In real-world war, combatants typically don’t attack hospitals. In the cyber realm, hackers have no such scruples. “We’re attacked about every 7 seconds, 24 hours a day,” says John Halamka, CIO of the Boston hospital Beth Israel Deaconess. And the strikes come from everywhere: “It’s hacktivists, organized crime, cyberterrorists, MIT students,” he says. 

Halamka was speaking on a panel about medical hacking at SXSW Interactive along with Kevin Fu, a University of Michigan engineering professor who studies medical device security. Together they told horror stories of major hospital hacks from recent years. Here we bring you the top five, which represent five different types of intrusion:

1. Records → China. Many computers and medical devices in hospitals are running ancient operating systems that are full of security holes, Halamka says, so hospitals don’t connect them to their networks or to the Internet. Beth Israel Deaconess had taken this sensible precaution with a computer storing medical records, and everything was fine until it needed a firmware update. The manufacturer (which Halamka prefers not to identify) sent a technician to do the job. That technician promptly connected the device to the Internet to download the update, then went to lunch.

By the time the technician returned, Halamka says, the machine was so packed with malware that it was no longer functional. Someone had also downloaded about 2000 patient X-rays to a computer somewhere in China.

“Who knew there was a black market for X-rays?” Halamka says. He learned that some Chinese nationals can’t get visas to leave the country because they have infectious lung diseases such as tuberculosis. A clean lung X-ray is therefore a valuable commodity.

​2. DDoS by Anonymous. In 2014, Boston Children’s Hospital was grappling with a controversial case regarding a teenage girl who’d been taken into state custody; doctors there claimed that her ailment was largely psychological and that her parents were pushing for unnecessary treatments. Someone in the hacktivist group Anonymous viewed this as an infringement on the girl’s rights, and decided to punish the hospital with a distributed denial of service (DDoS) attack, flooding the hospital’s servers with traffic to bring them down. 

But Anonymous’s attack was broader than intended, Halamka says: “They didn’t know the IP range of Children’s, so they put a DDoS against the entire subnet, which included Harvard University and all of its hospitals.” Abruptly, all these institutions (including Halamka’s hospital) couldn’t access the Internet. “In the middle of the night, we had to outsource the Harvard network to a company that could handle it,” he says. 

​3. Faking out the doctors. The fake website was nearly perfect, Halamka says. It looked almost exactly like the Mass General Hospital’s payroll portal—only the url was a little different. When doctors received an e-mail instructing them to go to their payroll site to authorize a bonus payment, many of them happily followed the link. They entered their credentials without noticing anything wrong. The hackers who created the fascimile site then used these pilfered credentials to change the doctors’ direct deposit information in the actual payment system—and promptly used the doctors’ hard-earned cash “to buy Amazon gift cards,” Halamka says. MGH no longer allows remote access to the payroll site using only a password. 

​4. The lure of Angry Birds. A nurse at Beth Israel Deaconess was just looking for a little harmless fun, so she downloaded Angry Birds to her Android phone. Unfortunately, she downloaded it from a Bulgarian website that delivered malware along with the game. Later, when she logged into her work e-mail account from her phone, a screen scraper program recorded her login credentials. “Her account was used to spend 1 million spam messages from, causing Verizon to block Harvard as a spammer,” Halamka says.  

​5. Pay up or else. Kevin Fu sees ransomware attacks on hospitals as a growing threat. In these attacks, hackers hijack a computer network, encrypting or otherwise blocking access to the data, then demand a ransom payment in exchange for the data’s release. These hackers target private citizens and major organizations. When they go after hospitals, the outages have major repercussions. Fu says: “They’re unable to deliver patient care in a timely manner.” 

Fu lists a number of hospitals that have suffered ransomware attacks just in the last few months—and that paid up. The most notable: In Los Angeles, a Hollywood hospital’s network was out for a week when hackers allegedly demanded more than $3 million in bitcoin payment. In the end, the hospital paid a ransom of $17,000 to get its files back. Halamka adds that the Hollywood hospital had all its data backed up, but the two databases were connected to each other and to the Internet. An offline backup would have saved them, he notes.     

These attacks may all sound like nightmare scenarios, but the experts say they’re becoming almost routine. And hospitals have not made cybersecurity a priority in their budgets, Halamka says: “In healthcare, we spent about 2 percent on IT, and security might be 10 percent of that.” Compare that percentage to the security spending by financial firms: “Fidelity spends 35 percent of its budget on IT,” he says.  

The Conversation (0)

Restoring Hearing With Beams of Light

Gene therapy and optoelectronics could radically upgrade hearing for millions of people

13 min read
A computer graphic shows a gray structure that’s curled like a snail’s shell. A big purple line runs through it. Many clusters of smaller red lines are scattered throughout the curled structure.

Human hearing depends on the cochlea, a snail-shaped structure in the inner ear. A new kind of cochlear implant for people with disabling hearing loss would use beams of light to stimulate the cochlear nerve.

Lakshay Khurana and Daniel Keppeler

There’s a popular misconception that cochlear implants restore natural hearing. In fact, these marvels of engineering give people a new kind of “electric hearing” that they must learn how to use.

Natural hearing results from vibrations hitting tiny structures called hair cells within the cochlea in the inner ear. A cochlear implant bypasses the damaged or dysfunctional parts of the ear and uses electrodes to directly stimulate the cochlear nerve, which sends signals to the brain. When my hearing-impaired patients have their cochlear implants turned on for the first time, they often report that voices sound flat and robotic and that background noises blur together and drown out voices. Although users can have many sessions with technicians to “tune” and adjust their implants’ settings to make sounds more pleasant and helpful, there’s a limit to what can be achieved with today’s technology.

8 channels

64 channels

Since optogenetic therapies are just beginning to be tested in clinical trials, there’s still some uncertainty about how best to make the technique work in humans. We’re still thinking about how to get the viral vector to deliver the necessary genes to the correct neurons in the cochlea. The viral vector we’ve used in experiments thus far, an adeno-associated virus, is a harmless virus that has already been approved for use in several gene therapies, and we’re using some genetic tricks and local administration to target cochlear neurons specifically. We’ve already begun gathering data about the stability of the optogenetically altered cells and whether they’ll need repeated injections of the channelrhodopsin genes to stay responsive to light.

Our roadmap to clinical trials is very ambitious. We’re working now to finalize and freeze the design of the device, and we have ongoing preclinical studies in animals to check for phototoxicity and prove the efficacy of the basic idea. We aim to begin our first-in-human study in 2026, in which we’ll find the safest dose for the gene therapy. We hope to launch a large phase 3 clinical trial in 2028 to collect data that we’ll use in submitting the device for regulatory approval, which we could win in the early 2030s.

We foresee a future in which beams of light can bring rich soundscapes to people with profound hearing loss or deafness. We hope that the optical cochlear implant will enable them to pick out voices in a busy meeting, appreciate the subtleties of their favorite songs, and take in the full spectrum of sound—from trilling birdsongs to booming bass notes. We think this technology has the potential to illuminate their auditory worlds.

Keep Reading ↓Show less