Last Tuesday, the security of a hospital in Los Angeles, CA was compromised when ransom-seeking cyber criminals reportedly infected the facility’s computer system with malicious software (otherwise known as malware). The alleged criminals chose malware that is specifically used for cybercrimes involving holding data for ransom—appropriately named ransomware. Using USB drives, the criminals were able to “trick” the medical staff into installing the ransomware on the hospital’s computers. Upon installation, all of the hospital’s data was “locked” with encryption. The criminals then demanded a 9,000 bitcoin ransom, equating to about $3.6 million.
While this incident was a wake-up call for healthcare security, it was also relatively and thankfully benign. Using other malware, cybercriminals are capable of not only locking hospital data, but also using it to cause harm to hospital staff and patients. According to a SOPHOS security article, cybercriminals could potentially use malware to conduct attacks on the following:
- Medical records. Removing somebody’s allergy to penicillin, for example, could injure them if a doctor administers the antibiotic.
- Work orders. For example, altering an instruction to deliver morphine to Patient A instead of Patient B could have catastrophic consequences.
- Hospitals are vulnerable to malicious actors losing or destroying medicine, altering inventory so a healthcare worker administers the wrong medication, or sending the wrong medicine to the wrong patient.
- Orders are vulnerable to being altered, which could result, for example, in the wrong leg being amputated or organs being removed from the wrong patient. Surgery schedules can be altered. Medical records can be changed so that the wrong blood type is transfused into a patient, X-rays are switched, or an anesthesiologist gets the wrong weight, height or age for a patient.
- Blood, organs and other biological material. Attack surfaces include the climate control systems necessary for storage of these crucial materials.
Though the attack this past Tuesday was less harmful and more of a costly annoyance, the next cyberattack on a hospital might not be so forgiving. However, a helpful outcome was that this incident has created a national discussion of cyber threats facing healthcare.
Read more here: https://nakedsecurity.sophos.com/2016/02/26/hospitals-vulnerable-to-cyber-attacks-on-just-about-everything/