Experts: Cyberattacks threaten hospitals

Cyberterrorism strategies are discussed at Northern California Hospital Cyberterrorism Seminar.

Posted August 11, 2010

Hospital computer systems are under attack by hackers seeking to steal information, manipulate records or just cause mayhem — and the cost can be high in cancelled operations, delayed test results, and disrupted patient care.

Just ask Bill Fawns, chief information officer at Kern Medical Center, Bakersfield. In late July, the hospital he works at was hit with a virus attack that crippled computer systems and temporarily forced doctors and nurses to switch back to pencils and paper instead of electronic records.

On Aug. 6, Fawns spoke about the episode at the Northern California Hospital Cyberterrorism Seminar at UC Davis. Some 350 representatives from hospitals and other medical facilities, law enforcement, fire departments and state and federal agencies attended this first-of-its-kind meeting. The audience also heard from FBI and Secret Service agents who have investigated cybercrime and experts in medical informatics and cybersecurity.

Hospitals: Soft targets

"Hospitals are a soft target where a cyber attack can cause a lot of damage quite easily," said Lt. Nader Oweis of the UC Davis Police Department, who organized the meeting along with Special Agent Brian Buckley of the FBI office in Sacramento and Jerry Street, emergency planner for the UC Davis Health System.

The aim of the meeting was to raise awareness of the threat, the organizers said.

"Sometimes it seems something devastating has to happen before people get it," Buckley said. "Well, I don't want to read the news reports afterwards."

"Cyberterrorism and ‘cyberwar’ are concerns the public usually associates with financial or government institutions warding off thieves or state-sponsored espionage," said Claire Pomeroy, vice chancellor of human health sciences, CEO of the UC Davis Health System and dean of the UC Davis School of Medicine, in opening the meeting. "But health care institutions increasingly are the targets of theft or manipulation of data, including patient financial and medical records. Just as concerning is the risk of a cyberattack on a hospital, clinic, or public health department's technology infrastructure that threatens their ability to care for patients or respond to health emergencies."

Pomeroy said that UC Davis has made it a priority to understand where sensitive information is stored, used and accessed, and to keep it secure.

Kern Medical Center's problems began on July 26, when printers throughout the hospital began to print reams of gibberish. By the next morning, there were widespread problems — computers were slow in booting up, refusing to load programs and filling up with pornography. By 3 p.m., the hospital had to return to paper records, Fawns said.

Fortunately, patient care systems were less affected, and Fawns' team was able to bring them back online after about six hours. But cleaning and restoring administrative and other systems took several more days. At the time of the seminar, 10 days after the incident began, administrative systems were about 80 percent restored, he said.

'Down for a year'

FBI Special Agent Eric Brelsford described a similar attack on a Chicago-area hospital in 2006 that affected everything from cancer treatments to prescriptions.

"The hospital was down for a year, essentially," Brelsford said.

The problem was traced to a piece of malicious software, or "malware," that had invaded the hospital's network, probably when a user clicked a link or opened an attachment in an email message. The malware was intended to recruit computers into a network, or "botnet," of computers controlled by hackers.

The FBI traced the malware to a man in Texas, who had created the botnet of up to 38,000 computers and then sold it to a contact in Turkey for $4,000.

Allyn Lynd of the Dallas FBI talked about a 2009 case that came to light because a hospital security guard bragged online about breaking into his hospital's network. He even posted a video of himself doing it, complete with 'Mission Impossible' soundtrack.

That got a laugh from the audience, but it was no laughing matter for the hospital. The hacker had broken into the computers controlling the air conditioning, causing it to fail for hours at a time in temperatures over 100 degrees Fahrenheit.

"Nobody actually got hurt, but there was huge potential for harm," Lynd said. "It's like a drunk driver who only means to drive drunk, but ends up killing someone."

Social security numbers, birth dates

Medical information is also a rich target for thieves. In Indiana, another security guard stole a server full of patient information from a medical insurance underwriter's office and tried to extort funds in exchange for not revealing personal data, reported Emily Odom of the FBI office in Indiana.

"Health care information has the golden combination for hackers — social security numbers and birth dates," said Rick Lichtenfels, Deputy Director of the Department of Homeland Security's Control Systems Security Program.

Peter Yellowlees, professor of psychiatry and director of the graduate program in health informatics at UC Davis, said that the UC Davis Health System is entirely dependent on electronic records, which offers great benefits in patient care. But this information also has to be kept secure.

Since the beginning of 2010, the UC Davis Health System's firewalls have repelled over a million attacks, or 200 an hour, Yellowlees said.

Waves of timed attacks

Greg Hoglund, CEO of HBGary, a computer security firm based in Sacramento, presented a scenario for a cyber attack launched by terrorists against the nation's hospital system.

The software tools described in Hoglund's scenario all exist and are available for sale online, he said. He showed how a hacker could easily harvest information about a hospital's network, such as names and addresses of servers, online.

In Hoglund's scenario, hackers used "phishing" emails to introduce four separate packages of malware into hospital networks. Once planted, these would trigger in sequence a few days apart.

Peter Yellowlees, director of the Health Informatics Graduate Program, addresses the audience at the Northern California Hospital Cyberterrorism Seminar.

The first would infect patient record databases and alter doctors' orders, medication doses and other information, spreading confusion and possibly causing illness and deaths. A few days later, the next program would trigger, interfering with portable devices that nurses use to record patient information.

The third wave would attack the software in intensive care unit monitors, altering the data display and switching off alarms. Some of these monitors run on the same operating system as commercial handheld devices, Hoglund said. The fourth and final wave would infect the software controlling drug infusion pumps and similar devices.

By day 16, the nation's hospitals would be in chaos, said Hoglund, who drew part of his scenario from the collapse of medical systems in New Orleans after Hurricane Katrina.

"This is very real — the bad guys would buy the pieces and just work on them a little bit," he said. "It's amazing someone hasn't pulled this off yet."

Computer control systems such as infusion pumps bring great benefits but they also bring security risks, Lichtenfels said. The next generation of medical devices will include computerized controls, for example in prosthetic limbs. Researchers have already demonstrated that they can interfere with such controls in wireless pacemakers, cars and other products.

"If a doctor can get to it, I guarantee a bad guy can," he said.

There are no borders in cybercrime. Secret Service Agent Richard Latulip gave an overview of the three-year undercover investigation that took down a stolen credit card network. The investigation ranged from San Diego to Eastern Europe, Dubai, Hong Kong and Thailand. Suspects were apprehended and jailed in the U.S. and Turkey.

Undermines confidence

A security breach can cause a company to fold, Latulip said. Credit card processors caught up in the fraud were obligated to reimburse victims' banks, and some went out of business as a result.

Ultimately, the threat to hospitals from cyber attacks may come as much from undermining confidence in the security and privacy of patient information as from direct harm to individuals, Yellowlees said.

"Trust is key in health care, and anything that could break that trust is a big deal," he said.

Attendees and speakers also took part in a breakout tabletop exercise. Participants were given a scenario and discussed responses to exercise questions based on their current policies, plans and procedures and the seminar presentations.

Funding for the seminar was provided by a grant from the Department of Homeland Security, through the FBI's Infragard program, to UC Davis. Catering was sponsored by Kaiser and Catholic Healthcare West hospital preparedness grant funds.