Pittsburgh Hospital Hit by Attack as Malware Strength Grows

Enterprise attacks happen constantly. Anytime, anywhere, a malicious incursion can hit, and its impact can wreak havoc on a business. Unfortunately, attackers spare nobody in their intrusions. Therefore, it’s not just big businesses that can fall into the crosshairs of cyber criminals, but also public services like hospitals.

A recent attack on a large university-connected hospital has called attention to an increasing trend among hackers to target healthcare providers due to their lack of enterprise security.

More broadly, the hospital attack points to the increasingly vicious criminality among hackers, and the close connection between cybercrime and organized crime. Fortunately, there is a solution to dealing with the insidious nature of such attacks. The answer lies in better business security.

University of Pittsburgh Medical Center Falls Victim to Breach

According to TweakTown, the University of Pittsburgh Medical Center has become the latest university-connected victim of a data theft, with an attack that ended up compromising information of 27,000 employees. The intrusion has left the UPMC scrambling to regain control of its internal infrastructure, and hoping that its employees remain safe.

A statement from UPMC spokesperson Gloria Kreps said that, “We want to assure our patients that no patient information was breached. We are continuing to work with the IRS, Secret Service and FBI to determine the source of the breach.”

The past few months have been marred by a series of similar incursions on educational institutions. In March, we reported that universities in North Dakota and Oklahoma had fallen victim to attacks aimed at extracting student information that could potentially be used to breach bank accounts.

More recently, an attack against Iowa State was carried out that resulted in Social Security information being compromised for 49,000 current and previous students.

Attacks such as these should place universities on high alert, particularly because if student or patient files is compromised, it can not only lead to monetary or information thefts, but also a significant loss of public trust toward the breached educational institution. Maintaining trust, therefore, is another reason why universities must remain vigilant in implementing enterprise security safeguarding measures that keep the bad guys out.

And as a recent article pointed out, hospitals — and medical devices in particular — stand at a huge risk of being hacked.

Report: Medical Devices Present Breach Platform For Hackers

According to boingboing, the ease with which cybercriminals can invade a hospital system is in large part due to the lack of security among various medical devices. This finding was gleaned through research conducted on things like defibrillators, insulin pumps and MRIs.

What researchers found was a gaping security hole in these devices due in part to a major but fixable problem: easy passwords. Far from having the identity-guarding wall one would expect of sophisticated medical machinery, these devices tended to have easily breachable passwords, and backup imaging from the devices was found to have no password at all, meaning that highly private patient information like X-ray results was being stored in a basically transparent platform.

The host of potential consequences that can arise from weakly guarded medical mechanisms are wide-reaching and severe. A hacker who breaks into a defibrillator, for instance, can then commandeer control and administer or withhold electric shocks at their leisure. This is certainly a scary prospect, but hospitals can perform a relatively easy fix by making sure all information-generating devices are regulated by strict security measures.

Hacker Connection to Organized Crime Increases Need for Security Even More

In addition to the risks posed by their own vulnerabilities, university-connected hospitals may very well find themselves dealing with a more powerful criminal hacking infrastructure. According to DARKReading, a recent series of attacks were carried out by an organized crime group against a series of U.S. enterprises.

The attacks netted monetary returns ranging from $50,000 to $1 million.

With the recent surge of attacks against university organizations, who’s to say this crime group — wherever it is — won’t next direct its attention to a U.S. hospital. It is easy to imagine a situation, for instance, where a cybercriminal breaks into a hospital system and proceeds to hold highly privileged patient information for ransom.

Hospitals and other university organizations must make every effort to prevent such incursions. This includes securing medical devices with device certificates to authenticate the identity of that device to prevent unauthorized access or malicious control. Device certificates may often be maintained and managed by a proven certificate management solution.


Entrust provides identity-based security solutions that empower enterprises, consumers, citizens and websites in more than 5,000 organizations spanning 85 countries. Entrust's identity-based approach offers the right balance between affordability, expertise and service. With more than 125 patents granted and pending, these world-class solutions include strong authentication, physical and logical access, credentialing, mobile security, fraud detection, digital certificates, SSL and PKI.

1 Comment

Add to the Conversation