California was forced to take that action after a cyber attack on their computer system. And the cyber attack is focusing attention on what is a growing threat, as America Tonight's Lisa Fletcher warns us. The Hollywood hospital is the scene of the crime which once would have been only the thing of the movies. All the signs say, don't use the computers. I said, what happened? We got hacked. Infecting its files with ransomware. They infect file after file after file. Typically there's a key to undo it. The antidote? A series of keystrokes which the hospital would receive only after a bitcoin ransom. As America Tonight learned, hospital hacks don't just compromise your data. They can cause your death. Every gaming console that you can buy at the toy store, the Nintendo Wii, the Xbox, those have all gone through cyber security reviews, probably robust ones. The device you are about to be hooked up to in a hospital probably hasn't had a cyber security review. The Nintendo has more cyber security than the infusion machine you're about to be hooked up to. Absolutely. The U.S. military, Google and Microsoft, one of his specialties, hospital equipment. Do you think hospital equipment is vulnerable or do you know hospital equipment is vulnerable? We know it is vulnerable, we have data that shows that. On any given day Rios says there can be tens of thousands of devices connected to a network in a typical hospital. MRIs, X-rays, infusion pumps, any number can be hacked and made lethal. That's not something we think could happen. We know it could happen. We've demonstrated it for government agencies and the FDA. And he demonstrated it for us. All I have to do is hit enter. These are drug infusion pumps from Hospira. Rios has tested most of them. Really it is a mechanical device that is controlled by a computer, pumping action up and down that suppresses a syringe. What vulnerabilities did you discover when you opened these up? These have very bad vulnerabilities.
To log on you don't need a password. Basically anybody can log on? Anybody can log on. This is controlling the amount of medicine you are getting into your body. If anyone can alter that, that is not a doctor, that's a bad thing. We're talking about drugs that are pushed directly into your bloodstream. We could manipulate this from a thousand miles away if we wanted to. Anybody who is in the hospital would assume it is operating correctly. There's no red flag going up. Right. When Rios discovered this vulnerability he asked the manufacturer. The other pumps they sell to people are vulnerable to the same thing. They actually refused to figure that out. So you said you've got a security problem with this pump. Yes. Why don't you see if that security problem exists in your other equipment? They said no. Yes, they said no. They said we're not interested in doing that. Hospira has stopped making this unit, and the FDA has issued a security warning. There has been no mandatory recall. We wanted to talk with Hospira about their pumps, Rios' discoveries and the federal advisory. They refused and directed us to their new parent company, Pfizer. We contacted Pfizer and they did not respond to multiple requests for interview. There are no warnings on the device. None. Suggest the device manufacturers consider the hack issue. But it's a suggestion, not a requirement. Are hospital medical devices being hacked? They are being infected. Widely published reports on VA records show that since 2009 hundreds of medical devices at VA hospitals including lab equipment and X-ray machines were infected by malicious viruses. Right now we haven't seen anybody use a medical device to hurt someone that we know of. No medical device has ever been used to harm someone or kill someone that we know of. Rios says it is almost impossible to know. He says there's no tracking software on any of the devices that would leave evidence of a hack. We requested an interview with the FDA.
They wouldn't sit down and talk to us. But they did answer a couple of questions via email. Including whether there have been any deaths due to hacked medical devices. The FDA said it is not aware of any devices that have been purposely targeted or caused patient harm or death due to cyber security vulnerabilities. And added, the reality is that bad actors intentionally look for ways to overcome cyber security safeguards. I try to focus on the technical aspects but I'm certainly not naive to realize that medical device manufacturers have lots of money, there's lots of lobbyists that influence all types of hearing and health care devices. It's going to cost them money and require them to do things that they have never had to do. Rios says without federal requirements there's no pressure or obligation for companies to invest in device security. Case in point, in 2013, Rios and a colleague discovered a slew of back door devices, flown by the manufacturer and cannot be changed by the hospital. We know 300 of them across 40 different vendors across a wide range of devices, infusion pumps, insulin pumps, infant incubators, defibrillators. We know passwords for those devices, the hospital can't change those passwords. Obviously that is pretty important. We reported it to DHS. The Department of Homeland Security. Any day any hour three could log on to your laptop, you wouldn't accept that, but for some reason it is completely acceptable in the medical device world. We don't know why. Two and a half years before, not a single one has been fixed. And here is the kicker: Rios says not only can the devices be hacked and turned against the very patients they are supposed to be helping, but when hackers access the equipment they are also accessing all your personal data stored in it. With far reaching implications.
May be individual data but that could be very important to know that, hey, they were connected to a particular device, this is the type of care they got, this is the type of drug they got, this is the amount and dosage they got. Somebody could get in there, modify your data, change your blood type, change a dosage level of something, change a condition, and the doctor wouldn't know the difference, right? If someone changes your medical history no one would know it. That's very dangerous. Last year the FDA held the first ever medical device security workshop to bring stakeholders together to try to solve some of these problems. But short of laws that require cyber security on medical devices, Rios fears patient safety will remain in jeopardy. What we're asking for is, we want medical devices to be at least as secure as your iPhone. It's not something that's never been done before. We're just asking, you know, device manufacturers to basically get with the times. Follow up now to Lisa Fletcher's report. The FBI confirms the cyber compromise at the Hollywood hospital is under investigation but who the culprit or culprits might be is still unknown. Next here, America Tonight's Lisa Fletcher will join us to talk about other critical services targeted by cyber attackers. You won't believe just how great the threat is. And later, another way hackers may be reaching into your life and what you might be doing to make their crimes easier. And hot on America Tonight's website now, the concussion gender gap: are women athletes as vulnerable as men? The NCAA doesn't even know.
The cyber attack on the Hollywood hospital exposed a big fear for medical providers all across the nation. Which raised a big question for all of us. Should we pay hackers to give back our most important data? Lisa Fletcher, let's talk about ransomware, what is that? Ransomware is a type of program, there are a number of them out there, they send you an email that looks legit, it could be from an online retailer or a package delivery service. If you click on the link, the second you click on it, it infects your data. And encrypts it. You cannot access your data until you have the decryption key, where the ransom comes into this. The bad guys and how they want to get paid is still, as we said, in bitcoin, which is mysterious, for those of us who are still used to using those pieces of paper. Of course. But bitcoin is the currency of the internet. A lot of these ransoms aren't huge. Yes, 17,000 for a whole hospital's data, that doesn't, I mean it's a lot of money but for a hospital it's not probably a great deal. Why so small? It's part of their whole scheme. They think if they don't ask for a lot of money they're more likely to get it and they probably are. The thing about these guys is volume: if you get a dollar from a million people you have 1 million. Experts suspect there are millions of computers infected worldwide with one type or another of this ransomware. Small amounts of money all the time really adds up. That is how the internet works. It is not just hospitals that are at risk, the medical technology you talked about, these can attack all sorts of us. An amazing number of police departments and sheriff's departments have been infected in the last few months. Small ransoms, 500, 600, 700, 800. But many say this is a really bad precedent. These guys take control of the system, they ask for money and they automatically get it. I can think of five or six off the top of my head this year. What are they grabbing from the system?
They are trying to find valuable files that would be worth the ransom. For example there was a police department in Alabama, a tiny little police department, and they encrypted all of the mugshot files that the police department held digitally. The chief of police said, we're not going to pay you, forget it. He stood firm. And never got any of the files back. So all of their mug shots have gone somewhere into the ether. Interesting. America Tonight's Lisa Fletcher, thank you. What do hackers do? And who is helping them with We've heard about the dangerous vulnerabilities of our medical systems but most often, when we hear about cyber threats we worry about the damage to our identities, and the biggest culprit of our information is ourselves. Michael Okwu has the story. Where you shop, how old you are, your children, whether you drink too much. You might think that is personal information but you are wrong. These items are bought and sold by data brokers. Their biggest interest is gathering tremendous amounts of data on millions of people. Brian Krebs reports on cyber security for his blog, Krebs on Crime. Big data brokers hold the keys to the kingdom. They know where I buy, whether it's underwear or toothpaste. Absolutely. They know more about you than you know about you. Adversaries everywhere. At the world's largest information security conference in San Francisco, the buzz was all about keeping your data safe from malware, spam bots and a number of other issues.
But Pam Dixon says the real threat isn't what hackers and thieves can steal, it's also what we hand over about ourselves voluntarily, often unwittingly, every single day for free. These people are really good at keeping threats away but that doesn't mean companies can't buy and sell our information at will. All that gets pushed into a big giant information soup. And what comes out at the other end is the profiling of individual consumers. Self improvement and health wellness offers. At her office in San Diego, Dixon shows us some of these profiles or lists many of us end up on. Here is a list that says alcohol drinkers, adult. Do I really want my name on this list if I'm an alcohol drinker? Dixon says there are scores of lists for sale. I'm seeing everything from dry eyes to bedwetting, to canker sores. Here is another one. Substance abuse road to recovery book buyers club. How do they know that? How do the data brokers know I bought that book? This is a list of buyers in a book buying club, that list is being sold. If you are purchasing a book from that book club that's how they're getting it. Data brokers are not just getting customer information from retailers, they also mine public records and monitor our public postings on social media, and then there's all that personal information you may provide on online surveys, say on flirt.com or realaids dom. As good as gold for the brokers and the clients they sell them to. And they know this about me and categorize me in order to make it easier for them to sell me more stuff? To sell your profile to people who want to sell you more stuff, yeah, exactly. They're getting the there are personics clusters. Dixon believes that if the result of all this profiling was just targeted in better ads there would be no reason for concern. But that's not what she's worried about. If you are a major employer or health plan you could purchase this list.
You don't know for certain that employers are purchasing these lists but the fact is, they can. That's correct. That's exactly correct. This is really outside of regulation. There aren't any laws that say that employers can't buy these lists and they're not that expensive. America Tonight contacted Exact Data, a Chicago based data broker. Without asking us why we needed them, Exact Data agreed to sell us all kinds of lists, the names, home and email addresses of people who use online dating services, individuals who purchase products to fight anxiety, consumers of products for erectile dysfunction. You get the right idea. For 4500, Al Jazeera America could purchase access to deeply private information about tens of thousands of unsuspecting individuals. Anyone. There is a lot of what ifs you could come up in your mind about what else could happen in that data. But what we do as an industry is make very sure that that data is used for only the purposes of marketing. Chief lobbyist for the trade group that represents data brokers, her job lately, pushing back against critics. The issue is you guys are shadowy, secret, fair? Not further from the truth, DMA has had a code for 40 years, there's incredible amount of policing going on in this industry. Do you know correct data? Not off the top of my head, no. We called Exact Data and they basically offered to sell us lists of all kinds of private, what I think many members of the public would consider to be sensitive information, without having to jump too many hoops. They were willing to sell it to us so long as we were willing to pay for it. I can't speak to that particular situation but I think there's more to the story very likely. In a case where marketing data is being sold and purchased and transferred between companies, our code of ethics would say you can only share that information. It can only be purchased for marketing purposes. It doesn't always happen that way.
Take Experian, a giant in the business and a DMA member, the Fort Knox of consumer information, but in a major lapse that Brian Krebs was first to report, an identity thief in Vietnam was able to gain access to a database containing personal information about 200 million Americans of a company owned by Experian. Experian was selling information, they claim unwillingly, I'm willing to give them the benefit of the doubt, to an individual who is claiming to be a U.S. based private investigator. The person posing as an American private eye was actually Hieu Minh Ngo. In a statement said any implication that there was a breach of 200 million records was entirely misleading. While the size may be 200 million that does not mean these records were accessed. To be clear no Experian data was accessed. But to Brian Krebs this situation raises question about power. When an organization has almost no accountability, collects some of the most sensitive and voluminous information on people, and when they have a security incident that jeopardizes the security of that information, there really aren't any consequences. The question that comes out of this is, how can we feel safe, the public at large, about keeping this sensitive information in the hands of data brokers like Experian and others? That particular case is one that is ongoing. It is a legal investigation, a law enforcement investigation and it's possible that if a wrongdoing is, it's entirely a given that if a wrongdoing is found the company will have to answer for that. One company is attempting to answer critics' concerns. In an industry first, data broker Acxiom lets you see something it knows about you. This is really the first opportunity we have had ever to look behind the scenes what a data broker has about us. We found out what they know about me. Your date of birth, male, African American, you completed graduate school, you are married, your child is seven years old. This is pretty accurate.
That is pretty scary. Why do people need to know that information? Why do they need to know my child and how old she is? That's disconcerting. Dixon wants them to be more transparent in what they know and who they are selling to. I want to make sure if there is some kind of information that is out there on any list that a consumer has the right to say to any data broker, you know what, I want off that list. Michael Okwu, Al Jazeera. How we might be able to protect ourselves. That's America Tonight. Please tell us what you think at aljazeera.com/americatonight. You can talk to us on Twitter or Facebook and come back. We'll have more of America Tonight tomorrow. On target tonight. Addicted in America. Radical ways to help those hooked on heroin. Critics claim these methods enable addicts but they could also save a lot of lives. President Obama got another reminder of the urgency of dealing with America's heroin epidemic. It came during a meeting with the nation's governors at the white e,