Why Are Hackers Increasingly Targeting the Healthcare Industry?

Slashdot reader Orome1 shares an article by Bitdefender's senior "e-threat analyst," warning about an increasing number of attacks on healthcare providers: In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identity theft. This personal data often contains information regarding a patient's medical history, which could be used in targeted spear-phishing attacks...and hackers are able to access this data via network-connected medical devices, now standard in high-tech hospitals. This is opening up new possibilities for attackers to breach a hospital or a pharmaceutical company's perimeter defenses.

If a device is connected to the internet and left vulnerable to attack, an attacker could remotely connect to it and use it as gateways for attacking network security... The majority of healthcare organizations have often been shown to fail basic security practices, such as disabling concurrent login to multiple devices, enforcing strong authentication and even isolating critical devices and medical data storing servers from a direct internet connection.
The article suggests the possibility of attackers tampering with the equipment that dispenses prescription medications, in which case "it is likely that future cyber-attacks could lead to the loss of human life."

of course

[turkeydance]

that's where the money is today.

Re:of course

[Fire_Wraith]

It's a combination of three things, most of which have been touched on in various posts by others here:

1: There's a lot of money in it.
2: The healthcare industry can't afford downtime or failures, so they pay up quickly.
3: Insurance covers a lot of it.
4: Generally poor security practices make it easier, on top of all that (typical of an industry that hasn't been targeted a lot in the past, their security is focused on other things, to the extent they have it).

So in summary, it's a relatively large/easy target, with lots of money, that can't afford downtime. The only surprising thing is that it took this long to become a target.

Re:of course

[Fire_Wraith]

And by three, I mean four.

You know what they say - there are only two hard things in computer science: cache invalidation, naming things, and off by one errors. ;)

Re:of course

[NotQuiteReal]

Nobody expects the Spanish Inquisition!

Re:of course

[FatdogHaiku]

And by three, I mean four. You know what they say - there are only two hard things in computer science: cache invalidation, naming things, and off by one errors. ;)

Did you used to work with these guys?
https://www.youtube.com/watch?v=oJZ2m6_T1wc

Re:of course

[Archfeld]

"...Then thou must count to three. Three shall be the number of the counting and the number of the counting shall be three. Four shalt thou not count, neither shalt thou count two, excepting that thou then proceedeth to three. Five is right out. Once the number three, being the number of the counting, be reached..."

Re:of course

[jellomizer]

You have a few more things.
Integrated environment nearly every system talks to the other. The Registration system talk to the Health Record System which talks to the lab systems and back to the Health System and to the billing system... That is the simple work flow for an office visit. Normally your data is being passed to a dozen independent systems.
Healthcare typically is about 10 years behind the time in technology there is a lot of old equipment out there that slows down the others the tight integration is a big issue in this. That multimillion dollar MRI which runs off of Windows XP will not be upgraded because it works fine however the other systems can only be upgraded if no compatibility is broken. It takes years of planning to upgrade even simple application.
Crummy vendors, most vendors focus only on one part of the system and don't care much about integration. But they know once you buy in you will be stuck for the long haul. So they use the slimmest sales people they can get to push their crap on healthcare industries. Because they know the politics.
The politics in healthcare are tough very hierarchal often with MD on top. IT without MD on staff tends to be under treated. As uneducated staff just the same as the people work in the cafeteria. Our conserned are often not listened to they dictate stupid solution to follow because they read it in a book. They setup IT to fail. This brings in the vendors who position themselves as smarter than the instructions IT staff and play on the hire ups egos and push there solutions across.
It is not a few simple thing to improve security it is the whole institution

Re:of course

[arglebargle_xiv]

Actually, as the original article shows, the money seems to be in selling security services to hospitals. There's some general scaremongering about unnamed bogeymen targeting hospitals, and then a long discussion about how much you should be spending on security services, for example from Bitdefender, one of whose people wrote the article.

Re:of course

[dbIII]

The politics in healthcare are tough very hierarchal often with MD on top. IT without MD on staff tends to be under treated. As uneducated staff just the same as the people work in the cafeteria

An insight into that attitude was demonstrated a few years ago on Slashdot with the stories about the doctor who collected other people's linux kernel patches getting into an argument with Linus Torvalds.

Re:of course

[TheCarp]

> Generally poor security practices make it easier

This. Something people don't get about hospitals.... they LOVE IT. They are IT adopters, big time. You don't hear about the tech they adopt, because they are too busy adopting it to tell you about it. They have one fucking goal: Healthcare, and they aim to meet it.

When I worked in tech support for a hospital, I took tickets for desktop PCs sitting at bench that used to be used to solder core memory.

Security was never their concern until very very late. Their concern was always getting the job done. Their concern was that they have all these patients and know all these things that they could make better if they just had more data, just had better storage, just had...

These guys are not just using new systems, they have a massive technological legacy that they can't just shut down. They are not monolithic institutions under strong CEOs, they are massive sprawling systems of department heads and decision makers, all with their own budgets, own staff, own priorities. Their systems exist in data centers....and under desks, in utility rooms, in ERs and ORs, all over the place.

Its a huge mess. Its a huge mess because of years and years of history.

Re:of course

[Chocolate+Teapot]

This is why Boris is backing this new system.

Re:of course

[rrazian]

HIPAA makes this easy--high liability. Relatively low skill=quick to pay off.

Because the people in charge are idiots

[guruevi]

It's as simple as that. Hospitals, like (or due to) governments often go for the cheapest option where security is an afterthought. Once you are embedded with the cheapest vendor, you are locked in forever because the contract never demands open hardware or software and thus once the install is done, the vendor disappears and the sub-par it staff has no clue what to do to make anything work besides just opening the entire thing up.

If you go with a big-name vendor and actually contract support for a device with the likes of Siemens or GE or Philips, they will often install their own gateways right into your network for remote technician access. They are likewise, poorly secured since changing protocols or passwords is often inconvenient (again, sub par it staff on either side) and anyone gaining access to any point of the network will often have unauthenticated access to a number of institutions.

Re:Because the people in charge are idiots

[Shadow99_1]

It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital including associated doctor's offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure ever hole is patched? Worse from what I saw the IT head was at the shim of the other department heads as to what software and services they needed to offer.

Re:Because the people in charge are idiots

[JoeMerchant]

I was going to say "low hanging fruit."

There's a lot of easy targets in healthcare, in part because so many hospital IT departments are so f-ing paranoid that they lock down their networks to a point of near dysfunctionality, especially in places like operating rooms. So, device makers, not wanting to add to the security frustrations, tend to rely a bit on that network paranoia and keep their device security relatively simple - who wants to be sent out to a customer site to help work through a security issue with the device, right?

Plus - big money, plus - splashy scare factor grabs the press' attention, plus - FDA just woke up about "cyber security" not too long ago (first "guideline" published late 2013).

Re:Because the people in charge are idiots

[Firethorn]

Once you are embedded with the cheapest vendor, you are locked in forever because the contract never demands open hardware or software and thus once the install is done, the vendor disappears and the sub-par it staff has no clue what to do to make anything work besides just opening the entire thing up.

That and they're buying equipment to be used for 10-20 years, and the computer systems of even 10 years ago were barely planned to be connected to a network, much less the internet.

Meanwhile, the computer systems connected and integrated into such devices are considered medical equipment, and certification was on the basis of 'as installed', IE no patches, no upgrades. It's only in the last few years that the FDA changed this to that in order to remain certified that the computers need to be patched or kept up to date. Add in weird legacy interfaces, and you have a real hassle.

As you say - the vender has to release or at least approve of the patches, and they'd much rather sell you new equipment.

Re:Because the people in charge are idiots

It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital including associated doctor's offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure ever hole is patched? Worse from what I saw the IT head was at the shim of the other department heads as to what software and services they needed to offer.

This!

Th real insidious problem here is that above those two techs in the hierarchy the decisions are being mad by bean counters who have no technical competency. These organizations would do better to promote one of the 2 techs to being the designer or manager of the organization so that they can apply their experience to correcting and closing security holes rather than the managerial raises being based on "I saved you x million dollars here so give me a raise!". If I had a nickel for every organization that I have worked for that was being run by someone with less than an associates degree level of education in IT, I would have enough money to retire, twice!

Re:Because the people in charge are idiots

It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital including associated doctor's offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure ever hole is patched? Worse from what I saw the IT head was at the shim of the other department heads as to what software and services they needed to offer.

This!

Th real insidious problem here is that above those two techs in the hierarchy the decisions are being mad by bean counters who have no technical competency. These organizations would do better to promote one of the 2 techs to being the designer or manager of the organization so that they can apply their experience to correcting and closing security holes rather than the managerial raises being based on "I saved you x million dollars here so give me a raise!". If I had a nickel for every organization that I have worked for that was being run by someone with less than an associates degree level of education in IT, I would have enough money to retire, twice!

MOD THIS UP!
In addition to this, I have noticed that tech in general are almost never promoted into management, despite the fact that they would be the absolute best qualified people to correct these problems. The management is usually someone with an MBA from some cheap college and no experience beyond that or god forbid someone with only a high school diploma. This has to change unless they want these problems to continue forever.

Re:Because the people in charge are idiots

Well no surprise that /. can't do so much as mod up the obvious answer to a simple problem. They have that in common with the people at the root of this problem in the industry, namely the hiring managers who keep NOT putting IT experts into management positions post haste in order to fix the gaping security holes in the medical industry! Seriously guys spend a mod point, mod this up and realize that the parent posters are right, we need IT experts in management who have a grasp of the problem and how to fix it, not some idiotic MBA who is writing his own raises for doing nothing. DO IT NOW!

Re:Because the people in charge are idiots

[encad]

It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital including associated doctor's offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure ever hole is patched? Worse from what I saw the IT head was at the shim of the other department heads as to what software and services they needed to offer.

Most Companies for Medical Equipment should do that as well.
The security measures on most, even permanently connected stuff, was abysmal. I am not an expert on IT Security, but there were enough glaring holes that even I could easily see them.

Since a lot of this tech got a common sight security by obscurity won't work there as good as it did five years ago....

Most hospitals here have quite extensiv IT Staff, still close to none in management. Reason for that are real tough data protections laws and the possibilty of jail sentences for the managment in case of extensiv breaches.

Seems pretty cut and dried, if you ask me

[mark-t]

Because it's been shown that they will pay.. From a fiduciary standpoint, it is probably has the highest profit-to-effort ratio.

easy one

[PopeRatzo]

Why Are Hackers Increasingly Targeting the Healthcare Industry?

Because they're horrible human beings. Real shitstains who would throw a puppy off a bridge for a quarter. Many are probably bedwetters. All sociopaths. May they die horrible deaths and then be forgotten.

Re:easy one

[rmdingler]

To be fair, it was a quarter ounce of bud and no one liked that puppy anyway.

Re:easy one

[PopeRatzo]

They are after your bank account, and emptying your bank account from a hospital is not worse than emptying it from an e-commerce site.

Sure it is. They're going after the bank accounts of sick people.

The real evil here are all the people who legally exploit the system by overpricing essential drugs, equipment and services because the insurance will pay, insurance themselves for changing monster premiums for said monster fees and paying only after being threatened by a lawyer, who is the final link of this rotten chain.,

No argument here. But stealing from sick people is stealing from sick people. I also hope the profiteers in the health industry die horrible deaths and we finally go to a single-payer, universal system.

Re:easy one

[DarkOx]

So just to be clear less ok to steal from some people then others. Does that spectrum run all the way to it being actually ok to steal from some people?

If someone is healthy wealthy and strong enough, are others morally entitled to rip them off? If everyone ripped them off would they still be wealthy?

I was taught it wrong to take things that don't belong to you and are not freely given.

Re:easy one

[PopeRatzo]

So just to be clear less ok to steal from some people then others. Does that spectrum run all the way to it being actually ok to steal from some people?

Yes.

http://screenrant.com/wp-conte...

Seriously, though if you believe that stealing a loaf of bread to feed your family is the same as stealing the crutches of a crippled man, your parents taught you morals all wrong.

Re: easy one

[GuB-42]

Hate to tell you this, but there isn't a single person named "hackers" here.

We're talking about many thousands of vastly different people with wildly different mindsets on any subject you can think of.

Sure, but I assumed we were talking about the usual "black hat" motivated by financial gain. And I think GP referred to them too "Real shitstains who would throw a puppy off a bridge for a quarter". I suppose that, for example, a hacker using exploits to reveal the wrongdoings of a hospital is not what GP had in mind.
About hackers killing people, we often here stories about how they could kill but very few, if any, actual cases. So I assumed that in general, hackers aren't killers.

Re:easy one

[DarkOx]

No that isn't the same. The reason is not the baker or grocery store owner is some rich guy though. The issue is your need and own desperation. A lot usual mores go out the window when your survival is at stake. Its not normally ethical to use violence against someone but if you are forced to defend yourself from violence it certainly is; same thing.

So yes if you are stealing to prevent yourself and loved ones from starvation, fine you get some kind of a pass, providing you are only stealing what it takes to meet your immediate need. So yes you may purloin a loaf of bread in some circumstances but it hard to image any circumstance where its even remotely okay to execute some kind of complex hightech medical fraud scheme.

Re:easy one

[vernonB]

Although you gotta admit -- the scene from the TV show Homeland in which they assassinate a guy (who had it coming) by hacking his pacemaker was pretty cool.

Silly question

[Dunbal]

Why did Somali pirates attack international shipping?

Because it worked and shipping companies were paying their ransom. Likewise for hospitals. Hospitals are dumb enough to pay which makes them a target for more attacks.

Easiest question ever

[sjbe]

Why the healthcare industry? Easy. There is lots of valuable information and money to be made by doing so and frankly the healthcare industry is a soft target if there ever was one. Their IT systems typically have security as an afterthought if they consider it at all. They don't tend to hire the best and brightest IT people and the results prove it. They are hamstrung by regulations that legally prohibit them from updating equipment for security reasons even when it needs it. The people that run medical practices (typically doctors) are not IT people and generally have a poor understanding of the issues involved. And there is a treasure trove of valuable information, access to drugs and other stuff that criminals can make a fortune from.

Re:Easiest question ever

[JoeMerchant]

The healthcare systems are a flipping nightmare from an interoperability standpoint - so many things all trying to hang together in a single functional ecosystem, so little in the way of true standards (HL7, DICOM, yeah like saying you speak an "Eastern Language" something between Farsi and Mandarin.)

In those systems are records that literally are "worth money," so, yeah, low hanging fruit.

This is what we want

[ebonum]

Put lots of data in one place, it becomes a target.
There seem to be a belief that by using e-records, it will save your life. In an emergency, your records are immediately available. Now you have conflicting goals. 1) Open access (even if you are unconscious) for medical professionals everywhere all the time and 2) locked-down, secure systems.
What we get is a system where medical professionals can't get access to your records when they do need them. The quality of record keeping drops significantly because the systems are completely user unfriendly. And hackers hit the jack-pot when they crack one system because 1000's to 100's of thousands of records are all in one place.
I'll take paper records thank you. Hard to steal. Impossible to hack. If I see another doctor, I know where they are. All it takes is a phone call. If I had a severe problem such as an allergy to a common medicine that could kill me, I'd wear one of those bracelets with my name, condition and doctor's name. EMT's are trained to check for them. I already wear one when cycling with name, blood type and home address.

Re:This is what we want

[JaredOfEuropa]

I'm not against electronic medical records, though I do see the potential security issues. But it's not hackers I am most worried about, it's medical staff with legitimate access, who have no business nosing around my records but do so anyway. It happens a lot more than you'd think, not too long ago there was a big stink here about policemen going through all manner of records they had no business peeking into. Bored cops reading up on celebrities, or checking records on their ex or recent date. And in case of medical data there is a solution for that: any time someone pulls my data, I am notified (by email or whatever): who requested my data, what is their function and who is their employer, and what is their stated purpose of the request. Exactly this kind of audit trail was proposed for our new centralised medical records database, and guess who opposed it? That's right: the medical insurance companies (who should not get access to any of that data unless by explicit permission)

Re:This is what we want

[ebonum]

Agree with you 100%.

Re:This is what we want

[ColdWetDog]

And about thirty minutes after you started that, you would put that email address in your spam folder. You'd get more hits than a Slashdot article on Hilary Clinton. We are constantly opening your file - doing financial audits, do pharmacy audits, checking for overdue records, checking to see if you are overdue for an appointment, checking the status of an insurance claim (twenty times a day), counting the number of diabetics, counting the number of people who need tetanus shots.

All manner of reports all of the time.

Only a completely OCD Slashdotter would even think this is a good idea. But knock yourself out. It's just one more report, we do lots of them.

Re:This is what we want

[JaredOfEuropa]

doing financial audits, do pharmacy audits, checking for overdue records, checking to see if you are overdue for an appointment, checking the status of an insurance claim (twenty times a day), counting the number of diabetics, counting the number of people who need tetanus shots.

You shouldn't have to access my personal medical records for that, I'm not talking about generic hospital administration stuff. In fact over here you're not even allowed to access medical records for any of those reasons, the best you get is anonymized aggregated data. Hospitals do keep a lot of additional data in order to keep their books in order, but even so that information is still classed extremely sensitive, and they're not about to open up that data to other parties like insurance companies (though insurers have pushed for wider access to that data as well).

Re:This is what we want

[swb]

I have a friend who works in IT in a hospital system, managing the middleware that translates between hospital systems. He says its really heavily audited and even the middleware troubleshooting system where you can pull HL7 records out of the queue to figure out why they're not working is audited.

Pulling records at random without audit information being logged, while not technically impossible for him, is very difficult and basically impossible for anyone not operating at the IT level. Even then he says the only way he can see stuff is when doing troubleshooting -- either raw HL7 data when he's trying to fix something or the patient records related to the troubleshooting, which are then audited and he says that they do cross-reference tickets with IT access audit trails.

End user access is audited and he says people do get fired for unsanctioned lookups.

Because of the slope of the tradeoffs

[tlambert]

Because of the slope of the tradeoffs.

Security is always a tension between making the data safe vs. making it usable.

In the case of health care, if the data isn't usable: people die.

So in any situation where a human may route around security so that someone doesn't die: they do so. It leaves the system riddled with security holes, but on whole: functional for the intended purpose of keeping people alive.

Keeping the data useful is also why these companies are fairly quick to pay the ransoms, and (I'd like to think) why the ransomers are willing to take pennies on the dollar from them, but not from, say, a bank.

I think this is about a third of it

[s.petry]

Two things missing from your summary. First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance. All of this data makes it simple to steal your identity, which ties into our second item.

Second item: Profit. In addition to using your prescription coverage for codeine, big ticket items are being charged to people because identity theft is so easy. Within the last month or so,. two people hit with tens of thousands of dollars in co-pay for major surgery, and another was hit with fees from a transplant. All of which were done to other people. A bit of investigation determined that the people bought insurance on the black market for their procedures. The better the insurance being stolen, the higher price it retrieves. Shame on the US for using a SSN for nearly everything.

Re:I think this is about a third of it

The healthcare industry has *always* held massive amounts of data on you. Of all the sweeping changes made by ACA, this is not one of them.

Re:I think this is about a third of it

[tomhath]

Of all the sweeping changes made by ACA, this is not one of them

He didn't say ACA. Much of it was mandated by HIPAA, but it's really due to malpractice lawsuits. A healthcare provider needs to document everything and keep it essentially forever, including billing information in case they get charged with fraud.

Re:I think this is about a third of it

[Gr8Apes]

First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance.

They've always done this. And it's always been available to the government. They might have needed a warrant, but it's available.

All of this data makes it simple to steal your identity, ... Within the last month or so,. two people hit with tens of thousands of dollars in co-pay for major surgery, and another was hit with fees from a transplant. All of which were done to other people.

Seems like an easy thing to get out of. Did I have a transplant? No? You billed the wrong person. Also seems like a very simple thing to track down the guilty party, especially with something like a transplant that requires specialized long term oversight and care. A last note, tens of thousands of copay for a single incident is pretty crappy insurance.

Re:I think I've seen this already.

[Rei]

If prescription dispensing can be practically hacked, the possibilities are disturbing. Because they not only could kill people; they'd also know who they were killing, and could target specific people. Even high profile ones.

You ever try to tell a DOCTOR to do anything ?

[Crashmarik]

Good luck getting them to comply with security policy or keeping any policy in place that one objects to.

Re:You ever try to tell a DOCTOR to do anything ?

[geekmux]

Good luck getting them to comply with security policy or keeping any policy in place that one objects to.

Oh, they don't want to listen? Fine.

Tell them their liability insurance is going to go up by 20% every year until they do fucking listen.

Only way ANYONE listens is when you speak directly to their wallet.

Re: You ever try to tell a DOCTOR to do anything ?

[Crashmarik]

Good for you. It's always nice to meet a good able in a barrel of bad ones.

You would not believe
1 how many open WiFi access points there are in doctors offices.
2 how many workstations without default logins/ username only
3 how often file attachments to emails are opened.
4 in your own field of radiology how often insecure methods are demanded for image viewing.

Yes it does happen often and there is little IT people can do about it because it looks like a good gamble.
Time is money and the risky practices are often faster therefor profitable till they blow up.

Re: You ever try to tell a DOCTOR to do anything ?

[Crashmarik]

Oh and IT asleep in a bed late at night ? Check the timestamps. There's lots of nasty stereotypes that are applicable to I.T. but having regular hours isn't one of the.

Re:You ever try to tell a DOCTOR to do anything ?

[just+another+AC]

Good luck getting them to comply with security policy or keeping any policy in place that one objects to.

Oh, they don't want to listen? Fine.

Tell them their liability insurance is going to go up by 20% every year until they do fucking listen.

Only way ANYONE listens is when you speak directly to their wallet.

And they will just pass that on.

Don't like the paying the price? Feel free to get worse / die while price shopping then.

The stick is not the answer here. Systems engineering needs to step up and accommodate them in this case

Health care people just don't care

[Sarusa]

I've worked a bit with the health industry (not as a career, thank god, that would be soul crushing), and outside of government health care has the worst IT and worst security I've ever seen. Because they just don't care unless it impacts their bottom line.

All those health apps that doctors and nurses uses, and all those devices? Yeah, they have terrible security because the hospitals don't make it a priority and they just don't care either. Class C medical devices that are PCs running windows XP with active USB ports? You bet.

Your online records? Those are handled by outsourced people running cobbled together Ruby scripts that take 30 hours to process 24 hours worth of data in plaintext csv (I use that because I've seen it)- they certainly don't care about security. Your insurance company? They certainly don't give a damn whether you live or die as long as they're raking in the cash.

All they care about is preserving the appearance of not violating HIPAA because that might cause them some grief.

in related news

[TimMD909]

Why haven't they been?

Simple

[Opportunist]

It's a soft target with lots of interesting information.

Re:I think I've seen this already.

[geekmux]

If prescription dispensing can be practically hacked, the possibilities are disturbing. Because they not only could kill people; they'd also know who they were killing, and could target specific people. Even high profile ones.

You bring a strong point here. I wonder if anyone will wake up to security concerns when cyber-attack turns into cyber-murder?

Even more of a disturbing thought; what happens when a life insurance company hires someone to "accidentally" send an overdose of medication to make a patient look like they've committed suicide to avoid a payout? (sadly, greed knows no bounds)

If these aren't enough reasons to take the damn hardware offline, I don't know what is. The answer certainly isn't cutting back on hospital staff to the point where all of this automation is necessary, but this is certainly a catch-22 with the way liability is being painted these days.

Why Are Hackers Increasingly Targeting....

[dejitaru]

because they have horrible security and greater information.

Why are hackers targeting the healthcare industry?

[Yvan256]

Because they're used to viruses and infections?

The answer is simple

[GaAs+oldAce]

Because it is trivially easy to break into the medical industry systems while their IT security is being designed by MBA managers with impotent and clueless security policies. Anyone here ever tried to apply for one of these management positions? Anyone here ever worked in the medical industry's IT division and realized that it was a dead end job if you are an IT worker? You are never going to get into the management there because they don't promote people from IT into management positions. It does not take a lot of thought to see the problem and the hackers know this. So what is the response from the hiring mangers here? I bet nothing because they are not into solving problems, just letting them continue and complaining about them.

Re:Again?

[ATMAvatar]

Maybe it seems like it was only a few months ago that we heard about hospital security issues because that's when a hospital fell victim to ransomware.

Re:I think I've seen this already.

[ColdWetDog]

You space cadets are taking way to much meth. The usual Slashdot paranoia (which is one klick South of Area 51) is really pretty tame compared to this.

No, they're not trying to OD somebody on insulin to get their life insurance payout, they're trying to extort money from the hospital or steal patient financial and medical info to extort money from somebody else.

They want to make money, just like everybody else.

Re:Why are hackers targeting the healthcare indust

[Yvan256]

Only if they got paid enough money by the drug companies.

Re:I think I've seen this already.

[geekmux]

...They want to make money, just like everybody else.

Over time, your assumptions will find it harder and harder to identify "They".

The answer is quite obvious

[stinky+wizzleteats]

Fake medical bills.

The fact that you don't know how many medical bills you'll get, from whom, or what the total will be creates huge opportunities for fraudulent medical billing. You find out when someone was in a hospital and for what, then send them a fake bill for a couple grand for (insert bullshit reason here). Then harass the living shit out of them until they agree to settle for half of what you originally asked for.

Medical Data Hacking a Myth

[spiritwave]

This problem has to be a myth.

Each time I enter the healthcare industry, I have to fill out the same "wonderful" multi-page form by including basic personal information and health history therein.

So what data is being hacked?

Yes, I'm being facetious, if that fails to go without saying.

Re:Medical Data Hacking a Myth

[cwsumner]

... Each time I enter the healthcare industry, I have to fill out the same "wonderful" multi-page form by including basic personal information and health history therein.

So what data is being hacked? ...

They have your data, they just want to see if you are the same person and if you can remember it. It's a test! 8-P

Re:they can and they don't care about patients?

[desdinova+216]

I thought there were only 3 die hard movies.

Not their business

[cwsumner]

The doctors and other personnel consider "data should be free", for their work, and security is not in their area of expertise. They consider patients first, which is good, but they don't believe that the patients also need the security. It is in the way, so they push it aside and forget it.

It is basically a lack of training in the medical collages.

Why? Seems obvious

[ebvwfbw]

I have to wonder if this is simply a LEO phishing attempt. I'd think we'd all know why they're doing it. They've told us according to the articles I've read. It's a punch in the nose to bloody it so they'll actually do their jobs. You know, actually patch machines, keep software up to date, things like that. A number of hospitals, they're version of windows is real old, not updated, easy pickins. One article said they even told the hospital many times over three years about it. Didn't move them at all. Ok, so scare the crap out of them.

Takes that sometimes. Some people in management are really big into denial. Can't/won't happen to them, etc.

Re: You ever try to tell a DOCTOR to do anything

[Crashmarik]

Fantastic! That's great news that the IT folks are available when I'm taking care of patients. What words would you use to describe the 2 pager system I have to use to reach them, with zero standards for turnaround time or actual assistance. And you can keep the ticket number to your self - trying to read me a 20 character code confuses my job for yours.

Well I am laughing and I'll tell you either get better IT staff or pay the ones you have enough to be on call 24/7

P.S. You're a radiologist. When the fuck do you take care of patients ? You're writing up opinions on MRI's and XRays.

Liar

[s.petry]

If you don't like the label don't perform the act.

Less than 20 years ago we had to hand carry files, lab results, and images from doctor to doctor. "Always" is complete horse shit, and as we have moved to everything being on-line crimes have increased due to opportunity.

The on-line convenience for some has impact to everyone. I'd be willing to bet you can see it if you just opened your eyes.

Re:Liar

[Gr8Apes]

Take your meds.

Hand-carrying files doesn't mean the gov couldn't get their hands on the data, it reinforces that yes, they indeed could get data that was there to get. Very little is not subject to a court order. Medical records are not an exception.

Considering I have done work in the health-care industry, I'm well aware of what the online "convenience" means, and how shoddy current privacy protections are. And even then, I still have to go grab my paperwork from various locales to give to my new doc, so apparently this online convenience doesn't even deliver that promised convenience. I'm actually glad it doesn't, yet.

Still a liar, take your own meds

[s.petry]

Generally speaking the Government was prevented from accessing your health care data by law. It was not until the government mandated and regulated recent history that they had access to your data.

Exceptions were people in the Government system, such as Welfare/Veterans, etc... Many veterans avoided Government doctors for exactly that reason.

Instead of claiming someone else needs meds, evaluate your own lack of truth and desire to defend your lies.

Re:Still a liar, take your own meds

[Gr8Apes]

You still don't get it. I think you're arguing an unstated semantic point here. If your statement is the government now has easy unfettered and full access to your medical history, that's a different statement and one I'd respond that while they technically can have that level of access, but in reality the access is fettered by a whole set of incompatible and crappy systems that only marginally talk to each other, at least in my experience.

That the gov has always been able to get access if there was a (legal) need, which was my statement, is still true.

Re:Still a liar, take your own meds

[s.petry]

My point is absolutely factual, you are arguing that recent trends of making everything digital and on-line data have "always" been the norm. Your view is factually incorrect on all accounts. It was not quite 2 decades ago that everything was in paper and film. Very little was digital in terms of patient data. I had a full reconstruction of my shoulder and had to hand carry MRIs, Xrays, and folders full of data between my Orthopedic Surgeon and the Hospital because it was illegal for them to make copies and give them to another institution. Patient Client privilege prevented people from copying your data before everything went "digital", and the Government was not an exception. Courts would rarely rule in favor of the Government obtaining medical data because of Patient Client law.

You failing to observe extremely recent history is not an excuse to be a liar. You scummy liar!

s.petry the troll (best case scenario)

[Gr8Apes]

To recap:

First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance.

They've always done this. And it's always been available to the government. They might have needed a warrant, but it's available.

Your reading comprehension leaves something to be desired, or there's something worse afoot with you. To make this absolutely clear, I stated the following:

They've always done this.

to clearly and, yes, pedantically state what that means, since your comprehension of said quotes above seems severely lacking this can be transformed into a plain fully qualified self-standing sentence:

The health care industry has always held massive amounts of data on a patient

I do not believe there's any question that they've done this for most of the past century (as in 100 years). This is not a current thing. Have you not visited a health care provider over the past several decades?

Since this data exists, and has existed, are you arguing that somehow it was not available to the government? If so, please make your case. I'd love to read in what bizarre universe documents held by a non legal third party are not subject to a warrant in the US. In fact:

Until 1996 there was no federal protection of privacy in medical records; and state laws varied widely. That changed with HIPAA.

Which granted isn't an authoritative source but certainly lends some credence to the fact that you need to support your assertions as the implication is that HIPAA is the exact opposite of your stance. You can also see that earlier, the Federal Rules of Evidence, which became law in 1975, do not have any provision for privacy of medical records nor Physician Patient privileges. I have no idea what this imaginary Patient Client law is.... Perhaps you could cite it?

So, are you wrong, an idiot, a troll, or something worse?