Horror stories: When cybercriminals attack hospitals

With the recent wave of cyberattacks to healthcare systems, let's take time to talk about the consequences from such attacks. Below are some horror stories of cyberattacks to healthcare systems and the ramifications from these attacks.

1. The black market for X-rays. Due to numerous security holes, many hospital devices are not connected to the internet for protection. Beth Israel Deacon took this sensible approach with a computer storing their medical records. However, a serious problem occured when the system was due to a firmware update. The manufacturer sent a technician to do the job, unknowingly the technician conneted the device to the internet to do the update then left for lunch. When he came back the computer, it was so packed was malware that it was no longer functional. It turns out that someone from China had downloaded about 2,000 patient X-rays. Apparently, there is a huge black market for clean X-ray images. Chinese nationals can't get visas to leave the country because they have infectious lung diseases, like tuberculosis. This means, a clean x-ray image is an extremely valuable commodity.

2. Massive Online Traffic Jam. Back in 2014 Boston's Children Hospital was involved in a highly publicized lawsuit involving the psychological treatment of a teenage girl. Unfortunately for the hospital, the hacktivist group, Anonymous, decided to punish the hospital. Anonymous used a Distributed denial of service (DDoS) attack, jamming the hospital's server with so much traffic that they had to be shut down. The attack was so widespread that it affected the entire IP range of Children's, this included Harvard University and all of its hospitals. Overnight, Children's had to outsource the Harvard network to a company to handle the overload.

3.   Faking out the doctors. Doctors at Mass General Hospital were sent an email with instructions to go to the hospital's payroll portal, where they can enter payroll information to collect a bonus. The only problem was the portal was completely fake. Once the doctors entered in their financial information, the hackers used the information to change the direct deposit source to their own banks. The result ended in lots of purchases from Amazon and forcing Mass General Hospital to change how they pay their doctors.

4. The lure of Angry Birds. A nurse at Beth Israel Deaconess was looking for a little harmless fun. She decided to download the Angry Birds game to her Android Phone. Unfortunately, for her the website that she downloaded the game from was from Bulgaria. The site embedded malware into the game. When she used the phone to access her work e-mail, the malware recorded the login credentials and used it to send out a massive spam campaign (over 1 million emails sent) from harvard.edu. It was so bad that Verizon had to block Harvard as a spammer.

5.  Pay up or else.  Ransomware has been on the rise lately and healthcare systems have become prime targets for these type of attacks. As an example, we wrote about the case of Hollywood Presbyterian Center, where hackers held the entire hospital IT system hostage, till they got paid, which the hospital reluctantly did. Considering all the pain points within a healthcare IT system and how undermanned most hospital systems are, expect more of these stories to occur.

About Paubox: Paubox is a provider of seamless encrypted HIPAA compliant email.