Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack

An anonymous reader writes: The Hollywood Presbyterian Medical Center has been hit by a cyber-attack and its systems are now being held hostage by hackers that are demanding a ransom of 9,000 Bitcoin, which is about $3.6 million (€3.2 million) in today's currency. Management has forbidden staff to turn on their computers, fearing the attack might spread, and the Radiation and Oncology departments have been completely shut down because they can't use their equipment." The staff were also forced to use fax machines rather than email, and to write down patient data on paper; patients had had to come in in person for results.

Restore from backup

[hawguy]

Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.

Re:Restore from backup

[Antique+Geekmeister]

If you get re-infected within moments by other infected machines, the backups don't help much. I've seen a partner infested this way, and it was horrible.

Re:Restore from backup

[Antique+Geekmeister]

If you don't have the list of softwarekeys, or the licenses, to reinstall from scratch, and if you don't have the staff with the tools to re-image systems swiftly, rebuilding the systems from scratch is a herculean job and you *wiall* lose vital patient data. If you don't have the tools, the systems *will* get re-infected while you're reinstalling them. Been there, done that, it's why i never,run the basic backup systems on Windows.

Re:Restore from backup

Most likely ransomware (which can be very pervasive) and has spread to hospital equipment that was never secured or backed up, no-one thinks to backup data on a pain-pump or a smart-bed, all have software so theoretically can be infected or at least be a hiding place.

Backups may not be enough, might have to do a full wipe of everything connected, while the patient files should be ok so much will be lost because no-one though it would happen. (assuming they have a good backup system, or have practiced an emergency data restore, from experience, managers look at you like your a fool when you mention you need to have a crisis data restore drill and training)

Re:Restore from backup

[MrKrillls]

Is it not possible to wipe a machine totally clean? And thus all the hospital's machines? Or just get new machines and trash all old storage?

Re:Restore from backup

[hawguy]

If you don't have the list of softwarekeys, or the licenses, to reinstall from scratch, and if you don't have the staff with the tools to re-image systems swiftly, rebuilding the systems from scratch is a herculean job and you *wiall* lose vital patient data. If you don't have the tools, the systems *will* get re-infected while you're reinstalling them. Been there, done that, it's why i never,run the basic backup systems on Windows.

It's not really a backup if it can't be used to restore what needs to be restored. I should hope that a hospital is not relying on the backup backup systems of Windows. Data Protection Manager is a bear to set up and configure, but once it's running, they should be able to do bare metal restores without losing anything. The only thing more expensive than an enterprise backup system is not having backups when you need them.

And even if they do lose vital patient data in the restore, they've *already* lost vital patient data because it's locked up with ransomware so it hardly sounds worse than the alternative of pissing around millions of dollars in ransom with no assurance that they'll get all (or even any) of their data back.

Re:Restore from backup

[Nethemas+the+Great]

Hospital IT are far less organized and far less competent on average than you would expect given the nature of the business they're charged with safeguarding. The regulatory environment also disincentivizes timely patching of security vulnerabilities within devices under the stricter regulatory classes. That is to say--in a simplified nutshell--anything involved in the treatment and/or diagnosis of patients.

Re:Restore from backup

Unfortunately, with some modern attacks, no.

In many , but not all cases, the only option is to remove all hardware including network infrastructure, printers etc, and rebuild the entire site from scratch.

This shit can be like laser printer toner - it gets into everything, at a firmware level, and can be virtually impossible to eradicate.

Re:Restore from backup

[Antique+Geekmeister]

Yes. It is. Starting with a copy of "dban", downloaded on a Linux laptop in a local coffee house and applied to to our disks, or using a slimple live Debian or CentOS or even OpenBSD DVD image, can be a start. But getting anything _alive_ that can handle patient data, however, can be pretty iffy. Windows machines can be re-infected in the process of re-installatiion in an infested local environment. Dealing with several hundred such systems that handle doctor's schedules, patients care plans, or handle prescriptions and billing and correspondence and mortgages and health insurance records is an absolute nightmare.

Can you burn your own home to the ground and rebuild from scratch? Certainly. Can you do this with a hospital without kill anyone who regularly scheduled kidney medicine, who is scheduled for surgery on Tuesday, or who needs immunization records or simply needs allergy records before transferring schools? That is a nightmare.

Re:Restore from backup

[KGIII]

I lost data once and only once. Well, a significant amount of data. I've had crashes with not-yet-saved documents that took out trivial amounts but that doesn't even happen any more. You're not only correct, you're spot on.

One other thing to add - without verifying your backup - you have no backup at all. That includes a restoration strategy, that's part of the verification process. That includes having the ability to put a fresh system up, while the system is down, and have it isolated to access tools for recovery (such as updated patches).

My loss of data was infuriating and bizarre. I've been very anal about keeping backups ever since. To this day, even for my personal data, I keep regular updates at disparate locations and provision the same services for my friends. It's all fairly automated at this point but I still test the recovery often enough to know that I shouldn't ever lose any valuable data ever again.

Hardware, software, and bandwidth are cheap. They're cheap enough to be considered ubiquitous and there's no excuse for me to not do this. It is not expensive and doesn't even require physically moving the data on a regular basis. With a little bit of initiative, you can even automate a good portion of it. (I've not really found a good way to do the verification completely automatically from within the OS. I've not yet found one that I can really be certain of so I do verifications on my own.)

Re:Restore from backup

[silas_moeckel]

Why in hell is a printer sitting on the end of an ethernet jack somewhere in any position to compromise anything?

Re:Restore from backup

[sentiblue]

Anything with some kind of operating instructions can be compromised and instructed to do things beyond its operations scope... so yes, a stupid printer can be used as a hacking tool.

Now my opinion about the hackers: They should go steal shit from somewhere else like the bank where there's lots of money. Disrupting a hospital can lead to patient deaths... and when these hackers get caught, they should ALL get death sentences regardless if there has been any patient fatalities.

Re:Restore from backup

[cranky_chemist]

... when these hackers get caught, they should ALL get death sentences regardless if there has been any patient fatalities.

This was an ill-conceived attack on the hackers' part.

If any patient dies in connection with this attack, then it puts murder charges on the table. And the thing about murder is that there's no statute of limitations. Thus, these guys will be looking over their shoulders for the rest of their lives.

All for MAYBE $3.6 million in Bitcoin.

Re:Restore from backup

[rtb61]

It is real easy to clean and machine and get it going, it takes a little time but no problem as long as the bios is intact. The problem is the network must be shut down and all computers taken off. Then the servers are redone and once they are up and tested they go back on the network. Each computer is checked, rebuilt if neccesary and put on the network. Do it in hours, if you have the bodies to do it (one skilled person per computer device on the network), fewer people more hours, days or even weeks of downtime. This is a job for a consolidated FCC and FBI department (sort of a flying squad https://en.wikipedia.org/wiki/...) and as they carry out the repair, pulling some devices even servers permanently off the network as evidence, the build computer forensic information to pursue prosecution, regardless of where in the world the source of the attack was from (either the country pays that penalty or that country pursues the individuals themselves). Fuck with a hospital in that manner and you are in deep, real deep, there ain't no coming back from that ever, you become a lifer.

Re:Restore from backup

[silas_moeckel]

As I said why in hell is a printer in a position to be used as a jumping off board into anything? A printer needs to talk to a well defined set of hosts and only those hosts generally the print/scan servers and not much else.

Re:Restore from backup

[Ol+Olsoc]

Most likely ransomware (which can be very pervasive) and has spread to hospital equipment that was never secured or backed up, no-one thinks to backup data on a pain-pump or a smart-bed, all have software so theoretically can be infected or at least be a hiding place.

Freaky, Just yesterday, I wrote a Hypothetical bit about hackers Breaking and entering an Insulin pump and demanding bitcoin for not having it over-pump, send a person into insulin shock and kill the patient. While it was reviled then, little did I know my only error was in magnitude. I wrote of one person, here the bastards pulled their stunt on an entire hospital.

I dunno - it seems like the exact reason the internet of things is a disaster waiting to happen. Oh wait... it has happened

Re:Restore from backup

[hawguy]

Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.

You also have to consider that its not just workstations that are infected. A server is often just as easily infected once the ransomware is in the domain.

If this reaches the database, and ends up encrypting database files, you could very well be hooped. Its not easy restoring a database at a hospital, when all your backups are connected to the same system that is infected, and thus potentially vulnerable and/or infected already.

Why is restoring a database backup any harder at a hospital compared to any other site? I can restore my SqlServer and Oracle DB's to any point in time from 6 months ago to 6 seconds ago. I can also restore from up to 3 years back, but older backups are meant as point-in-time snapshots and aren't guaranteed to have transaction log chains to bring them up to the current date. Those backups are stored on a mix of on-prem storage (with NAS enforced snapshot that Malware can't touch unless it hacks the NAS), cloud based off-site storage (write-only), and off-site tape rotation.

Its also easy to underestimate the scope of remediation - an entire hospital network might consist of hundreds of workstations that may or may not have up to date or adequate backup systems.

They've already shut down their network, sounds like they have all the time they need.

Most of the time, sys admins at hospitals have very little budget to do things properly, as the scope of applications they must maintain and the number of systems they must be maintained on is astronomical.

Then the hospital administrators should be fired and/or fined for not protecting their data. Missing or corrupt data can cost lives so should be treated as such.

Backups are easier today than ever and there's no excuse for not having them, if you don't want to build your own backup infrastructure then use a cloud service (and yes, with encryption and proper controls even PHI data can be backed up to the cloud under HIPAA)

Re:Restore from backup

[MobileTatsu-NJG]

I'm pretty sure the 'printer toner' reference was in spilling it, not that a toner cartridge was infecting the network. Toner is the office equivalent of glitter.

Re:Restore from backup

[EzInKy]

Hospitals are under severe pressure to decrease the cost of providing effective healthcare. Keeping parasites such as pharmaceutical companies profitable really does exact a cost on society.

Re:Restore from backup

[ColdWetDog]

I keep telling you people. Trying to make an analogy without using automobiles as a reference point is like trying to fry a fish with a tape recorder.

Re:Restore from backup

[ColdWetDog]

No they don't. The reason that we don't patch as much as we should is crappy programming on the vendor's part. Half the systems crash at various patch levels. We can't use Firefox for much these days because it changes so much. We're stuck on three different versions of IE on different machinery. Sucks? Yep. Can it be prevented? Possibly - if you got to build a hospital from scratch. But there is so much tech thrown about in corners and in rooms that were never designed to work with each other and whose designers like the idea of standards because there are so many to choose from. And are too expensive to toss and replace with something that 'is supposed to work'.

It's really amazing that this house of cards actually runs at all.

But the FDA regs have nothing to do with this.

Re:Restore from backup

[hawguy]

Are you willing to spend a couple hundred bucks per printer plus the man-hours to firewall it off and maintain access lists? Even if you are, any competent business manager would decline that request. Some risks should be accepted after cost-benefit have been weighed. The unlucky ones make the news but the other 99.9% stay within budget.

Just supplying a port to the printer costs more that that in any b cigompany, so yeah, spend a few bucks to put it on its own isolated VLAN that only the print servers can talk to. No modern IT department should let their printers on the same subnet as their office computers because there are tons of vulnerabilities in them. We're a pretty small shop (~100 users) and our printers are on their own VLAN because it only took us 10 minutes to do so.

Re:Restore from backup

[sjames]

Even moreso, it's probably easier to get inter-department cooperation and if necessary extradition for murder.

Re:Restore from backup

[hawguy]

No they don't. The reason that we don't patch as much as we should is crappy programming on the vendor's part. Half the systems crash at various patch levels.

Then stop buying the crap - the only reason vendors can get away with selling crap software is because hospitals are buying it. Someone has to step up and say "We're not buying unsupportable crap, either support your software through operating system upgrades, or we're not buying it".

Re:Restore from backup

[Applehu+Akbar]

"If any patient dies in connection with this attack, then it puts murder charges on the table. And the thing about murder is that there's no statute of limitations. Thus, these guys will be looking over their shoulders for the rest of their lives."

I've said it before: If the NSA is as good at mass surveillance as is being claimed, why aren't we seeing them finding ransomware purveyors and strangling them with their own intestines? It would give them the positive publicity they have been waiting for.

Re:Restore from backup

[guruevi]

That's why you make sure you have an up-to-date image and use an OS that doesn't default to open.

Re:Restore from backup

[hvdh]

DICOM Printers for digital X-ray images need a lot of code for the network protocols and actual printing. I've seen some older models which contain a PC inside running Windows NT with software to convert between DICOM on the outside and the actual printer's native interface. Of couse, that machine is on the network, because all the X-ray machines need to print X-rays.

Re:Restore from backup

[SeaFox]

Trying to make an analogy without using automobiles as a reference point is like trying to fry a fish with a tape recorder.

It's not hard to do if your aquarium full of betas.

Re:Restore from backup

[jandersen]

Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.

Speaking as somebody who has worked for far too long with this kind of issues: backups can be a help, but rarely if we're talking a complete wipeout of all systems. For that, you need to have prepared a disaster recovery plan, and if you have done it properly, you can be back in business in a matter of anything down to minutes, depending on how much you invested in this.

But apart from that - we are talking about serious crime here. On one hand there is the obvious crime of endangering the lives of patients for whatever reason, which in my personal view amounts to something more like terrorism; but there is also the question of whether there is (or ought to be) criminal responsibility on the part of the hospital management for not being prepared for a situation like this, when the danger is as well known as it is, and the solution is well understood.

Re:Restore from backup

[Antique+Geekmeister]

That's great, if you've been permitted the resources to set up PXE boot and keep track of assets to install the images only where you have licenses. Unfortunately, getting all the doctor's laptops and home machines that come in via VPN connections updated can be a nightmare. And if the patch isn't already in the image, you can be re-infected by within minutes after re-activation. I'm not trying to say that it's an insoluble problem: Isolating such an infected network and setting up "DMZ's" or "demilitarized zones" for introducing and re-activating isolated services is a good start. But it's not something you can just flip a switch and recover from.

This is also where a good manager hides their network and systems people in a room and guards the door to keep upset staff off their backs while they clean up the mess. It's also where that manager publishes the progress and keeps the staff from being harassed every five minutes with people screaming "My 12 year old can do better than this!" and opening up big security holes just to get their particular task done.

Re:Restore from backup

[mwvdlee]

Because of IT budgets

Re: Restore from backup

Probably because they don't have jurisdiction outside the US.
Damn, that was an easy question. Got anymore dummy?

Re:Restore from backup

[silas_moeckel]

Na was specific to replace the printers to be safe. A printer should not be in a position to compromise anything. All it needs is inbound sessions from a print server. That's a very small exposure window of some sort of exploit.

Re:Restore from backup

[silas_moeckel]

Yes it's on the network but a network should not be a flat thing security wise. Modern gear (ok anything enterprise grade made in the last decade) is perfectly capable of basic ACL's at the port level vlans etc. Modern network security is more than capable of configuring all those layers in an automated fashion. Being on the network and only being able to talk to the xray machines via some specific ports is not much of a risk.

Re:Restore from backup

[silas_moeckel]

Pretty sad that HIPPA has less security requirements and teeth than PCI.

Re:Restore from backup

[Rogue974]

That doesn't work well when you are in the medical field or controls field (like I am) or some other fields as well and have legacy systems in place. You don't have an unlimited number of vendors that can do what you are doing as well. Combine that with huge installed base and you can't simply migrate away.

One of the biggest things I deal with is I have hardware that is running systems that go down once a year or once ever few years for maintenance. Some of the hardware is 40+ years old (we have an upgrade path forward and are updating a lot of it), but the hardware was never designed with network security in mind and the only option for security is upgrade.

The newer offerings by the vendors are better, but the old legacy systems are not so I have to harden my system against the outside world, but if the outside gets in, the hardware is easily compromised.

It will take us about 7 years to upgrade all of our systems because of man power and cost constraints, but until then we have to beef up security as best we can to keep stuff from getting in.

Re:Restore from backup

[gstoddart]

And, of course, one could argue that hacking into a hospital and endangering lives/causing death could fall under the purview of people who investigate terrorism.

And then it becomes something entirely different in terms of the scope of who is coming after you.

Re:Restore from backup

[Krojack]

What if the malware was in the systems for months just sitting dormant thus making the backups tainted as well.

Re:Restore from backup

[Impy+the+Impiuos+Imp]

I wonder if there are any Ultra-level discussions within the NSA, ala Turing, as to whether they should "accidentally" stumble across other info on who the hackers are, or will they let the convoy get hit to not reveal their hand in how deeply they have cracked networks and Bitcoin.

Re:Restore from backup

[Zaowulf]

Because "National security"

Re:Restore from backup

[MobileTatsu-NJG]

Again, I don't think the original post was about the printer being an infection point.

Re: Restore from backup

[slashdotwannabe]

Wrong. The NSA has jurisdiction primarily outside of the USA; it is only relatively recently that they have been authorized to conduct domestic operations.

Re:Restore from backup

[Nethemas+the+Great]

The disincentive comes from the requirements of the FDA for medical device manufacture's whenever they makes updates to their product. In theory filing a 510K for security patches is usually not required. However, given the perceived ambiguity that separates needing to vs. not needing to and the tendency towards being skiddish around the FDA and the punitive club they wield the assumption is usually made that a 510K will be required. This is generally considered an expensive PITA with the net result being that updates are made rather infrequently, and only when a business case can be made to do so.

Re:Restore from backup

[Nethemas+the+Great]

Unfortunately its not as simple as you would like to believe, particularly so for infected modalities. Setting CTs, MRIs, and such aside, malware isn't restricted to the file system. BIOS and other firmware are increasingly becoming targets that present their own rather unique challenges.

Re:Restore from backup

[MobileTatsu-NJG]

I'll buy that. Although I don't know what you'd do to secure a printer that you wouldn't do with any other device on the network. It has to transmit and receive.

Re:Restore from backup

[MrKrillls]

I was guessing it had to follow a scheme like that (not a network guy here.) Labor intensive, a vast and expensive pain in the neck, but doable.

As long as data is backed up. And maybe a bit less painful if IT has a plan for such issues.

Re:Restore from backup

[hawguy]

Pretty sad that HIPPA has less security requirements and teeth than PCI.

Even sadder if a hospital is counting on HIPAA guidelines to secure their network. "Great, we've done the minimum required by HIPAA, a data privacy standard', so surely that means our network is safe!"

Re: Restore from backup

[Applehu+Akbar]

Federal agents claim jurisdiction outside the US when someone on the Internet somewhere plays on a poker site. The NSA, which already has a worldwide remit to look for information it wants, would have no trouble getting a hospital attack classified as a national security case, worthy of special ops. Classify it as terrorism, and we could nuke Mars.

Re:Restore from backup

[LordWabbit2]

That comes with hefty yearly maintenance fees and service contracts. I have never worked on hospital software, but I do work on logistics systems and some of them are so old that they can't get them running on Windows 7 (yes even in compatibility mode). So they might upgrade the hardware, but they have to install Windows XP to get the software to run. Get a new version from the Vendor? Vendor's gone, retired and the company no longer exists. I am busy rewriting part of the system that was home grown because they "lost" the source code about 10 years ago and the system limped on for that long before they decided to spend money rewriting it so they could add functionality and get it working on up to date operating systems. The deciding factor to keep it in house, was that it would be more expensive to buy off the shelf, plus they would have to change the way the business works to fit the off the shelf software (retrain people etc.)

Re:Restore from backup

[edis]

So reasonable. Unless guys are not from a civilized part of the world, no need seen to restate namely.
And this is why they do what they do with more courage, than you can yourself imagine.

Re:Restore from backup

[rtb61]

Not a job for contractors, really a job for a government agency due to the need to conduct computer forensics whilst conducting the repair (this cost is build into the bill for the hackers). Basically they can create the number of professionals on stand by, waiting to do this work, on a regular basis. Network reconstruction and forensics.

Wait

[symes]

So wait until next week when that 9000 BTC is worth $1.50, but not until the week after when it will be worth three times that.

Re:Wait

[0100010001010011]

Find me the last time 9000 BTC was worth $1.50.

Re:Wait

[Dr_Barnowl]

Wish someone would take me back to the time even 1BTC was $1.50

Re:Wait

[U2xhc2hkb3QgU3Vja3M]

Beginning of July 2010.

Sorry

These guys are super assholes for putting patient lives in danger for a few bucks. If there was a reason for extraordinary rendition, this is it.

Re:Sorry

[Nethemas+the+Great]

Don't worry, it's a hospital for the 1%'ers. Eat the rich!

Re:Sorry

[Barny]

Interesting point, but you do realise that to the rest of the world, America is the "1%"?

Re:Sorry

[turbidostato]

"These guys are super assholes for putting patient lives in danger for a few bucks."

In fact yes.

How that hospital's management dared to have their IT forgotten, without proper budget, training, auditing and support for their staff, putting that way patient lives in danger just to save a few bucks?

Re:Sorry

[Kohath]

Not to be a mathhole or anything, but we have 300 million people. Out of 7 billion, that's well over 4%.

Re:Sorry

[Barny]

Hence the quotes :)

You are right though, but it is easy for the rest of the world to look at America and see not the poor and unemployed, but the rich and upper-classes.

Re:Sorry

[lgw]

Why is it that the victims of an attack take all the blame for an attack such as this one?

If you're just walking along, minding your own business and get attacked by surprise, your attacker takes all the blame.

If you're a military sentry waling your patrol and get attacked by surprise, you are to blame, because alertness is your entire job.

If you operate key infrastructure, you're somewhere in between these cases, and some blame attaches to you if you're successfully attacked.

Re:Sorry

[turbidostato]

"Why is it that the victims of an attack take all the blame for an attack such as this one?"

In two words: Due Diligence

"You have absolutely no proof that the IT budget or the IT department in general were the cause of this problem."

Yes, I do: "Management has forbidden staff to turn on their computers, fearing the attack might spread"

No ability to segregate their networks by security/functional realms, no ability to bootstrap their systems in case of catastrophic or widespread failure, no clear disaster recovery plan == incompetence, be it for lack of founding, mismanagement or whatever. We are not talking here about a pop'n mom shop but an important medical center with duties towards their community. Which points us back to above: Due Diligence.

Re:Sorry

[aaarrrgggh]

When you need to replace a $Million machine because the system you have only works with XP, you have a very difficult starting point. When doctors demand remote access to these systems, things get nearly impossible very quickly.

You really need a system designed from the ground up around security rather than Medicare billing codes.

Re:Sorry

[murkwood7]

How dare those IT guys fail, seriously FAIL, to protect against every single, fucking danger there IS! Obviously, they have an UNLIMITED budget, holy f*ck! How dare they.

News for YOU buddy! They, the IT people, didn't cause the problem. Criminal P'sOS did.

How's this for a proposal: If you are caught endangering the health system in an egregious manner and are found guilty, YOU, your immediate ancestors(2, 3 or more parents), AND ALL of your descendants are put to death.

I can support that.

Re:Sorry

[mwvdlee]

It's impossible to build an unhackable IT system.
Especially so for any even remotely sane budget.

Re:Sorry

[turbidostato]

"When you need to replace a $Million machine because the system you have only works with XP"

Yes, that's what happens: incompetence accumulates over time.

"You really need a system designed from the ground up around security rather than Medicare billing codes."

But that's not true either: systems need to be designed around their required function. It's only that their security levels are also part of their required function, not an afterthought.

But, as one of the first posters already said, why should you take proper care of your systems when you can always blame the hackers for their inscrutable sophistication?

Re:Sorry

[turbidostato]

"It's impossible to build an unhackable IT system.
Especially so for any even remotely sane budget"

Maybe that's right, but that's tad far from "so, why even try?"

In this case, how many of these computers need to offer services to the network? I bet barely no one. But then, how is it that they are afraid to turn off their computers -even if they are -gasp! older versions of Microsoft products that any sane mind would have banned in that environment to start with? Because incompetence.

Oh, but the doctors! IT staff have no saying on which kind of scalpel the surgeon uses, doctors have no saying on which IT infrastructure gets to be deployed.

Oh, but then you would be promptly fired because of the doctors! There's a thing called professionalism. Tell the surgeon what scalpel he's going to use and see how fast he's looking for another hospital. That's because he's proud of his profession, the training it took ,and his efforts to achieve his competence level. You do the same or accept your problem is incompetence and lack of professionalism.

Re:Sorry

[dcw3]

Don't worry, it's a hospital for the 1%'ers. Eat the rich!

I've been on /. for quite a few years, and can't recall a more asinine comment than this. Congratulations jackass.

Re:Sorry

[mwvdlee]

Why do you assume they don't even try?

Re:Sorry

[turbidostato]

"Why do you assume they don't even try?"

Because I'm a nice guy.

The alternative is that they failed miserably showing utter incompetence against what seems not much more than a bunch of script kiddies with some internal knowledge.

Who handles their IT?

[beheaderaswp]

I'd like to know who handles their IT?

Contractor? Imports? If they cannot turn their computers on.... are they pulling the drive to access the data on clean airgapped computers?

I'd bet they have a marginal IT staff and a bunch of managers. Would be typical.

Re:Who handles their IT?

[ark1]

In a hospital, Doctors are stars and everything else is a cost center. One exec after another will show up and squeeze those costs further and further.

Re:Who handles their IT?

[rsmith-mac]

Hospital IT is its own kind of hell. Between your normal IT concerns, HIPAA regulations, the fact that most systems aren't modernized, and doctors who are frequently overworked as it is without dealing with the latest IT boondoggle as well, and it makes for a very difficult environment. That they need a better IT organization I don't think is in doubt, but I don't think I could do any better at the job given the environment.

Re:Who handles their IT?

[guruevi]

It actually isn't all that bad for most systems, the worst part of it is that hospitals always tend to 'buy' solutions from "vendors" (aka sales people) in the healthcare space and they manage to screw every single rule, contract and regulation up. HIPAA isn't actually all that bad, it's relatively easy to conform to and consists mainly of out of best practices, the problem is when the FDA gets involved and says you can't update your machine without another round of approval. At that point, you can see why Windows XP, Solaris and old Linux (2.2) are still being ran everywhere.

Re:Who handles their IT?

[mwvdlee]

"Air gap"... is that the thing Wifi signals use to travel?

Re:Who handles their IT?

[reverseclipse]

Yup, Say IT wants to improve core functionality, but medical wants a new shiny feature. Medical gets the new software on aging servers because "it effects patient care."

Re:Who handles their IT?

[Pascoea]

Good thing they sell computers without WiFi hardware in them.

Someone Has Been Watching...

[mlauzon]

"CSI: Cyber"

Because this is similar to season 2 episode 5 entitled "Hack E.R."....

Re:Someone Has Been Watching...

[dfsmith]

"CSI: Cyber" is the best comedy on TV at the moment. Just send %random_deranged_guy to the hospital and he'll find the rogue Smart TV!

Upgrading

[techno-vampire]

TFA didn't say what OS the hospital was using, or if it'd been kept properly updated. I hope, however, that they'll use this as an opportunity to either update all of the computers during the reinstall, or install a more recent version of whatever OS they're using. The same thing goes, of course, for any anti-virus/anti-malware software involved.

Re:Upgrading

[Kjella]

TFA didn't say what OS the hospital was using, or if it'd been kept properly updated. I hope, however, that they'll use this as an opportunity to either update all of the computers during the reinstall, or install a more recent version of whatever OS they're using. The same thing goes, of course, for any anti-virus/anti-malware software involved.

Ahahahaha yeah right, it's not the actual upgrade that is the problem. It's all the medical equipment and niche software that won't work right - or at least isn't certified to work right - if you do that. And they certainly won't rush that process in a crisis. This will be a mad scramble to find and isolate the cause, clean the network and restore systems as best they can to exactly how they were.

Re:Upgrading

[HiThere]

You can be rather certain that the OS is MSWind, and not just MSWind, but multiple different versions of MSWind, with different machines demanding that only some particular version be used. By now they've probably replaced all the MSWind95 and MSWind98 machines, but don't bet they don't have some MSWindNT and MSWind2000 machines. They may even have some DOS machines (which likely aren't restricted to only MSDOS, but could be if they depend on particular RAM locations).

IIUC when they buy an expensive machine, it comes certified to work with a particular version of an OS, and the OS us usually MSWind. But certification is expensive, so they don't get the same model of the machine certified when a new release comes out. And the machines are expensive, so the machines aren't replaced just because a new model is being sold by the manufacturer.

And I know that everytime I've been able to determine which OS was running in a doctor's office, it has been some version of MSWind.

patients had had to come in in person for results

[fustakrakich]

No telephones either, eh?

The criminals just made a huge mistake

[Harlequin80]

They picked the wrong target. If you hit a small business it's easier to pay. If you hit a large business you pay because you don't want people to find out. You hit a hospital though and people could die and it is very very public.

Right about now there will be a whole lot of resources targeted towards finding these people. They are fucked.

Re:The criminals just made a huge mistake

[HiThere]

One may hope so. I'm not sure how that would work, though, if they are attacking from, say, Somalia.

Re:The criminals just made a huge mistake

[Harlequin80]

If that is where they are. But I suspect they are probably somewhere more developed than that and somewhere that the US can exert a fair bit of pressure. It is unlikely to be a state sponsored attack so they won't be getting any support in hiding.

Re:The criminals just made a huge mistake

[cold+fjord]

Drones fly in Somalia.

Re:The criminals just made a huge mistake

[murkwood7]

They picked the wrong target. If you hit a small business it's easier to pay. If you hit a large business you pay because you don't want people to find out. You hit a hospital though and people could die and it is very very public.

Right about now there will be a whole lot of resources targeted towards finding these people. They are fucked.

One can only hope!!!

Re: The criminals just made a huge mistake

[DigiShaman]

Technically, if it's from some KGB endorsed Russian mafia, fuck-all is going to happen. So while it might be an official act of war by Russia to the US, nothing will ever happen in the New Cold War short of a thermonuclear exchange.

Cyber warfare. Get used to it. There won't be justice.

Re:The criminals just made a huge mistake

[m.alessandrini]

I also don't believe that bitcoins are so completely untrackable, especially if you have NSA and the rest at your side.

Re:The criminals just made a huge mistake

[houghi]

If they are stupid enough to operate in the same country or one where extraditing from is easy, they are. If they are in China, Russia or somewhere in Africa, they are relative safe.

Re:The criminals just made a huge mistake

[edis]

China people work hard to supply the world with the things, whatever illusionary they happen to be.
But you must be spot on with the remainder of your statement. Screw terrorists.

Re:The staff were also forced to use fax machines

[Nethemas+the+Great]

FAX machines are routinely employed in the clinical environment, e.g. lab results, prescriptions, diagnostic reports, etc.. The most often cited reason (I don't make this stuff up) security.

Totally off-topic, english people

[holophrastic]

When english fails: "patients had had to come in in person for results".

Could have just said: "patients had to come in person for results". ...and then we actually would have understood it without ten-times the brain power.

Re:Totally off-topic, english people

[radarskiy]

The latter expresses only obligatory mode and past tense, while the former also conveys perfect aspect, i.e. that the obligation was completed.

Re:Totally off-topic, english people

[mwvdlee]

I agree that the original sentence is a bit messy to look at, but it is more correct than your alternative.
Perhaps something like "Patients have had to come in for results in person" would have been nicer.

Re:Totally off-topic, english people

[holophrastic]

How about: "patients had to come in".

Re:Totally off-topic, english people

[mwvdlee]

It does not communicate the same information.

In fact, that sentence implies an entirely different meaning; as if all patients had to come in, not just if they wanted to obtain results.

Re:Totally off-topic, english people

[holophrastic]

it doesn't specify "all". you infered that for no reason.

Linux

[stooo]

Just use Linux :)

Re:Linux

[ihtoit]

good one. Fancy retraining several thousand medical staff?

Re:Linux

[murkwood7]

Just use Linux :)

Why would you think that a 3 word sentence would be ANY answer to ANYBODY'S problem?

Re:Linux

[m.alessandrini]

While it would be better to have everything rebuilt on a better OS, I don't think it's the main culprit. If linux was the predominant OS in the last 30 years, criminals would be attacking it now.

And no mattter how secure an OS can be, I bet this is people's fault: someone opened a malicious attachment, or downloaded some malware while looking for movies or music in some too-good-to-be-true streaming sites.

Society is losing control on computers... I think we need severe education and policies, beside patches and safe configurations.

Re:Linux

[Ash-Fox]

good one. Fancy retraining several thousand medical staff?

Sounds like good money to me.

Re:Linux

[m.alessandrini]

Yes we know the distinction, but the kind of problems highlighted here, and regarding millions people, are because of desktops, this "small" niche that 90% of users actually operate.

Re:Linux

[stooo]

Nope. It's where 90% of the entreprise users operate. Other users have moved to movable and mobile.

Medical 'computers' hit by cyber-attack?

[tetraverse]

"Management has forbidden staff to turn on their computers, fearing the attack might spread, and the Radiation and Oncology departments have been completely shut down because they can't use their equipment."

Hey timothy, what was the name of the Operating System that this 'cyber-attack' runs on? you didn't actually use the word cyber on a technical site?

Re:Take 'em out

Who? The execs who cut IT budgets?

Replace systems entirely

[sentiblue]

IBM and Apple are partnering to create an entire new system for hospital management.

It has an extremely protected back end and a very difficult to infect front-end: The iPad.

I challenge hospitals in this country to do the switch... at least get in with a POC/Beta program.

Re:Replace systems entirely

Anything with IBM involved will be 10 times the price with a timeline to delivery sometime in 2099 if it ever works at all. I would warn any organisation about dealing with such a set of companies (and have done in the case of IBM).

Pay Attention IoT!

[Irate+Engineer]

Isn't health care practically the highest critical tier of the "Internet of Things"? We can't even motivate ourselves to properly secure medical data, literally life and death stuff, even after they get pwned like this. The folks on the IoT bandwagon actually want to hitch more of our daily technology to the Internet, things with even lower security motivation? Sorry, IoT is dumb beyond belief. We really need to be working on air-gapping and unplugging a lot of stuff from the Internet. Some things should never, ever get plugged into the Internet, convenience be damned. For other things, maybe they can be plugged in, if a rock solid security apparatus is in place and you still maintain the ability to recover from a breach, acknowledging that it can still happen.

Re:Pay Attention IoT!

[Ol+Olsoc]

Isn't health care practically the highest critical tier of the "Internet of Things"?

Yes.

We can't even motivate ourselves to properly secure medical data, literally life and death stuff, even after they get pwned like this. The folks on the IoT bandwagon actually want to hitch more of our daily technology to the Internet, things with even lower security motivation?

Hey, you've seen it. If a person even dares to say that the Internet of things is a disaster waiting to happen, they are accused of being luddites, that they want those kids off their lawns, or just hateful of progress.

This is a perfect example of Internet of things and it's inevitible problem. As well, how exactly did life critical systems get plugged into a non-life critical OS. and then put on teh same network that is soon to demand that we allow our computers to be a little more secure by using ad and scriptblockers. Be that as it may at least set up a air gapped system, and structure it like a DoD system.

In Soviet Russia...

[Thor+Ablestar]

I spent about 8 years to convince my boss to never use Windows in equipment control. The only places where Windows XP (not later) is allowed to be are the workstations of different secretaries and specialists which are too old to be retrained. So if some ransomware hits the damage is limited to the computers that are easily reinstalled from scratch.

There is the place where the ransomware can still hit: It's the SAMBA server that has shares that the ransomware can encrypt, but it presumably has a proper backup.

To do so we sometimes had to design and produce our own data collection equipment since the existing one is Windows-only.

Sorry, I have no security clearance to name our preferred OS (not Linux) and a place in the Russian military-industrial complex where I work.

Re:In Soviet Russia...

When we buy a clinical system, we get the controllers that the vendors provide. The choice of OS on the vendor's control systems has barely been a blip on the decision matrix compared to performance, cost, support, and so on.

Re:The staff were also forced to use fax machines

[Known+Nutter]

Typical IT drone...stuck on stage five.

terrible news

[ihtoit]

Here's hoping they have a rolling backup they can just nuke the entire system from orbit and perform a full restore, they'll be back up and flipping off the hackers in a matter of hours...

Oh, wait, it made Slashdot. Must mean nobody had a backup plan.

Fools.

Re:terrible news

[aaarrrgggh]

Just the network side could take weeks to validate. How do you check firmware on workstations? How do you check all of the connected devices?

It takes an insane amount of manpower, and logistically you might be better off just replacing everything.

I think one of the problems is the medical equipment vendors, but they haven't been squeezed enough yet to make their systems secure....

restore vulnerability. Also, proper, tested, incre

[raymorris]

If they had PROPER backups, simply restoring would restore them to the same vulnerable state they were in just before the attack, and the attackers would immediately re-infect. Before restoring, they have to protect the system from being exploited again. They should try to determine how the original attack was carried out and fix that hole. Also, a too-strict intrusion prevention system at the firewall would be a good idea. They can whitelist as required.

That assumes PROPER backups, but most people don't use a proper backup strategy. Most fail one of the following points:

Tested regularly. VERY often, I see that customers backup stopped working months ago and they didn't know it.

Rolling/ incremental. A backup from last night does you no good if ransomware encrypted everything yesterday afternoon. You need to be able to retrieve backups from multiple points in time.

Off site. Fire, burglary, lightning, 3rd party data center problems - all of these cause loss of racks of equipment. If your backup is sitting next to your live server, you've lost both.

Restorable quickly, and fully (bootable from bare metal). Some tape backups take DAYS to restore a single large server, as do some cloud backups.

These are all lessons learned and confirmed from actual experience assisting real customers. I designed the Clonebox system based on these lessons.

Re:The staff were also forced to use fax machines

[ihtoit]

They're also routinely employed in the legal field. Documents sent to the ICJ or the ICJ at The Hague or the ECHR are REQUIRED to be sent by Fax.
It's only recently (the last six years) that the RCJ in London has been accepting documents by email attachment (pretty much since my first visit as an Advocate, where I produced a netbook with the entire casefile on it and after much discussion with the Judge, got him round to the idea that a scanned bitmap compiled into a PDF was pretty much identical to a scanned bitmap used to make a photocopy of a signature).
Source: been there, worn the t-shirt. Several times.

Managers will never learn...

[williamyf]

Even if it is in FileSystemChecKing Harvard Business Review, October 2009, page 38.

http://www.ganino.com/files/Harvard%20Business%20Review%20%282004%20to%202013%29/Harvard%20Business%20Review%202009/10.%20HBR%202009%20Oct.pdf

Re:The staff were also forced to use fax machines

[murkwood7]

Don't forget to pat your ass on the back, there!

Re:Take 'em out

[mwvdlee]

Incompetent people should get fired.
Malicious people should get a entire firing squad.

DBAN

[antdude]

http://www.dban.org/ shows it outdated and have a commercial product now? :(

Enhanced Effect

[cloud.pt]

This is particularly thrilling to hear right after a binge watch of Battlestar Galactica (TRS)'s season 1-2. NO NETWORKING ALLOWED!

Re:Take 'em out

[dcw3]

Incompetent people should get fired.

I suspect you didn't really mean it that way. Competent people weren't always. People don't come out of the box competent. Now, if they've had sufficient time and training, and failed to become so, then fire their asses.

As for "Malicious people should get a entire firing squad.", I'd be happy to pull the trigger on these asshats.

Re: No need to upgrade systems

[Zaowulf]

Why not? Having worked in healthcare for over 10 years I can tell you the systems are astonishingly insecure and outdated. A couple years before I left the industry (2014) we "upgraded" to a "new" system from the late '80's to handle all of our patient billing.

Silver lining?

[Sir_Eptishous]

The way I look at this, the more the better.
The more that important infrastructure gets compromised, the more the public will become aware of how fragile these systems are. We need more publicity like this. It will only be through things like this that will draw attention to how bad the security is for computer systems at places like hospitals, etc;

9000... or 9001?

[kheldan]

The number 9000 suspiciously reminds me of Anonymous.

If it were me: Move all the patients out to another hospital, then nuke every system and peripheral that can possibly be infected, reload everything from backups or from scratch. Either get manufacturers to re-flash firmware, or smash them with a hammer (literally) and replace them. And yes, as others have suggested, if a single patient dies, then the hackers responsible get murder charges tacked on to the rest. If a single patient gets injured, even, they're responsible for all of it. Hell, I'd have to say this probably qualifies as a terrorist attack. Catch 'em and string 'em up, or put 'em in front of a firing squad.

Stop fighting human nature

[Tablizer]

In a hospital, Doctors are stars and everything else is a cost center. One exec after another will show up and squeeze those costs further and further.

Cutting IT budget gives them an almost certain way to look good. The risk of getting the main systems hacked is roughly 1 in 50. It generally goes against human nature to give up a certain chance of looking good in exchange for preventing a 1 in 50 really "bad" event that doesn't outright kill you.

Don't complain about human nature; rather find a way to work with human nature as is. Mandatory security audits may be the only practical way, but it will jack up medical costs for patience.

Re:Bullshit!

[Nethemas+the+Great]

FDA 510K - change to an existing device.

PC load letter

[capsfan100]

Damn printers!

Find the hackers and jail them: 10 years minimum

[ebusinessmedia1]

Hopefully these hackers will be found. In addition, the hospital needs to hire some serious security experts; this never should have happened in the first place.

Would Have Never Happened

[tmjva]

Would have never happened of they had stayed with their trusty HP3000.

Microsoft Windows strikes again!

[tetraverse]

Update on the recent Cyber attack on HPMC

Internet = Bad

[duke_cheetah2003]

This is a good example of why some computer networks should NOT be connected to the internet, in any way, shape or form. This is people's lives we're talking about. If there is any internet access what so ever, it's an unacceptable risk. If there MUST be internet access, it should be tightly controlled by firewalls, ie: whitelisted sites only that staff in the facility need to get to.

This kind of thing should not happen. 100% preventable.

Cyberattack

[DrVasilij]

The terrorists do not stop at nothing, even blackmailed health care institutions, sad....