Hospitals Now Seeing 20 Ransomware Attacks Per Day On IT Infrastructure

from the delayed-lobotomy dept

Thu, Nov 10th 2016 6:22am — Karl Bode

We've talked a lot about how while the lack of security in Internet of Things devices was kind of funny at first, it quickly became less funny as the dramatic scope of the problem began to reveal itself. Whether it's cars being taken over from an IP address up to ten miles away, to the rise in massive new DDoS attacks fueled by your not-so-smart home appliances, folks like security expert Bruce Schneier have made it abundantly clear the check is coming due.

That's particularly true in the healthcare field, where hackable pacemakers and ransomware-infected hospital equipment is becoming the norm. In fact, hospitals in England recently had to cancel hundreds of surgeries in order to "isolate and destroy" a virus that was running amok across the hospital's IT systems:

"We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," the NHS wrote on its website. "All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions."

In the kind of transparency that often is the hallmark of these kinds of attacks, the hospital in question (the National Health Service's Northern Lincolnshire and Goole Foundation Trust in the UK) couldn't be bothered to explain the precise nature of the attack. But security expert Brian Krebs notes it's likely part of the growing trend of ransomware attacks on hospitals that cripple administrative and surgical systems until the hospital is willing to pay a bitcoin ransom:

"Earlier this year, experts began noticing that cybercriminals were using ransomware to target hospitals — organizations that are heavily reliant on instant access to patient records. In March 2016, Henderson, Ky.-based Methodist Hospital shut down its computer systems after an infection from the Locky strain of ransomware. Just weeks before that attack, a California hospital that was similarly besieged with ransomware paid a $17,000 ransom to get its files back.

According to a recent report by Intel Security, the healthcare sector is experiencing over 20 data loss incidents per day related to ransomware attacks. The company said it identified almost $100,000 in payments from hospital ransomware victims to specific bitcoin accounts so far in 2016.

Twenty data loss incidents...per day, many of which aren't disclosed and have an exponential impact on human lives and privacy. Ultimately, as other researchers have noted, it's inevitable that as not-particularly-smart devices gain market share around the world, we'll begin to see more and more attacks on vital infrastructure. Another reason why before we get busy offensively waging the cyber, we need to make damn sure existing infrastructure is protected.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: attacks, cybersecurity, hospitals, iot, ransomware

19 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 10 Nov 2016 @ 6:31am

Thank you bill gates. No wonder Microsoft prohibits use of Windows in their own offices.
[ link to this | view in chronology ]
- Anonymous Coward, 10 Nov 2016 @ 7:03am
  
  Re:
  Look, I work in IT and no doubt Microslop has it's fair share of issues but this is hardly Microslops fault.
  
  This is a shared issue between all IT professional. In any given enterprise there is maybe one or two people that actually give a flying fuck about real security. Everyone else, including the 'Security/Compliance Department', really does not give a damn or does but lacks the fundamental expertise on how to address it. More than 1/2 of all Enterprises FUNDAMENTALLY do not understand security.
  
  The mantra is get the product out, up and running with the bare minimum amount of resources and time necessary to get it functional with a BIG sale hopefully at the end. Just about any security that is tacked on is usually an after thought.
  
  I have yet to see a single product, other than a couple I have designed that started with Security being the first or near the first part of the program.
  [ link to this | view in chronology ]
  - orbitalinsertion (profile), 10 Nov 2016 @ 7:22am
    
    Re: Re:
    It's also true that MS does not warrant their products to be used in any critical systems. So networking Windows and critical infrastructure together is against MS advice, and also stupid. Just like connecting critical infrastructure, including SCADA systems, to the internet.
    
    What is even more hilarious is that hospitals being insecure is surely a HIPAA violation. Never mind a threat to the lives and welfare of patients. And as hospitals are generally now parts of mega-system healthcare, it should be easy to hold corporate central accountable.
    
    Well i guess it is easier to make sure our armed forces can malware-attack other countries. That will help, i am sure.
    [ link to this | view in chronology ]
    - Anonymous Coward, 10 Nov 2016 @ 7:36am
      
      Re: Re: Re:
      Did at stint in a Energy company too... SCADA systems have no security. It truly is shocking what can easily be done if someone with the knowledge suddenly became nasty minded.
      
      Most healthcare places break HIPAA all the time. Unless you have a closet where you can discuss things with your DR, Pharmacist, or their assistants just a little bit of eavesdropping can take you far. Just walking by most desks with a hidden high quality camera with everything just sitting out in the open is pretty bad.
      
      Society is really just a hapless and lazy group of nubs that are too lazy to give it any serious consideration. For every numb nut that says, no one is going to waste time with that there are 10 people wasting their time with that!
      [ link to this | view in chronology ]
  - Anonymous Coward, 10 Nov 2016 @ 12:52pm
    
    Re: Re:
    
    Everyone else, including the 'Security/Compliance Department', really does not give a damn or does but lacks the fundamental expertise
    
    "Compliance" tells you all you need to know. They might verify that their system configurations comply with internal policies and mandates from government/insurers, and maybe that the policies correspond to "industry best practices". But "best practices" are generally awful, and nobody's checking whether the policy-compliant systems are actually secure. Lots of large organizations have a single password/key that would give you full access to everything in the company, for example. A single point of failure is risky: even if it's well-protected and the policy says it's fine, it's a huge target and often not a necessary risk.
    [ link to this | view in chronology ]
- Anonymous Coward, 10 Nov 2016 @ 7:29am
  
  Re:
  Are we really still blaming Bill Gates for stuff that has to do with Microsoft?
  
  Thanks, Steve Jobs, for yet more adapters on the new MacBooks.
  [ link to this | view in chronology ]
  - orbitalinsertion (profile), 10 Nov 2016 @ 9:08am
    
    Re: Re:
    Well, Gates really set a culture that hasn't changed much, and set the foundations of an OS that really hasn't changed much either. But yeah i am not sure why Gates is still invoked. Or Monkey-Boy Ballmer for that matter. Particularly in situations where a general-purpose OS shouldn't be in use anyway.
    [ link to this | view in chronology ]
Anonymous Coward, 10 Nov 2016 @ 7:00am

NEVER pay a ransom
Ransomware attacks would largely disappear over night if the idiots stopped paying the ransom in the first place. People wouldn't be building ransomware if some idiots weren't paying them for doing it and infecting their systems.

Sure some would still try to infect hospitals just to be malicious, and they'd still need to invest a bunch in securing their systems, but the numbers of attacks would definitely drop.
[ link to this | view in chronology ]
- Anonymous Coward, 10 Nov 2016 @ 7:36am
  
  Re: NEVER pay a ransom
  "Never pay a ransom" is easy to say but the alternative is to lose all your patient records and allow your business to fold due to your entire IT system collapsing, leaving (potentially) hundreds of hospital workers jobless and (potentially) thousands of patients without healthcare.
  
  Sure, in such a situation you should've had an offsite backup and some kind of real-time caching, but nobody actually implements that (though they should).
  [ link to this | view in chronology ]
  - Ben (profile), 10 Nov 2016 @ 8:08am
    
    Re: Re: NEVER pay a ransom
    If you are running a hospital/enterprise computer system, you *are* doing backups. You are doing daily/weekly/monthly rotation backups. You should *not* be losing more than a single day's data should the worst happen. A large hospital/enterprise system would also have in place disaster management plans even in the case of when the worst does happen.
    
    I place the most blame on email systems which permit links to be "followed." Yes there are also attachments to blame, but links are, I believe, the primary route for infecting computers; there should be a policy switch for turning that *OFF* across all mail readers.
    [ link to this | view in chronology ]
    - TRX (profile), 10 Nov 2016 @ 8:10am
      
      Re: Re: Re: NEVER pay a ransom
      Been there, done that,
      
      Management typically views backups as an utter and complete waste of money. After all, the system never got trashed before, so obviously it will never happen in the future. Shouldn't you be doing something constructive?
      
      "Uptime is like air. Nobody notices until it's gone."
      [ link to this | view in chronology ]
      - orbitalinsertion (profile), 10 Nov 2016 @ 9:10am
        
        Re: Re: Re: Re: NEVER pay a ransom
        Or, the system has only been trashed five times before. Whatever. Won't happen again. But if it does, it's just the cost of business and i can blame someone else or hide the fact that it happened.
        [ link to this | view in chronology ]
- Anonymous Coward, 10 Nov 2016 @ 12:45pm
  
  Re: NEVER pay a ransom
  
  Sure some would still try to infect hospitals just to be malicious
  
  Have we seen any evidence of this? People are always attributing attacks like these to malice, but it doesn't seem true. We've seen curious hackers, undirected or badly-programmed worms, and profit-motivated criminals. But actual malice seems rare; it's happened, but normally against individuals or political targets, not hospitals.
  [ link to this | view in chronology ]
orbitalinsertion (profile), 10 Nov 2016 @ 7:15am

It's kind of funny how everything in hospitals had to be "Y2K Compliant" and what a big deal people made over it in general, but since the rise of serious criminal malware markets people really don't seem to get any of it or give a hoot. And that is nothing new, but the seriousness of it with the spread of IoT and generically networking lots of devices that have been around for ages without such... still seems to go rather more unnoticed.

Maybe because it is real and doesn't have enough doom and conspiracy flavouring? Or the right sort? I just don't understand why people prefer to react to imaginary threats instead of real ones. Even when it is malware and criminal hacking, they have all sorts of weird ideas and fears, but you can't get them to change behavior or harden their devices against real problems.
[ link to this | view in chronology ]
- Ben (profile), 10 Nov 2016 @ 11:41am
  
  Re:
  Y2K was a deadline and people really behave differently when there are deadlines (just ask a student!)
  
  HIPAA was a deadline and healthcare industries scrambled and fought to be ready when it went into effect.
  
  HHS (or whomever is in charge of hospital regs) needs to define repercussions for hospitals not taking security (and backups) seriously. Not sure what the effect will be with the new administration, but it is certainly something that needs to get done *now*.
  [ link to this | view in chronology ]
Anonymous Coward, 10 Nov 2016 @ 7:57am

They only care about their bottom line, this is simply the way a for profit industry works.
[ link to this | view in chronology ]
TRX (profile), 10 Nov 2016 @ 8:08am

"Don't be silly, your medical records are perfectly safe, and there's no way any outsider can get into any of our internet-connected medical equipment. Have you talked to your therapist about your paranoia?"

"But our vendors and their equipment must be able to communicate at will, in order to provide the highest possible standards of service!"

"What do you mean, a five-user pack of Norton Antivirus won't cover the entire hospital?!"

"Senior management gets annoyed with passwords, so we don't use them, except with equipment that requires one, in which case it is "1-2-3-4-5".
[ link to this | view in chronology ]
Frost (profile), 13 Nov 2016 @ 12:23pm

Well, what do you expect?
It's capitalism. One very successful way to get more money, which means you get more freedom also, is to steal it. You can extort people, rob people or defraud people - and these are all done because there is strong incentive to do so.

The system is innately broken as it encourages this kind of thing. It's everyone against everyone else, so again, why would anyone be surprised? Only by switching to a cooperation based social system where people have their needs met as a matter of course will we finally design crime away.

That said, malware can be mitigate almost entirely. Just disable all Office documents that have unsigned macros, make it impossible for the mail app to open executables and disable windows scripting host on the computer and you're malware proofed. If hospitals can't manage to do these things, they have incompetent admins or more likely highly incompetent leadership.

And any equipment manufacturer who has a system that can be infected with malware should be sued into oblivion for failing to create a safe device.
[ link to this | view in chronology ]
Saikiran (profile), 2 Oct 2019 @ 12:10am

ONUS Hospitals
Nice Article,
Thank You for your valuable word..
This article is very helpful, as well as if you want more information about ORTHOPEDIC Please click here
https://onushospitals.com
[ link to this | view in chronology ]