Slashdot Mirror
Healthcare Organizations Under Siege From Cyberattacks, Study Says
BigVig209 sends this report from the Chicago Tribune:
"A new study set to be officially released Wednesday found that networks and Internet-connected devices in places such as hospitals, insurance companies and pharmaceutical companies are under siege and in many cases have been infiltrated without their knowledge. ... In the report, the groups found from September 2012 to October 2013 that 375 healthcare organizations in the U.S. had been compromised, and in many cases are still compromised because they have not yet detected the attacks. ... 'What's concerning to us is the sheer lack of basic blocking and tackling within these organizations,' said Sam Glines, chief executive of Norse. 'Firewalls were on default settings. They used very simple passwords for devices. In some cases, an organization used the same password for everything.'"
Rapid application development perhaps. Hospitals are trying to get these systems up and running for the sake of cash deposits and reimbursement from Uncle Sam and every company who can write software, good or bad, wants a piece of it. And yeah, it may run on windows. One of the fluoroscopes in my lab runs Win2K.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
The problem is, comply with WHAT? Have you ever read the various "standard compliance requirements"? They're usually worded in a way that leaves holes big enough to move planets through. You'll find a lot of talk about "reasonable" and "adequate" security without any kind of definition whatsoever what these words would mean.
You will NEVER EVER find something that they could be pinned with, like "leave no default passwords" or "no guest accounts" or even "stateful firewall with [[list of features]]". Never. No chance.
Of course it's a consultant's dream because no matter what you sell, you're complying. And it's of course no problem for the customer in question to be compliant to rules like that.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
BSOD just got a very new meaning.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.
That's not the case at all. HIPAA makes a distinction between covered entities (usually hospitals, doctors, insurance companies), business associates (people providing services for covered entities such as medical coding, transcription, IT services, etc.) that require access to protected health information, and everyone else who isn't allowed to access protected health information. If a covered entity loses or discloses protected health information, or is breached, that entity is responsible for fines under HIPAA, which are being levied regularly. e.g. http://www.healthcareitnews.co...
One of my clients is an umbrella organization for a few local community health centers, and there has been a steady stream of empty POST submissions to their website -- at the rate of about 2/second -- for about 4 straight months now. Virtually every hit is from a unique IP address, so the spoofing is either great, or the botnet is enormous. This is normally a VERY low-traffic site, so the attack constitutes about 99% of their traffic at this point.
I'm assuming that the timing of the start of the attacks -- just as the Affordable Health Care Act came into effect -- is not a coincidence. It's a brain-dead attack, and easy to mitigate, but I'm a bit dumbfounded that it continues to this day, despite having no effect on the accessibility of their site at all.