Why Are Hackers Increasingly Targeting the Healthcare Industry? (helpnetsecurity.com)
Slashdot reader Orome1 shares an article by Bitdefender's senior "e-threat analyst," warning about an increasing number of attacks on healthcare providers:
In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identity theft. This personal data often contains information regarding a patient's medical history, which could be used in targeted spear-phishing attacks...and hackers are able to access this data via network-connected medical devices, now standard in high-tech hospitals. This is opening up new possibilities for attackers to breach a hospital or a pharmaceutical company's perimeter defenses.
If a device is connected to the internet and left vulnerable to attack, an attacker could remotely connect to it and use it as a gateway for attacking network security... The majority of healthcare organizations have often been shown to fail basic security practices, such as disabling concurrent login to multiple devices, enforcing strong authentication and even isolating critical devices and medical data storing servers from a direct internet connection.
The article suggests the possibility of attackers tampering with the equipment that dispenses prescription medications, in which case "it is likely that future cyber-attacks could lead to the loss of human life."
that's where the money is today.
It's as simple as that. Hospitals, like (or due to) governments, often go for the cheapest option where security is an afterthought. Once you are embedded with the cheapest vendor, you are locked in forever because the contract never demands open hardware or software, and thus once the install is done, the vendor disappears and the sub-par IT staff has no clue what to do to make anything work besides just opening the entire thing up.
If you go with a big-name vendor and actually contract support for a device with the likes of Siemens or GE or Philips, they will often install their own gateways right into your network for remote technician access. They are, likewise, poorly secured since changing protocols or passwords is often inconvenient (again, sub-par IT staff on either side), and anyone gaining access to any point of the network will often have unauthenticated access to a number of institutions.
You keep on using that word...
because that's where the money is.
Because it's been shown that they will pay. From a fiduciary standpoint, it probably has the highest profit-to-effort ratio.
File under 'M' for 'Manic ranting'
It's a great place to get cash to pay off your insurance bill.
They have a lot of it.
Because they're horrible human beings. Real shitstains who would throw a puppy off a bridge for a quarter. Many are probably bedwetters. All sociopaths. May they die horrible deaths and then be forgotten.
You are welcome on my lawn.
The article suggests the possibility of attackers tampering with the equipment that dispenses prescription medications, in which case "it is likely that future cyber-attacks could lead to the loss of human life."
It was an episode of Law and Order; the wrong insulin dose was dispensed by a machine.
This would have been in the first few seasons, even before Briscoe and Logan.
Why did Somali pirates attack international shipping?
Because it worked and shipping companies were paying their ransom. Likewise for hospitals. Hospitals are dumb enough to pay which makes them a target for more attacks.
Seven puppies were harmed during the making of this post.
Two words.... Easy Pickings.
I hope the OP didn't think that those who choose to wreak ill will upon an industry with admittedly piss-poor security practices actually care if their efforts impact or end a human life? The offensive force here doesn't care about the outcome, only that they have incredibly easy access to low-hanging fruit =P
Not too dissimilar from the movie Live Free or Die Hard (2007)...
John McClane: Hey, what's a fire sale?
Matt Farrell: It's a three-step... it's a three-step systematic attack on the entire national infrastructure. Okay, step one: take out all the transportation. Step two: the financial base and telecoms. Step three: You get rid of all the utilities. Gas, water, electric, nuclear. Pretty much anything that's run by computers which... which today is almost everything. So that's why they call it a fire sale, because everything must go.
Once Matt saw what really happened he showed regret. Hopefully it doesn't have to go that far for these perpetrators to realize they can directly or indirectly take a real human toll.
Why the healthcare industry? Easy. There is lots of valuable information and money to be made by doing so and frankly the healthcare industry is a soft target if there ever was one. Their IT systems typically have security as an afterthought if they consider it at all. They don't tend to hire the best and brightest IT people and the results prove it. They are hamstrung by regulations that legally prohibit them from updating equipment for security reasons even when it needs it. The people that run medical practices (typically doctors) are not IT people and generally have a poor understanding of the issues involved. And there is a treasure trove of valuable information, access to drugs and other stuff that criminals can make a fortune from.
Put lots of data in one place, it becomes a target.
There seems to be a belief that by using e-records, it will save your life. In an emergency, your records are immediately available. Now you have conflicting goals: 1) open access (even if you are unconscious) for medical professionals everywhere all the time, and 2) locked-down, secure systems.
What we get is a system where medical professionals can't get access to your records when they do need them. The quality of record keeping drops significantly because the systems are completely user unfriendly. And hackers hit the jackpot when they crack one system because thousands to hundreds of thousands of records are all in one place.
I'll take paper records, thank you. Hard to steal. Impossible to hack. If I see another doctor, I know where they are. All it takes is a phone call. If I had a severe problem such as an allergy to a common medicine that could kill me, I'd wear one of those bracelets with my name, condition and doctor's name. EMTs are trained to check for them. I already wear one when cycling with name, blood type and home address.
I'd love to see a nessus scan of my local hospital's network. It would be a good laugh for the guy NOT in charge of patching!
It's so easy.
I haven't tried but I imagine I could get access to every patient's electronic records at the hospital I go to in under 12 hours.
The medical staff seem to have little to no concern for security/privacy outside of HIPAA laws.
Because of the slope of the tradeoffs.
Security is always a tension between making the data safe vs. making it usable.
In the case of health care, if the data isn't usable: people die.
So in any situation where a human may route around security so that someone doesn't die: they do so. It leaves the system riddled with security holes, but on whole: functional for the intended purpose of keeping people alive.
Keeping the data useful is also why these companies are fairly quick to pay the ransoms, and (I'd like to think) why the ransomers are willing to take pennies on the dollar from them, but not from, say, a bank.
Every 2-3 months a security firm releases such a report. This time it's BitDefender, last winter it was Kaspersky (seriously, just look it up), prior to that it was Symantec, before that it was Core Security.... we get it, IoT medical crap is vulnerable... find something else to yell "the sky is falling" about
How come healthcare facilities are being infected with CryptoLocker instead of suffering actual hacking attempts? Emailing viruses to random HR executives doesn't constitute hacking.
Two things missing from your summary. First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance. All of this data makes it simple to steal your identity, which ties into our second item.
Second item: Profit. In addition to using your prescription coverage for codeine, big ticket items are being charged to people because identity theft is so easy. Within the last month or so, two people were hit with tens of thousands of dollars in co-pay for major surgery, and another was hit with fees from a transplant. All of which were done to other people. A bit of investigation determined that the people bought insurance on the black market for their procedures. The better the insurance being stolen, the higher price it retrieves. Shame on the US for using a SSN for nearly everything.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
I recently received a letter from my health insurance company telling me all of my records from non-primary care providers, including both my psychiatrist's office and my therapist's office, were being sent to my primary care's office under the guise of better treatment from said primary care doctor. This is something that I explicitly do not want, as my mental health issues are not something I seek or expect my physical health services to treat, can be information overload, and at worst put all of my records in a single place that could be breached and everything down to my prior suicidal episode could be forever out in the wild of the Internet. If that happens, who is to say whatever laws will protect me from being denied future employment because of it?
The entire concept of a primary care doctor is a pretty fantasy. That relationship is entirely transactional; I can't imagine he's ever proactively looking through updates, nor would I want him to be.
captcha: paranoia
Good luck getting them to comply with security policy or keeping any policy in place that one objects to.
I've worked a bit with the health industry (not as a career, thank god, that would be soul crushing), and outside of government health care has the worst IT and worst security I've ever seen. Because they just don't care unless it impacts their bottom line.
All those health apps that doctors and nurses use, and all those devices? Yeah, they have terrible security because the hospitals don't make it a priority and they just don't care either. Class C medical devices that are PCs running Windows XP with active USB ports? You bet.
Your online records? Those are handled by outsourced people running cobbled-together Ruby scripts that take 30 hours to process 24 hours' worth of data in plaintext CSV (I use that because I've seen it). They certainly don't care about security. Your insurance company? They certainly don't give a damn whether you live or die as long as they're raking in the cash.
All they care about is preserving the appearance of not violating HIPAA because that might cause them some grief.
It is the low hanging fruit
Why haven't they been?
Why hook up to the internet at all?
Not just healthcare, a lot of other situations where lives can be lost if something is hacked. I'm thinking dams, traffic lights, oh, you can make your own list.
About 10 years ago I dropped a car off to be serviced at a dealer (yeah, I know. I avoid dealers as much as possible). When I arrived there was pandemonium. Their computer system was down. I had the temerity to ask someone to simply generate my bill with a pen and paper. They wouldn't even try.
But, and here is a good question, a lot of tasks have little or no benefit to being done in a computerized environment. But we've all drunk the Kool-Aid, eh?
Then, to top it off, a lot of other entities, government, insurance, other Big Companies require things to be computerized. HIPAA for example.
It's as if for 20 years we've all been making cars that are vulnerable to being hacked. Oops! Here we go again.
It's a soft target with lots of interesting information.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
because they have horrible security and greater information.
Because they're used to viruses and infections?
While Willie Sutton may not have actually said it, the statement is still true. Criminals turn to where the money is easiest to make.
Because it is trivially easy to break into the medical industry's systems while their IT security is being designed by MBA managers with impotent and clueless security policies. Anyone here ever tried to apply for one of these management positions? Anyone here ever worked in the medical industry's IT division and realized that it was a dead-end job if you are an IT worker? You are never going to get into management there because they don't promote people from IT into management positions. It does not take a lot of thought to see the problem and the hackers know this. So what is the response from the hiring managers here? I bet nothing, because they are not into solving problems, just letting them continue and complaining about them.
but shouldn't they know how to treat and prevent them?
Only if they got paid enough money by the drug companies.
Personally, I blame Obamacare.
I'm an American. I love this country and the freedoms that we used to have.
"It is likely that future cyber-attacks could lead to the loss of human life."
It must be the Muslims
Fake medical bills.
The fact that you don't know how many medical bills you'll get, from whom, or what the total will be creates huge opportunities for fraudulent medical billing. You find out when someone was in a hospital and for what, then send them a fake bill for a couple grand for (insert bullshit reason here). Then harass the living shit out of them until they agree to settle for half of what you originally asked for.
Hospitals have to keep a lot of data on patients that can't be sold or monetized. All the IT, protocols, auditing and security surrounding personal data is pure infrastructure that private healthcare wants to spend as little as possible on. Countries that depend on private healthcare, also suffer regulatory capture ensuring the industry can do the minimum and spend the minimum possible, for some level of data storage service.
This problem has to be a myth.
Each time I enter the healthcare industry, I have to fill out the same "wonderful" multi-page form by including basic personal information and health history therein.
So what data is being hacked?
Yes, I'm being facetious, if that fails to go without saying.
Sines of Impending Sines
The doctors and other personnel consider "data should be free", for their work, and security is not in their area of expertise. They consider patients first, which is good, but they don't believe that the patients also need the security. It is in the way, so they push it aside and forget it.
It is basically a lack of training in the medical colleges.
Fantastic! That's great news that the IT folks are available when I'm taking care of patients. What words would you use to describe the 2-pager system I have to use to reach them, with zero standards for turnaround time or actual assistance? And you can keep the ticket number to yourself; trying to read me a 20-character code confuses my job for yours.
I have to wonder if this is simply a LEO phishing attempt. I'd think we'd all know why they're doing it. They've told us, according to the articles I've read. It's a punch in the nose to bloody it so they'll actually do their jobs. You know, actually patch machines, keep software up to date, things like that. A number of hospitals, their version of Windows is real old, not updated, easy pickings. One article said they even told the hospital many times over three years about it. Didn't move them at all. Ok, so scare the crap out of them.
Takes that sometimes. Some people in management are really big into denial. Can't/won't happen to them, etc.
Well I am laughing and I'll tell you either get better IT staff or pay the ones you have enough to be on call 24/7
P.S. You're a radiologist. When the fuck do you take care of patients? You're writing up opinions on MRIs and X-rays.
If you don't like the label don't perform the act.
Less than 20 years ago we had to hand carry files, lab results, and images from doctor to doctor. "Always" is complete horse shit, and as we have moved to everything being on-line crimes have increased due to opportunity.
The on-line convenience for some has impact to everyone. I'd be willing to bet you can see it if you just opened your eyes.
Generally speaking the Government was prevented from accessing your health care data by law. It was not until the government mandated and regulated recent history that they had access to your data.
Exceptions were people in the Government system, such as Welfare/Veterans, etc... Many veterans avoided Government doctors for exactly that reason.
Instead of claiming someone else needs meds, evaluate your own lack of truth and desire to defend your lies.
First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance.
They've always done this. And it's always been available to the government. They might have needed a warrant, but it's available.
Your reading comprehension leaves something to be desired, or there's something worse afoot with you. To make this absolutely clear, I stated the following:
They've always done this.
to clearly and, yes, pedantically state what that means, since your comprehension of said quotes above seems severely lacking this can be transformed into a plain fully qualified self-standing sentence:
I do not believe there's any question that they've done this for most of the past century (as in 100 years). This is not a current thing. Have you not visited a health care provider over the past several decades?
Since this data exists, and has existed, are you arguing that somehow it was not available to the government? If so, please make your case. I'd love to read in what bizarre universe documents held by a non legal third party are not subject to a warrant in the US. In fact:
Until 1996 there was no federal protection of privacy in medical records; and state laws varied widely. That changed with HIPAA.
Which granted isn't an authoritative source but certainly lends some credence to the fact that you need to support your assertions as the implication is that HIPAA is the exact opposite of your stance. You can also see that earlier, the Federal Rules of Evidence, which became law in 1975, do not have any provision for privacy of medical records nor Physician Patient privileges. I have no idea what this imaginary Patient Client law is.... Perhaps you could cite it?
So, are you wrong, an idiot, a troll, or something worse?
The cesspool just got a check and balance.