Healthcare News & Insights

Lessons from 3 big cybersecurity disasters at hospitals

You don’t want your hospital’s protected health information (PHI) to fall into attackers’ hands, and the risks are everywhere. Your facility must do everything in its power to prevent that.

An article from IEEE Spectrum, an engineering and applied science magazine, laid out some of the biggest cybersecurity threats hospitals have faced recently, and how your facility can fight back.

Here are three recent cases, along with the lessons they can teach your hospital.

Older systems

Some hospitals still run older, unsupported operating systems on certain computers. To limit the risk, they keep that equipment off their networks so it cannot reach the Internet.

Boston’s Beth Israel Deaconess did this with one of its machines, but ran into trouble when the computer needed a firmware update. The technician sent to do the job connected the computer to the Internet to download the update, undoing the isolation.

Within a short time, multiple malicious programs had been downloaded onto the machine, rendering it unusable. Through them, attackers reached the data stored on the computer: a machine in China downloaded 2,000 patient X-rays to be sold on the black market.

Lesson learned: Keep every computer on a current, supported operating system with up-to-date anti-malware protection. Where a device must stay on an old operating system, isolation only works if it is enforced: bring updates in on checked removable media or through a segmented network that blocks general Internet access, never by plugging the machine into the open network for a few minutes.

Fake websites

Hackers often trick staff into handing over access to sensitive financial information. One scheme that hit Massachusetts General dangled bonuses for doctors. The scammers built a fake copy of the hospital’s real payroll portal that looked entirely authentic; the only difference was a few letters in the Web address.

Doctors received an email asking them to log into the fake payroll portal to authorize a bonus payment. Many did. They entered their credentials to collect the money, and the hackers collected the credentials instead. They used them to log into the hospital’s real payroll portal and reroute the doctors’ direct-deposit paychecks to a different account, then bought Amazon gift cards with the money.

While this scheme targeted providers’ bank accounts, the same tactics work just as well for harvesting electronic health record (EHR) system user names and passwords.

Lesson learned: Remind staff to check the address bar before entering credentials, and to reach payroll and EHR portals through bookmarks or the intranet rather than links in email. Add a second authentication factor before providers can log into payroll or EHR systems, particularly offsite. A security question alone adds little, because a phishing page can simply ask for it too. Confirm any change to direct-deposit details with the employee out of band.
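The “few letters in the Web address” are hard for a busy clinician to spot, but easy for software to spot. The following is an added example, not code from the article or from the IEEE Spectrum piece it cites, of a lookalike-domain check that a mail gateway or link-scanning tool could apply to login links. It catches digit-for-letter swaps, single-character near misses, the real name buried as a subdomain of an attacker’s domain, and the `user@host` trick. All hostnames are hypothetical placeholders; no hospital’s real portal address appears here.

```python
"""Lookalike login-link check.

Added example, not from the article or the IEEE Spectrum piece it cites.
Every hostname here is a made-up placeholder; the real portal address of
any hospital is an assumption this script does not know.
"""
import re
from urllib.parse import urlsplit

# Assumed genuine portal host (placeholder, not a real hospital domain).
TRUSTED_HOSTS = {"payroll.example-hospital.org"}

# Digits that pass for letters in many fonts, and letter pairs that
# read as a single letter at a glance.
DIGIT_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
PAIR_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def normalize(host: str) -> str:
    """Lower-case a host and collapse common homoglyphs so look-alikes compare equal."""
    host = host.lower().rstrip(".").translate(DIGIT_HOMOGLYPHS)
    for pair, single in PAIR_HOMOGLYPHS:
        host = host.replace(pair, single)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED_HOSTS, max_distance: int = 2) -> str:
    """Say whether a login link points at a trusted host or at a look-alike."""
    # urlsplit().hostname is lower-cased and, for "https://real-name@evil",
    # is the part after the '@', which is where the browser actually goes.
    host = urlsplit(url).hostname or ""
    if not host:
        return "no host"
    if host in trusted:
        return "trusted"
    norm = normalize(host)
    for real in trusted:
        real_norm = normalize(real)
        if norm == real_norm:
            return f"lookalike (homoglyph of {real})"
        if edit_distance(norm, real_norm) <= max_distance:
            return f"lookalike (near miss of {real})"
        # Real name used as a subdomain, or with dots swapped for dashes,
        # in front of an attacker-controlled domain.
        if norm.startswith(real_norm + ".") or norm.startswith(real_norm.replace(".", "-")):
            return f"lookalike (embedded {real})"
    return "unknown host"


def scan_text(text: str) -> list:
    """Classify every http(s) link found in a block of text, e.g. an email body."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


# Constructed sample email, shaped like the bonus lure described above.
SAMPLE_EMAIL = """\
Subject: Q4 bonus authorization required

Dr. Example, please log in at https://payrol1.example-hospital.org/bonus
before Friday to authorize your bonus payment. (Legitimate portal for
reference: https://payroll.example-hospital.org/login)
"""

if __name__ == "__main__":
    for url, verdict in scan_text(SAMPLE_EMAIL):
        print(f"{verdict:55} {url}")
```

The trusted set would normally be populated from the hospital’s own inventory of login portals; the distance threshold of 2 is a starting point and should be tuned against the organisation’s real mail so that legitimate sibling hosts are allowlisted rather than flagged.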

Malware on mobile devices

Cyber criminals don’t just target computers. They also plant malware on mobile devices in the hope of stealing the credentials used to reach secure accounts.

A nurse downloaded the Angry Birds game to her Android smartphone to pass the time off duty. Rather than get the app from an official store such as Google’s or Amazon’s, she used a Bulgarian site, and the copy she installed carried malicious software.

Later, she used the phone to check her work email account. The malware captured her credentials and transmitted them to email spammers, who then used her account to send 1 million spam messages.

No PHI was stolen, but had she ever discussed patients in work emails to colleagues, the hospital she worked for could have faced a HIPAA breach.

Lesson learned: Tell staff to be cautious when using personal devices to access email and other hospital systems (including EHRs), and not to install apps from unofficial sources, games included. A trojanized app can capture the credentials that guard hospital networks and PHI.
