Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack (softpedia.com)

Posted by timothy on from the little-things-like-that dept.

An anonymous reader writes: The Hollywood Presbyterian Medical Center has been hit by a cyber-attack and its systems are now being held hostage by hackers that are demanding a ransom of 9,000 Bitcoin, which is about $3.6 million (€3.2 million) in today's currency. Management has forbidden staff to turn on their computers, fearing the attack might spread, and the Radiation and Oncology departments have been completely shut down because they can't use their equipment." The staff were also forced to use fax machines rather than email, and to write down patient data on paper; patients had had to come in in person for results.

13 of 212 comments (clear)

  1. Restore from backup by hawguy · · Score: 4, Insightful

    Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.

    1. Re:Restore from backup by Antique+Geekmeister · · Score: 4, Insightful

      If you get re-infected within moments by other infected machines, the backups don't help much. I've seen a partner infested this way, and it was horrible.

    2. Re:Restore from backup by Antique+Geekmeister · · Score: 4, Insightful

      If you don't have the list of softwarekeys, or the licenses, to reinstall from scratch, and if you don't have the staff with the tools to re-image systems swiftly, rebuilding the systems from scratch is a herculean job and you *wiall* lose vital patient data. If you don't have the tools, the systems *will* get re-infected while you're reinstalling them. Been there, done that, it's why i never,run the basic backup systems on Windows.

    3. Re:Restore from backup by Nethemas+the+Great · · Score: 4, Interesting

      Hospital IT are far less organized and far less competent on average than you would expect given the nature of the business they're charged with safeguarding. The regulatory environment also disincentivizes timely patching of security vulnerabilities within devices under the stricter regulatory classes. That is to say--in a simplified nutshell--anything involved in the treatment and/or diagnosis of patients.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    4. Re:Restore from backup by Antique+Geekmeister · · Score: 4, Insightful

      Yes. It is. Starting with a copy of "dban", downloaded on a Linux laptop in a local coffee house and applied to to our disks, or using a slimple live Debian or CentOS or even OpenBSD DVD image, can be a start. But getting anything _alive_ that can handle patient data, however, can be pretty iffy. Windows machines can be re-infected in the process of re-installatiion in an infested local environment. Dealing with several hundred such systems that handle doctor's schedules, patients care plans, or handle prescriptions and billing and correspondence and mortgages and health insurance records is an absolute nightmare.

      Can you burn your own home to the ground and rebuild from scratch? Certainly. Can you do this with a hospital without kill anyone who regularly scheduled kidney medicine, who is scheduled for surgery on Tuesday, or who needs immunization records or simply needs allergy records before transferring schools? That is a nightmare.

    5. Re:Restore from backup by KGIII · · Score: 5, Insightful

      I lost data once and only once. Well, a significant amount of data. I've had crashes with not-yet-saved documents that took out trivial amounts but that doesn't even happen any more. You're not only correct, you're spot on.

      One other thing to add - without verifying your backup - you have no backup at all. That includes a restoration strategy, that's part of the verification process. That includes having the ability to put a fresh system up, while the system is down, and have it isolated to access tools for recovery (such as updated patches).

      My loss of data was infuriating and bizarre. I've been very anal about keeping backups ever since. To this day, even for my personal data, I keep regular updates at disparate locations and provision the same services for my friends. It's all fairly automated at this point but I still test the recovery often enough to know that I shouldn't ever lose any valuable data ever again.

      Hardware, software, and bandwidth are cheap. They're cheap enough to be considered ubiquitous and there's no excuse for me to not do this. It is not expensive and doesn't even require physically moving the data on a regular basis. With a little bit of initiative, you can even automate a good portion of it. (I've not really found a good way to do the verification completely automatically from within the OS. I've not yet found one that I can really be certain of so I do verifications on my own.)

      --
      "So long and thanks for all the fish."
    6. Re:Restore from backup by cranky_chemist · · Score: 4, Insightful

      ... when these hackers get caught, they should ALL get death sentences regardless if there has been any patient fatalities.

      This was an ill-conceived attack on the hackers' part.

      If any patient dies in connection with this attack, then it puts murder charges on the table. And the thing about murder is that there's no statute of limitations. Thus, these guys will be looking over their shoulders for the rest of their lives.

      All for MAYBE $3.6 million in Bitcoin.

  2. Wait by symes · · Score: 4, Funny

    So wait until next week when that 9000 BTC is worth $1.50, but not until the week after when it will be worth three times that.

  3. Who handles their IT? by beheaderaswp · · Score: 4, Informative

    I'd like to know who handles their IT?

    Contractor? Imports? If they cannot turn their computers on.... are they pulling the drive to access the data on clean airgapped computers?

    I'd bet they have a marginal IT staff and a bunch of managers. Would be typical.

    --
    Another consultant who stuck it out.

    "We are the Priests, of the Temples of Syrinx..."
  4. The criminals just made a huge mistake by Harlequin80 · · Score: 4, Insightful

    They picked the wrong target. If you hit a small business it's easier to pay. If you hit a large business you pay because you don't want people to find out. You hit a hospital though and people could die and it is very very public.

    Right about now there will be a whole lot of resources targeted towards finding these people. They are fucked.

  5. Re:Sorry by Barny · · Score: 4, Insightful

    Interesting point, but you do realise that to the rest of the world, America is the "1%"?

    --
    ...
    /me sighs
  6. Replace systems entirely by sentiblue · · Score: 4, Interesting

    IBM and Apple are partnering to create an entire new system for hospital management.

    It has an extremely protected back end and a very difficult to infect front-end: The iPad.

    I challenge hospitals in this country to do the switch... at least get in with a POC/Beta program.

  7. Pay Attention IoT! by Irate+Engineer · · Score: 4, Insightful

    Isn't health care practically the highest critical tier of the "Internet of Things"? We can't even motivate ourselves to properly secure medical data, literally life and death stuff, even after they get pwned like this. The folks on the IoT bandwagon actually want to hitch more of our daily technology to the Internet, things with even lower security motivation? Sorry, IoT is dumb beyond belief. We really need to be working on air-gapping and unplugging a lot of stuff from the Internet. Some things should never, ever get plugged into the Internet, convenience be damned. For other things, maybe they can be plugged in, if a rock solid security apparatus is in place and you still maintain the ability to recover from a breach, acknowledging that it can still happen.

    --

    Left MS Windows for Linux Mint and never looked back!

    Vote for Bernie in 2016!