Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack

An anonymous reader writes: The Hollywood Presbyterian Medical Center has been hit by a cyber-attack and its systems are now being held hostage by hackers that are demanding a ransom of 9,000 Bitcoin, which is about $3.6 million (€3.2 million) in today's currency. Management has forbidden staff to turn on their computers, fearing the attack might spread, and the Radiation and Oncology departments have been completely shut down because they can't use their equipment." The staff were also forced to use fax machines rather than email, and to write down patient data on paper; patients had had to come in in person for results.

Restore from backup

[hawguy]

Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.

Re:Restore from backup

[Antique+Geekmeister]

If you get re-infected within moments by other infected machines, the backups don't help much. I've seen a partner infested this way, and it was horrible.

Re:Restore from backup

[Antique+Geekmeister]

If you don't have the list of softwarekeys, or the licenses, to reinstall from scratch, and if you don't have the staff with the tools to re-image systems swiftly, rebuilding the systems from scratch is a herculean job and you *wiall* lose vital patient data. If you don't have the tools, the systems *will* get re-infected while you're reinstalling them. Been there, done that, it's why i never,run the basic backup systems on Windows.

Re:Restore from backup

Most likely ransomware (which can be very pervasive) and has spread to hospital equipment that was never secured or backed up, no-one thinks to backup data on a pain-pump or a smart-bed, all have software so theoretically can be infected or at least be a hiding place.

Backups may not be enough, might have to do a full wipe of everything connected, while the patient files should be ok so much will be lost because no-one though it would happen. (assuming they have a good backup system, or have practiced an emergency data restore, from experience, managers look at you like your a fool when you mention you need to have a crisis data restore drill and training)

Re:Restore from backup

[Antique+Geekmeister]

Yes. It is. Starting with a copy of "dban", downloaded on a Linux laptop in a local coffee house and applied to to our disks, or using a slimple live Debian or CentOS or even OpenBSD DVD image, can be a start. But getting anything _alive_ that can handle patient data, however, can be pretty iffy. Windows machines can be re-infected in the process of re-installatiion in an infested local environment. Dealing with several hundred such systems that handle doctor's schedules, patients care plans, or handle prescriptions and billing and correspondence and mortgages and health insurance records is an absolute nightmare.

Can you burn your own home to the ground and rebuild from scratch? Certainly. Can you do this with a hospital without kill anyone who regularly scheduled kidney medicine, who is scheduled for surgery on Tuesday, or who needs immunization records or simply needs allergy records before transferring schools? That is a nightmare.

Re:Restore from backup

[KGIII]

I lost data once and only once. Well, a significant amount of data. I've had crashes with not-yet-saved documents that took out trivial amounts but that doesn't even happen any more. You're not only correct, you're spot on.

One other thing to add - without verifying your backup - you have no backup at all. That includes a restoration strategy, that's part of the verification process. That includes having the ability to put a fresh system up, while the system is down, and have it isolated to access tools for recovery (such as updated patches).

My loss of data was infuriating and bizarre. I've been very anal about keeping backups ever since. To this day, even for my personal data, I keep regular updates at disparate locations and provision the same services for my friends. It's all fairly automated at this point but I still test the recovery often enough to know that I shouldn't ever lose any valuable data ever again.

Hardware, software, and bandwidth are cheap. They're cheap enough to be considered ubiquitous and there's no excuse for me to not do this. It is not expensive and doesn't even require physically moving the data on a regular basis. With a little bit of initiative, you can even automate a good portion of it. (I've not really found a good way to do the verification completely automatically from within the OS. I've not yet found one that I can really be certain of so I do verifications on my own.)

Re:Restore from backup

[cranky_chemist]

... when these hackers get caught, they should ALL get death sentences regardless if there has been any patient fatalities.

This was an ill-conceived attack on the hackers' part.

If any patient dies in connection with this attack, then it puts murder charges on the table. And the thing about murder is that there's no statute of limitations. Thus, these guys will be looking over their shoulders for the rest of their lives.

All for MAYBE $3.6 million in Bitcoin.

Re:Restore from backup

[Applehu+Akbar]

"If any patient dies in connection with this attack, then it puts murder charges on the table. And the thing about murder is that there's no statute of limitations. Thus, these guys will be looking over their shoulders for the rest of their lives."

I've said it before: If the NSA is as good at mass surveillance as is being claimed, why aren't we seeing them finding ransomware purveyors and strangling them with their own intestines? It would give them the positive publicity they have been waiting for.

The criminals just made a huge mistake

[Harlequin80]

They picked the wrong target. If you hit a small business it's easier to pay. If you hit a large business you pay because you don't want people to find out. You hit a hospital though and people could die and it is very very public.

Right about now there will be a whole lot of resources targeted towards finding these people. They are fucked.

Re:Sorry

[Barny]

Interesting point, but you do realise that to the rest of the world, America is the "1%"?

Pay Attention IoT!

[Irate+Engineer]

Isn't health care practically the highest critical tier of the "Internet of Things"? We can't even motivate ourselves to properly secure medical data, literally life and death stuff, even after they get pwned like this. The folks on the IoT bandwagon actually want to hitch more of our daily technology to the Internet, things with even lower security motivation? Sorry, IoT is dumb beyond belief. We really need to be working on air-gapping and unplugging a lot of stuff from the Internet. Some things should never, ever get plugged into the Internet, convenience be damned. For other things, maybe they can be plugged in, if a rock solid security apparatus is in place and you still maintain the ability to recover from a breach, acknowledging that it can still happen.

Re:Replace systems entirely

Anything with IBM involved will be 10 times the price with a timeline to delivery sometime in 2099 if it ever works at all. I would warn any organisation about dealing with such a set of companies (and have done in the case of IBM).