Slashdot Mirror


Healthcare Organizations Under Siege From Cyberattacks, Study Says

BigVig209 sends this report from the Chicago Tribune: "A new study set to be officially released Wednesday found that networks and Internet-connected devices in places such as hospitals, insurance companies and pharmaceutical companies are under siege and in many cases have been infiltrated without their knowledge. ... In the report, the groups found from September 2012 to October 2013 that 375 healthcare organizations in the U.S. had been compromised, and in many cases are still compromised because they have not yet detected the attacks. ... 'What's concerning to us is the sheer lack of basic blocking and tackling within these organizations,' said Sam Glines, chief executive of Norse. 'Firewalls were on default settings. They used very simple passwords for devices. In some cases, an organization used the same password for everything.'"

12 of 61 comments

  1. So much for HIPAA... by Buck Feta · · Score: 2

    Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.

    --
    I am Audience.
    1. Re:So much for HIPAA... by Opportunist · · Score: 4, Insightful

      The problem is, comply with WHAT? Have you ever read the various "standard compliance requirements"? They're usually worded in a way that leaves holes big enough to move planets through. You'll find a lot of talk about "reasonable" and "adequate" security without any kind of definition whatsoever of what these words would mean.

      You will NEVER EVER find something that they could be pinned with, like "leave no default passwords" or "no guest accounts" or even "stateful firewall with [[list of features]]". Never. No chance.

      Of course it's a consultant's dream because no matter what you sell, you're complying. And it's of course no problem for the customer in question to be compliant to rules like that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:So much for HIPAA... by rhsanborn · · Score: 4, Informative

      Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.

      That's not the case at all. HIPAA makes a distinction between covered entities (usually hospitals, doctors, insurance companies), business associates (people providing services for covered entities such as medical coding, transcription, IT services, etc.) that require access to protected health information, and everyone else who isn't allowed to access protected health information. If a covered entity loses or discloses protected health information, or is breached, that entity is responsible for fines under HIPAA, which are being levied regularly. E.g. http://www.healthcareitnews.co...

    3. Re:So much for HIPAA... by Medievalist · · Score: 2

      No threat of punishment == no compliance.

      Don't worry, there's no lack of authoritarian punishment built into the system.

      But you know, if merely punishing people stopped them from complying with rules we'd be living in paradise. Our punishment-oriented culture serves to gratify the sadism of our rulers, and doesn't really do much to prevent crime. In real life the most effective way to prevent crime is to ensure the availability of rewarding work... and hospital paperwork, I have to tell you, is the opposite of rewarding labor.

  2. Why is C# .Net used for medical devices? by IgnorantMotherFucker · · Score: 2

    Recall that at least the original license agreement for Sun Java specified that it must not be used to operate nuclear power plants. That got a lot of ridicule but was arguably a good idea.

    From time to time I see posts for medical device coding jobs on craigslist and the like. Quite commonly they require one to have experience with C# .Net.

    That doesn't make a whole lot of sense to me. Heart disease runs in my family. If I get a pacemaker, is it going to be running Microsoft Windows?

    --
    Please mail me URLs of software employers.
    1. Re:Why is C# .Net used for medical devices? by Chewbacon · · Score: 3

      Rapid application development perhaps. Hospitals are trying to get these systems up and running for the sake of cash deposits and reimbursement from Uncle Sam, and every company who can write software, good or bad, wants a piece of it. And yeah, it may run on Windows. One of the fluoroscopes in my lab runs Win2K.

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    2. Re:Why is C# .Net used for medical devices? by jythie · · Score: 2

      "Medical devices" covers a lot of area. I suspect things like pacemakers are developed using some RTOS while desktop apps designed to connect to devices are written in some commonly used language like C# or Java.

      Though there is probably a lot of pressure due to what kinds of programmers they can find. One thing that pushed LISP out of certain industries, even when it worked really well for individual companies, was difficulty finding experienced programmers.

      Medical devices should probably be programmed using something like Ada, but finding developers for it is getting harder and harder.

  3. Re:Bad news by Opportunist · · Score: 4, Funny

    BSOD just got a very new meaning.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Firewall it. by Karmashock · · Score: 2

    By which I do not mean putting some off-the-shelf software or hardware between your network and the federal ACA system. Rather, have an isolated system distinct from the rest of your network which interacts with the ACA. Give that system no access to the rest of your network or vice versa except through very tightly controlled protocols. Effectively, assume that machine is compromised or at least in extreme danger of being compromised.

    Then carry on. Worst case, that isolated system will be infiltrated. But since the Federal ACA system is compromised that's nothing special. Your internal network will remain safe from that vector and you can continue to comply with this federal boondoggle.

    Government... we only take them seriously because they threaten to shoot us. No really. Absent threats of violence who would be complying with the ACA at this point? No one. That's all that keeps this bullshit going.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  5. Simple solution by Anonymous Coward · · Score: 2, Insightful

    We need a law (or laws) that place very painful penalties on any business or organization that suffers a data breach through their own negligence.

    The right wingers who run a lot of these businesses just love to talk about the magical results we can get by relying on the free market. Well, let's see them put their money where their mouth is. Currently, they can be sloppy with their IT practices and pay virtually no price even when something goes wrong that causes considerable pain to their customers/users and society at large. It's a classic externalized cost. Internalize it via triple-damages penalties or something similar, and I guarantee that their IT practices will improve dramatically in a matter of weeks.

  6. Re:Bad news by Chris Mattern · · Score: 2

    Well, that gives a whole new meaning to Time To Live...

  7. Low-level DDOS by ahs_boy · · Score: 3, Interesting

    One of my clients is an umbrella organization for a few local community health centers, and there has been a steady stream of empty POST submissions to their website -- at the rate of about 2/second -- for about 4 straight months now. Virtually every hit is from a unique IP address, so the spoofing is either great, or the botnet is enormous. This is normally a VERY low-traffic site, so the attack constitutes about 99% of their traffic at this point.

    I'm assuming that the timing of the start of the attacks -- just as the Affordable Health Care Act came into effect -- is not a coincidence. It's a brain-dead attack, and easy to mitigate, but I'm a bit dumbfounded that it continues to this day, despite having no effect on the accessibility of their site at all.
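The traffic pattern ahs_boy describes (a steady trickle of empty POSTs, almost every one from a different address, dominating an otherwise quiet site) is easy to spot from the web server's access log. The following is an added example, not code from the post or the site in question; it assumes the Apache combined log format extended with a trailing `%{Content-Length}i` field so the request body size is logged, and the log lines themselves are constructed.

```python
import re
from datetime import datetime

# Constructed sample access log (not from the post). Apache combined format plus a
# trailing %{Content-Length}i field, so the request body size is recorded per line.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2014:10:00:00 +0000] "POST /contact HTTP/1.1" 200 0 "-" "-" 0
198.51.100.7 - - [01/Jan/2014:10:00:00 +0000] "POST /contact HTTP/1.1" 200 0 "-" "-" -
203.0.113.11 - - [01/Jan/2014:10:00:01 +0000] "POST / HTTP/1.1" 200 0 "-" "-" 0
192.0.2.5 - - [01/Jan/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0" -
203.0.113.12 - - [01/Jan/2014:10:00:01 +0000] "POST / HTTP/1.1" 200 0 "-" "-" 0
203.0.113.13 - - [01/Jan/2014:10:00:02 +0000] "POST / HTTP/1.1" 200 0 "-" "-" 0
192.0.2.5 - - [01/Jan/2014:10:00:02 +0000] "POST /contact HTTP/1.1" 200 317 "-" "Mozilla/5.0" 412
203.0.113.14 - - [01/Jan/2014:10:00:02 +0000] "POST / HTTP/1.1" 200 0 "-" "-" 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" (?P<req_len>\S+)$'
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # A POST with Content-Length 0, or none at all, carried no body: an "empty submission".
    rec["empty_post"] = rec["method"] == "POST" and rec["req_len"] in ("-", "0")
    return rec

def analyze(log_text):
    """Summarise how much of the traffic is empty POSTs and how spread out its sources are."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    empties = [r for r in recs if r["empty_post"]]
    if not empties:
        return {"total": len(recs), "empty_posts": 0, "unique_ips": 0,
                "rate_per_s": 0.0, "share": 0.0, "ip_spread": 0.0}
    total, n, ips = len(recs), len(empties), {r["ip"] for r in empties}
    span = (empties[-1]["ts"] - empties[0]["ts"]).total_seconds()
    return {"total": total, "empty_posts": n, "unique_ips": len(ips),
            "rate_per_s": n / span if span > 0 else float(n),
            "share": n / total,            # fraction of all hits that are empty POSTs
            "ip_spread": len(ips) / n}     # 1.0 means every empty POST came from a new address

def is_flood(stats, min_rate=1.0, min_share=0.5, min_ip_spread=0.8):
    """Flag the pattern from the post: sustained empty POSTs dominating traffic from ever-changing IPs."""
    return (stats["rate_per_s"] >= min_rate and stats["share"] >= min_share
            and stats["ip_spread"] >= min_ip_spread)
```

Run `analyze()` over a day's log rather than the eight constructed lines and the thresholds can be tuned to the site's normal baseline; a high `ip_spread` with a near-constant rate is what distinguishes this from a single misbehaving client.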