
posted by janrinok on Wednesday November 17 2021, @08:33PM

Hospitals are at a high risk of cyberattacks, but patients don't realize it:

Information technology experts are worried about increasing rates of ransomware attacks on healthcare organizations. Most patients, though, don't know they're happening, according to a new survey.

Southern Ohio Medical Center, a not-for-profit hospital in Portsmouth, Ohio, canceled appointments for today and is diverting ambulances after it was hit by a cyberattack on Thursday. It's part of a series of escalating attacks on healthcare organizations in the past two years — a trend that could have serious consequences for patient care.

But while information technology experts are well aware that the risk of cyberattacks that compromise patient data and shut down computer systems is on the rise, patients don't seem to be, according to a new report by cybersecurity company Armis. In fact, over 60 percent of people in the general public surveyed in the new report said they hadn't heard of any cyberattacks in healthcare in the past two years.

That's despite a doubling of cyberattacks on healthcare institutions in 2020, high-profile incidents like the attack on hospital chain Universal Health Services, and a major threat from groups using the ransomware Ryuk. The magnitude of attacks during the COVID-19 pandemic shocked experts, who said that ransomware gangs were targeting hospitals more aggressively than they had before. Unlike attacks on banks or schools, which are also common, these attacks have the potential to directly injure people.



Related Stories

State Hackers Breach Defense, Energy, Healthcare Orgs Worldwide 4 comments

Arthur T Knackerbracket has processed the following story:

Cybersecurity firm Palo Alto Networks warned over the weekend of an ongoing hacking campaign that has already resulted in the compromise of at least nine organizations worldwide from critical sectors, including defense, healthcare, energy, technology, and education.

To breach the orgs' networks, the threat actors behind this cyberespionage campaign exploited a critical vulnerability (CVE-2021-40539) in Zoho's enterprise password management solution known as ManageEngine ADSelfService Plus which allows remotely executing code on unpatched systems without authentication.

The attacks observed by Palo Alto Networks researchers started on September 17 with scans for vulnerable servers, nine days after the US Cybersecurity and Infrastructure Security Agency (CISA) warned it detected exploits used in the wild and one day after a joint advisory was published by CISA, the FBI, and the United States Coast Guard Cyber Command (CGCYBER).

Exploitation attempts began on September 22 after five days of harvesting info on potential targets who hadn't yet patched their systems.

"While we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised," the researchers said.

"Through global telemetry, we believe that the actor targeted at least 370 Zoho ManageEngine servers in the United States alone. Given the scale, we assess that these scans were largely indiscriminate in nature as targets ranged from education to Department of Defense entities."

Even though the researchers are working on attributing these attacks to a specific hacking group, they suspect that this is the work of a Chinese-sponsored threat group known as APT27 (also tracked as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse).

  • (Score: 2, Funny) by Anonymous Coward on Wednesday November 17 2021, @08:39PM (10 children)

    by Anonymous Coward on Wednesday November 17 2021, @08:39PM (#1197141)

    Some extra computers for reading email & watching YouTube ARE cheaper than paying ransom for your entire databases.

    • (Score: 4, Interesting) by Anonymous Coward on Wednesday November 17 2021, @08:52PM (4 children)

      by Anonymous Coward on Wednesday November 17 2021, @08:52PM (#1197147)

      I can tell you 'WHY'... middle managers. I have had a couple of these power idiots in my career. "I want to be able to see this on my BlackBerry." So IT open a hole in the security for this; then a month later another, and another. Until your shield of steel looks like a chicken fence.

      • (Score: 0) by Anonymous Coward on Wednesday November 17 2021, @10:03PM (2 children)

        by Anonymous Coward on Wednesday November 17 2021, @10:03PM (#1197189)

        A one-way mirror of the main server on a separate system would appease the idiots without opening a hole. Everyone and their dog could hack & encrypt the thing to their hearts' content... till a scheduled reboot from a read-only device pulls a new clean copy of the database.

        • (Score: 1, Redundant) by Runaway1956 on Thursday November 18 2021, @02:55AM (1 child)

          by Runaway1956 (2926) Subscriber Badge on Thursday November 18 2021, @02:55AM (#1197291) Journal

          Curious - what does it take to build a "one-way mirror"? Just define it please, and maybe I will agree with you.

          But, I think I would prefer complete isolation of infrastructure and critical systems. The lard-ass hospital administrator can physically haul his lame ass inside the hospital perimeter to make his inquiries. I view anything less as criminal mischief, criminal negligence, malfeasance, or similar.

          • (Score: 3, Informative) by tangomargarine on Thursday November 18 2021, @04:54AM

            by tangomargarine (667) on Thursday November 18 2021, @04:54AM (#1197317)

            Curious - what does it take to build a "one-way mirror"? Just define it please, and maybe I will agree with you.

            Glass, and a layer of reflective metal?

            Oh, you were probably referring to the network metaphor huh. It seemed pretty clear that what they were describing was basically a RAID 1 setup that gets periodically restored over itself. (Or some similar thing before you object to my exact phrasing.)

            --
            "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 0) by Anonymous Coward on Wednesday November 17 2021, @11:46PM

        by Anonymous Coward on Wednesday November 17 2021, @11:46PM (#1197223)

        That's why you need to separate your reporting and querying functions. An industrial process can broadcast process state, but must not accept any form of input, including even the simple selection of a particular field.

        Querying should be done by a service that listens to the broadcast process state, optionally stores it, performs any necessary munging, and most crucially, is the sole exposure to inputs. This prevents your critical process from exposure to that security hole, and makes your middle manager feel "empowered" (despite being the threat in this scenario).

        Changes to process state--inputs to the process!--should be communicated face-to-face, if you actually want real security and not theater. Deep fakes are making social engineering even more of a threat. At least with face-to-face, you only need to cope with compromised or malicious personnel.
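As an added illustration of the split this comment describes (example code written for this page, not from any commenter or product): a process that only publishes state snapshots over a one-way channel, and a separate query service that mirrors them and is the only component that accepts and validates requests. The channel, the field names and the values are constructed stand-ins.

```python
from __future__ import annotations
import json
import queue
from typing import Callable, Optional

def make_one_way_channel() -> tuple[Callable[[dict], None], Callable[[], Optional[dict]]]:
    """Hypothetical one-way channel (stand-in for a UDP broadcast or a hardware data
    diode): producer gets only `send`, consumer only `receive`, nothing flows back."""
    pipe: queue.Queue[str] = queue.Queue()

    def send(state: dict) -> None:
        pipe.put(json.dumps(state))  # serialised copy, never the live object

    def receive() -> Optional[dict]:
        return None if pipe.empty() else json.loads(pipe.get_nowait())

    return send, receive

class IndustrialProcess:
    """Owns the real process state. It only publishes; it has no input method."""

    def __init__(self, send: Callable[[dict], None]) -> None:
        self._send = send
        self._state = {"temp_c": 21.5, "pump_on": True, "cycle": 0}  # constructed

    def tick(self) -> None:
        self._state["cycle"] += 1
        self._state["temp_c"] += 0.1
        self._send(dict(self._state))  # broadcast a snapshot of the state

class QueryService:
    """Listens to broadcasts, stores the latest snapshot, and is the only
    component that parses user requests (the sole exposure to input)."""

    ALLOWED_FIELDS = frozenset({"temp_c", "pump_on", "cycle"})

    def __init__(self, receive: Callable[[], Optional[dict]]) -> None:
        self._receive = receive
        self._latest: dict = {}

    def sync(self) -> int:
        """Drain the channel; returns the number of snapshots absorbed."""
        n = 0
        while (snap := self._receive()) is not None:
            self._latest, n = snap, n + 1
        return n

    def query(self, field: str):
        # Validate the field selection here against an allowlist; never forward it.
        if field not in self.ALLOWED_FIELDS:
            raise ValueError(f"rejected field {field!r}")
        return self._latest.get(field)

def demo() -> tuple[int, float, bool]:
    send, receive = make_one_way_channel()
    proc, svc = IndustrialProcess(send), QueryService(receive)
    for _ in range(3):
        proc.tick()
    svc.sync()
    rejected = False
    try:
        svc.query("cycle; pump_on=False")  # constructed hostile input
    except ValueError:
        rejected = True
    return svc.query("cycle"), round(svc.query("temp_c"), 1), rejected
```

The process object holds no reference to the service or the channel's read side, so a bad request can fail only inside the query service.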

    • (Score: 5, Insightful) by VLM on Wednesday November 17 2021, @09:05PM (2 children)

      by VLM (445) on Wednesday November 17 2021, @09:05PM (#1197152)

      "The radiologist wants to VPN in to consult from home to save patients' lives" And his laptop at home either never gets patched or only gets patched when he connects from home every two years on average and/or he uses that laptop for other things or it's on a network with other things (powned IoT devices or smart TVs who knows)

      • (Score: 2, Insightful) by Anonymous Coward on Wednesday November 17 2021, @09:17PM (1 child)

        by Anonymous Coward on Wednesday November 17 2021, @09:17PM (#1197164)

        and these idiotic whores always use some proprietary shit vpn software and Windows.

        • (Score: -1, Flamebait) by Anonymous Coward on Wednesday November 17 2021, @09:25PM

          by Anonymous Coward on Wednesday November 17 2021, @09:25PM (#1197167)

          Take your meds apk, the hatred for your mother is leaking again.

    • (Score: 2) by RS3 on Wednesday November 17 2021, @10:35PM (1 child)

      by RS3 (6367) on Wednesday November 17 2021, @10:35PM (#1197201)

      Or use "walled gardens" - run the apps in a VM / container.

      • (Score: 1, Informative) by Anonymous Coward on Wednesday November 17 2021, @10:56PM

        by Anonymous Coward on Wednesday November 17 2021, @10:56PM (#1197206)

        Escape from a VM is an everyday occurrence these days, and real hardware is not that much costlier than VM licenses.

  • (Score: 3, Interesting) by krishnoid on Wednesday November 17 2021, @08:48PM (2 children)

    by krishnoid (1156) on Wednesday November 17 2021, @08:48PM (#1197144)

    Is this more the work of individual groups or do they have some external backing? Also, are the ones in (e.g.) socialized medicine countries being attacked too?

    Going *way* out on a limb here, it could appear that medical care establishments in a country that doesn't socialize medicine, could make them look more like private businesses [youtu.be], perhaps making them a more apparently reasonable target.

    • (Score: 2) by Frosty Piss on Thursday November 18 2021, @12:40AM (1 child)

      by Frosty Piss (4971) on Thursday November 18 2021, @12:40AM (#1197245)

      …it could appear that medical care establishments in a country that doesn't socialize medicine, could make them look more like private businesses…

      In the United States, “medical care establishments” ARE private *for profit* businesses.

      • (Score: 2) by krishnoid on Thursday November 18 2021, @04:39AM

        by krishnoid (1156) on Thursday November 18 2021, @04:39AM (#1197312)

        Hence my question about whether this is happening to medical institutions in countries with socialized medical care.

  • (Score: 4, Interesting) by VLM on Wednesday November 17 2021, @08:49PM (4 children)

    by VLM (445) on Wednesday November 17 2021, @08:49PM (#1197145)

    From the linked article:

    The hospital posted that it does not affect their ability to care for patients

    I have a buddy who works at an electronic medical record company (big famous one) and it's not an issue for them. All the defensive ideas people immediately think of, and plenty more, are already implemented.

    Two ways a cyber attack DOES work against a hospital:

    1) Flood the network. If whatever shitty instant message system they use, turbo spams the LAN until the perfectly working EMR is unreachable, well, at a system level it doesn't work. Kill the Windows 10 box that the web browser runs on and it doesn't matter how secure the server is if they got nothing onsite that can access it. And PCI/DSS ass covering means it'll take days/weeks to get new hardware or image all the old hardware, even though "in a real emergency we could buy 100 iPads and put them on the wifi in about an hour" but doing that without fifteen certification signatures and 22 change mgmt committee meetings means everyone involved will be fired even if nothing bad happens as a result. So better to shut down than to get fired...

    2) Business automation. "we do all our scheduling in Excel and the fileserver is down" "Medicare (or something) requires us to file within X hours and the MS Word to FAX gateway is down so unless we're converting to only charity work..." "Technically we can operate but with the fileserver down we can't store FAX receipts of docs we send to insurance so if they figure that out they'll 'lose' our paperwork and again we're not converting to only charity work so ..." "The hospital as a business or even as a medical provider is functional, but the hospital as a physical building is in big trouble because the HVAC system runs on windows and we got powned so the temperature inside is rapidly becoming the temperature outside..." "The fire alarm monitoring system in security dept runs on windows and that one PC got powned and if city health inspectors found out we were running a hospital without working fire suppression..." "The battery for the UPS for the VOIP PBX is dead so no phones in the entire facility so shut down (admittedly not cyber cyber cyber but could just as well have been the UPS monitoring PC that got powned)"

    • (Score: 2) by VLM on Wednesday November 17 2021, @08:59PM (3 children)

      by VLM (445) on Wednesday November 17 2021, @08:59PM (#1197149)

      Oh a third one he told me about that's a pretty major problem:

      3) From the same idiots that thought security was an add-on you just checkmark and recompile, brought on by shitty TV shows there's an idea that a little red LED turns on the chassis to let you know systems are powned. So the HVAC controller running Windows 98 finally gets powned and it's on the same LAN as the EMR, now the cyber crisis team steps in and freezes everything until legal is done doing forensics on the HVAC controller and magically it's "proven" somehow that the EMR isn't powned, nor the VOIP phones, nor the fileservers... and how do you "prove" that? Can anyone here tell me how you'd "know" that your fileserver didn't get powned in a way nobody knows about yet, or it just happened 30 seconds ago or ... And at the same time resources are diverted away trying to explain to highly non-technical business people why a virus that only attacks W98 and has been known about for around 23 years now, probably has NOT infected the unix based record system or the RTOS based xray controller or WTF else. Then again there's docs "proving" that they decommissioned the last W98 box decades ago but here it is powned so how do you "know" that there's not another W98 box out there running the radiation therapy lab or something and it's about to kill a patient?

      I bet in the linked example they shut down for reason #3. Some useless piece of shit webserver that hasn't been used or accessed since 2010 got powned and now everyone is terrified that everything ELSE might also be powned. OR maybe their mail server got powned and we won't hear about the new virus for a while, but it's out there and did it infect the CAT scan imager, who knows?

      • (Score: 3, Informative) by MostCynical on Wednesday November 17 2021, @10:42PM (1 child)

        by MostCynical (2589) on Wednesday November 17 2021, @10:42PM (#1197202) Journal

        medical equipment with attached pc for control, installed 10 years ago, state-of-the-art multi-million dollar machinery or just an inventory system for the pharmacy... proprietary software not updated since the day it was installed (and now no longer supported)

        find if this is a stand-alone device - but images, scans, and scripts need to be transferred between devices and the rest of the hospital.. so we need 'holes' - shared file storage space, apis, "transfer modules", and then ... the device is effectively connected to the www..

        "chase the sun" diagnosis (sending scans and files to a specialist somewhere else on the planet, who happens to be awake at 2am your local time) is great - but attachments and all that proprietary interface stuff also require more holes in the firewalls... (or Big Doctor needs system to work.. and yet another port is opened)

        Air-gapping the systems is too hard (even one extra step is resented by medical staff "trying to save lives") - so they will just use a USB thumb drive and move stuff...

        fixing humans is hard

        --
        "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
        • (Score: 2) by bzipitidoo on Friday November 19 2021, @04:25AM

          by bzipitidoo (4388) on Friday November 19 2021, @04:25AM (#1197652) Journal

          One ingredient you all left out, for US hospitals, is HIPAA. HIPAA is the go-to excuse for why a hospital can't do something. Use open source? Might violate HIPAA! Upgrade a system? Not if the new system isn't certified as HIPAA compliant!

      • (Score: 0) by Anonymous Coward on Thursday November 18 2021, @04:47AM

        by Anonymous Coward on Thursday November 18 2021, @04:47AM (#1197315)

        powned

        your credibility is somewhat undercut by you apparently not knowing how to spell this super old slang term

  • (Score: 0) by Anonymous Coward on Wednesday November 17 2021, @08:59PM (2 children)

    by Anonymous Coward on Wednesday November 17 2021, @08:59PM (#1197150)

    Guess I'll die.

    • (Score: 0) by Anonymous Coward on Wednesday November 17 2021, @09:08PM (1 child)

      by Anonymous Coward on Wednesday November 17 2021, @09:08PM (#1197154)

      Not our fault you chose to be born with a faulty $organ, and we've been artificially keeping you alive for the past X months.

      • (Score: 0) by Anonymous Coward on Thursday November 18 2021, @03:01AM

        by Anonymous Coward on Thursday November 18 2021, @03:01AM (#1197292)

        Sad to say, but also true. Our ancestors just died all the time from stuff that is a freak accident nowadays. When it comes to security, culture has to change, and it will probably take all of us alive right now dying for real native advanced technological culture to arise. We can remember a time before having an antenna jacked in to your brain was normal.

  • (Score: 1, Redundant) by VLM on Wednesday November 17 2021, @09:26PM

    by VLM (445) on Wednesday November 17 2021, @09:26PM (#1197169)

    In fact, over 60 percent of people in the general public surveyed in the new report said they hadn't heard of any cyberattacks in healthcare in the past two years.

    Similar to other recent famous virus reporting (LOL), if you only got 5 new cases to drum up propaganda about, you report the percentage increased by 500% to increase fear. Noticed the report of go language related hospital cyberattacks went up by a very suspiciously even numbered percentage 500% in the linked article, and I'd bet money that means it went from 1 lifetime case to 6 lifetime cases.

    That's why 60% haven't heard of anything, there's relatively speaking nothing to report LOL.

  • (Score: 0) by Anonymous Coward on Wednesday November 17 2021, @11:27PM

    by Anonymous Coward on Wednesday November 17 2021, @11:27PM (#1197218)

    Anyone looked at the pager traffic in their area lately?

    ...and I mean the traffic content being broadcasted in plaintext.

  • (Score: 2) by MostCynical on Thursday November 18 2021, @12:27AM

    by MostCynical (2589) on Thursday November 18 2021, @12:27AM (#1197239) Journal

    most of the 'general public' don't know about IT - at all.

    Bank customers don't know how vulnerable banking systems are - or how many attacks there are..
    Online shoppers... really all web users the same

    Would it be better if they did? Would it cause panic?
    People should know about keeping themselves safe on the web - how much tinfoil will we need? People who really understand the issues don't even surf the web - wget is the only way they see websites - and online banking and payment 'apps'? Forget it!

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 2) by tangomargarine on Thursday November 18 2021, @04:44AM (1 child)

    by tangomargarine (667) on Thursday November 18 2021, @04:44AM (#1197314)

    ~~Hospitals are~~ Everything is at a High Risk of Cyberattacks, but Patients Don’t Realize It

    FTFY

    Pretty much any part of the world that runs on computers is just waiting for some particularly stupid/sociopathic person to hack it and crash the whole thing.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 3, Interesting) by canopic jug on Thursday November 18 2021, @07:24AM

      by canopic jug (3949) Subscriber Badge on Thursday November 18 2021, @07:24AM (#1197345) Journal

      Furthermore, attacks are synonymous with breaches only on M$ systems. Remove M$ from the equation and the number of attacks will cease to matter, only the small fraction that actually succeed. We need to go back to designing network-based infrastructures more like they were in the 1980s [mit.edu]: don't trust the network, not even the LAN, and assume the network is always compromised and design the communications methods and protocols accordingly. For if you have even one M$ box on your production environment, it is already compromised in more ways than one.

      --
      Money is not free speech. Elections should not be auctions.
  • (Score: 0) by Anonymous Coward on Thursday November 18 2021, @04:47PM

    by Anonymous Coward on Thursday November 18 2021, @04:47PM (#1197464)

    What do you suggest the patients would do if they knew?
