tv America Tonight Al Jazeera February 23, 2016 2:30am-3:01am EST
and i don't, i don't know what it means. that's what it looks like. it sounds and looks impressive at the very least. you can get more at aljazeera.com. you can talk to us on facebook and twitter as well. the headlines are next. and thanks for joining us on "america tonight." i'm joie chen. imagine your health held hospital contaminate. what would it be worth to free your medical records or to protect them from more malicious attacks? a top medical center in california was
forced to take that action after a cyber attack on their computer system. and the cyber attack is focusing attention on what is a growing threat, as "america tonight" lisa fletcher warns us. >> the hollywood hospital is the scene of the crime which once would have been only the thing of the movies. >> all the signs say, don't use the computers. i said what happened? we got hacked. >> infecting its files with ransomware. >> they infect file after file after file. typically there's a key to undo it. >> the antidote? a series of key strokes which
the hospital would receive only after a bitcoin ransom. as moirnt learned hospital hacks don't just compromise your data. they can cause your death. >> every gaming console that you can buy at the toy store, the nintendo wii, the x box those have all gone through cyber security reviews, probably robust ones. the device you are about to be hooked up in a loss probably hasn't had cyber security review. >> the nintendo has more cyber security than the infusion machine you're about to be hooked up to. >> absolutely. >> the u.s. military, google and microsoft, one of his specialties, hospital equipment. >> do you think hospital equipment is vulnerable or do you know hospital equipment is vulnerable? >> we know it is vulnerable, we
have data that shows that. >> on any given day rios says there can be tens of thousands of devices connected to a network in a typical hospital. mris to x rays, infusion pumps, any number can be hacked and made lethal. >> that's not something we think could happen. we know it could happen. we've demonstrated it for government agencies and the fda. >> and he demonstrated it for us. >> all i have to do is hit enter. >> these are drug infusion pumps from hospira. rios has tested most of them. >> really it is a mechanical device that is controlled by a computer, pumping action up and down that suppresses a syringe. >> what vulnerabilities did you discover when you opened these up?
>> these have very bad vulnerabilities. to log on you don't need a password. >> basically anybody can log on? >> anybody can log on. this is controlling the amount of medicine you are getting into your body. if anyone can alter that, that is not a doctor, that's a bad thing. we're talking about drugs that are pushed directly into your bloodstream. we could manipulate this from a thousand miles away if we wanted to. >> anybody who is in the hospital would assume it is operating correctly. there's no red flag going up. >> right. >> when rios discovered this vulnerability he asked the manufacturer. >> the other pumps they sell to people are vulnerable to the same thing they actually refused to figure that out. >> so you said you've got a security problem with this pump. >> yes. >> why don't you see if that security problem exists in your
other equipment they said no. >> yes, they said no. they said we're not interested in doing that. >> hospira has stopped making this unit, and the fda has issued a security warning. there has been no mandatory recall. we wanted to talk with hospira about their pumps, rios' discoveries and the federal advisory, they refused and directed us to their new parent company, pfizer. we contacted pfizer and they did not respond to multiple requests for interview. >> there are no warnings on the device. none. >> suggest the device manufacturers consider the hack issue. but it's a suggestion not a requirement. >> are hospital medical devices being hacked?
>> they are being infected. >> widely published reports on va records show that since 2009 hundreds of medical devices at va hospitals including lab equipment and x ray machines were infected by malicious viruses. >> right now we haven't seen anybody use a medical device to hurt someone that we know of. no medical device has ever been used to harm someone or kill someone that we know of. >> rios says it is almost impossible to know. he says there's no tracking software on any of the devices that would leave evidence of a hack. we requested an interview with the fda. they wouldn't sit down and talk to us. but they did answer a couple of questions via e-mail. including whether there have been any deaths due to hacked medical devices. the fda said it is not aware of any devices that have been purposely targeted or caused patient harm or death due to cyber security vulnerabilities. and added the reality is that bad actors intentionally look
for ways to overcome cyber security safeguards. >> i try to focus on the technical aspects but i'm certainly not naive to realize that medical device manufacturers have lots of money, there's lots of lobbyists that influence all types of hearing and health care devices. it's going to cost them money and require them to do things that they have never had to do. >> rios says without federal requirements there's no pressure or obligation for companies to invest in device security. case in point, in 2013, rios and a colleague discovered a slew of back door devices, flown by the manufacturer and cannot be changed by the hospital. >> we know 300 of them across 40 different vendors across a wide range of devices infusion pumps insulin pumps infant incubators,
defibrillators, we know passwords for those devices, the hospital can't change those passwords. obviously that is pretty important. we reported it to dhs. >> the department of homeland security. >> any day any hour three could log on to your laptop, you wouldn't accept that but for some reason it is completely acceptable in the medical device world. we don't know why. two and a half years before, not a single one has been fixed. >> and here is the kicker rios says not only can the devices be hacked and turned against the very patients they are supposed to be helping but whether hackers access the equipment they are also accessing all your personal data stored in it. with far reaching implications.
>> may be individual data but that could be very important to know that hey they were connected to a particular device this is the type of care they got this is the type of drug they got this is the amount and dosage they got. >> somebody could get in there modify your data change your blood type change a dosage level of something change a condition and the doctor wouldn't know the difference, right? >> if someone changes your medical history no one would know it. that's very dangerous. >> last year the fda held the first ever medical device security workshop to bring stakeholders together to try to solve some of these problems. but short of laws that require cyber security on medical devices, rios fears patient safety will remain in jeopardy. >> what we're asking for is, we want medical devices to be at
least as secure as your iphone. it's not something that's never been done before. we're just asking you know device manufacturers to basically get with the times. >> follow up now to lisa fletcher's report. the fbi confirms the cyber compromise at the hollywood hospital is under investigation but who the culprit or culprits might be is still unknown. next here "america tonight's" lisa fletcher will join us to talk about other critical services targeted by cyber attackers. you won't believe just how great the threat is. and later another way hackers may be reaching into your life and what you might be doing to make their crimes easier. and hot on "america tonight's" website now, the concussion gender gap are women athletes as vulnerable as men? the ncaa doesn't even know, but
>> the cyber attack on the hollywood hospital exposed a big fear for medical providers all across the nation. which raised a big question for all of us. should we free pay hackers to give back our most important data? lisa fletcher, let's talk about ransomware what is that? >> ransomware is a type of program, there are a number of them out there, they send you an e-mail that looks legit, it could be from an online retailer
or a package delivery service, if you click on the link, the second you click on it, it infects your data. and encrypts it. you cannot access your data until you have the decryption key, where the ransom comes into this. >> the bad guys and how they want to get paid is still as we said, in bitcoin, which is mysterious, for those of us who are still used to using those pieces of paper. >> of course. >> but bitcoin is the currency of the internet. >> a lot of these ransoms aren't huge. >> yes, $17,000 for a whole hospital's data, that doesn't, i mean it's a lot of money but for a hospital it's not probably a great deal. why so small? >> it's part of their whole scheme. they think if they don't ask for
a lot of money they're more likely to get it and they probably are. the thing about these guys, is volume, if you get a dollar from a million people you have $1 million. experts suspect there are millions of computers infected worldwide with one type or another of this ransomware. small amounts of money all the time really adds up. >> that is how the internet works, it is not just hospitals that are at risk, the medical technology you talked about, these can attack all sorts of us. >> an amazing number of police departments and sheriffs departments have been infected in the last few months. small ransoms, 500, 600, 700, $800. but many say this is a really bad precedent. these guys take control of the system they ask for money and
they automatically get it. i can think of five or six off the top of my head this year. >> what are they grabbing from the system? >> they are trying to find valuable files that would be worth the ransom. for example there was a police department in alabama a tiny little police department and they encrypted all of the mugshot files that the police department held digitally. the chief of police said we're not going to pay you, forget it. he stood firm. and never got any of the files back. so all of their mug shots have -- >> have gone somewhere into the ether. interesting. "america tonight's" lisa fletcher, thank you. >> what do hackers do? and who is helping them with
>> we've heard about the dangerous vulnerabilities of our medical systems but most often, when we hear about cyber threats we worry about the damage to our identities, and the biggest culprit of our information is ourselves. michael okwu has the story. >> where you shop, how old you are, your children, whether you drink too much.
you might think that is personal information but you are wrong. these items are bought and sold by data brokers. >> their biggest interest is gathering tremendous amounts of data on millions of people. >> brian krebs reports on cyber security for his blog, krebs on crime. big data brokers hold the keys to the kingdom. >> they know where i buy, whether it's underwear or toothpaste. >> absolutely. >> they know more about you than you know about you. >> adversaries everywhere -- >> at the world's largest information security conference in san francisco, the buzz was all about keeping your data safe from malware, spam bots and a number of other issues.
but pam dixon says the real threat isn't what hackers and thieves can steal, it's also what we hand over about ourselves voluntarily, often unwittingly every single day for free. >> these people are really good at keeping threats away but that doesn't mean companies can't buy and sell our information at will. all that gets pushed into a big giant information soup. and what comes out at the other end is the profiling of individual consumers. self improvement and health-wellness offers. >> at her office in san diego dixon shows us some of these profiles or lists many of us end up on. >> here is a list that says alcohol drinkers, adult. do i really want my name on this list if i'm an alcohol drinker? >> dixon says there are scores of lists for sale. >> i'm seeing everything from
dry eyes to bed-wetting, to canker sores. >> here is another one. substance abuse road to recovery book buyers club. >> how do they know that? how do the data brokers know i bought that book? >> this is a list of buyers in a book buying club, that list is being sold. if you are purchasing a book from that book club that's how they're getting it. >> data brokers are not just getting customer information from retailers, they also mine public records and monitor our public postings on social media, and then there's all that personal information you may provide on online survey say on flirt.com or realaids dom. as good as gold for the brokers and the clients they sell them to. >> and they know this about me and categorize me in order to make it easier for them to sell
me more stuff? >> to sell your profile to people who want to sell you more stuff, yeah, exactly. >> they're getting the -- there are personics clusters. >> dixon believes that if the result of all this profiling was just targeted in better ads there would be no reason for concern. but that's not what she's worried about. >> if you are a major employer or health plan you could purchase this list. >> you don't know for certain that employers are purchasing these lists but the fact is, they can. >> that's correct. that's exactly correct. this is really outside of regulation. there aren't any laws that say that employers can't buy these lists and they're not that expensive. >> "america tonight" contacted exact data, chicago based data broker without asking us why we needed them, exact data agreed to sell us all kinds of lists, the names home and e-mail addresses of people who use
online dating services, individuals who purchase products to fight anxiety, consumers of products for erectile dysfunction. you get the right idea. for $4500, al jazeera america could purchase access to deeply private information about tens of thousands of unsuspecting individuals. anyone. >> there is a lot of what ifs you could come up in your mind about what else could happen in that data. but what we do as an industry is make very sure that that data is used for only the purposes of marketing. >> chief lobbyist for the trade group that represents data brokers, her job lately, pushing back against critics. >> the issue is you guys are
shadowy secret, fair? >> not further from the truth, dma has had a code for 40 years, there's incredible amount of policing going on in this industry. >> do you know correct data? >> not off the top of my head no. >> we called exact data and they basically offered to sell us lists of all kinds of private what i think many members of the public would consider to be sensitive information, without having to jump too many hoops they were willing to sell it to us so long as we were willing to pay for it. >> i can't speak to that particular situation but i think there's more to the story very likely. in a case where marketing data is being sold and purchased and transferred between companies, our code of ethics would say you can only share that information. it can only be purchased for
marketing purposes. >> it doesn't always happen that way. take experian a giant in the business and a dma member, the fort knox of consumer information, but in a major lapse that brian krebs was first to report, an identity thief in vietnam was able to gain access to a database containing personal information about 200 million americans of a company owned by experian. >> experian was selling information they claim unwillingly, i'm willing to give them the benefit of the doubt to an individual who is claiming to be a u.s. based private investigator. >> the person posing as an american private eye was, actually hieu minh ngo. in a
statement said any implication that there was a breach 200 million records was entirely misleading. while the size may be 200 million that does not mean these records were accessed. to be clear no experian data was accessed. but to brian krebs this situation raises question about power. >> when an organization has almost no accountability collects some of the most sensitive and voluminous information on people and whether they have a security incident, that jeopardizes the security of that information there really aren't any consequences. >> the question that comes out of this is, how can we feel safe, the public at large, about keeping this sensitive information in the hands of data brokers like experian and others? >> that particular case is one that is ongoing. it is a legal investigation, a
law enforcement investigation and it's possible that if a wrongdoing is -- it's entirely a given that if a wrongdoing is found the company will have to answer for that. >> one company is attempting to answer critics' concerns. in an industry first, data broker acxiom, lets you see something it knows about you. >> this is really the first opportunity we have had ever to look behind the scenes what a data broker has about us. >> we found out what they know about me. >> your date of birth, male, african american, you completed graduate school, you are married, your child is seven years old. >> this is pretty accurate. >> that is pretty scary. why do people need to know that information? >> why do they need to know my child and how old she is? >> that's
disconcerting. >> dixon wants them to be more transparent in what they know and who they are selling to. >> i want to make sure if there is some kind of information that is out there on any list that a consumer has the right to say to any data broker, you know what, i want off that list. >> michael okwu, al jazeera. >> how we might be able to protect ourselves. that's "america tonight." please tell us what you think at aljazeera.com/americatonight. you can talk to us on twitter or facebook and come back. we'll have more of "america tonight" tomorrow. >> our american story is written everyday. it's not always pretty, but it's real... and we show you like no-one