Hackers Are Homing In on Hospitals

Computer criminals are increasingly capturing valuable information stored on hospital computer networks.

The shift from paper medical records to digital ones brings new security risks.

Cybercriminals are increasingly targeting the computer networks of hospitals; one recently announced theft involved data from 4.5 million people who had received treatment from Community Health Systems (CHS), a company that runs more than 200 hospitals. Malware attacks are on the rise in many industries, but researchers from the security firm Websense say the rate at which attacks on hospitals have grown during the past year is unparalleled.

Data security is often lax within health-care facilities, and hackers are targeting systems that store troves of valuable personal information held in electronic medical records, according to the Websense researchers, who say they’ve observed a 600 percent increase in attacks on hospitals over the past 10 months.

Carl Leonard, senior manager of security research for Websense, says the so-called Heartbleed vulnerability was used in some of the hospital attacks. The bug, whose existence was first revealed to the public in April (two years after it first appeared), is a flaw in widely used encryption software called OpenSSL. Criminals can exploit the flaw and trick vulnerable computers into revealing information stored in their memory. The Web security firm TrustedSec, citing sources close to the investigation, reports that the hackers who targeted CHS gained access to the network via the Heartbleed vulnerability.

Software vendors released patches immediately after Heartbleed was revealed, but recent research suggests that hundreds of thousands of systems are likely still vulnerable. Though there are many other ways that malware authors can infiltrate networks and steal sensitive information, “the massive number of systems that are susceptible to this vulnerability is unique,” says Websense’s Leonard.

Exacerbating the problem is that data security has not been a top priority for many health-care organizations. The health-care industry spends very little on IT compared to other industries, says John Halamka, chief information officer and dean of technology for Harvard Medical School. “Where do you think you’re going to find the vulnerabilities?” he says.

Whereas individual stolen credit card numbers and Social Security numbers now fetch relatively little in underground identity theft markets, certain personally identifiable information that can be gleaned from health records can be worth hundreds of dollars to uninsured people wanting to pose as someone else to obtain medical care they couldn’t otherwise afford, says Halamka.

Federal authorities and the security firm Mandiant told the U.S. Securities and Exchange Commission that the CHS data theft was carried out by a sophisticated group from China. Though that group has typically been after intellectual property pertaining to medical devices and equipment, this time, according to the SEC filing, it stole “nonmedical patient identification data” and no credit card, medical, or clinical information. Yet it is not known what the hackers were seeking.
