Hospital records hacked hard

Thousands of patients exposed


A sophisticated hacker took command of large portions of the University of Washington Medical Centre's internal network earlier this year and downloaded computerized admissions records for four thousand heart patients, SecurityFocus has learned.

The intrusions began in June, and continued until at least mid-July, before network administrators at the Seattle teaching hospital detected the hacker and cut him off. The medical centre was reportedly unaware that patient records were downloaded, and elected not to notify law enforcement agencies of the intrusions.

"It's a story of great incompetence," said the hacker, a 25-year-old Dutch man who calls himself 'Kane'. "All the data taken from these computers was taken over the Internet. All the machines were exposed without any firewalls of any kind."

SecurityFocus reviewed portions of the databases the hacker downloaded. One file catalogues the names, addresses, birth dates, Social Security numbers, heights and weights of over four thousand cardiology patients, along with each medical procedure they underwent. Another file provides similar information on seven hundred physical rehabilitation patients. A third file chronicles every admission, discharge and transfer within the hospital during a five-month period.

"I can say we're investigating an incident," said hospital spokesperson Walter Neary. "We are taking it very seriously."

In a telephone interview, Kane said he did not tamper with any hospital data, and described his forays into the hospital's network as a renegade public service aimed at exposing the poor security surrounding medical information.

Kane, a self-described computer security consultant by trade, said his illicit investigation was inspired by a conversation with a colleague, in which they wondered aloud about how well highly sensitive computers were protected. "The conversation came around to medical data, which is sensitive indeed, and I thought I'd have a look around," said Kane.

The hacker said his quest also led him to crack a university medical centre in New York, and one in Holland, but neither of those penetrations gave him significant access.

David Dittrich, a well-known security guru and a senior security engineer at the University of Washington, helped the hospital's computer staff evaluate the incident at the time. Dittrich agreed that the intruder's motives appeared to differ from those of the common cyber vandals and Web taggers he confronts daily.

"There are much less frequent intrusions where they will be very up-front about what they know, to try and scare people into doing something about the problem," said Dittrich. "This particular incident was more along those lines."

The incident highlights the unique vulnerability of university hospitals, which tend to adopt the generally relaxed security posture of academia. "Private hospitals in general don't have an Internet presence, except for a Web page," says Kane. "But universities are traditionally insecure, and they use the same methodologies for their medical centres."

A University of Washington Medical Centre IT worker, speaking on condition of anonymity, agreed with the hacker's evaluation, and said there continues to be little support within the centre and the university for erecting firewalls between the hospital and the Internet -- even after the intrusions.

The worker said that with more effort, an intruder could have gained access to even more sensitive data. Although the hospital deployed personal firewalls after the incident, the worker painted a bleak picture of the hospital's state of network security. "I'm confident that it hasn't happened since then," said the worker. "But that it couldn't happen again? No."

Dittrich acknowledged that the university, including the medical centre, has no perimeter firewall, but added that he didn't believe a firewall would fix the problem. The sheer size and complexity of the medical centre, and the rapid rate at which it embraces new technology, makes it vulnerable. "You can get to a point where you're almost too big to survive," Dittrich said.

The hacker gained initial access through a Linux system in the hospital's pathology department. That system was running the client side of a remote administration tool called VNS, which allowed him access to a Windows NT box. From there he exploited file shares and remote administration relationships and used Trojan horses to expand his access throughout the network.

According to Kane, some of the backdoors installed in the network remained in place, undetected, until September -- long after administrators thought they had evicted him. "If I've been in over this period of time, how many other people have done it?" asked the hacker.

The University of Washington Medical Centre was ranked thirteenth in the nation by US News & World Report's annual list of America's finest hospitals.

© 2000 SecurityFocus.com. All rights reserved.
