Murder by Mouseclick: Hackers Targeting Hospitals Aren't Just the Stuff of Horror Novels

Israel, the U.S. and Britain have already been hit, and the health industry is woefully unprepared

Tel Aviv's Assuta Hospital. Moti Milrod

The automated pump system at the Phoenix, Arizona hospital, which shows the dosage of medicine being intravenously administered to the patient, showed that all was well. In practice, though, the patient had been massively overdosed. In another case, a CPR machine shocked a patient to death, though its monitor showed nothing.

Happily, none of that is real. Both incidents were simulated, with real “patients” whose systems were “hacked.” The “hackers” were cyber-security experts working at the behest of a congressional committee that ordered them to simulate hacker attacks on hospital equipment. The simulation this June in Phoenix was the first of its kind.

Why did the committee order such a thing? Because real attacks like that have already happened, in the United States, Britain and Israel. No lives have been lost yet, but the industry is woefully unprepared. What the simulation proved is that hackers can easily kill with the click of a mouse.

“This simulation showed that it is possible to afflict human life on cyber,” says Yishai Wertheimer, head of data security at the accounting firm of KPMG Somekh Chaikin, and a 20-year veteran in the cyber world. “We are increasingly relying on computerized systems, and we believe them,” he adds.

The biggest known attack on hospitals so far happened in the U.K. on May 12 this year. No fewer than 65 hospitals, 20% of all hospitals in the country, were paralyzed by a global cyberattack, one of the largest and worst in the history of data security. A malicious virus tore through the internet, hitting business and government institutions in about 100 countries. The purpose: a ransom, payable in Bitcoin crypto-currency, in exchange for fixing the network paralysis.

The virus, a ransomware aptly called WannaCry, was sent via e-mail. Opening the message caused the virus to spread rapidly, paralyzing the organization’s computer network.

Ironically, WannaCry was based on software developed by the U.S. National Security Agency, called Eternal Blue, which leaked to the internet in April and was turned into an effective tool for hackers.

U.K. hit hardest

The worst damage it did was to the British health system. Shortly after the attack began, workers posted pictures of locked computer monitors, on which appeared a demand for payment of $300 via Bitcoin in exchange for lifting the lock.

New patient admission systems and patient screening collapsed, as did the emergency phone line. Treatments were canceled, urgent surgery postponed, medical teams were unable to connect computer systems, emergency rooms were unable to function. Some patients had to be moved to other hospitals in the area. Britain’s National Health Service advised the sick to go to hospital only in case of a life-threatening event. Doctors complained on social networks of being helpless.

Afterwards, the British government allocated £50 million ($65 million) to improving data security in the national health system. But the truth is that the NHS had ignored repeated warnings by security experts over the past year that the security systems protecting their computers and medical equipment were obsolete and vulnerable to cyberattack.

There was a precedent. In early 2016, a private hospital in Hollywood, Los Angeles, paid $17,000 in ransom by Bitcoin to a single hacker who disabled its systems. More recently, on June 27, a month and a half after the WannaCry debacle, a medical center in Pennsylvania run by Heritage Valley Health Systems confirmed that at least one surgery had been canceled due to hacking.

On June 29, Israel joined the statistics: A cyberattack hit four hospitals in the north: Rambam in Haifa, Poriya in Tiberias, Haemek in Afula and Ziv in Safed. About 50 computers were affected. The attack was deflected by the computer department at the Health Ministry in collaboration with the National Cyber Authority.

These attacks targeted the administrative systems, not the medical equipment. But that could change.

“The medical sector is one of the most exposed and vulnerable to attack,” says Wertheimer. “First of all, the hospitals significantly rely on computerized records. Secondly, on average, the medical systems are obsolete, so it is relatively difficult to maintain them.”

Thirdly, the global medical system is perennially short of resources and has to prioritize. In the U.S., many hospitals don’t even have a data systems manager, says Wertheimer. Data in the medical world is weakly protected and the security breaches there are just waiting to be exploited.

In the case of hospitals, proper data security demands especially heavy investment, Wertheimer explains. It costs even more than protecting, say, a bank, because of the sheer complexity of the system, especially since much of it consists of old equipment plus maintenance.

Banks care deeply about customers feeling that their money is safe, so they’ll invest what it takes in data security, he continues. (And they have the money.)

“But a hospital has other goals: to save lives and give medical care, so this issue is not a top priority,” he notes. “In fact, around the world, the state of data security in hospitals is determined by the strength of regulation, because the hospital has no economic interest in protecting the computer systems, so it depends on the regulator.”

He points out that the attack that disabled the U.K. hospitals hadn’t targeted them specifically, “which just goes to show how bad the impact of a targeted attack could be,” Wertheimer says. “If a hospital has to close its ER for two days, patients are rerouted to a hospital that is functioning. But if they manage to paralyze hospitals throughout a region, people may get hurt.”

Attacks on medical records, usually for ransom, may involve stealing user information databases, including credit card and bank account details. Hackers can get a lot of money selling medical records – tens of dollars per record. For comparison, credit card records alone can only be sold for a few dollars each.

Even if the hacker isn’t paid off, the financial damage can be immense because of the expense of handling the incident: You have to report to each person that his information has leaked, investigate the attack, hire lawyers and more.

Hacking into medical equipment is a whole other story. Hacking here can kill, and the motive could be something different too: to terrorize for political reasons.

Muscles flexed

“There have been attacks where the attackers flexed their muscles – like the Russian hackers’ attack that disabled a Ukrainian power station, after the invasion of Crimea, for a few days. Half the city was in the dark for days. To date there haven’t been attacks of this type on hospitals. Maybe that’s because attacking medical systems is perceived as a D-day weapon, something terrorist organizations are afraid to do, but willing to carry out on the day of order.”

But Wertheimer stresses that the concern is about something that hasn’t happened yet. How likely is it to happen? Who knows. Until now terror organizations opted for headlines by hacking the likes of Sony, telecoms companies, governments, banks, credit card companies, but not hospitals.

In fact, the whole cyber world is in an explosive spot. The Americans, for one, have already announced that for them, a cyber-attack is grounds for returning fire, he says. Yet a terror organization could decide to try for a showcase assault by targeting medical equipment. Key to deflecting an attack like that is speed of detection and response, Wertheimer says.

Ironically, perhaps, the safest place in massive cyber-attacks is the Third World, where many hospitals don’t have computer systems in the first place.

There are plenty of entities motivated to attack Israel; the question is their ability, Wertheimer says. Of course they can outsource. So while American hospitals may be worrying about protecting their medical records (and patient confidentiality) while leaving the worry about equipment for another day, Israel hasn’t got that luxury. The Health Ministry is on the case: It set standards for data security in the health care system. Inevitably, there are holes in the system, but the awareness is there.