Biggest Ransomware Attack Yet Crippled U.S. Hospitals Last Weekend
from the maybe-TikTok-isn't-our-biggest-problem dept
We've talked a lot about how while the lack of security in Internet of Things devices was kind of funny at first, this kind of apathy towards privacy and security in everyday technology isn't a laughing matter. Whether it's cars being taken over from an IP address up to ten miles away, to the rise in massive new DDoS attacks fueled by your not-so-smart home appliances, security experts have spent the better part of the decade warning us the check for our apathy on this front is coming due. We've (and this includes government agencies) have spent just as long ignoring them.
That's particularly true in the healthcare field, where hackable pacemakers and ransomware-infected hospital equipment is becoming the norm. Earlier this month, a woman died in Germany after a ransomware attack on her hospital delayed life-saving treatment. Though she most certainly probably isn't, she's being declared the first person to be killed by the steady parade of such attacks that have plagued the medical sector for much of this decade.
Last weekend, Universal Health Services, with more than 400 locations in the United States, was hit by one of the biggest ransomware attacks in U.S. history. As a result, the hospital chain was forced to resort to using pens and paper to manage patients after their computer systems ground completely to a halt. Such attacks usually come on the weekend when the hospitals are short staffed, and the results usually aren't pretty:
"Two Universal Health Services nurses, who requested to not be named because they weren’t authorized by the company to speak with the media, said that the attack began over the weekend and had left medical staff to work with pen and paper.
One of the nurses, who works in a facility in North Dakota, said that computers slowed and then eventually simply would not turn on in the early hours of Sunday morning. “As of this a.m., all the computers are down completely,” the nurse said."
This is of course not a new problem. Massively profitable medical organizations routinely underfund their privacy and security IT infrastructure, and the government penalties have been negligible. As a result, for most of this decade security researchers like Brian Krebs have been noting that hospitals are hit with 20 ransomware attacks a day. And of course the problem isn't just in surgical tools and antiquated computer systems, it extends to high tech gear like pacemakers embedded with wireless connectivity, which result in the kind of hackable products make global covert wetwork operatives giddy.
Instead of government, private industry, advocates, and experts working in coalition to create meaningful standards for medical devices and internet of things devices, we instead enjoy wasting calories on tech policy games of Whac-A-Mole in which we freak out about the outrage du jour that may or may not warrant it (see: TikTok). This kind of incoherent, histrionic approach to internet security isn't, if you hadn't noticed, working out particularly well.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, ddos, hospitals, iot, ransomware, security
Companies: universal heath service
Reader Comments
Subscribe: RSS
View by: Time | Thread
I'd really like to know why in the hell their critical systems are connected to the internet... at all. First rule in managing systems with critical infrastructure: Air gap that shit.
Screw the scammers who pulled this stunt but, at the same time, kudos for shining a bright spotlight on these kinds of stupid problems plaguing industries everywhere, particularly ones like hospitals. Too bad no improvements will be made because there's no quarterly profit in it.
[ link to this | view in chronology ]
Re:
Although I've never worked in the sector, my understanding is that healthcare IT is a mess at the best of times. There's a bunch of bespoke systems that never get patched, a bunch of upgrades that can't be done because so much legacy equipment is needed, etc.
I'll be looking forward to a full post mortem breakdown on this, but my guess is that this will be some kind of receptionist / booking system that's left online to deal with email, etc., and something was not properly contained in a DMZ due to some obscure requirement with some legacy system.
"Too bad no improvements will be made because there's no quarterly profit in it."
Sadly, it takes incidents like this for action to be taken, because now some profits have been endangered. But, will it be a problem redesign of systems that prevent a similar incident, or just a patch to whatever backdoor was found on this particular occasion? Sadly, we can all guess which is more likely.
[ link to this | view in chronology ]
Re: Re:
Answer: None of the above!
It's more profitable to turn all of that crap into IoT shit. For everyone involved: the doctors, suppliers, insurances, etc. After all what better way to suck up data on someone for monetization than to tell them they'll die without it!
There is / was rules from the FDA about updating these things. Doing so would require re-certification in some circumstances. Even if that's no longer the case, there will still be plenty of risk adverse, or penny pinching, CEOs and board of directors that won't want to make the investment.
Updates take time, money, and training to roll out. Like anything else with IT, updates are serious business for enterprises. Many won't upgrade until they literally cannot use the old equipment any longer. Even when that happens, they will go out and buy the cheapest thing they can find, that requires the least amount of retraining to use as a replacement. It takes literal decades for non-essential things like security to make it's way into these markets.
Incidents like this won't change anything, which is why they keep happening. Get one of these incidents to bankrupt a company or two, and then maybe you'll see change. Otherwise the blackhats will keep grabbing what they can on the installment plan.
[ link to this | view in chronology ]
Re: Re: Re:
"It's more profitable to turn all of that crap into IoT shit"
No, it's really not at an enterprise level.
"Updates take time, money, and training to roll out"
...but not as much time or money as regular outages due to poor security that leaves the system unable to operate at all.
"Even when that happens, they will go out and buy the cheapest thing they can find, that requires the least amount of retraining to use as a replacement"
You appear to be thinking of consumer items, not enterprise level networks. You need to adjust your thinking to the subject at hand, perhaps?
"Society in-general doesn't care."
They do when their healthcare is shut down.
"Incidents like this won't change anything, which is why they keep happening"
They don't change anything with general public perception. They sure as hell do for the company that's been affected, and for any competitors that actually take note.
[ link to this | view in chronology ]
Re:
It's the same crap we asked 25 years ago about SCADA systems. But everyone keeps doing it, and then complaining about how dangerous the net is at the same time.
[ link to this | view in chronology ]
Re:
The first step to heroically defeating a cyber-attack at the very last second before countless lives are lost to it is to connect the critical system(s) to the internet.
Simply skipping step one would eliminate the core plot of dozens of Hollywood movies.
Unfortunately, far too many corporate executives and government officials seem to use Hollywood movies as their guide to how technology should be implemented.
[ link to this | view in chronology ]
In the US, there is a Federal mandate to move medical records to electronic format. Some of the requirements of that mandate including the ability to easily transfer patient records between providers, pretty well requires Internet access. Things like HIPPA mandate patient privacy but allow disturbing bypasses. Add in the growing tendency of developers to link to third party scripts/libraries to do important processing without checking what that code really does. Don't forget the whole 'Patient is the marketable data product' thing as well. This is going to get far worse before it gets better.
[ link to this | view in chronology ]
Re:
No, it doesn't. You use a secure network to interconnect facilities which have to exchange information. That network should in no instance be reachable from the internet and vice versa. It's not rocket science, but some companies prioritize short-term gains over long-term risk associated with not securing their communications because it costs money.
There's experience to draw from how to achieve this, just look at how financial systems can communicate securely for example.
[ link to this | view in chronology ]
Re: Re:
Medical records don't run the in-room monitors and administrative or medical hardware systems. So yeah, you are absolutely correct.
[ link to this | view in chronology ]
Making money out of misery
You said: "Massively profitable medical organizations routinely underfund their privacy and security IT infrastructure"
Close, but I think we can broaden that to: Massively profitable medical organizations routinely underfund anything important to actual "healthcare", as profits come before all else.
I am ashamed to say I have worked in Healthcare IT, and I was shocked at the inadequate security reviews (threat analysis) of 3rd party software systems. The "epic fails" (pun intended) are a consequence. There is a lack of strong common standards, due to the fragmentation within the industry, so it is all too easy for weaknesses to be engineered in, and there is an almost complete lack of accountability when the fails occur, as they almost inevitably do.
[ link to this | view in chronology ]
Re: Making money out of misery
This is equally true in the "non-profit" healthcare systems as well.
[ link to this | view in chronology ]
Lets not forget the other villains in this mess - Doctors
So far all the angst has been over "medical corporations". Certainly extremist corporate profit is worthy of attention.
However, the last d*mn doctor I consulted explicitly handed my personal medical history to Google. When I said something, I was given the finger.
Moreover, remember many of these "medical corporations" are not huge Google-like Wall Street firms. May are a (IMHO) conspiracies of doctors and lawyers hiding behind a corporate wall, scheming to use health care information for profit. Don't believe me then RTFM, read the documents they give you to sign particularly the ownership docs, I have. Apparently this Federal mandate is being used as the excuse to create these crony medi-legal corporations and they profit by selling health care data.
Currently there appears to be a large propaganda campaign to thank these scum for their efforts in Covid-19. Bosh. Don't you remember the beginning, where only the health care types had access to sanitizers, NIOSH N19 masks and so on. The medical scum were the first to be protected and the rest of us were just out of luck.
This cheapo IT is just more of the same. Doctors, lawyers and corporations (and government officials) put themselves first. The only health care that they concern themselves with is the health of their executive lifestyle.
D*mn the doctors and all the rest of the health care field.
For the record, my experience is that Nurses are as bad. The only civilized people I've met in the health care field are people like the janitors.
[ link to this | view in chronology ]
Re: Lets not forget the other villains in this mess - Doctors
"However, the last d*mn doctor I consulted explicitly handed my personal medical history to Google"
That's a completely different subject.
In your case, a doctor apparently handed your medical data over to someone, which is certainly a breach of standards (and would presumably be an easy lawsuit to win if you have proof). This is a question between you, your doctor and your lawyer.
The case in hand here has absolutely nothing to do with doctors. In fact, even if a doctor was able to get their network infected by ransomware, the immediate question would be why the hell a doctor's login had high enough access rights to bringdown the entire network. Even if a doctor was at fault for the initial breach, it was someone else's responsibility to prevent this kind of damage.
"The medical scum were the first to be protected and the rest of us were just out of luck."
The "medical scum" spend 12+ hours per day surrounded by sick people, and so need more protection than the idiot who just built themselves a fort out of toilet paper. If you struggled to get hand sanitiser, blame the guy who was buying and reselling it at a 1500% markup, not the hospital who still needed to make sure emergency rooms were sanitised.
"Doctors, lawyers and corporations (and government officials) put themselves first"
A very good argument for the US to join the civilised world and have a system that puts healthcare instead of profits first. There's no incentive to sell customer data for profit if nobody's making profit from the data...
"The only civilized people I've met in the health care field are people like the janitors."
Yet, I bet you run to them as soon as you need medical attention...
[ link to this | view in chronology ]
Re: Re: Lets not forget the other villains in this mess - Doctor
The "medical scum" spend 12+ hours per day surrounded by sick people, and so need more protection than the idiot who just built themselves a fort out of toilet paper.
One of the huge reasons for that is so they don't make other people sick. i.e., they are thinking of an anonymous coward's welfare. This is what the purpose of medical masks and sanitizing has always been.
There are tons of reasonable complaints about any aspect of medicine (i have truckloads), but the self-described conspiracy story above doesn't have much to recommend it.
[ link to this | view in chronology ]
Pacemaker
I have a pacemaker and this worries the crap out of me. It connects to a device beside my bed that sends my results to the doctor. They tell me the pacemaker is protected from hacking but I still worry. When I go in for a checkup, they can access the pacemaker remotely and speed up or slow down my heart. That is scary!
[ link to this | view in chronology ]
The fact that I have always taken a proactive approach to my health is a hallmark of my approach, and I haven't looked back since I began doing so many years ago. Whenever I have a reasonable suspicion that anything is amiss with my health, I immediately seek medical attention from a certified physician. I have had a single doctor for many years who has satisfied all of my medical requirements; unfortunately, he has just finished his medical studies and is no longer available to offer me with medical treatment. In order to get better outcomes, I wanted to find a new clinic as well as a medical practitioner who was more qualified. Following a search on the internet, I discovered the website https://bookinghealth.com/blog/diagnoses-and-treatment/diagnosis-and-treatment/695322-why-is-vaccina tion-against-covid-19-in-germany-so-popular-among-people-around-the-world.html , which provided me with a list of clinics that were both convenient for me and had access to the highest level of medical expertise available at the time I needed it. The Bookinghealth team was really helpful and gracious in guiding me in selecting the most skilled and appropriate doctor for my specific situation. I appreciate everything they did for me. I am really appreciative for their assistance. For everything they've achieved, I'm quite appreciative.
[ link to this | view in chronology ]