Ransomware takes Hollywood hospital offline, $3.6M demanded by attackers
csoonline.com
Very interesting article about the subject from November 2015: It’s Way Too Easy to Hack the Hospital, http://www.bloomberg.com/features/2015-hospital-hack/
Hospital equipment is a sector where we need to push strongly for open solutions. Besides their own security, they are putting people's lives in danger. An informed citizen should have a way to check the running software and that the equipment is working properly. An example is X-ray equipment. In some cases, patients have been exposed to strong doses of radiation because of malfunctioning equipment for more than 10 years. Nobody checked. And then you add the risk of hacking.
> Hospital equipment is a sector where we need to push strongly for open solutions. Besides their own security, they are putting people's lives in danger.
It's a sector where there needs to be a push for software/hardware quality, period! One of my former coworkers from years ago used to write software for medical equipment. The software ran on the cheapest Windows boards the company could find. There was no standardization apart from window dressing. Attitude of management was to just get it out the door, and it would be fine.
Having worked in hospitals doing network security: They are terribly insecure. They really are a prime example of bad bureaucracy and proprietary software making everything horrible, despite the best of intentions.
YMMV of course.
This goes beyond network security. Most hospital systems, including hardware and software, are insecure. One of the main reasons for this is that hospital staff, especially doctors and nurses, tend to be atrociously bad at technology. One hospital we used to work with had removed passwords on their EMR software for all users because the chief of surgery always forgot his. Their reasoning was that inability to remember passwords slowed people down, and the EMR software was "internal anyway", so what could be the worst-case scenario of not having passwords?
Well, there are two sides to this. You can say they're bad at technology, but why hasn't technology made it possible to sign in with voice recognition or some other speedy and foolproof method? I don't want a doctor switching her attention from diagnostic and treatment questions (which, let us not forget, are rather complicated and challenging in their own right, especially in an urgent care situation) in order to comply with some absent programmer's idea of how security ought to work. Why is typing in a password considered the only acceptable method of system access, given the fact of physical hospital security and so on? Why do technologists like yourself think everyone else should adapt to your standards rather than inventing something that meets the particular needs and circumstances of the clients?
> One of the main reasons for this is that hospital staff, especially doctors and nurses, tend to be atrociously bad at technology.
I remember that med students were early adopters of ePocrates in the Palm PDA era. I think it's more that they are atrociously bad at technology, unless it's particularly useful to them.
> inability to remember passwords slowed people down
It would slow people down a lot. Someone needs to sell some sort of zero effort authentication technology for hospitals. (One where a supervising nurse could quickly auth the chief of surgery, because that sort of guy is going to forget his token/device.)
Speech recognition? It's hands free and harder to brute-force than a fingerprint.
The internet of things... what could possibly go wrong?
Very good point.
It reminds me of a comment from Usenet, long ago: "if your VCR is still blinking 12:00 then Linux is not for you".
Most people playing with technology don't know what they're doing. Giving them more power means giving them more danger.
Basically every piece of hardware with a clock in my house is blinking, yet I'm fine with Linux. The problem isn't that it's too hard to set, but usually they will get unplugged at some point, and you have to set the clocks again. It gets boring very fast.
Somebody should make a simple alarm clock with wifi to sync time via NTP. I guess once you open that can of worms, most alarm clocks add other features, too.
You don't need NTP. There are lots of clocks which can synchronise to radio signal, which is much easier and doesn't require internet connection.
This was quite low, even for a ransomware attack. What's next, daycare centers?
How do you figure? If I'm targeting digital data for ransom, I'm going after the easiest targets. I don't care if it's hospital records, online obituary guestbook, daycare records, a memorial Facebook account - anything that gives me what I'm looking for. This goes doubly so for how notoriously insecure (relatively speaking) hospitals are.
Even criminals tend to have some moral standards. They are not all complete sociopaths. For instance, go to jail for murdering an adult male and you will be accepted and perhaps even respected by other prisoners. Go to jail for murdering a child and you will be despised and quite possibly abused by the other prisoners.
> Even criminals tend to have some moral standards. They are not all complete sociopaths.
I've met a lot of "techie-trash" who even outwardly portray themselves as sociopathic, as if that made them seem smart and cool. Hell, I've been meeting people like that since the 90's! (They are a very slim minority of the tech populace, but their lack of self-awareness makes them tend to be very visible.)
So who's gonna serve the HIPAA violation sentence?
HIPAA does require a lot of security. Having been a HIPAA architect, in reality no one in the industry cares since few are ever even accused of anything much less convicted. It's a toothless gums law.
Why are you sure there was a HIPAA violation? HIPAA includes disaster recovery plan, which is what they should be doing now.
I guess it wasn't a great plan if it's a week in and they're still dealing with it, but still...
Well, there are plenty of provisions under the security chapter. Funnily enough, now that I look at it again (been a long time), it seems both 'accountability' (tracking every media in and out) and 'protection from malicious software' are not listed as required. Duh.
The emergency mode operation plan is, however, listed as required, and this place was basically shut for a week.
I remembered it being more stringent than what it really is.
Yes, I'd love for HIPAA to say: if we're talking about a medical centre, you've got to be able to snapshot and reimage within X hours with data loss of less than Y hours. One can dream...
Part of the problem is that HIPAA must be easy for small private practices as well as massive hospitals to follow.
Another standard may be needed for the larger businesses.
Totally agree, but in 2016 that doesn't take much: spin up two instances in different AWS datacenters and fail between them and you have Disaster Recovery. Regularly operate in each datacenter and you have Sustained Resiliency. A small business probably won't have staff to maintain such a solution but surely this is a space for a nice niche startup?
> in 2016 that doesn't take much: spin up two instances in different AWS datacenters and fail between them and you have Disaster Recovery
Things that look simple on the surface are often not easy to implement in practice - especially when you're not starting with a green field.
Why am I not starting with a greenfield? In my example I did mention a niche start up.
That won't work. You'd need the whole datacenter to comply with the security restrictions; you can't just have the data in a place where you don't know who can access it.
That's not true actually. You can be HIPAA compliant while storing data on AWS. https://aws.amazon.com/compliance/hipaa-compliance/
> Part of the problem is that HIPAA must be easy for small private practices as well as massive hospitals to follow.
We're at the point where some company could sell a comprehensive software package for small practices that includes disaster recovery.
Assuming it's CryptoLocker style malware, they're probably one of the few hospitals fully satisfying the encryption requirements of HIPAA at the moment.
Frackin' toasters. The old man told us to keep those computers off the network.
"They're through the fourth firewall!"
Exactly what happened? Most hospitals use proprietary electronic medical record systems. These are layered constructs of different networks requiring different passwords and VPNs for their different functions. Is there an actual url that one can visit to verify this? Did the internet archive capture this in a snapshot I can see? Or is this smack that a neighboring hospital is pushing to capture market share in this era of declining reimbursements and increasing regulation?
Probably locked down the physical machines at the hospital.
> Most hospitals use proprietary electronic medical record systems. These are layered constructs of different networks requiring different passwords and VPNs for their different functions.
That's idealistic. Usually they're giant pieces of shit.
So really the data is unaffected. Just the OS on the client machines is borked and throwing up a scare screen. If that is the case, they can 'just' reimage the machines from backups. I agree, the EMRs are repurposed shit, but honed to an incredibly complex and fine edge.
I'm sure they'll just pass the cost (either of the ransom, or of the missed profits) onto the patients.
It's Hollywood, option the movie rights.
Next summer we'll see how many explosions can be worked into a movie "based on a true story" about cybercrime.
...rather than, say, not pay nurses their salaries for a while?
Heaven forbid that top executives ever have to take a pay hit.
I never understood this attitude.
Most executives are either lifelong doctors, or worked their way up the corporate ladder. I don't understand why people who work hard to get to these positions are suddenly vilified as being somehow overpaid.
Take for example the CEO at Cedars-Sinai Health System in LA. The guy has held his CEO position for 17 years and worked his way up through the ranks. He also went to school and got an undergrad and a master's degree. He started in 1979 as an assistant admin and took the top job in 1994. So after 15 years of working his way up to CEO, he should somehow not be paid in accordance with what other health care CEOs are getting paid?
If you want a villain, look at the system that's broken, or the government regulations, but seriously, get off the executives' backs, for fuck's sake. They aren't "gifted" CEO spots, they had to work hard to get there, and most have done amazing things for the industry.
I think the idea is that they can afford to take a hit on their income. A nurse or patient doesn't have as much flexibility.
So instead of targeting random people in opportunistic attacks, the malware writers had a very clear target here. It's like "spearansomware". I only wonder why it took them so long to get to this idea.
It didn't, they've been doing this to police departments for nearly a year at least.
http://www.darkreading.com/attacks-breaches/police-pay-off-r...
Not sure if they are being specifically targeted, or hospital networks are easy targets, but I work with a vendor who supports this hospital.
This is the 3rd major healthcare org hit with this in like the past 3 weeks. The last one just got hit last week.
RIS/HIS/PACS/EHR/any systems all hit, with like 80-90% of network equipment compromised.
Wow, talk about a lack of morals. I wonder how many years he would get if he is caught for endangering so many lives.
Doesn't sound like a major hospital. The major hospital in Hollywood is Cedars-Sinai, IIRC.
And that matters because? Real people needing real treatment are being affected... Major hospital or not.
It gives insight into the probable investment in, maturity and/or scale of infrastructure. Unlike your emotional rah-rah there.
Hollywood Presbyterian Medical Center has 434 beds and around 1500 employees. That's pretty decent.
Cedars-Sinai is indeed about twice the size, but that's mostly because Cedars-Sinai is extraordinarily large.