Slashdot Mirror

← Back to Stories (view on slashdot.org)

Healthcare Organizations Under Siege From Cyberattacks, Study Says

Posted by Soulskill on from the it's-hip-to-ignore-hippa dept.

BigVig209 sends this report from the Chicago Tribune: "A new study set to be officially released Wednesday found that networks and Internet-connected devices in places such as hospitals, insurance companies and pharmaceutical companies are under siege and in many cases have been infiltrated without their knowledge. ... In the report, the groups found from September 2012 to October 2013 that 375 healthcare organizations in the U.S. had been compromised, and in many cases are still compromised because they have not yet detected the attacks. ... 'What's concerning to us is the sheer lack of basic blocking and tackling within these organizations,' said Sam Glines, chief executive of Norse. 'Firewalls were on default settings. They used very simple passwords for devices. In some cases, an organization used the same password for everything.'"

40 of 61 comments (clear)

  1. So much for HIPAA... by Buck+Feta · · Score: 2

    Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.

    --
    I am Audience.
    1. Re:So much for HIPAA... by Opportunist · · Score: 4, Insightful

      The problem is, comply with WHAT? Have you ever read the various "standard compliance requirements"? They're usually worded in a way that leaves holes big enough to move planets through. You'll find a lot of talk about "reasonable" and "adequate" security without any kind of definition whatsoever what these words would mean.

      You will NEVER EVER find something that they could be pinned with, like "leave no default passwords" or "no guest accounts" or even "stateful firewall with [[list of features]]". Never. No chance.

      Of course it's a consultant's dream because no matter what you sell, you're complying. And it's of course no problem for the customer in question to be compliant to rules like that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:So much for HIPAA... by jythie · · Score: 1

      There is where having a department doing auditing and certification would do the trick. I know people bristle at the idea of centralized bureaucracies , but this is a time where having some group (like CERT) in charge of training auditors and preforming the certifications.

      Years ago when I worked in a lab that needed to be HIPAA certified, our upstream contractor (a hospital) had people who`s job it was to make sure our setup meet the needs otherwise we would not get the data, and yep, we met them. I could see this basic pattern scaling up.

    3. Re:So much for HIPAA... by rhsanborn · · Score: 4, Informative

      Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.

      That's not the case at all. HIPAA makes a distinction between covered entities (usually hospitals, doctors, insurance companies), business associates (people providing services for covered entities such as medical coding, transcription, IT services, etc.) that require access to protected health information, and everyone else who isn't allowed to access protected health information. If a covered entity loses or discloses protected health information, or is breached, that entity is responsible for fines under HIPAA, which are being levied regularly. e.g. http://www.healthcareitnews.co...

    4. Re:So much for HIPAA... by jbmartin6 · · Score: 1

      "Regularly" is vague. HIPAA was passed in what, 1996? The first fines weren't levied until after 2010. So I think the parent's point is still valid, the act was pretty toothless as far as consequences for quite some time. The ratio of incidents to fines is still very heavily in favor of the careless. If you had a choice between paying $2 million in security or a remote chance of a $1 million fine, which would you take?

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    5. Re:So much for HIPAA... by Medievalist · · Score: 2

      No threat of punishment == no compliance.

      Don't worry, there's no lack of authoritarian punishment built into the system.

      But you know, if merely punishing people stopped them from complying with rules we'd be living in paradise. Our punishment-oriented culture serves to gratify the sadism of our rulers, and doesn't really do much to prevent crime. In real life the most effective way to prevent crime is to ensure the availability of rewarding work... and hospital paperwork, I have to tell you, is the opposite of rewarding labor.

    6. Re:So much for HIPAA... by hawkinspeter · · Score: 1

      If you're going to be so uppity about someone's mistake, then at least spell "embarrased" correctly (and put a hyphen in "semi-literate"). I appreciate the attempt to improve people's writing skills, but you're doing it in a way that makes you look like an arse.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  2. One password. by Savage-Rabbit · · Score: 1

    In some cases, an organization used the same password for everything.'"

    That's not negligence, it's just the Navy keeping up with the times and implementing Single-Sign-On.

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
    1. Re:One password. by oodaloop · · Score: 1

      Glad to see you're keeping up with the times, being that this article is about healthcare and not the Navy.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:One password. by cold+fjord · · Score: 1

      The Slashdot editors exploited their superior agility and got inside his posting decision cycle. His defeat is now assured.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    3. Re:One password. by oodaloop · · Score: 1

      and got inside his posting decision cycle

      You mean his OODALOOP?????

      Ha Ha Ha Ha!!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  3. Why is C# .Net used for medical devices? by IgnorantMotherFucker · · Score: 2

    Recall that at least the original license agreement for Sun Java specified that it must not be used to operate nuclear power plants. That got a lot of ridicule but was arguably a good idea.

    From time to time I see posts for medical device coding jobs on craigslist and the like. Quite commonly they require one to have experience with C# .Net.

    That doesn't make a whole lot of sense to me. Heart disease runs in my family. If I get a pacemaker, is it going to be running Microsoft Windows?

    --
    Please mail me URLs of software employers.
    1. Re:Why is C# .Net used for medical devices? by gl4ss · · Score: 1

      no but the ui is going to be written in c#.

      (...so that it'll be deprecated in a few years)

      --
      world was created 5 seconds before this post as it is.
    2. Re:Why is C# .Net used for medical devices? by Chewbacon · · Score: 3

      Rapid application development perhaps. Hospitals are trying to get these systems up and running for the sake of cash deposits and reimbursement from Uncle Sam and every company who can write software, good or bad, wants a piece of it. And yeah, it may run on windows. One of the fluoroscopes in my lab runs Win2K.

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    3. Re:Why is C# .Net used for medical devices? by melikamp · · Score: 1

      From time to time I see posts for medical device coding jobs on craigslist and the like. Quite commonly they require one to have experience with C# .Net. That doesn't make a whole lot of sense to me. Heart disease runs in my family. If I get a pacemaker, is it going to be running Microsoft Windows?

      This is yet another symptom of a very common disease: enter computers, and all of the sudden medical professionals simply ignore patient privacy and security. May be it's for the lack of understanding on the part of individual doctors, but then where are their governing bodies looking? They are selling us out. They must be corrupt three times over.

      Last time I went to a doctor for a regular checkup, I almost asked her: are my responses private? [Yes, I assume] Then why the bloody hell are you typing them into a Windoze? You are sharing them with Microsoft and its affiliates as you are typing them in front of me, so where do they go when I am not looking? I didn't confront her, though, opting instead to be very discrete about my medical condition.

    4. Re:Why is C# .Net used for medical devices? by jythie · · Score: 2

      "Medical devices" covers a lot of area. I suspect things like pace makers are developed using some RTOS while desktop apps designed to connect to devices are written in some commonly used language like C# or Java.

      Though there is probably a lot of pressure due to what kinds of programmers they can find. One thing that pushed LISP out of certain industries, even when it worked really well for individual companies, was difficulty finding experienced programmers.

      Medical devices should probably be programmed using something like Ada, but finding developers for it is getting harder and harder.

    5. Re:Why is C# .Net used for medical devices? by jellomizer · · Score: 1

      Why use C#? Well it is actually rather simple. In many areas they are easier to find developers, then with Java or C.
      Microsoft Products don't suck as much as Slashdot makes them out for. Windows 2000 onward have been very stable, and for the past decade I have seen more Linux Kernel Crashes than Blue Screens of Death. Making your product in C# vs Java isn't that big of a deal, the real issue that I find, is that you are Stuck on Windows, and that sucks because you may want to be flexible with your next upgrade, and at least be able to stick it to Microsoft the next time you renegotiate your licences. (Well all our key apps are Java, if you don't lower your license rate by 20% then we figure it will be cheaper to migrate it all to Linux)

      Healthcare has this other problem. It has been 10 years behind the rest of the technology. You go events pushing state of the art healthcare technology and you see it is stuff that other industries have been using for year. Right now their big push is adding Business Intelligence to their software.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:Why is C# .Net used for medical devices? by maple_shaft · · Score: 1

      Right now their big push is adding Business Intelligence to their software.

      If you ask any IT upper manager or executive in a US health system what Business Intelligence is then if they can give you any answer at all it is some recited drivel fed them by the plethora of vendors selling snake oil at the last HIMS conference.

      Having nearly a decade of experience working as a software engineer for healthcare ISV's and healthcare systems, I have earned a bit of a perspective to why healthcare IT struggles behind nearly every other industry. To understand why things are dysfunctional and why such organizations are teeming with incompetence you need a bit of history into how many of these healthcare systems came to be.

      These large non-profit organizations didn't spring up overnight, they usually started as a loose agreement between a university medical school in need of bright medical professionals for research and teaching, and a number of different hospitals that always have a need for top medical talent. These resulted in a loose confederation of hospitals. When healthcare became big business then the ranks of many of these healthsystems started to be run by MBA's and other executives with more of a business background. At this point things began to be more centralized and federated by consolidating all of the IT resources in the different facilities into one place. Many of these people though used to be nurses or were self educated kids who really knew nothing about IT outside of installing software on a doctors workstation in a small community hospital. Through tenure many of these people rose through the ranks and became the very managers and executives that run many of these healthsystems today.

      So now we have a world today where non-profit health systems reaping MASSIVE profits and having MASSIVE budgets need reasons and excuses to spend so much of their money or else they risk losing their non-profit status. Incompetent management that is in over their head, highly political system of rank and advancement, duct-taped together legacy systems from a number of different hospitals with medical records, money-hungry vendors cashing in on easy sales for "Business Intelligence" and "Analytics" software packages that either don't work or aren't needed, and grueling death march projects that at times seem like a government jobs program with no other reason to exist than to spend money because the board of trustees in these health systems can only take so much of the profits.

      This is all really a massive bubble propped up by massive amounts of money that must be spent, run by people who don't know what they are doing.

    7. Re:Why is C# .Net used for medical devices? by Anonymous Coward · · Score: 1

      You are sharing them with Microsoft and its affiliates as you are typing them

      This is called "paranoia". It's a medical condition.

      opting instead to be very discrete about my medical condition

      So you won't tell your doctor about your paranoia, but you'll tell a random group of people on Slashdot?

      Face it, you're squarely in "wingnut" territory. Microsoft does not keep copies of your data unless you send it to one of their services. They don't care that you're paranoid because it doesn't make them any money. They also don't care about anything else you do or don't do. Nobody is paying attention to you or "spying" on you. You're not that important. Nothing about you is valuable to them. At a certain point, continued paranoid behavior crosses into the realm of narcissism. At that point, everyone laughs at you, not just near you.

    8. Re:Why is C# .Net used for medical devices? by ljw1004 · · Score: 1

      C#' is an ISO standard that runs (great) on ios, android, desktop Linux, netduino, as well as windows

    9. Re:Why is C# .Net used for medical devices? by flyingfsck · · Score: 1

      Hell, an RTOS in a pacemaker makes me shudder. The first pacemaker used a single transistor.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  4. Re:Bad news by Opportunist · · Score: 4, Funny

    BSOD just got a very new meaning.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:Where's me beta? by Cenan · · Score: 1

    Stop posting AC timothy

    --
    ... whatever ...
  6. Firewall it. by Karmashock · · Score: 2

    By which I do not mean putting some off the shelf software or hardware between your network and the federal ACA system. Rather, have an isolated system distinct from the rest of your network which interacts with the ACA. Give that system no access to the rest of your network or vice versa except through very tightly controlled protocols. Effectively, assume that machine is compromised or at least in extreme danger of being compromised.

    Then carry on. Worst case, that isolated system will be infiltrated. But since the Federal ACA system is compromised that's nothing special. Your internal network will remain safe from that vector and you can continue to comply with this federal boondoggle.

    Government... we only take them seriously because they threaten to shoot us. No really. Absent threats of violence who would be complying with the ACA at this point? No one. That's all that keeps this bullshit going.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  7. Simple solution by Anonymous Coward · · Score: 2, Insightful

    We need a law (or laws) that place very painful penalties on any business or organization that suffers a data breach through their own negligence.

    The right wingers who run a lot of these businesses just love to talk about the magical results we can get by relying on the free market. Well, let's see them put their money where their mouth is. Currently, they can be sloppy with their IT practices and pay virtually no price even when something goes wrong that causes considerable pain to their customers/users and society at large. It's a classic externalized cost. Internalize it via triple-damages penalties or something similar, and I guarantee that their IT practices will improve dramatically in a matter of weeks.

    1. Re:Simple solution by jythie · · Score: 1

      the problem is, within that philosophical system (I can not call it economic, that set of economic theories were debunked decades ago) the customers would be the ones to punish the company by going somewhere else and there are no "external costs", the only thing that matters is what on their side of the interface and everything outside that the market magically fixes.

    2. Re:Simple solution by rhsanborn · · Score: 1

      There is a law, it's called HIPAA. Healthcare organizations are very cognizant of HIPAA and do work to avoid breaches of healthcare data. The Department of Health and Human Services does hand out significant fines for breaches. http://www.hhs.gov/ocr/privacy... Additionally, for large breaches, healthcare organizations are required to notify prominent news media, which arguably has a larger financial impact than the fines themselves.

    3. Re:Simple solution by maple_shaft · · Score: 1

      That doesn't work in many areas where many of these healthcare systems have a practical monopoly in their respective regions. There is often no other choice for customers (Let it be known I find that term offensive, they are really patients). They really aren't broken up because they are also "non-profit" which is lately becoming an ethically dubious term for many health systems.

    4. Re:Simple solution by jythie · · Score: 1

      *nods* and even when there are choices in a particular region, often one's health coverage makes the choice for them, and forgoing one's employer provided health care and going to the individual market is often a bad economic choice for individuals or families. So the barrier to voting with one's dollars becomes very high.

  8. Not surprising by jbmartin6 · · Score: 1

    I've been there. The organizations just don't care, it is more important to keep doctors happy. There is very little appreciation for IT and its value. And since there are limited consequences for breaches, there is no motivation to change.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  9. We are constantly under attack by hsmith · · Score: 1

    We are a healthcare startup and we get the usual metasploit attacks, but more important we are phished like crazy.

    The information is valuable and because it is, healthcare firm staff will be easy pickings for being targets.

    They simply don't know what they are doing (for instance, there is a 90% chance your doctor is using SMS/MMS to communicate about patients)

  10. I'm guessing its insurance companies. by mark_reh · · Score: 1

    Who else would benefit from knowing your health info? Drug companies could spam you with ads, I suppose, but insurance companies have the most to gain by denying coverage to the "accident prone, chronically ill, and those who might inherit propensities for certain health problems. For health insurers, this has supposedly been fixed under Obamacare, but like taxes, there are many lawyers looking for loopholes and they will certainly find them. And what about life insurance? Those guys would love to have all your medical records...

    1. Re:I'm guessing its insurance companies. by CrimsonAvenger · · Score: 1

      but insurance companies have the most to gain by denying coverage to the "accident prone, chronically ill, and those who might inherit propensities for certain health problems.

      Which is illegal under the ACA, hence irrelevant.

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    2. Re:I'm guessing its insurance companies. by mark_reh · · Score: 1

      Right. And rich people pay income taxes like the rest of us, too.

  11. Re:Bad news by Chris+Mattern · · Score: 2

    Well, that gives a whole new meaning to Time To Live...

  12. Nothing to see here! by erroneus · · Score: 1

    This story doesn't indicate that this is largely the NSA collecting information in support of further executive adjustments to the Afraudable Care Act. This is just how they operate. "It's better to beg for forgiveness than to get permission or follow legislation. It's even better to deny that you did it than to beg for forgiveness." --Eric Holder

  13. Low-level DDOS by ahs_boy · · Score: 3, Interesting

    One of my clients is an umbrella organization for a few local community health centers, and there has been a steady stream of empty POST submissions to their website -- at the rate of about 2/second -- for about 4 straight months now. Virtually every hit is from a unique IP address, so the spoofing is either great, or the botnet is enormous. This is normally a VERY low-traffic site, so the attack constitutes about 99% of their traffic at this point.

    I'm assuming that the timing of the start of the attacks -- just as the Affordable Health Care Act came into effect -- is not a coincidence. It's a brain-dead attack, and easy to mitigate, but I'm a bit dumbfounded that it continues to this day, despite having no effect on the accessibility of their site at all.

  14. NSA by Lawrence_Bird · · Score: 1

    just wants to know which terrorists are going to the hospital and for what treatment. ordinary citizens have nothing to fear, it is only collecting meta-data about your bloodwork, x-rays, mri's......

  15. Sorry about the busted grammar by Medievalist · · Score: 1

    sed 's/complying with/breaking/' <previous post >coherent post

    That'll teach me to use preview mode... oh well, at least the link worked.

  16. Interesing, but I wonder..... by sgt_doom · · Score: 1

    An acquaintance of mine, several years back, worked at a medical coding company called Meddata (based out of Ohio, I believe, and owned by a private equity/leveraged buyout firm) which kept having computer problems, which their inept and incompetent IT sleazoids were unable to prevent. She monitored their systems inhouse, and ascertained that they were being hacked at mercilessly, within the USA region. It didn't take her long to figure it out: the executives there, from a previous company but now in top levels at Meddata, had screwed over numerous people at their previous company (there was, and may still be, a dedicated web site to the lawsuits against that outfit), and people were attempting revenge. Sometimes, it really is that simple.