is not known what the hackers were seeking.
Geoffrey Hinton tells us why he’s now scared of the tech he helped build
“I have suddenly switched my views on whether these things are going to be more intelligent than us.”
Meet the people who use Notion to plan their whole lives
The workplace tool’s appeal extends far beyond organizing work projects. Many users find it’s just as useful for managing their free time.
Learning to code isn’t enough
Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.
Deep learning pioneer Geoffrey Hinton has quit Google
Hinton will be speaking at EmTech Digital on Wednesday.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.