Seattle Hospital hacked; private files taken


Hospital hacked; private files taken

SecurityFocus: Records expose medical history of thousands

By Bob Sullivan
MSNBC

Dec. 6 — A computer intruder broke into a Seattle-area hospital and downloaded thousands of private medical records earlier this year, according to security news Web site SecurityFocus.com. The break-in of University of Washington Medical Center computers occurred this summer, according to SecurityFocus. Among the records viewed: the name, address and Social Security number of over 4,000 cardiology patients, along with each medical procedure the patient underwent. Hospital officials are disputing the story.

SECURITYFOCUS EDITORIAL DIRECTOR Kevin Poulsen — the author of Wednesday’s story — said the computer criminal shared a series of stolen hospital records with him over the past few days.

Along with the cardiology records, Poulsen said the intruder was also able to pilfer information on 700 physical rehabilitation patients. A third file displayed every admission, discharge and transfer within the hospital during a five-month period.

Walter Neary, a spokesperson for the hospital, said he wasn’t sure Poulsen’s story was accurate. “The allegation we’re hearing about is not consistent with any known hacker attack we’re aware of,” he said. “If he’s seen any evidence of a very serious federal crime, that belongs in the hands of the FBI.” Neary added that the hospital is under computer attack constantly, and there was a break-in this summer, but hospital technicians believe “no patient records were involved.”

Poulsen said the hacker, known as “Kane,” tried to break into a string of hospitals this summer and also managed to crack a university medical center in New York and another in Holland. But neither of those systems allowed access to personal records.

But at the University of Washington Medical Center, the attacker managed to download a wide range of files containing personal health information, according to Poulsen. “Kane” only had access to administrative information, Poulsen said — he did not have access to “clinical” records, which are used by doctors to make medical decisions.

Poulsen said his research for the story revealed that university hospitals — which are often connected to notoriously open university computer systems — are at greater risk to attack.

http://seattlep-i.nwsource.com/cgi-bin/redirect.cgi?url=http://www.msnbc.com/news/499856.asp?0cm=c30

-- Martin Thompson (mthom1927@aol.com), December 06, 2000

Answers

Hospital Records Hacked

Hacker easily penetrates hospital net, pilfers thousands of patient records.

By Kevin Poulsen
December 6, 2000 3:54 PM PT

A sophisticated hacker took command of large portions of the University of Washington Medical Center's internal network earlier this year, and downloaded computerized admissions records for four thousand heart patients, SecurityFocus.com has learned.

The intrusions began in June, and continued until at least mid-July, before network administrators at the Seattle teaching hospital detected the hacker and cut him off. The medical center was purportedly unaware that patient records were downloaded, and elected not to notify law enforcement agencies of the intrusions.

"It's a story of great incompetence," said the hacker, a 25-year-old Dutch man who calls himself "Kane." "All the data taken from these computers was taken over the Internet. All the machines were exposed without any firewalls of any kind."

SecurityFocus.com reviewed portions of the databases the hacker downloaded. One of the files catalogs the name, address, birth date, social security number, height and weight of over four thousand cardiology patients, along with each medical procedure they underwent. Another file provides similar information on seven hundred physical rehabilitation patients. A third file chronicles every admission, discharge and transfer within the hospital during a five-month period.

"I can say we're investigating an incident," said hospital spokesperson Walter Neary. "We are taking it very seriously."

In a telephone interview, Kane said he did not tamper with any hospital data, and described his forays into the hospital's network as a renegade public service aimed at exposing the poor security surrounding medical information. A self-described computer security consultant by trade, the hacker's illicit investigation was inspired by a conversation with a colleague, in which they wondered aloud about how well highly sensitive computers were protected. "The conversation came around to medical data, which is sensitive indeed, and I thought I'd have a look around," said Kane.

The hacker said his quest also led him to crack a university medical center in New York, and one in Holland, but that neither of those penetrations gave him significant access.

Dave Dittrich, a well-known security guru and a senior security engineer at the University of Washington, helped the hospital's computer staff evaluate the incident at the time. Dittrich agreed that the intruder's motives appeared to differ from those of the common cyber vandals and web taggers he confronts daily.

"There are much less frequent intrusions where they will be very up front about what they know, to try and scare people into doing something about the problem," said Dittrich. "This particular incident was more along those lines."

Research Hospitals at Risk

The incident highlights the unique vulnerability of university hospitals, which tend to adopt the relaxed security posture of academia. "Private hospitals in general don't have an Internet presence, except for a web page," says Kane. "But universities are traditionally insecure, and they use the same methodologies for their medical centers."

A University of Washington Medical Center IT worker, speaking on condition of anonymity, agreed with the hacker's evaluation, and said there continues to be little support within the center and the university for erecting firewalls between the hospital and the Internet--even after the intrusions.

The worker said that with more effort, the intruder could have gained access to even more sensitive data. Although the hospital deployed personal firewalls after the incident, the worker painted a bleak picture of the hospital's state of network security. "I'm confident that it hasn't happened since then," said the worker. "But that it couldn't happen again? No."

Entered through Pathology

Dittrich acknowledged that the university, including the medical center, has no perimeter firewall--but added that he didn't believe a firewall would fix the problem. The sheer size and complexity of the medical center, and the rapid rate at which it embraces new technology, make it vulnerable. "You can get to a point where you're almost too big to survive," Dittrich said.

The hacker gained initial access through a Linux system in the hospital's pathology department. That system was running the client side of a remote administration tool called VNS, which allowed him access to a Windows NT box. From there he exploited file shares and remote administration relationships, and used trojan horses, to expand his access throughout the network.

According to Kane, some of the backdoors he installed in the network remained in place, undetected, until September--long after administrators thought they had evicted him. "If I've been in over this period of time, how many other people have done it?" asked the hacker.

The University of Washington Medical Center was ranked thirteenth in the nation in U.S. News & World Report's annual list of America's best hospitals.

http://seattlep-i.nwsource.com/

-- Martin Thompson (mthom1927@aol.com), December 06, 2000.

