Slashdot Mirror

← Back to Stories (view on slashdot.org)

5 Major Hospital Hacks: Horror Stories From the Cybersecurity Frontlines (ieee.org)

Posted by BeauHD on from the exposed-damage-control dept.

the_newsbeagle writes: We don't often get insider accounts of hacks against major institutions like hospitals because they immediately go into damage control mode. But at a SXSW talk, a couple of experts told tales out of school. The experts, [John Halamka, CIO of the Boston hospital Beth Israel Deaconness, and Kevin Fu, a University of Michigan engineering professor, recounted incidents in which hackers downloaded patient X-rays to China, took down entire networks, fooled Harvard doctors, and more.

67 comments

  1. Well duh by Lead+Butthead · · Score: 1

    Critical systems shouldn't be exposed to outside world. Duh.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:Well duh by houstonbofh · · Score: 1

      Did you read the article? The X-ray was not supposed to be, but someone messed up. And that is the problem. The systems are so bad that a small mistake can have MAJOR consequences. There is no margin for error.

    2. Re:Well duh by Bing+Tsher+E · · Score: 1, Interesting

      What was the damage done by the x-rays being sent to China?

      No, not contrived and complex scenarios. Not slippery slopes. What was the actual damage?

    3. Re:Well duh by Anonymous Coward · · Score: 0

      X-rays are digital, so are medical notes, prescriptions, appointments etc etc etc etc.

      ALL of these need to be available in all sections of the hospital to a greater and lesser degree.
      So we now have all of this on the intranet.

      But local GPs , private specialists , pharmacists health insurers, etc can/need to access this and other information too, so stuff is being shared outside the hospital system

      Saying it should not be exposed is clearly unworkable.

    4. Re:Well duh by Barny · · Score: 2

      You didn't read the story. The system that holds the data isn't on the network. But a tech needed to upgrade the firmware on it so hooked it online and had lunch while the firmware downloaded. He came back to find the computer riddled with malware and the data already exfiltraited.

      --
      ...
      /me sighs
    5. Re:Well duh by Architect_sasyr · · Score: 2

      I know we talk about how long it takes a machine to get infected but hot damn these hospitals must be loading these machines up behind no firewalls at all to get to the internet. I would have to actually make conscious efforts to do that just to punch past the usual NAT, let alone everything else. What the hell are these people doing??

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    6. Re:Well duh by Hunter-Killer · · Score: 2

      Don't underestimate the power of incompetence. If I had to guess, port forwarding is hard if you don't know what you're doing, and if you set up a 1-to-1 NAT statement and permit everything to that IP, you'll expose more than just the port you were concerned with. Many people will fiddle with something until it works, and "wide open" works.

      We just had a third-party tech take something like 10 failed attempts and a month and a half to set up port forwarding for a single port. I suspect the business model is to find non-technical customers, and hope they never catch on.

    7. Re:Well duh by Anonymous Coward · · Score: 0

      You have no idea how scary tech illiterate many (most?) hospital IT staff are. From taking months to install a copy of Windows on a racked server to accidentally the RAID because someone replaced the wrong drive to any number of stories involving EPO buttons - it's painfully obvious that hospitals skimp quite a bit on their IT budgets and hiring process.

    8. Re:Well duh by sjames · · Score: 1

      There's the first failure. Everyone and his dog routinely requires network access to do updates. Often they won't even document what ports/IPs are required.

    9. Re:Well duh by houstonbofh · · Score: 2

      I know we talk about how long it takes a machine to get infected but hot damn these hospitals must be loading these machines up behind no firewalls at all to get to the internet. I would have to actually make conscious efforts to do that just to punch past the usual NAT, let alone everything else. What the hell are these people doing??

      He opened up IE to download the patch and the homepage was MSN, with adds... That is how long.

    10. Re:Well duh by Mr+D+from+63 · · Score: 1

      Critical systems shouldn't be exposed to outside world. Duh.

      The most critical systems, those that control medical devices, weren't exposed.

    11. Re:Well duh by Mashiki · · Score: 1

      Looks like they did read the story. Critical systems shouldn't be online, and what did you just say?

      But a tech needed to upgrade the firmware on it so hooked it online and had lunch while the firmware downloaded.

      Idiot puts it online...stop making excuses for bad design and stupid techs.

      --
      Om, nomnomnom...
    12. Re: Well duh by Anonymous Coward · · Score: 0

      Actually, very little. You see, x-rays usually get sent to call center in India and Pakistan. Very little of x-ray diagnosis is done in the US. Especially when the doctor here has little training on reading systems. Even though the x-ray film is produced here, copied here, it's not read at that hospital.

    13. Re:Well duh by eam · · Score: 1

      According to the article, the people in China wanted healthy lung xrays because they could sell the images to infected people who would use them to prove that they don't have infectious lung disease, even though they do. That allows them to travel and share their infection with people in other places.

      Personally, I would consider that to be actual damage. I'd rather not wait to see an infection spread before we decide to be concerned.

    14. Re: Well duh by Anonymous Coward · · Score: 0

      Oh, he should of had his update already on a USB, or DVD? Or in the system awaiting the specialists time. That's not how it works in a university sponsored system. That tech, was the harried student learning the system. And it was a system that had unimportant data, the staff was probably busy doing their annual fund raising, so who was there to oversee the operation. The head nurse, should she be as qualified in it, as the it pro?

    15. Re: Well duh by Anonymous Coward · · Score: 0

      You're going to the wrong hospitals.

    16. Re: Well duh by Coren22 · · Score: 1

      Not sure what hospital you go to, but this is actually common practice in most hospitals in the US.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    17. Re: Well duh by WindBourne · · Score: 1

      Depends on whose X-ray it is. If somebody important and shows say cancer, China can use info to put said person in position, with one of own backing em. If person does not have family, but is old, it can be used to find healthy duplicate that then is modified with plastic surgery. Information is power.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    18. Re:Well duh by Anonymous Coward · · Score: 0

      Boy, one of my co-students works for almost 20 years for a major medical electronics company. You knew this company if I told the name. He is a competent C++ developer.

      I asked him about cyber security of medical devices and his response was as a$$holy-as-can-be. Something to the effect of "we give a fuck as long as the regulator will allow us to do". Absolutely NO sense of proactive security thinking, security concepts or the like. He would not even say" we have a firewall".

      So if you ever get a drug overdose by an electronic device (because you were an anti war protestor or something), you know how they did it.

      This world is highly crooked and the top 1%ers are just the top crooks. Folks like my co-student are their cheap and dutiful minions. Equally crooked.

    19. Re:Well duh by godel_56 · · Score: 1

      I know we talk about how long it takes a machine to get infected but hot damn these hospitals must be loading these machines up behind no firewalls at all to get to the internet.

      The network was supposed to be air gapped, but a clueless contract tech came in and connected it up anyway.

  2. No one buys a smoke alarm... by houstonbofh · · Score: 1

    No one buys a smoke alarm until after they have had a fire. The simply do not see the risk, and do not trust the people telling them about it. I see it all the time with my clients...

    1. Re:No one buys a smoke alarm... by Luthair · · Score: 1

      I think its more than that, much like Home Depot they're hiring people who are not qualified to manage IT security and infrastructure.

    2. Re:No one buys a smoke alarm... by Anonymous Coward · · Score: 0

      And even IF they wanted to hire people who knew security they wouldn't last long.

      Even in a regular IT company saying "no" is not going make you popular.

    3. Re:No one buys a smoke alarm... by rmdingler · · Score: 1
      Home builders and subcontractors are required by code to install smoke detectors in all new construction, remodel, and pertinent commercial upgrades to your premises.

      Think seat belts and motorcycle helmet laws...You can't leave the protection of the masses to their own good judgement.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    4. Re:No one buys a smoke alarm... by Anonymous Coward · · Score: 0

      We have had smoke alarms since they were commercially available for homeowner installation.
      Try using an example that (1) makes sense, (2) is applicable, and (3) is correct.
      Dummy!

    5. Re:No one buys a smoke alarm... by Anonymous Coward · · Score: 0

      I have never had a fire and I own a smoke alarm.

      Err... I also own and use a hardware firewall - in my house. So, there's that.

      KGIII as AC 'cause I done runned out of point posts again! That there limit of fifty ain't fitten for man or beast.

    6. Re:No one buys a smoke alarm... by Anonymous Coward · · Score: 0

      That REALLY is a matter of location. My State has no such provisions - Maine. There is a helmet law but only for your first year and only below a certain age - 21 as I recall. I didn't have to re-test, it's already on my license. The State beside me is NH. They don't even have a seatbelt law if you're over the age of 18. They don't have a helmet law for people over the age of 18, not even for first year permit riders.

      It's a whole different bowl of wax, depending on where you live. I own some rental properties - those must be outfitted with smoke detectors and those must have their batteries checked yearly. (I have it done on the same day they do inspections. Single properties, I just give them a month of cheap rent and they sign a paper saying they'll do it themselves. I've only got a few of those and they're all managed too. Well, except for two of them and both of those are only "technically" rented.)

      At any rate, it varies a whole lot by area - it may even vary by county or city borders. I'm seem to recall you live in the US but my memory is crappy. I mean really crappy.

      Anyhow, this is KGIII. I ran out of posts again. That stupid 50 posts per day limit is supposed to be going away. It has not done so. I've got a reply typed out to your other post, in another tab, so I'll send that in the morning. I won't see any replies to this. ;-) (Yes, I'm that lazy and closing this tab when I'm done with it.)

  3. Solution found, needs to be adopted... by ka9dgx · · Score: 3, Informative

    The solution to this problem is known, but nobody seems to know about it...

    https://en.wikipedia.org/wiki/...

    1. Re:Solution found, needs to be adopted... by Gravis+Zero · · Score: 1

      the problem isn't that we don't know how to make good security, the problem is they are not willing to pay for good security.

      --
      Anons need not reply. Questions end with a question mark.
    2. Re:Solution found, needs to be adopted... by ka9dgx · · Score: 1

      No... it's not about money... it's people don't understand the difference between POLA and the way things are done now... until that changes, no amount of money is going to help.

    3. Re:Solution found, needs to be adopted... by Goonie · · Score: 1
      Have you ever met a surgeon?

      To indulge in some gross stereotyping here, they have huge egos that exceed their (very considerable) talents, and little appreciation that anything that doesn't involve medicine, or indeed surgery, is important.

      They also tend to end up running hospitals.

      If you tell a surgeon running a hospital that you need to inconvenience him (and it's usually a him) and his fellow surgeons to solve a "problem with the computers", they will ignore you. They are also right - anything that interferes with their ability to do surgery is a huge waste of resources.

      An infosec person implementing the "principle of least privilege" is almost certainly going to grossly inconvenience surgeons in the process, to ends that are not at all obvious to most of them. Along the way they will, at the very least, inconvenience patients. Therefore, the infosec person will get told precisely where to stick their principle of least privilege.

      --

      Any sufficiently advanced technology is indistinguishable from a rigged demo
      --Andy Finkel (J. Klass?)
    4. Re:Solution found, needs to be adopted... by Gravis+Zero · · Score: 1

      people don't understand the difference between POLA and the way things are done now

      the problem is that they don't understand the issue (nor want to) which in turn is why they refuse to invest in proper security. it is the lack of a feedback mechanism (pain/sound/etc) to indicate something is going wrong that allows them to continue on until they are completely fucked. effectively you have a person being told they are on the verge of a stroke and then replying that they don't need treatment because they feel fine. it's only until after they have a stroke that they want help.

      --
      Anons need not reply. Questions end with a question mark.
    5. Re:Solution found, needs to be adopted... by Anonymous Coward · · Score: 0

      I know this is going to sound either impossible or pithy to the point of useless and, of course, I apologize ahead of time - but hear me out...

      What you (or someone) needs to do is make it simple. Remember, security is not absolute. It can not be absolute. It will not be absolute. If a system is usable by a human, if it even turns on, it likely has security issues - almost no exceptions. It's about what goals you want to take and what risks you're willing to accept to reach them.

      Now, I know that was pithy as all hell and damned near impossible to implement. I was the security IT guy by necessity for a long time at my business. I learned a great deal and this was a time when the 'net was akin to the Wild West - early-to-late 1990s. When we found someone we could trust and had the skills that I'd then learned where needed, I stole 'em from a local ISP. Yup. I straight up poached 'em. I have no shame and he appreciated the pay and was comfortable with the responsibility.

      So, don't get me wrong here, I know enough about what I'm saying to understand the complexity of what it *was* like. I've also stayed up-to-date, well enough, to have an inkling of what I speak of. I'm also well aware that there's a huge difference between what I currently do (admin a few boxes, some remote, and helping a few other people get up to speed as best as I'm able) and what is needed here.

      What I'd suggest is some very, very heavy filtering - such that there is replication and that there's isolation. It needn't be air-gapped. An IDS, firewall, authentication on certain sections of the network - including hardware authentication, can go a long ways. One could probably even do some sort of proximity authentication, even coupled with voice, and then make DAMNED sure there's a fail-over in place if those methods of authentication go down. There should, perhaps, be an audited account that allows anyone situated physically to authenticate in a sterile environment - such as a nurse being able to physically enter credentials but it shouldn't ever crash beyond that point - that needs to be redundant and in-place, all the time.

      Then, outside of those areas, you can be a bit more tight with what you allow. There's ways to push things into networks and allow only single-way communications with varied user privileges. It will be complicated but it's feasible. You can even go so far as to enforce things like an isolated network to remote hospitals, there's no reason for them to be on the World Wide Web - unless you're being cheap. Fiber is still dark in lots of areas, use it.

      I can go on and get into more details but the gist of it is that it can be *more* secure. Nothing can be 100% secure. It needs to be simple, effective, and 100% reliable for medical use. There can be no reboot. Then, you need to stop and think about what, exactly, systems even need to be "online." You need to think about what data needs to be stored and why it needs to be stored in the format that it is stored at. That's going to be damned hard - there's no way it's going to be easy. There's no fucking way it's going to be easy but it can be done, I'm positive of this. I'm positive that there are tools available to make it much easier than it used to be. I'm positive that the attacks have grown more sophisticated. So, there's that.

      At any rate, it can be done. It has been done, to some extent, and there are a few places with fairly good policies, practices, and records. I think the urge to make everything electronic is overrated. There are lots of things that are important and should be available, by some mechanism, but there are lots of things that simply do not need to be online.

      Read through the article - I haven't. I'm willing to bet, without looking, that at least some of them broke some very simple rules and put some things online that didn't need to be. I don't even have to read the article to know I'm right. I'll blindly bet on it. Well, I would but nobody would pay me. They've already read the article and, if they didn't, that's

    6. Re:Solution found, needs to be adopted... by ka9dgx · · Score: 1

      You've got a lot of hard won experience, I'll give you that... but the problem is a whole new layer, deeper than you're used to thinking about. Imagine if you built a old style fort, moved your troops in, and generally felt secure.... only to find out the bricks it was built out of were actually blocks of C4, and any one of them could send the whole place up in a flash.

      If you can imagine that scenario... you know what computer security is really like, no matter how careful you are. Because Windows, Mac-OS, Linux, and pretty much every non-mainframe OS out there runs every line of code with the full privileges of a user account at all times, there's no way for a user to limit the scope of what a program does at run time.

      The solution is to use an operating system that is designed from the ground up to simply ask which files the user wishes to operate on, instead of blindly trusting the program to do the right thing. This makes it possible for the user to limit side effects by design, which then makes it possible to have end nodes that are reasonably secure... which makes it possible to have real security.

      I still don't see the change to things like Genode happening for at least 10 more years.

    7. Re: Solution found, needs to be adopted... by Anonymous Coward · · Score: 0

      On the verge of a stroke, is now, or fifty years in the future. To absorb malware on a system, is instantly, the moment they hooked. So it, the malware, must be running 24/7 on an adjacent system. Still on one of their servers. I wonder if their it took the next step? Investigated their system entirely. Even their latents and power one, for problems.

    8. Re:Solution found, needs to be adopted... by lcall · · Score: 1

      I think OpenBSD takes the most pragmatic approach here and it is available and works well today. Basically the code is reliable and more secure & predictable than anything else known for a desktop or server OS, in the default install, and then for anything you add or change, you can consider its impact on security and act accordingly, separating privileges by user account, choosing risk vs. reward when using non-audited packages, etc, etc. Only 2 remote holes in the default install since about 1995, IIRC.

      Hardware is another matter though.

      --
      A Free, fast personal organizer for touch typists: onemodel
    9. Re:Solution found, needs to be adopted... by Anonymous Coward · · Score: 0

      There is a shift key on your keyboard. Not using it makes you look stupid.

    10. Re:Solution found, needs to be adopted... by KGIII · · Score: 1

      See, I really think that least privilege is a good start. I know that's not the case if the nurse can play minesweeper and visit Facebook. Yeah, they're gonna be pissed. Then, it really has to be functional. It has to be functional all the time - and redundant, perhaps several layers of redundancy. Use that to YOUR advantage. They can't login? They get a dumb device and someone enters the results from charts into the computers later. Sorry, learn to carry your card and remember the password, Doctor. You too, nurse - your job now includes that such is sanitary and a part of his tool set. Make sure it is there - use that to your advantage too. You now have two or three factor identification.

      I can go on... The code should be small, light, and dedicated. Features that do not get used don't get turned off, they don't get included. No, that application doesn't need an HTTP server when it can communicate over more authenticated methods. Couple that with the identifications already being given with the device (they're physically there oftentimes) use that as the time to make that a part of security too. Guests want wireless? Sure... Err... That system should, quite literally, not even use any of the same *hardware* that the hospital's stuff runs on.

      Need I go on? I will not accept that it can not be done. I know it can be. There's a lot that's on the network and using protocols it doesn't need. There are a whole lot of features that are nice to have but are not needed. There are records that are nice to have immediately available with access from a very disparate group. That can be locked down, it's doable. Credentials have to be shown - make it so. Lock it to hardware, authenticate and whitelist and whitelist only. Allow only certain permissions, use a separate file-system for inbound rights, merge as needed/sanitized/authenticated - allow no write access anywhere from beyond that isolated spot. You can even tie it to remote hardware but that won't add much protection if it's their end that's compromised. It'll look good on a checkbox but I can think of better ways to authenticate that hardware that require multiple forms of authentication and needn't be connected to anything other than their own local system (with similar permissions and network).

      There's no reason to even issue IPs outside of a certain sector and then control who hands out those addresses. Go with IPv6. Now you've closed the entry routes from remote, at the least privilege. Stuff from outside the network gets routed to null. Screw it, another country wants to join? You put them at a gateway and they all enter through that. Again, each place using the proper security. It doesn't really matter if they don't, they can't do much to you if you keep your shit locked down and away from them. Don't give remote issues and even use the opportunity to secure the physical realm.

      It *is* hard. It does mean that they're not general purpose computers. They're limited devices and they SHOULD be. If they don't need it, they shouldn't have it. It really doesn't matter, too much, what operating system you use - but you're damned well going to want a mixed environment. Not for security, that's fucking stupid. You want a mixed environment because some things are easier to accomplish on varied operating systems. The communications protocols should be standard and simple. It's easier to filter simple and it's more robust. If you can get away with pushing bits out over a friggen' physical port instead of wireless then do it! If it can be written to, at all, then authenticate it. If it can send traffic, then make sure it can only send traffic to where it has to go - and at that end, have nothing else but that.

      You've got virtual machines, you've got containers, you've got jails, you've got firejail for Linux, you've got all these tools. I have faith in you. And no, no I won't come work for you. No, not even for that much. I'm retired, I kind of hate computers anyhow. Well, I did for a lot of years. I didn't even own one until I was pretty old by most

      --
      "So long and thanks for all the fish."
  4. Disappointed by Anonymous Coward · · Score: 1

    Looking at the first part of the headline "5 Major Hospital Hacks", I was expecting an article showing me 5 creative/unknown ways to improve my hospital stay.

    Oh well, back to Buzzfeed...

    1. Re:Disappointed by fustakrakich · · Score: 1

      I was kinda hoping for a Freddy Krueger comeback...

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Disappointed by Anonymous Coward · · Score: 0

      Major hack: If you're going to be in hospital for more than an overnight stay see whether you can bring your own sheets. Hospital will change the bedding but it's the cheapest possible and there's usually a plastic sheet underneath for obvious reasons - this means the patients often leave with the equivalent of nappy rash.

  5. Confidentiality and privacy were breached. by Anonymous Coward · · Score: 1

    What was the damage done by the x-rays being sent to China?

    Medical information is considered confidential and private. This confidentiality and privacy was obviously breached if the information unexpectedly, and without the consent of the patient and/or the patient's doctor(s), was transferred to China. From there it could easily be made public.

    Even if nothing ever happens with the medical information, the mere fact that confidentiality and privacy were breached is more than enough damage to get very upset about.

    1. Re:Confidentiality and privacy were breached. by Anonymous Coward · · Score: 0

      But you haven't answered his question. What was the actual damage?

      Someone seeing your X-ray is not damage, just because you don't like it. If you want to go down that road, I'm "damaged" every time someone says something that offends me.

      What was the actual damage to the person whose X-ray was sent to China? Not making up hypothetical situations.

    2. Re:Confidentiality and privacy were breached. by Barny · · Score: 1

      To that person? Not a lot. To countries around the world trying to stop Chinese nationals from slipping past border control with horrible diseases that all these x-rays show them as not having...

      --
      ...
      /me sighs
    3. Re:Confidentiality and privacy were breached. by myid · · Score: 5, Informative

      Right. According to the IEEE article,

      Someone had also downloaded about 2000 patient X-rays to a computer somewhere in China.

      “Who knew there was a black market for X-rays?” Halamka says. He learned that some Chinese nationals can’t get visas to leave the country because they have infectious lung diseases such as tuberculosis. A clean lung X-ray is therefore a valuable commodity.

    4. Re:Confidentiality and privacy were breached. by Barny · · Score: 1

      Yup, I read the article. Sorry, a shock I know, but hey, it sometimes happens :D

      --
      ...
      /me sighs
  6. How to spoof a wireless insulin pump? by khz6955 · · Score: 1

    "At a recent Black Hat conference, a diabetic man demonstrated how to spoof a wireless insulin pump, causing a life-threatening situation"

    How about designing a wireless insulin pump that can't be accessed by unauthorized devices?

    1. Re:How to spoof a wireless insulin pump? by matt_hs · · Score: 2

      I work at a hospital. In some fashion, for reporting into the EHR, pumps need to be available on the network. However, there's no reason they shouldn't be read-only. If a dosage is going to be changed, it ought to be modifiable only at the control panel. Good medical practice says you adjust the dosage and observe the patient immediately afterward. To do that, you need to be at the patient's bedside -- and thus, at the pump.

    2. Re:How to spoof a wireless insulin pump? by Goonie · · Score: 1
      Because it's not a matter of hacking together a patch, running the unit tests, uploading to production and waiting to see if it crashes.

      This stuff has to run the gauntlet of companies, regulators, and customers who have NFI about infosec, but do have some idea of the consequences of rushing untested changes into devices which quite literally keep people alive from minute to minute.

      --

      Any sufficiently advanced technology is indistinguishable from a rigged demo
      --Andy Finkel (J. Klass?)
  7. Heathcare IT? Ugh. by Hunter-Killer · · Score: 1

    I work for an EMR vendor. FYI, the HITECH Act obligates companies to disclose breaches only in situations where PHI (patient data) is accessed. Our infrastructure could be co-opted into a Russian Bitcoin mining farm, but as long as patient data isn't touched, we don't have to let anyone know.

    What a lot of people don't realize is that many clinics are small businesses. Small businesses tend to make small business decisions. Doctors won't replace those workstations running Windows XP or Vista if they plan to retire in a few years--that's wasted money. We've noticed that not maintaining support contracts for critical infrastructure is a popular cost-saving measure as well.

    Penny pinchers are a problem, as is entrusting responsibility to Billy Bob at Local Computer Guy's and Cable TV Repair's. Yes Billy, we can tell you haven't made a successful backup in six months, and the UPS at the customer site has been failing for twelve. No Billy, it's not ok to leave those ports exposed on the Internet. People rag on the cloud being someone else's computer, but cutting Billy out of the loop is a net positive.

    1. Re:Heathcare IT? Ugh. by Merk42 · · Score: 1

      I was most recently at a very large hospital, and they were entering my information into a computer running Windows XP. They had upgraded other facilities, so it's not penny-pinching in general, I guess just IT is low o the priority?

    2. Re: Heathcare IT? Ugh. by Anonymous Coward · · Score: 0

      It's wrong to say billy-bob. Unless Billy Bob owns the local hospital, or the state run disability agency. It's not just small business. The same principle of operation goes on everywhere. The most for the least.

    3. Re:Heathcare IT? Ugh. by jbmartin6 · · Score: 1

      Exactly. I worked for a hospital, and there was a huge breach of data related to doctors and nurses PII. They felt they didn't need to report anything, eventually one of the residents tattled to a local newspaper and it became a minor story.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    4. Re:Heathcare IT? Ugh. by sjames · · Score: 1

      By the same token, they went with Billy because Joe, who would have fixed the backups and the UPS battery, costs more. Of course he costs more because he does more.

      Billy probably used to cost more too, but he needed enough contracts to feed his family so he gave the customers what they want.

    5. Re:Heathcare IT? Ugh. by painandgreed · · Score: 1

      I was most recently at a very large hospital, and they were entering my information into a computer running Windows XP. They had upgraded other facilities, so it's not penny-pinching in general, I guess just IT is low o the priority?

      IT a low priority, not really. They all pay plenty for their EMR and other systems. Desktop support? That does often end up being the red headed step child of IT. For the past twenty years, healthcare has been deploying more and more computers, practically as fast as they can, and only replacing them when they fail or can't do the job anymore. In the last ten years, they really haven't failed that much and still do their job fine. The XP to Win7 has probably been the first enterprise wide upgrade that was demanded for working machines. Now, their desktop support groups need to start replacing good computers with newer computers while still deploying more computers as they have been doing as all their other work hasn't gone away.

      Still, what is more likely is that some vendor system is holding the department back. All these computers have been deployed because all the different departments are going from paper to electronic and communicating with all the other systems. So your clinical devices need to talk to the departmental information systems, which have to talk to the EMR which has to talk to the HIS which has to talk to the billing system. Since most hospitals are doing pretty much the same things, they all use some of the few leaders who make those systems at a variety of levels of complexity. Is one of those systems requires Win XP, probably because it needs an older version of IE, nobody can upgrade. That needed upgrade may be a large project that will take this years capital budget and take two years because vendors rarely add features to current version rather than just roll them up into newer versions so they can use that to sell to other hospitals. So, once you decide to upgrade, you're talking about new hardware, often requiring new server space, new interfaces, new training, etc. Once that is done, then they can go to the next critical upgrade project. Heaven help you if a project falls behind or some unplanned upgrade needs to happen. Add in that this constant upgrade treadmill is still relatively new to hospitals on an enterprise level and many of the upper management were running the hospitals back when departments handled their own IT or there was no IT to be handled. So, the current ten year upgrade plan wasn't really planned for ten years ago.

  8. But maybe you *are* damaged by offence by Anonymous+Brave+Guy · · Score: 1

    If you want to go down that road, I'm "damaged" every time someone says something that offends me.

    You are potentially damaged every time someone says something that offends you. Your life is a little bit worse as a result of their action. However, in the case of offensive speech, the other party would also be damaged if they were gagged to protect your sensibilities, while you might also benefit in other ways as a result of being exposed to the initial offensive idea. Most Western societies have decided, to varying degrees, that the damage caused by accepting offensive speech is less than the damage caused by restricting freedom of speech and sharing of new ideas, and so their laws side with the lesser evil in most cases.

    This is not some inherent universal truth, a black and white matter of right and wrong. In much of Europe, for example, holocaust denial is illegal. In most Western nations, defamation is considered harmful and can be punished by law. In particular, defamation typically doesn't require that some concrete harm has been caused to the victim; we understand that telling lies that misrepresent the good character of another human being has the potential to cause them great harm in the future, and that is enough.

    The real trouble with these arguments about "actual damage" is that many issues around rights and freedom and liberties, including respect for privacy, are matters of principle and generality. In the limit, if no-one has any privacy any more, then no-one can really think or act independently any more either. Our fundamental ability to behave as we wish by default has been destroyed and we are merely part of some global machine, required to conform, never pushing boundaries, never exploring radical new ideas, never growing as a person or advancing humanity as a species and culture. You can't point to any one incremental invasion of privacy and say it was the straw that broke the camel's back, yet the camel was still broken.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:But maybe you *are* damaged by offence by Anonymous Coward · · Score: 0

      You are potentially damaged every time someone says something that offends you.

      Can you explain that? I'm not trying to be confrontational, I'm genuinely curious.

    2. Re:But maybe you *are* damaged by offence by Anonymous+Brave+Guy · · Score: 1

      I consider the pursuit of happiness to be a worthy goal in its own right. Almost by definition, happiness is about being in a situation you like. Someone offending you probably reduces your happiness, and thus harms you, albeit perhaps only in a very small way.

      The analogy I sometimes use in these discussions is mild violence. Walk through any city centre late on a Friday night, and you can see that at least some people's natural human response to being offended involves punching the person who offended them. Most of us would agree that this is not normally acceptable behaviour, and so would the law.

      However, a casual punch thrown in a drunken brawl on a Friday night probably won't cause any permanent physical harm to the person who takes the hit. They probably aren't going or be unable to work the next week, or otherwise lose money. They probably won't be prevented from doing anything they were otherwise going to do on the Saturday. They're probably just going to suffer a bit of pain, a bit of embarrassment, and a minor injury from which their body will make a full recovery within a few days.

      In other words, the only long-term harm, and arguably the most significant part of the damage as a whole, is mental. It's about whether someone deserves not to feel pain or threatened or victimised, because these things are unpleasant. How then is this so different to causing purely emotional distress, in whatever form that may take?

      My personal view is that in many ways it isn't, and thus the moral difference between punishing deliberately causing offence and punishing minor acts of physical violence is more about the other consequences. As a subjective moral position, I don't consider the satisfaction someone gets from punching someone who offended them to be more important on balance than someone's right not to get punched and by extension not to fear being punched. I do consider that freedom of expression is more important on balance than not being offended.

      Of course, these are just my personal views about greater and lesser evils, not some sort of objective truth about right and wrong. I'm quite sure some people would disagree and say that someone who took a punch after deliberately being deeply offensive just got what they deserved, and while I tend not to agree with them and probably neither does the law in most places, who is to say their position is incorrect? Indeed, in a way theirs is an even stronger position than mine, because it implies that the damage caused by the offence is equivalent or greater in some sense to the harm caused by a minor act of violent retribution.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  9. No patient harmed by GuB-42 · · Score: 2

    The 5 "horror stories" are just regular hacks that happened in an hospital context. Nothing along the lines of "hacking insulin pumps to kill patients". TFA doesn't mentions any health-related harm. Only the potential problems caused by the resulting delays are mentioned.

    Here are the "horror stories"
    1- Stolen (as in copied) X-ray pictures
    2- DDoS causing temporary internet outage
    3- Doctors getting scammed for Amazon gift cards
    4- Spam sending malware causing a temporary ban of the hospital mail servers
    5- The most serious one : a ransomware caused the hospital network to be down for 1 week, and cost another $17000

    1. Re:No patient harmed by sjames · · Score: 1

      That last one probably DID harm patients. They were so bogged down without their IT systems that they had to stop accepting 911 patients for a week. That means people needing help NOW had to wait a little longer while they were taken to a more distant hospital. There's a reasonable probability that there were more incidents of late or wrong medication as well. It's hard to assess exactly who might have been harmed and how much from that.

    2. Re:No patient harmed by Anonymous Coward · · Score: 0

      Good $diety - if only people thought about infosec security with as much passion, it might actually save lives!

  10. Make it HURT by Bruce66423 · · Score: 1

    Sadly the only way to alter behaviour is to create an environment where misbehaviour results in sanctions. This means that patient data escaping from a clinic should result in the suspension of your licence to practice medicine if you are a small clinic, and stupid fines if you are large. And a reward for whistle blowers who report it - with a discount on the fines if the mistake is reported promptly. Allow companies to insure against the fines - but encourage the insurers to test their clients...

  11. Mass General? by jbmartin6 · · Score: 1

    I was interested more details on the Mass General incident with their payroll portal. But I could not find any references to it outside of this mention. Has anyone had better luck, or better searching skills?

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  12. That's SELinux, which is now reasonably convenient by raymorris · · Score: 1

    > OS out there runs every line of code with the full privileges of a user account at all times, there's no way for a user to limit the scope of what a program does at run time.

    > The solution is to use an operating system that is designed from the ground up to simply ask which files the user wishes to operate on, instead of blindly trusting the program to do the right thing

    That change from giving permissions to the user (discretionary access control) to instead assigning them to the program + user (mandatory access control) is what SELinux does. The admin basically sets "program X, when run by user Y, can access files labeled Z, read only". When it first came out it was a pain in the butt. Nowadays the RPM packages typically have good policies included, so it's nearly transparent. There is a bit of a learning curve for admins, and better (easier) tools and documentation would be helpful.

  13. Also: Hygiene by Anonymous Coward · · Score: 0

    Totally useless and a nuisance on these surgeon-gods. Makes a hell lot of sense, your shit-thinking, Hillary.

  14. Re:That's SELinux, which is now reasonably conveni by ka9dgx · · Score: 1

    Having an admin set up a static set of privileges on each and every program isn't a sustainable approach... what's needed for general purpose use is called the "power box", in which the operating system directly asks the user about which files to open, etc... instead of trusting the application to do it.

    Users can generally decide correctly what files to access, etc.. you don't have to have an admin do it.