Malware attacks Georgia Hospital, have we learnt the lesson?

The medical industry has historically been one of the sectors that has benefited most from the introduction of technology. Devices make ever more complex operations possible every day for millions of patients and for medical equipment, from health-condition monitoring to remote surgery. Information systems manage massive amounts of sensitive information, making it available to medical staff and users through computer networks of various kinds. The introduction of mobile devices has finally been received with great enthusiasm … patient data is always at hand, and with it the opportunity to interact for any need, from booking an examination to querying a medical record.

But what is the downside? Such a robust boost in technology has not been matched by the same effort on the security side. The most frequently used applications in this area are vulnerable to every kind of attack. Full exposure to attacks of various kinds is on the agenda. We observe a complete lack of awareness of how critical a cyber attack can be for medical structures. No matter whether the weapon used is a virus or a DDoS attack, and whether the event is an intentional attack or an accident linked to human distraction, the result could be catastrophic, and there are lives at stake. Systems and technologies in health care should be protected like military ones. It should be unthinkable to walk into a hospital, connect an external device to the main network and operate undisturbed. Yet this is a common scenario in many Italian structures.

Consider also that recent incidents, including the hacking of Sony’s PlayStation Network and the RSA security breach, have demonstrated that even well-protected networks are vulnerable to external attacks of ever-increasing sophistication. To give an idea of the phenomenon, let us analyze official data on incidents: in the last two years alone, the personal medical information of over 7.8 million people has been exposed, and in one striking case 1.7 million records were stolen from an unlocked van belonging to a records management company.

Although the Health Insurance Portability and Accountability Act (HIPAA) requires by law that medical information be kept private, during ordinary operations this data is handled in the clear, which requires every precaution to ensure that the information we come across is kept secure.

Some simple rules to follow to ensure minimum security requirements:

  • encrypting any files that might contain sensitive information
  • accessing databases and servers over secure connections (for example, using a VPN)
  • extracting and locally storing only strictly anonymized data
  • ensuring the physical security of your computer and access to critical departments
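An added example (not from the original article) of the third rule: before an extract is stored locally, direct identifiers are dropped, quasi-identifiers are coarsened, and any row whose quasi-identifier combination is shared by fewer than k rows is suppressed. The column names, the sample rows and the reference date are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample extract; every field name and value is invented.
SAMPLE_CSV = """patient_id,name,ssn,birth_date,zip,diagnosis
1001,Ann Lee,000-00-0001,1975-03-14,30046,asthma
1002,Bob Ray,000-00-0002,1978-11-02,30045,diabetes
1003,Cy Dole,000-00-0003,1972-07-21,30044,asthma
1004,Di Vance,000-00-0004,1951-01-30,30518,hypertension
"""

def generalize(row, today):
    """Build the output row from an allow-list, so a new identifying
    column added upstream is dropped by default rather than leaked."""
    born = date.fromisoformat(row["birth_date"])
    had_birthday = (today.month, today.day) >= (born.month, born.day)
    age = today.year - born.year - (0 if had_birthday else 1)
    decade = age // 10 * 10
    return {
        "age_band": f"{decade}-{decade + 9}",  # exact birth date removed
        "zip3": row["zip"][:3],                # postal code coarsened
        "diagnosis": row["diagnosis"],
    }

def anonymize_extract(csv_text, k=2, today=date(2012, 1, 1)):
    """Return generalized rows, suppressing any row whose
    (age_band, zip3) combination occurs fewer than k times."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = [generalize(r, today) for r in reader]
    groups = Counter((r["age_band"], r["zip3"]) for r in rows)
    return [r for r in rows if groups[(r["age_band"], r["zip3"])] >= k]

if __name__ == "__main__":
    for row in anonymize_extract(SAMPLE_CSV):
        print(row)
```

Grouping on two quasi-identifiers is a minimum check: a group whose rows all share the same diagnosis still reveals it for everyone in that group.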

Database exposed, patient information at risk of theft. In an extreme simplification we can summarize the types of incidents, classifying them by the injured party:

  • attacks on, or incidents affecting, information systems that expose patients' sensitive information
  • attacks on computers, control systems and other medical equipment

Both occurrences are extremely dangerous. The disclosure of sensitive information could jeopardize an individual's life and his relationship with society. Knowledge of a disease could be used for various ignoble purposes and might lead to discrimination against individuals.

Damage, accidental or intentional, to information systems and control systems could pose a serious risk to the lives of patients. For example, the failure of the medical gas control system inside a structure could cause the death of patients undergoing surgery.
Similar incidents may be conducted as real military actions to undermine the enemy's defense and rescue systems.
We could discuss these scenarios for hours, illustrating the potential effects of incidents such as those mentioned, but what really matters for our discussion is to consider this sector critical in cyber defense strategies. We must not only consider medical structures as critical infrastructure to protect; we must also exercise control and implement effective security measures. Personnel should be sufficiently prepared, and new figures prepared to deal with cyber threats are indispensable inside the structures. The costs of training will certainly be offset by the limitation of losses in case of an incident.

It is news of the day that malware in a Georgia hospital’s computer system has forced it to turn away patients, highlighting the problems and vulnerabilities of computerized systems and confirming all our worries. The malware infection hit the Gwinnett Medical Center last Wednesday, knocking out the main information system, with obvious repercussions on the work of the hospital's departments, which were soon rendered inoperative. Fortunately the hospital was out of control for just one day, but it still isn’t in the clear, since the source of the outbreak isn’t known and the malware hasn’t been identified.

The problem was caused by a worm infection, which would have spread rapidly across the internal network, and it may have been caused by something as simple as a USB drive brought into the facility by an employee.
The case discussed is not the first!

But as hackers continually penetrate computer systems in critical infrastructure like power facilities, water plants and government contractors, hospitals may also be vulnerable points of attack.

In the current situation, hospitals are included among the structures considered critical in each national cyber defence plan; however, there is still too much to do. Unprepared and vulnerable structures and untrained personnel are a common denominator for the healthcare sector. Hospitals are considered a soft target where a cyber attack can easily cause a lot of damage. The attack can be carried out silently, with devastating consequences.

The message is clear: let’s hurry before it’s too late, before we have to mourn human lives, the victims of our negligence.

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
