Hackers Are Homing In on Hospitals

Computer criminals are increasingly capturing valuable information stored on hospital computer networks.
September 2, 2014

Cybercriminals are increasingly targeting the computer networks of hospitals—one recently announced theft involved data from 4.5 million people who had received treatment from Community Health Systems (CHS), a company that runs more than 200 hospitals. Malware attacks are on the rise in many industries, but researchers from the security firm Websense say the rate at which attacks on hospitals have grown during the past year is unparalleled.

Data security is often lax within health-care facilities, and hackers are targeting systems that store troves of valuable personal information held in electronic medical records, according to the Websense researchers, who say they’ve observed a 600 percent increase in attacks on hospitals over the past 10 months.

Carl Leonard, senior manager of security research for Websense, says the so-called Heartbleed vulnerability was used in some of the hospital attacks. The bug, whose existence was first revealed to the public in April (two years after it first appeared), is a flaw in OpenSSL, a widely used encryption software library. Criminals can exploit the flaw and trick vulnerable computers into revealing information stored in their memory. The Web security firm TrustedSec, citing sources close to the investigation, reports that the hackers who targeted CHS gained access to the network via the Heartbleed vulnerability.

Software vendors released patches immediately after Heartbleed was revealed, but recent research suggests that hundreds of thousands of systems are likely still vulnerable. Though there are many other ways that malware authors can infiltrate networks and steal sensitive information, “the massive number of systems that are susceptible to this vulnerability is unique,” says Websense’s Leonard.

Exacerbating the problem is that data security has not been a top priority for many health-care organizations. The health-care industry spends very little on IT compared to other industries, says John Halamka, chief information officer and dean of technology for Harvard Medical School. “Where do you think you’re going to find the vulnerabilities?” he says.

Whereas individual stolen credit card numbers and Social Security numbers now fetch relatively little in underground identity theft markets, certain personally identifiable information that can be gleaned from health records can be worth hundreds of dollars to uninsured people wanting to pose as someone else to obtain medical care they couldn’t otherwise afford, says Halamka.

Federal authorities and the security firm Mandiant told the U.S. Securities and Exchange Commission that the CHS data theft was carried out by a sophisticated group from China. Though that group has typically been after intellectual property pertaining to medical devices and equipment, this time, according to the SEC filing, it stole “nonmedical patient identification data” and no credit card, medical, or clinical information. Yet it is not known what the hackers were seeking.
