Hospitals Now Seeing 20 Ransomware Attacks Per Day On IT Infrastructure
from the delayed-lobotomy dept
We've talked a lot about how the lack of security in Internet of Things devices was kind of funny at first, and how it quickly became less funny as the dramatic scope of the problem revealed itself. Whether it's cars being taken over from an IP address up to ten miles away, or the rise of massive new DDoS attacks fueled by your not-so-smart home appliances, folks like security expert Bruce Schneier have made it abundantly clear that the check is coming due. That's particularly true in the healthcare field, where hackable pacemakers and ransomware-infected hospital equipment are becoming the norm. In fact, hospitals in England recently had to cancel hundreds of surgeries in order to "isolate and destroy" a virus that was running amok across the trust's IT systems:
"We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," the NHS wrote on its website. "All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions."

With the lack of transparency that is the hallmark of these kinds of attacks, the hospital in question (the National Health Service's Northern Lincolnshire and Goole Foundation Trust in the UK) couldn't be bothered to explain the precise nature of the attack. But security expert Brian Krebs notes it's likely part of the growing trend of ransomware attacks on hospitals that cripple administrative and surgical systems until the hospital is willing to pay a bitcoin ransom:
"Earlier this year, experts began noticing that cybercriminals were using ransomware to target hospitals — organizations that are heavily reliant on instant access to patient records. In March 2016, Henderson, Ky.-based Methodist Hospital shut down its computer systems after an infection from the Locky strain of ransomware. Just weeks before that attack, a California hospital that was similarly besieged with ransomware paid a $17,000 ransom to get its files back.

According to a recent report by Intel Security, the healthcare sector is experiencing over 20 data loss incidents per day related to ransomware attacks. The company said it identified almost $100,000 in payments from hospital ransomware victims to specific bitcoin accounts so far in 2016."

Twenty data loss incidents per day, many of which aren't disclosed, each with an outsized impact on human lives and privacy. Ultimately, as other researchers have noted, it's inevitable that as not-particularly-smart devices gain market share around the world, we'll see more and more attacks on vital infrastructure. That is another reason why, before we get busy offensively waging the cyber, we need to make damn sure existing infrastructure is protected.
Filed Under: attacks, cybersecurity, hospitals, iot, ransomware
Reader Comments
Re:
This is a shared issue between all IT professionals. In any given enterprise there are maybe one or two people that actually give a flying fuck about real security. Everyone else, including the 'Security/Compliance Department', really does not give a damn, or does but lacks the fundamental expertise on how to address it. More than 1/2 of all Enterprises FUNDAMENTALLY do not understand security.
The mantra is get the product out, up and running with the bare minimum amount of resources and time necessary to get it functional, with a BIG sale hopefully at the end. Just about any security that is tacked on is usually an afterthought.
I have yet to see a single product, other than a couple I have designed that started with Security being the first or near the first part of the program.
Re: Re:
What is even more hilarious is that hospitals being insecure is surely a HIPAA violation. Never mind a threat to the lives and welfare of patients. And as hospitals are generally now parts of mega-system healthcare, it should be easy to hold corporate central accountable.
Well, I guess it is easier to make sure our armed forces can malware-attack other countries. That will help, I am sure.
Re: Re: Re:
Most healthcare places break HIPAA all the time. Unless you have a closet where you can discuss things with your DR, Pharmacist, or their assistants just a little bit of eavesdropping can take you far. Just walking by most desks with a hidden high quality camera with everything just sitting out in the open is pretty bad.
Society is really just a hapless and lazy group of nubs that are too lazy to give it any serious consideration. For every numb nut that says, no one is going to waste time with that there are 10 people wasting their time with that!
Re: Re:
"Compliance" tells you all you need to know. They might verify that their system configurations comply with internal policies and mandates from government/insurers, and maybe that the policies correspond to "industry best practices". But "best practices" are generally awful, and nobody's checking whether the policy-compliant systems are actually secure. Lots of large organizations have a single password/key that would give you full access to everything in the company, for example. A single point of failure is risky: even if it's well-protected and the policy says it's fine, it's a huge target and often not a necessary risk.
Re:
Thanks, Steve Jobs, for yet more adapters on the new MacBooks.
NEVER pay a ransom
Sure some would still try to infect hospitals just to be malicious, and they'd still need to invest a bunch in securing their systems, but the numbers of attacks would definitely drop.
Re: NEVER pay a ransom
Sure, in such a situation you should've had an offsite backup and some kind of real-time caching, but nobody actually implements that (though they should).
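The commenter's point is that an offsite backup is what makes "never pay" possible, and the part nobody implements is proving the copy is restorable. The script below is an added example (it is not the commenter's code and not anything from the article): it copies a source tree to a dated directory under a second location, writes a SHA-256 manifest at backup time, compares the new manifest with the previous run so that a mass change of files (the signature of a ransomware pass over the source) is flagged before that copy is trusted, and provides a verification function to re-hash the copy. The paths in the usage comment are assumptions; the destination should be somewhere the production hosts cannot write (offsite, or a pull-only backup host), because ransomware encrypts every share the infected user can reach.

```powershell
# Added example, not from the original comment or article.
# Assumptions: $Source and $Destination are hypothetical paths; the caller has read
# access to the source and write access to the destination, and nothing else does.

function New-VerifiedBackup {
    param(
        [Parameter(Mandatory)] [string]$Source,
        [Parameter(Mandatory)] [string]$Destination
    )
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Destination $stamp   # new directory per run: never overwrite the last good copy
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # 1. Hash every source file before copying, so the manifest records what was read.
    $root     = $Source.TrimEnd('\')
    $manifest = Get-ChildItem -Path $Source -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
        }
    }

    # 2. Compare with the previous run. If most previously backed-up files changed since
    #    last time, the source has probably been encrypted; warn before this copy is trusted.
    $previous = Get-ChildItem -Path $Destination -Directory |
        Where-Object { $_.FullName -ne $target -and (Test-Path (Join-Path $_.FullName 'manifest.csv')) } |
        Sort-Object Name -Descending | Select-Object -First 1
    if ($previous) {
        $old = @{}
        Import-Csv (Join-Path $previous.FullName 'manifest.csv') |
            ForEach-Object { $old[$_.RelativePath] = $_.Sha256 }
        $changed = @($manifest | Where-Object {
            $old.ContainsKey($_.RelativePath) -and $old[$_.RelativePath] -ne $_.Sha256 }).Count
        if ($old.Count -gt 0 -and ($changed / $old.Count) -gt 0.5) {
            Write-Warning "$changed of $($old.Count) files changed since $($previous.Name); check the source for encryption before trusting this copy."
        }
    }

    # 3. Copy into the fresh directory. A mirror (robocopy /MIR) is deliberately not used:
    #    a mirror would propagate encrypted files over the last good copy.
    Copy-Item -Path (Join-Path $Source '*') -Destination $target -Recurse -Force
    $manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
    return $target
}

function Test-BackupIntegrity {
    # Re-hash the copy and compare with its manifest; $true only if every file matches.
    param([Parameter(Mandatory)] [string]$BackupDir)
    $manifest = Import-Csv -Path (Join-Path $BackupDir 'manifest.csv')
    $bad = foreach ($entry in $manifest) {
        $path = Join-Path $BackupDir $entry.RelativePath
        if (-not (Test-Path $path)) { "$($entry.RelativePath): missing"; continue }
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) { "$($entry.RelativePath): hash mismatch" }
    }
    if ($bad) { $bad | Write-Warning; return $false }
    return $true
}

# Usage (paths are assumptions):
# $copy = New-VerifiedBackup -Source 'D:\PatientRecords' -Destination '\\backup-host\offsite$'
# Test-BackupIntegrity -BackupDir $copy
```

The integrity check only proves the copy matches what was read; the changed-file ratio is what catches a source that was already encrypted when the backup ran. Schedule Test-BackupIntegrity against the offsite copy as its own job, from a host that is not the one taking the backup, and periodically restore a sample into an isolated system so the restore procedure itself has been exercised before an incident.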
Re: Re: NEVER pay a ransom
I place the most blame on email systems which permit links to be "followed." Yes there are also attachments to blame, but links are, I believe, the primary route for infecting computers; there should be a policy switch for turning that *OFF* across all mail readers.
Re: Re: Re: NEVER pay a ransom
Management typically views backups as an utter and complete waste of money. After all, the system never got trashed before, so obviously it will never happen in the future. Shouldn't you be doing something constructive?
"Uptime is like air. Nobody notices until it's gone."
Re: NEVER pay a ransom
Have we seen any evidence of this? People are always attributing attacks like these to malice, but it doesn't seem true. We've seen curious hackers, undirected or badly-programmed worms, and profit-motivated criminals. But actual malice seems rare; it's happened, but normally against individuals or political targets, not hospitals.
Maybe because it is real and doesn't have enough doom and conspiracy flavouring? Or the right sort? I just don't understand why people prefer to react to imaginary threats instead of real ones. Even when it is malware and criminal hacking, they have all sorts of weird ideas and fears, but you can't get them to change behavior or harden their devices against real problems.
Re:
HIPAA was a deadline and healthcare industries scrambled and fought to be ready when it went into effect.
HHS (or whomever is in charge of hospital regs) needs to define repercussions for hospitals not taking security (and backups) seriously. Not sure what the effect will be with the new administration, but it is certainly something that needs to get done *now*.
"But our vendors and their equipment must be able to communicate at will, in order to provide the highest possible standards of service!"
"What do you mean, a five-user pack of Norton Antivirus won't cover the entire hospital?!"
"Senior management gets annoyed with passwords, so we don't use them, except with equipment that requires one, in which case it is '1-2-3-4-5'."
Well, what do you expect?
The system is innately broken as it encourages this kind of thing. It's everyone against everyone else, so again, why would anyone be surprised? Only by switching to a cooperation based social system where people have their needs met as a matter of course will we finally design crime away.
That said, malware can be mitigated almost entirely. Just disable all Office documents that have unsigned macros, make it impossible for the mail app to open executables and disable Windows Script Host on the computer and you're malware-proofed. If hospitals can't manage to do these things, they have incompetent admins or more likely highly incompetent leadership.
And any equipment manufacturer who has a system that can be infected with malware should be sued into oblivion for failing to create a safe device.
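The three controls in the comment above (unsigned Office macros blocked, script and executable attachments blocked in the mail client, Windows Script Host disabled) all map to registry-backed policy settings on a Windows endpoint. The script below is an added example, not the commenter's code or anything from the article: it audits those settings and, with -Enforce, applies them. It assumes Office 2016 or later (registry version path "16.0"), Outlook as the mail client, and that the account running it can write HKLM for the Windows Script Host setting; the list of attachment extensions added to Outlook's blocked (Level 1) set is a hypothetical choice.

```powershell
# Added example, not from the original comment or article.
# Assumptions: Office 16.0 (2016/2019/365), Outlook as mail client, local admin for -Enforce.
param([switch]$Enforce)

$officeVersion = '16.0'                  # assumption: 15.0 for Office 2013
$officeApps    = 'Word', 'Excel', 'PowerPoint'

# Each control: registry path, value name, expected value, registry type, and what it enforces.
$controls = @()
foreach ($app in $officeApps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    # VBAWarnings 3 = "Disable all macros except digitally signed macros"
    $controls += [pscustomobject]@{
        Path = $sec; Name = 'VBAWarnings'; Expected = 3; Type = 'DWord'
        Why  = "$app: only signed macros may run"
    }
    # Block macros in files carrying the Mark-of-the-Web (downloads, mail attachments)
    $controls += [pscustomobject]@{
        Path = $sec; Name = 'blockcontentexecutionfromInternet'; Expected = 1; Type = 'DWord'
        Why  = "$app: block macros in Internet-sourced files"
    }
}
# Outlook: extend the built-in Level 1 (blocked) attachment list with script types that
# are not blocked by default. Extension list is a hypothetical choice.
$controls += [pscustomobject]@{
    Path = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Outlook\Security"
    Name = 'Level1Add'; Expected = '.js;.jse;.vbs;.vbe;.wsf;.hta;.scr'; Type = 'String'
    Why  = 'Outlook: block script attachments'
}
# Windows Script Host off machine-wide: .js/.vbs droppers cannot run via wscript/cscript.
$controls += [pscustomobject]@{
    Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    Name = 'Enabled'; Expected = 0; Type = 'DWord'
    Why  = 'Windows Script Host disabled'
}

function Get-ControlState {
    param($Control)
    $actual = (Get-ItemProperty -Path $Control.Path -Name $Control.Name `
               -ErrorAction SilentlyContinue).($Control.Name)
    [pscustomobject]@{
        Control  = $Control.Why
        Expected = $Control.Expected
        Actual   = $actual
        Ok       = ($null -ne $actual) -and ("$actual" -eq "$($Control.Expected)")
    }
}

function Set-Control {
    param($Control)
    if (-not (Test-Path $Control.Path)) { New-Item -Path $Control.Path -Force | Out-Null }
    New-ItemProperty -Path $Control.Path -Name $Control.Name -Value $Control.Expected `
                     -PropertyType $Control.Type -Force | Out-Null
}

$results = foreach ($c in $controls) {
    if ($Enforce) { Set-Control $c }
    Get-ControlState $c
}
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'One or more controls are not in place.'
    exit 1
}
```

Run without -Enforce to audit, and read the HKCU settings in the context of the user whose mailbox is at risk, since user policy keys are per profile. In production these settings are pushed by Group Policy or an MDM rather than by a script on each machine; the script is useful as the check that the policy actually landed. Disabling Windows Script Host also stops legitimate logon scripts written in VBScript or JScript, so test on a pilot group first, and treat these settings as reducing the common e-mail delivery paths rather than as "malware-proofing" a host: exploit documents, links to credential-phishing pages and lateral movement over SMB are untouched by them.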
ONUS Hospitals
Nice Article,
Thank You for your valuable word..
This article is very helpful, as well as if you want more information about ORTHOPEDIC Please click here
https://onushospitals.com