The consequences can be catastrophic when cyber criminals blackmail hospitals. Experts are warning hospitals that they're not doing enough to protect their patients' data.
BERLIN — Most of the patients of the Lukas Hospital were unaware that their hospital had fallen victim to a dangerous cyber attack. The hospital, located in the western German city of Neuss, had to deal with an unprecedented and unexpected catastrophe after hackers managed to smuggle a Trojan into the hospital database via an email.
The malware threatened to encrypt all data, which forced the hospital to turn off every single server and computer in its system. The hospital received a clear message from the still-unknown attackers: You will only be given the code to decipher the encryption if you pay a ransom. A real hostage situation — albeit a digital one.
Experts are constantly warning us about the dangers the Internet can pose. And Neuss is not the only hospital to have suffered such a fate, with several other German hospitals reported to be the victims of hacker attacks in the last few weeks. It seems that the immediate crisis management was successful, seeing as there are no indications that sensible data has been taken forcibly.
But these incidents give rise to fear of a particular kind, cyber threats worthy of a science fiction drama: the evil pharmaceutical company that steals patients' data for their own benefit; the faceless criminals that steal data of famous patients to blackmail them for millions; the hackers able to turn respiratory or anaesthetic machines off via remotely controlled programs. "Data protection is not present in many of our hospitals," says Karl Lauterbach, spokesperson for health policies of Germany's Social Democratic party. "It is actually surprising that nothing major has happened yet."
But the hackers are becoming more and more aggressive. Members of the software underworld are designing newer and more complex viruses, Trojans and bugs to be sold on the black market. Even criminals with very little IT experience can utilize these for extortion, data theft and sabotage. Bespoke malware can be purchased for only a few hundred euros — and the damage it causes can reach in the millions.
It did not take extravagant programming skills to attack the centralized computer system of the Lukas Hospital. A simple email and an encryption program attached to it were sufficient. According to information obtained by Die Welt, local law enforcement is working under the assumption that the attack was carried out with the newest version of the TeslaCrypt malware.
Pay in bitcoin
The emails sent usually only contain the date and time in the subject line, which makes it impossible for antivirus software to filter out the "infected" email. If you open the attachment, you unwittingly install a program on your computer that can take down entire systems. After this has been done, the affected party usually receives a ransom demand. If you want to regain access to all your systems and files, you are to make a transfer of a specific amount in bitcoin cryptocurrency.
Such events are increasingly causing alarm at security agencies. On Dec. 23, a cyber attack paralyzed the computer systems of 27 transformer stations in Ukraine, resulting in 700,000 people in 100 cities being left without electricity for hours. The attackers of TV5 Monde did not only take over the French TV channel's website, Facebook and Twitter accounts but also temporarily brought all broadcasting to a complete halt. A year ago, hackers operating in Kazakhstan were reported to have manipulated currency transactions for a few minutes through the "Corkow" Trojan and thereby influenced the ruble exchange rate.
But it is the health system that may be the most vulnerable to such attacks. Connecting the patient electronically in surgery, in hospital and at home is already underway — but the data is not properly protected. Experienced hackers can enter medical equipment in hospitals remotely and carry out sabotage. Even machines that control the medication of ICU patients could be manipulated remotely.
Hospitals assure that they take security very seriously but experts insist that action needs to be taken. "IT is a means to an end in most hospitals," says Thomas Jäschke, director of the Institute for Security and Data Protection in the Healthcare System. German hospitals only invest half of what other industries spend in their IT security: only 3.7 billion euros in 2015, according to U.S. market research institute Gartner.
But manufacturers of medical equipment are also responsible for the lapses in security. Anaesthetic and X-ray machines often do not even include the simplest of security measures, such as passwords.
Now the German government wants to introduce a new law to combat this, obliging operators of critical structures such as energy suppliers and hospitals to report cyber attacks and to guarantee a minimum in IT security.
Meanwhile, the Lukas Hospital in Neuss has managed to eradicate the latest virus and is slowly rebooting its systems without having had to pay the ransom. But the disease of cyber crime is bound to return.