Slashdot Mirror


Congressman Wants Ransomware Attacks To Trigger Breach Notifications (onthewire.io)

Trailrunner7 quotes a report from On the Wire: A powerful California congressman is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients. The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department's plan to issue guidance to health care organizations about ransomware attacks. The Office for Civil Rights section of HHS, which has responsibility for health information privacy, will provide guidance on how to handle ransomware attacks, and Lieu is eager to ensure that the guidance specifically addresses how ransomware attacks relate to data breach regulations. "I welcome the news of HHS providing guidance to health providers on a matter that threatens so many hospital IT systems. However, we need to make clear that ransomware is not the same as conventional breaches. The threat to patients from ransomware is typically due to the denial of access to their medical records and medical services. Not only could this be a threat to privacy, but it could result in medical complications and deaths if hospitals can't access patient information," Lieu said in a statement. He sent a letter to the deputy director for health information privacy in the Office of Civil Rights at HHS, Deven McGraw, asking him to instruct health organizations and providers to notify patients of an attack if it results in a denial of access to a medical record or a loss of functionality that's necessary to provide patient care. In the past, Lieu has called for a full congressional investigation into the aforementioned widespread flaw in global phone networks that allows hackers to track anyone's location and spy on their phone calls and text messages.
He was also one of the first lawmakers to publicly express his pro-encryption view after a federal judge ordered Apple to help the FBI break into the San Bernardino shooter's iPhone, saying it effectively "forces private-sector companies like Apple to be used as an arm of law enforcement."

73 comments

  1. Recipe for disaster by andreas.hummelbrunne · · Score: 3, Interesting

    This will only lead to even less reports of data breaches as the hospitals try to save face. Also, if something starts with "a powerful congressman", it is typically a bad, not thought through idea, that would've been better kept unmentioned.

    1. Re:Recipe for disaster by Anonymous Coward · · Score: 3, Insightful

      It has nothing to do with hospitals, they are provided systems by external mega-corps. They're the ones that will be shamed, and rightly so.

    2. Re:Recipe for disaster by mysidia · · Score: 3, Insightful

      All ransomware compromises ARE malware compromises. Therefore, any files accessed on that computer during infection, or data accessible to the operating system and programs running on a compromised computer, need to be considered breached data.

      The same with any malware compromise where exfiltration could possibly have occurred.

      The standard of "We have no evidence proving that data was breached" needs to be specifically disallowed as a reason to not send a breach notification.

    3. Re:Recipe for disaster by DarkOx · · Score: 3, Insightful

      I agree. You can only assume the ransomware is not doing anything other than a cash shakedown to get the encryption keys.

      The reality is someone had code execution on your stuff and access to files. It's a breach, I think this is pretty straightforward.

      To suggest otherwise rates right up there with "kinetic military action"

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:Recipe for disaster by Anonymous Coward · · Score: 1

      There is no reason to assume. All malware can be decompiled and analyzed to see what it does. If it simply encrypts data and prompts users to pay to get a key, great - no data was accessed and no HIPAA violation occurred. If it exfiltrates data - well that is a different story and should trigger reporting (and already does). Just because some malware encrypted or deleted files you don't need to assume it did anything else. Find out what it did.

    5. Re:Recipe for disaster by mlw4428 · · Score: 1

      Are you suggesting that hospitals would not follow the law, if this change was made? If that's the case then literally no laws are ever going to be feasible, because there's nothing that forces people to obey them. Rape, murder, theft, and pedophilia laws are all useless then, correct?

    6. Re:Recipe for disaster by Anonymous Coward · · Score: 0

      This will only lead to even less reports of data breaches as the hospitals try to save face.

      Actually, it's that face-saving that keeps the reports down, this is intended to counter-act that tendency.

      Also, if something starts with "a powerful congressman", it is typically a bad, not thought through idea, that would've been better kept unmentioned.

      And this is simply unsupported conjecture that is meant to make us react emotionally.

      Why don't you stick to good reasoning yourself?

    7. Re:Recipe for disaster by DarkOx · · Score: 2, Insightful

      There is no reason to assume.

      There is every reason to assume.

      You don't know the ransomware was the only payload, there could be something still there you don't know about.

      You don't know that after the exfil job was completed the software did not self delete those parts of it.

      You don't necessarily know how it got there, and if something else could be delivered the same way in the future.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    8. Re:Recipe for disaster by fuzzyfuzzyfungus · · Score: 1

      The trouble is that one of the things malware can do is clean up after itself: exfiltration is much harder to hide from network logs(if the target actually has any); but unless you are hoping to remain undiscovered indefinitely, why wouldn't your exfiltration agent delete itself after its job is done?

    9. Re:Recipe for disaster by Fire_Wraith · · Score: 1

      By your logic, if someone broke into my bank, but decided for whatever reason not to take anything in my deposit box (even though they could), my bank wouldn't have to tell me. Something doesn't have to be a HIPAA violation to be a data breach, or to trigger those rules.

    10. Re:Recipe for disaster by Dishevel · · Score: 1

      Well, awesome!
      Let us ignore for the moment that you can not spell and take your argument to its logical conclusion.

      Since we are not going to examine the system and just assume that they now have access to the files and report based on the assumption.
      I propose that if a system is in any way connected to the outside world, that system should also be assumed to have been breached. Everyday. Now we no longer have to examine things or have evidence or anything.

      BREACH! BREACH! BREACH!

      The reality is that most systems have lots of different layers of protections. Just because you can get some HR dipshit to click a link and get local files and shares encrypted does not mean that they can bypass everything else and send data out of the network. If you think that the ability to encrypt files on a system is equivalent on all systems to being able to dump a bunch of data out of the network and into the wild, then you have zero IT experience.
      If you have zero knowledge in this situation, then it might be prudent to not broadcast your ignorance over the internet.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    11. Re:Recipe for disaster by Anonymous Coward · · Score: 1

      Yes, it's inconceivable that a program could encrypt many critical files on a system AND connect to port 80 on a random external server AND send a POST request.

      Your IT experience may be nonzero, but it's apparently complex, because it looks from here like the imaginary component is much larger than the real component.

    12. Re:Recipe for disaster by Anonymous Coward · · Score: 0

      >Just because you can get some HR dipshit to click a link and get local files and shares encrypted does not mean that they can bypass everything else and send data out of the network.

      Fact # 1: The HR person did something to get malware installed;

      Fact # 2: You know that the malware has the potential to destroy data;

      What you don't know is if the malware did anything else, then cleaned up after itself. Something like providing the login credentials of the HR person to a third party, and that third party is now running around in the system, undetected.

    13. Re:Recipe for disaster by Dishevel · · Score: 1

      You think that these systems do not have any security in place.
      You think that these systems are set up so that any random software can initiate connections to servers outside of the corporate network?
      You truly believe that these systems are set up this way. That these rogue chunks of code are allowed to make whatever connections they want?

      In a system like you describe, then you would have to assume that such a system is in fact compromised every single day.
      Again.
      You have no knowledge of these things. You have no idea how network security works. I can tell you that even at the cab company I worked for that random software could not just connect to some server on the internet because it wanted to. I had a server with tons of credit transactions. You better bet even if some person walked into the server room and loaded a malicious program on that server ...

      1. It would get found.
      2. If it was not found and wiped, it is not an expected process for requests to the DB and would be blocked.
      3. If it was allowed to access DB data it can only connect to a web facing front end system and that system only accepts communication to and from 2 systems and then only from specific processes from those systems.
      4. If it got to the web facing front end it can only send to my dispatching system or the CC processor.
      5. If it still somehow got past everything we do to lock these systems down. (It is a possibility)
      EVERYTHING IS LOGGED TO AN OUTSIDE SERVER. So. No. Getting someone in HR to click on resume.pdf.exe and having their local system and their shares encrypted is not the same as having the ability to send HIPAA or PCI data outside of one's network.
      I hope this clears up any misconceptions you have about how shit works.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    14. Re:Recipe for disaster by Dishevel · · Score: 1

      It is much more difficult to wipe evidence of a hack like that in a secure system. Logging is usually only able to be edited or removed with server root access and even then many systems have remote log servers.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    15. Re:Recipe for disaster by mysidia · · Score: 1

      There is no reason to assume. All malware can be decompiled and analyzed to see what it does.

      No, assuming it probably did is the correct action; to do otherwise is to take a biased position irrationally dismissing the real likelihood of many different things having occurred besides what you found.

      Most of the reasons to think "everything that happened has been found" for a real-world system post breach are along these lines, either:
      (1) You were responsible for that system, or liability or reputation is at stake, so it's re-assuring to think the damage was limited.
      (2) You were responsible for the post-breach analysis: you want the customer to feel good and not doubt your analysis.
      (3) The system was in a pristine lab environment; you can review packet data-level capture logs in detail for the host and decrypt and account for every single bit the system put on the wire from the time of inception, or from the time of first breach at least.

      Code you don't have a copy of cannot be decompiled and analyzed.

      The malware could have been loaded by same or similar initial vector directly into RAM. By the time the ransomware is discovered, that particular payload has already completed, and the RAM sectors it used to occupy were re-used, or somebody rebooted the server since then, because it was sluggish, etc, etc.

    16. Re:Recipe for disaster by mysidia · · Score: 1

      Your arrogance belies your true ignorance in security principles.....
      It doesn't matter what external security systems you think are in place.

      After you have found a breach so deep into your network, then obviously those systems all failed, otherwise you would not have had an intrusion incident on your hands.

      then you would have to assume that such a system is in fact compromised every single day.

      When you have a network, no.... You don't initiate a breach response or treat it as an incident, as long as the appropriate security controls are in place for risk management, and you have no "signs of compromise". You include detective controls to monitor systems, and if one of them sets off an alarm --- you look for a confirmation of compromise. If you find confirmation of any kind, then that system "HAS A BREACH". Once a system has a breach, then you have to assume every potential action of that system might have been abused by malware.

      Unless you have definitive proof that it did not, then the assumption is anything that could have been leaked has been leaked.

      When you are designing and deploying applications, Yes, you do have to make that assumption to be designing appropriately. Every component of the network other than the one you're building might be compromised, and you have to try to make the best of it. That's secure design.

      If what you suggest is to be believed and done effectively (It's not), then your little cab company has tighter security than most banks.

      Also, the terminals in a cab driver aren't general purpose computers or file servers, they're function-restricted point of sale terminals, right.

      When you talk about "processes" having different access to the network; this is only possible with a Software-Based firewall, which can be sidestepped on the host itself.

      The security procedures are good steps; HOWEVER, they are not nearly 100% effective, and also very often not nearly as effective against a targeted attacker as you imply they could be.

      Hint: If they got the malware into a system in the first place, then "getting out" is not likely to be that big a problem.

      Ah, yes..... the user had to have access to download that malware, which probably came in the form of a downloader, which had to gain access "to make whatever connections they want", in order to receive and deploy the ransomware and other payloads.

      Finally, for the purposes of connecting back out, there are many possibilities. If you're doing an investigation on a system that was malware-compromised; Then you do not have the liberty of safely assuming that they use only techniques you would know about. You do not even have the liberty of assuming they didn't leverage a firewall bug or limitation to get their traffic out without any logging.

    17. Re:Recipe for disaster by Anonymous Coward · · Score: 1

      It has nothing to do with hospitals, they are provided systems by external mega-corps. They're the ones that will be shamed, and rightly so.

      This isn't true. If a breach occurs it is almost always because of an incompetent IT person and/or a person with authority over the IT person who demanded something be bypassed for convenience (such as password limits or expirations.) A properly configured network is typically able to block malware and ransomware before it ever makes it to the point of being able to compromise a faulty node within a system. There are some rare exceptions but they are extraordinarily rare and come to light regardless of an individual network being breached, typically well before they are widely enough exploited for anything other than a Fortune 500 company to be hit by it.

    18. Re: Recipe for disaster by Anonymous Coward · · Score: 0

      What you don't seem to comprehend is that MOST OF THESE SYSTEMS AREN'T that secure.

      You keep assuming that every system in place is super secure.

    19. Re: Recipe for disaster by Dishevel · · Score: 1

      No.
      What I assume is that they are HIPAA or PCI compliant.
      And. That the person clicking on emails and browsing the web is not logged in as the server root or domain admin.
      There is a world of difference between getting the ability to encrypt local files and having these credentials. Of course as I said earlier. If your HR person is clicking random emails and visiting websites while logged in as server root or domain admin,
      Then you take the next step and do not even wait for ransomware. You are compromised every day and you will never know it.
      It does not have to be super secure. The truth is compliant systems will not be compromised to that level by ransomware. When someone hits you and gets that level of access, where they are able to hide their actions because they have root credentials and/or domain admin, they are not going to advertise that fact.

      You do realize that if you have full control over ... Kaiser servers ... That is the last thing you are going to do. Right?

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    20. Re:Recipe for disaster by Anonymous Coward · · Score: 0

      Since I have actually seen hospital networks, Yes, I absolutely do believe random software can connect to an outside server and exfiltrate data.

      In the cases TFA is talking about, it has already been proven to have access to data since it was able to encrypt it.

    21. Re:Recipe for disaster by Dishevel · · Score: 1

      Last time. Because I think that educating you is hopeless. Just because you can access and encrypt a network share and local files rarely means you have the type of access that can wipe logs and send info out.
      If you do have that kind of access to a system like that, encrypting files and showing yourself would be fucking stupid. No one with that kind of pwn on your system would do that. Period.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    22. Re:Recipe for disaster by sjames · · Score: 1

      OK, dumdum, I have ACTUALLY tested hospital networks and I know for a fact that any data that a process can read, it can exfiltrate. That is not a conjecture, it is an actual observation.

      Get some real world experience and while you're at it, get some manners.

    23. Re:Recipe for disaster by mysidia · · Score: 1

      The fact that ransomware was able to operate pretty much PROVES that yes it's possible the system makes arbitrary connections out to the internet. One of the first things ransomware does is generate some key information which goes to their command and control center before files start getting encrypted.

    24. Re:Recipe for disaster by mysidia · · Score: 1

      It is much more difficult to wipe evidence of a hack like that in a secure system.

      Malware often circumvents logging mechanisms. The "cleanup" is the copy of itself to prevent analysis, not logging data. Doing a low-level read on a file and sending the compressed version of the data somewhere else over a DNS tunnel does not produce any log entries on a file server.

    25. Re:Recipe for disaster by Dishevel · · Score: 1

      Copy is logged on the file server. Logins are logged on the file server. Sending is logged in your router, gateway, network devices. Again. There is a difference between saying I do not see proof of a pwn, and having proof that there was no pwn at that level.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    26. Re:Recipe for disaster by Dishevel · · Score: 1

      And that will be logged by the router or gateway or any of the network devices you have set up to look for shady shit happening on your network.
      Again
      If you have none of that shit then you are compromised. Even if you do not have ransomware alerting you to the fact.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    27. Re:Recipe for disaster by mysidia · · Score: 1

      If you have none of that shit then you are compromised. Even if you do not have ransomware alerting you to the fact.

      No.... most people have none of that "shit", And it does not mean they are compromised.

      You are confusing "Insecure" and "At risk" with "Known Incident", which is ridiculous and absurd.

      Weak security and lack of detective controls is not the same as already being compromised, full stop.

      Also, even if you have these things; it's not necessarily going to be logged.

      There are ways of evading even network Intrusion Protection devices.
      There are ways of masking traffic, so it won't be logged correctly, or the malicious flows will appear innocuous and blend into all the noise, So that even a thorough fine-comb analysis will not be able to sort the "bad".

      It will probably wind up being tunneled or reflected through another system, or even sent out a backchannel, for example: the LTE data service of a smartphone that some employee carelessly left plugged into their workstation or on the WiFi which can be reached from a compromised host.
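
Dishevel and mysidia disagree above about whether exfiltration over a DNS tunnel leaves usable evidence in gateway or resolver logs. As an added example (not code from the thread or from any product named in it), here is the kind of detective control such a log enables: a small Python analyzer that flags clients issuing long, high-entropy, payload-friendly queries clustered under one registered domain. The log lines, domain names and thresholds are constructed for this example; the registered-domain helper is a deliberate simplification.

```python
"""Heuristic detection of DNS-tunnel style exfiltration in a DNS query log.

Added example, not code from the thread. It scans a resolver/gateway query
log for names whose labels are long and high-entropy, carried in record
types that tolerate arbitrary payload, and clustered as many unique
subdomains under one registered domain. All sample data is constructed.
"""
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in a simple "time client qname qtype" form.
SAMPLE_LOG = """\
10:00:01 10.1.2.34 www.example-hospital.org A
10:00:02 10.1.2.34 imaging.example-hospital.org A
10:00:03 10.1.2.34 d1a2b3c4d5e6f7g8h9i0j1k2l3m4n5.static.cdn-example.com A
10:00:04 10.1.2.34 mail.example-hospital.org MX
10:00:05 10.1.2.57 4f8a0c5e7b9d1f3a5c7e6a7f3c9e1b2d.upd-check.example.net TXT
10:00:05 10.1.2.57 9e1b2d4f8a0c5e7b9d1f3a5c7e6a7f3c.upd-check.example.net TXT
10:00:06 10.1.2.57 1f3a5c7e6a7f3c9e1b2d4f8a0c5e7b9d.upd-check.example.net TXT
10:00:06 10.1.2.57 5c7e6a7f3c9e1b2d4f8a0c5e7b9d1f3a.upd-check.example.net TXT
10:00:07 10.1.2.57 7f3c9e1b2d4f8a0c5e7b9d1f3a5c7e6a.upd-check.example.net TXT
10:00:07 10.1.2.57 www.example-hospital.org A
"""

# Thresholds are assumptions for the example; tune them against your own baseline.
LONG_LABEL = 30             # longest label in the name, in characters
ENTROPY_MIN_LEN = 24        # entropy is only meaningful on labels this long or longer
HIGH_ENTROPY = 3.5          # bits per character (hex-encoded payload sits near 3.6-4.0)
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}
MIN_SUSPICIOUS = 3          # suspicious queries per (client, domain) before flagging
MIN_UNIQUE_SUBDOMAINS = 5   # distinct names per (client, domain) before flagging


class Query(NamedTuple):
    time: str
    client: str
    qname: str
    qtype: str


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol text)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> List[Query]:
    """Parse the constructed whitespace-separated format; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            out.append(Query(parts[0], parts[1], parts[2].lower().rstrip("."), parts[3].upper()))
    return out


def registered_domain(qname: str) -> str:
    """Last two labels as the registered domain (simplification: a real tool
    would consult the Public Suffix List for names such as example.co.uk)."""
    return ".".join(qname.split(".")[-2:])


def query_reasons(q: Query) -> List[str]:
    """Per-query indicators; an empty list means the query looks ordinary."""
    reasons = []
    longest = max(q.qname.split("."), key=len)
    if len(longest) >= LONG_LABEL:
        reasons.append(f"label length {len(longest)}")
    if len(longest) >= ENTROPY_MIN_LEN and shannon_entropy(longest) >= HIGH_ENTROPY:
        reasons.append(f"label entropy {shannon_entropy(longest):.2f}")
    if reasons and q.qtype in PAYLOAD_QTYPES:
        reasons.append(f"payload-friendly qtype {q.qtype}")
    return reasons


def analyze(queries: List[Query]) -> Dict[Tuple[str, str], dict]:
    """Aggregate per (client, registered domain); return only the flagged pairs.
    A single odd-looking CDN name does not flag; a cluster of them does."""
    buckets = defaultdict(lambda: {"queries": 0, "suspicious": 0, "names": set(), "reasons": set()})
    for q in queries:
        b = buckets[(q.client, registered_domain(q.qname))]
        b["queries"] += 1
        b["names"].add(q.qname)
        reasons = query_reasons(q)
        if reasons:
            b["suspicious"] += 1
            b["reasons"].update(reasons)
    flagged = {}
    for key, b in buckets.items():
        if b["suspicious"] >= MIN_SUSPICIOUS or len(b["names"]) >= MIN_UNIQUE_SUBDOMAINS:
            flagged[key] = {"queries": b["queries"], "suspicious": b["suspicious"],
                            "unique_subdomains": len(b["names"]), "reasons": sorted(b["reasons"])}
    return flagged


if __name__ == "__main__":
    for (client, domain), info in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {domain}: {info['suspicious']}/{info['queries']} suspicious, "
              f"{info['unique_subdomains']} unique names; {', '.join(info['reasons'])}")
```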

  2. Probably for the best by Anonymous Coward · · Score: 5, Insightful

    Ransomware isn't the only thing dropped onto a system in most attacks. And we can't bank on ransomware not exfiltrating a couple of encrypted documents along the way.

    If the ransomware hit, what other breaches occurred that they weren't aware of?

  3. Terrorists by SeattleLawGuy · · Score: 2

    These people are basically terrorists--they are threatening the lives and well-being of millions of innocent American Civilians. Let's make them a national security priority.

    We have fought wars over less.

    --
    Real lawyers write in C++
    1. Re:Terrorists by Lumpy · · Score: 0

      I completely agree. Senators and hospital administrators are a threat to America.

      --
      Do not look at laser with remaining good eye.
    2. Re:Terrorists by Jiro · · Score: 1

      Terrorism is doing those things for political purposes. If their motive is money, it isn't terrorism.

      Holding someone hostage during a bank robbery poses the threat of their death, but we don't call it terrorism.

    3. Re:Terrorists by Anonymous Coward · · Score: 0

      No, you fucking idiot. Everything you don't like is not fucking "terrorism." Fuck. You.

    4. Re:Terrorists by SeattleLawGuy · · Score: 1

      Terrorism is doing those things for political purposes. If their motive is money, it isn't terrorism.

      Holding someone hostage during a bank robbery poses the threat of their death, but we don't call it terrorism.

      There has been a lot of debate about the meaning of terrorism over the years; you are right that the lack of a clear political motive suggests this does not fit into most of those definitions. However, I would submit that an asymmetric attack made by people out of uniform deliberately threatening the lives of a large number of civilians should be considered a terrorist attack and should be treated like one.

      --
      Real lawyers write in C++
  4. Half million die in hospital without any breach by Anonymous Coward · · Score: 0

    each and every year already in the US for causes other than the initial "visit". Just going to hospital for ANYTHING puts you at grave risk of dying. It's the third-most common cause of death in the US.

    1. Re:Half million die in hospital without any breach by Anonymous Coward · · Score: 0

      You don't think that's maybe because only ill people go to the hospital?

  5. They aren't already? by Richard_at_work · · Score: 4, Interesting

    I thought a "breach" was "someone gained unauthorised access to data, typically a person's private data"?

    Or has it magically been watered down to "it's only a breach if the data has been proven to have made its way off the premises"?

    If the data has been accessed by unauthorised persons, there is no way to be 100% certain that it hasn't made it off premise, so yes, ransomware should be classed as a breach and notifications should be issued! It certainly indicates that the data was not truly secure in the first place, at the very least!

    1. Re:They aren't already? by Anonymous Coward · · Score: 1

      In the past companies hid breaches to prevent them from becoming public, it was a PR issue so most people assumed breaches were rare. Nowadays it probably makes more sense to flip things around and assume every datastore has been compromised. Especially the ones that were built on top of Microsoft Windows infrastructure because of the number of attack vectors available towards that particular OS. Given its proprietary nature it's impossible to build a secure system on top of Microsoft's offerings.

      Second on the list would be *nix installations with exposure to the public internet in any fashion. To state the obvious it breaks down into two issues: the security of the packages used and the custom code around it. The first meaning the use of modules with lots of eyes on it (e.g. apache, postgres, etc.) vs something built on Drupal with dodgy unmaintained add-ons. The second related to quality of code, obvious stuff like SQL injections.

      So yeah, we should assume that no datastore is truly secure, but it's a matter of degree. The underlying technology must be considered when looking at whether a breach automatically implies lack of security. The most popular vector against a *nix installation will be social engineering. Against a Microsoft Windows installation it will be a technical exploitation of its flaws.

    2. Re:They aren't already? by cdrudge · · Score: 1

      It certainly indicates that the data was not truly secure in the first place, at the very least!

      Not necessarily. PHI data may have been encrypted when stored on disk. Ransomware infection re-encrypts data making it unusable for its intended purpose, but PHI data, even if it managed to leak out, is still protected.

      Another scenario which is probably much more likely is PHI is kept on a secured server. Client computer becomes infected. PHI was never compromised. Does that still trigger a notification?

    3. Re:They aren't already? by mysidia · · Score: 1

      I thought a "breach" was "someone gained unauthorised access to data, typically a person's private data"?

      After a breach, they will use some bullshit excuse like: "We have not found evidence that any customers' data has been downloaded by the intruder."

      And if they did find evidence, the breach notification goes out only to the customers they found specific evidence of the attacker downloading.

    4. Re:They aren't already? by Alwin+Henseler · · Score: 1

      If the data has been accessed by unauthorised persons, there is no way to be 100% certain that it hasn't made it off premise (..)

      There is: if the system(s) in question are air-gapped, or on a LAN that has no external network connections. Malware (ransomware included) could still make its way onto such systems. Let's say through an infected USB stick.

      For real-world scenarios that's mostly a hypothetical case I suspect. While in theory that USB stick could compromise an air-gapped system, retrieve sensitive data, and then upload that data when it (later) gets plugged into another machine that does have internet access, that's more along the line of a highly targeted phishing attack.

      In such a breach the amount of leaked data would be limited by the capacity of said USB stick (and perhaps also its write speed). For an air-gapped system or isolated LAN, if a breach occurs obviously it's worth investigating how that happened. Let's say that's done, a specific 'bad' USB stick is found and its whereabouts are known, then yes it may be possible to say with confidence: breach / infection occurred, but no data leaked out.

      Disgruntled employee that carries infected USB stick & demands some Bitcoins? Sure, possible, but how likely? How often have you heard of such a case? So mostly hypothetical. 'Random' infection through internet, controlled by persons unknown in a far away country, is a much more common scenario I think. In such a case, "compromised" will imply "data may have leaked". An investigation of the capabilities of the specific malware could yield more clues, but 100% certainty? Indeed not.

    5. Re:They aren't already? by Anonymous Coward · · Score: 0

      What? Absolutely wrong.

      Even airgapped computers with no network connections at all can be programmed to transmit data, be it through imperceptible artifacting on the monitor, out-of-hearing-range sounds over the speakers, or, as another article earlier this week suggested, by changing the spin modes of the CPU fan so they can be interpreted as data.

      The US couldn't wait to brag about this ability after Iran/Stuxnet (whether or not the US is the one who wrote it)

    6. Re:They aren't already? by Fencepost · · Score: 3, Interesting

      Another scenario which is probably much more likely is PHI is kept on a secured server. Client computer becomes infected. PHI was never compromised. Does that still trigger a notification?

      Precisely this. I'll use 3 examples from current clients.

      • First client uses a vendor-hosted EMR system that they access via RDP connection to the vendor servers. There's literally almost nothing on their local network anymore except their timeclock software and web browsers. Even document scans go directly from the scanner to the remote using TSScan or the like. If someone infects a machine on their local network, does it trigger a breach notification?
      • Second client (actually several) uses a mixture of local desktops and terminal services, but everything patient-related is done within the EMR client software, which cleans up after itself when closed. The only patient data that might be on desktops is anything cached locally by the EMR package during that session. The items most likely to be troublesome would be EOB PDFs received from insurance companies, which are accessible from billing user logins. Does a desktop ransomware infection trigger a breach notification?
      • Third client migrated to a fully-hosted browser-based EMR package and again saves very little locally - everything's "in the cloud" for them except incidental office documents. Does a local PC infection trigger a breach?

      We've been fairly fortunate in what customers ended up infected with and have actually arranged things so there's very little impact if customer end-users end up infecting a local desktop via streaming a radio station or the like, but if customers have to report breaches for infections even on systems that don't have patient data stored or accessible that's going to turn into a real headache.

      --
      fencepost
      just a little off
    7. Re:They aren't already? by tlhIngan · · Score: 1

      First client uses a vendor-hosted EMR system that they access via RDP connection to the vendor servers. There's literally almost nothing on their local network anymore except their timeclock software and web browsers. Even document scans go directly from the scanner to the remote using TSScan or the like. If someone infects a machine on their local network, does it trigger a breach notification?

      No, because no patient data ever hit the local PC.

      Second client (actually several) uses a mixture of local desktops and terminal services, but everything patient-related is done within the EMR client software, which cleans up after itself when closed. The only patient data that might be on desktops is anything cached locally by the EMR package during that session. The items most likely to be troublesome would be EOB PDFs received from insurance companies, which are accessible from billing user logins. Does a desktop ransomware infection trigger a breach notification?

      Yes, because the EMR software was running, in which case there was cached user data that was potentially transmitted.

      Or...

      Yes, because unless the EMR software scrubs the local disk, the data can always be recovered by an "undelete" type utility. Thus every patient whose record was accessed by that machine has potentially had their information compromised.

      Third client migrated to a fully-hosted browser-based EMR package and again saves very little locally - everything's "in the cloud" for them except incidental office documents. Does a local PC infection trigger a breach?

      Potentially yes, depending on how "little" we're talking about. Because generally when the information is updated with test results, etc, the document is put onto the PC then uploaded to the EMR website. But the local file is never deleted (you can bet people won't delete it because they forget or are lazy, etc). In which case yes, it's a breach because PHI data was there.

      Only in the first case where no patient information hit any local storage would it not be breached. But once patient information hit the disk, even if it was a temporary cache, all bets are off. Especially if it's updated through a browser and local files were accessed to upload test results, etc. Because few people if ever delete them.

      And think about it this way - if the malware resulted in having to pay to get operations going again (like that hospital that paid $20,000), then there's obviously a breach. Because only in these three scenarios does it not matter - you wipe the infected PC and start over - the data is stored elsewhere so recovery is simply a wipe and reinstall away.

      But if you had to pay to continue operations, you're definitely breached.

  6. It's a fine line... by CeasedCaring · · Score: 0

    Ransomware or NSL?

    1. Re: It's a fine line... by Anonymous Coward · · Score: 0

      NSL means what exactly?

    2. Re: It's a fine line... by CeasedCaring · · Score: 1

      NSL == National Security Letter.

  7. HIPAA by tomhath · · Score: 2

    A data breach is bad. But trying to cover it up is a serious crime, I really doubt hospitals would take that chance.

  8. They should make ransomware illegal by Anonymous Coward · · Score: 1

    That would put a stop to it.

  9. How about money for REAL ITSEC? by Lumpy · · Score: 1

    Then let's cover the fact that IT should have more power and say than administration or the doctors. If John in IT says no you can't have your iPad on the network then it's FUCKING NO!

    What is needed is HIPAA regs appended so that the guys in charge of the hospital making the most money are PERSONALLY RESPONSIBLE for any data breaches or attacks. If this is done suddenly IT will be allowed to do their job and isolate critical systems from easy attack vectors.

    --
    Do not look at laser with remaining good eye.
    1. Re:How about money for REAL ITSEC? by Anonymous Coward · · Score: 1

      That's not the sum of IT's job. If the system is unusable they are not doing their job. Face it, IT sucks most of the time: "Just use this unwieldy password, we can't be arsed to implement security that is both more secure as well as easier and fast to use." That's the reality of IT, not some bullshit about not being allowed to lock all computers in a safe.

    2. Re:How about money for REAL ITSEC? by jon3k · · Score: 1

      If John in IT says no you can't have your iPad on the network then it's FUCKING NO!

      No iPads but plenty of Microsoft Windows workstations? In a post about ransomware? That's the worst example in history. I wish I could replace every single Windows PC with an iPad. We'd never have another malware infection again.

      What is needed is HIPAA regs appended so that the guys in charge of the hospital making the most money are PERSONALLY RESPONSIBLE for any data breaches or attacks. If this is done suddenly IT will be allowed to do their job and isolate critical systems from easy attack vectors.

      Won't stop a nurse from giving her password to someone else. What you do is hold the clinician accountable, which is exactly what HITECH does.

    3. Re:How about money for REAL ITSEC? by Anonymous Coward · · Score: 0

      The notable fact here isn't relative security between windows or iOS it's the recent history where all the doctors in many hospitals saw the latest tech shiny and forced their IT departments to allow and support them on the network. It's only after this power play is completed that the clinicians realize that iPads are very poor devices for interfacing with medical records and aren't good for many other work related tasks either.

      There's also the whole screenshot problem, where iOS presents an old screenshot of an application on launch to hide the true application start time; this means that there could be an MR in the screenshot cache even though policy dictates there shouldn't be any medical records stored locally.

      These aren't necessarily insurmountable problems, but the "I want it, and I want it now" attitude doesn't allow for due diligence in usability or security tasks.

    4. Re:How about money for REAL ITSEC? by Grishnakh · · Score: 1

      it's the recent history where all the doctors in many hospitals saw the latest tech shiny and forced their IT departments to allow and support them on the network. It's only after this power play is completed that the clinicians realize that iPads are very poor devices for interfacing with medical records and aren't good for many other work related tasks either.

      Huh? I'm an Apple-hater, but I'll happily admit that iPads simply do not have the level of problems with malware that Windows PCs do. The entire reason these hospitals are experiencing ransomware infections is because they're running Windows. That's it. If they stopped running Windows, they wouldn't have ransomware any time soon. And iPads are ubiquitous enough that if they were really that insecure, the malware writers would be going after them as they had with Windows, but you really don't hear of much malware on the iOS platform at all.

      Apple and their iDevices suck for a lot of reasons, but malware isn't one of them. The hospitals would do well to switch to iPads.

    5. Re:How about money for REAL ITSEC? by Anonymous Coward · · Score: 0

      That's not the sum of IT's job. If the system is unusable they are not doing their job. Face it, IT sucks most of the time: "Just use this unwieldy password, we can't be arsed to implement security that is both more secure as well as easier and fast to use." That's the reality of IT, not some bullshit about not being allowed to lock all computers in a safe.

      Security, ease of use, cheap... pick two. You cannot have all three.

    6. Re:How about money for REAL ITSEC? by jon3k · · Score: 1

      iPads are phenomenal devices for healthcare. It's like being able to hold every paper chart in the building in your hand.

      There's also the whole screenshot problem, where iOS presents an old screenshot of an application on launch to hide the true application start time; this means that there could be an MR in the screenshot cache even though policy dictates there shouldn't be any medical records stored locally.

      iOS devices are all encrypted with AES256 and we require them to have passcodes. As soon as the device is lost we remotely wipe it via MDM.

      https://www.apple.com/business...

      Every iOS device has a dedicated AES 256 crypto engine built into the DMA path between the flash storage and main system memory, making file encryption highly efficient.

      There's not a nice way to say this: you have no idea what you're talking about and clearly do not work in healthcare or know anything about the management of iOS devices, especially in the enterprise.

  10. Regardless by Anonymous Coward · · Score: 0

    This should be a wakeup call to all organizations that collect personal data - get your acts together or things like this are what you're going to have to deal with. And they deserve every last regulation.

    Every single data breach was because of incompetence. There are no excuses.

    Because those incompetent assholes can't do their jobs, people like me are stuck with the consequences.

  11. I Agree With The Naysayers by kackle · · Score: 1

    And, we will start to get such notices from these thousand-computer hospitals so often, that we won't even pay attention to them anymore, especially since there's nothing we can do about it.

    How come I smell the price of an aspirin going up? Thanks again, congress.

  12. Re:Second! by Anonymous Coward · · Score: 0

    Congrats! You came in twoth place.

  13. Who cares? by Anonymous Coward · · Score: 0

    I know, identity theft is serious. However, I have Lifelock and, therefore, am immune from such breaches. So why should I care about this? Maybe those of you wearing tinfoil hats should be concerned but I'll be just fine.

  14. Implying ransomware isn't subtle false flag? by Anonymous Coward · · Score: 0

    Ok Lizard Squad (NSA) and Anonymous (Israel state-sponsored) get out there and mess something up so we can pass more legislation.

    As if the public is crying out to congressmen to stop this giant problem while overlooking that the entirety of Microsoft is spyware.

    Google tracks.

    Facebook profiles.

    There are a lot of others that cross-reference immediately and Facebook goes international thanks to FBI moles.

  15. Re: Second! by Anonymous Coward · · Score: 0

    I know, identity theft is serious. However, I have Lifelock and, therefore, am immune from such breaches. So why should I care about this? Maybe those of you wearing tinfoil hats should be concerned but I'll be just fine. I can be quite confident that my identity is safe and don't have to worry about ransomware and data breaches.

  16. Moot point by Anonymous Coward · · Score: 0

    This is a moot point and a waste of time. New breeds of ransomware are already exfiltrating data. So yes, ransomware will be a breach by the current definition. Ransomware moves faster than the government, so all of them will be doing this long before we can change the law. http://www.beckershospitalreview.com/healthcare-information-technology/why-crysis-is-healthcare-s-most-threatening-ransomware-yet.html?utm_source=June+2016+News&utm_campaign=enews+June+2016&utm_medium=email

  17. A powerful California congressman? by Anonymous Coward · · Score: 1

    Shouldn't all congressmen (and congresswomen?) have the same power?

  18. Let's rename "data breach" to ... by Ihlosi · · Score: 4, Funny

    .. 'involuntary backup'.

  19. Well, for a modest fee... by Anonymous Coward · · Score: 0

    I am sure that for a modest fee the ransomware pirates will notify him of those they have extorted.

  20. Best defense vs. ransomware = hosts by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%... ask Cryptizard https://it.slashdot.org/commen...

    Less resource use vs. DNS/routers/addons/antivirus (slow you) + less security issues/complexity. Complements firewalls (w/ layered drivers blocking less used IPs vs. hosts blocking more used domains) & DNS (lighten dns load). Data via 10 security sites.

    Ads rob speed, security (malvertising), privacy (tracking).

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns logs/trackers) natively. Hosts != ClarityRay blockable (like addons)

    Works vs. caps & HTTP PUSH w/ firewalls.

    Avg. page = big as Doom http://www.theregister.co.uk/2... & ads = 40% of it.

    APK

    P.S. - Safe https://www.virustotal.com/en/... (per Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi... ) http://www.bing.com/search?q=%...

  21. Re: Second! by Anonymous Coward · · Score: 0

    Post your social then :P

  22. Re: Second! by lhowaf · · Score: 1

    Hey, Lifelock is working - your post shows up as being from "Anonymous Coward!"

  23. Fuck you by Anonymous Coward · · Score: 0

    Fucking lawmaker is like a bully always pushing people around. What a dickhead.