HVAC System Allegedly Compromised by Hacker—Who is Also a Security Officer

Scott Wallask, for HealthLeaders Media, July 9, 2009

This tale may make you put down your coffee and verify how tightly you protect computer servers at your hospital and any leased facilities.

The FBI arrested a man who authorities said hacked into a Dallas healthcare building's IT system and was prepared to take over the heating, ventilation, and air-conditioning (HVAC) system. The suspect, who worked as an overnight security officer for the site, allegedly had bigger plans of using the compromised computers to instigate a massive attack on other computers elsewhere.

Consider asking your own security director and emergency planner about this type of scenario, or better yet, have them conduct a drill on it. As you'll see, the details truly meet the popular notion of "pushing the envelope" with drill scenarios.

Actions could have risked patient safety
The security officer in question, Jesse William McGraw of Arlington, TX, is allegedly part of a hacker group called the Electronik Tribulation Army. McGraw—who used online aliases "GhostExodus" and "PhantomExodizzmo"—was ordered held without bail by a judge on July 1, said Kathy Colvin, a spokesperson for the U.S. Attorney's Office in Dallas. The government will present its case to a grand jury by the end of the month.

McGraw's immediate actions could have allowed him to shut down the HVAC system at a Dallas building which contains the Carrell Clinic orthopedics facility and North Central Surgical Center. A loss of air-conditioning in the hot Texas weather could have threatened the safety of patients, staff members, and visitors. McGraw "did jeopardize [the HVAC] system," Colvin said. "It's frightening."

McGraw worked at the building as a contracted security officer and was employed by United Protective Services, Inc., in Dallas, according to authorities.

Complaint details YouTube posting
Colvin did not have further information on the investigation available, but the Dallas Morning News posted the criminal complaint against McGraw on its Web site.

A cooperating witness who is a network security researcher allegedly received e-mails from someone in the Electronik Tribulation Army about a video posted on YouTube. The video allegedly showed a person—believed to be McGraw—demonstrating how he hacked into the Dallas building's HVAC computer. Further information from an alleged Craigslist post by the suspect, along with further research by the cooperating witness and the Texas Attorney General's Office, led authorities to identify and arrest McGraw, according to the criminal complaint.

Building experiences prior problems
Tenants of the Dallas building told FBI agents that they had experienced some HVAC problems prior to McGraw's arrest. A review of the HVAC computers later showed that someone had downloaded malicious software that would allow a person to assume remote control of the HVAC system.

The Carrell Clinic and North Central Surgical Center lease their space in the building. It wasn't immediately clear whether the alleged hacker's actions affected all of the building.

A call by HealthLeaders Media to Tom Blair, administrator at the Carrell Clinic, wasn't returned. However, Blair told the Dallas Morning News that there was no evidence that patient information was compromised by McGraw's actions.

McGraw had given notice to United Protective Services just prior to his arrest.


Scott Wallask is senior managing editor for the Hospital Safety Center. He can be reached at swallask@hcpro.com.