date 2017-11-21
Hospitals are at a high risk of cyberattacks, but patients don't realize it:
Information technology experts are worried about increasing rates of ransomware attacks on healthcare organizations. Most patients, though, don't know they're happening, according to a new survey.
Southern Ohio Medical Center, a not-for-profit hospital in Portsmouth, Ohio, canceled appointments for today and is diverting ambulances after it was hit by a cyberattack on Thursday. It's part of a series of escalating attacks on healthcare organizations in the past two years — a trend that could have serious consequences for patient care.
But while information technology experts are well aware that the risk of cyberattacks that compromise patient data and shut down computer systems is on the rise, patients don't seem to be, according to a new report by cybersecurity company Armis. In fact, over 60 percent of people in the general public surveyed in the new report said they hadn't heard of any cyberattacks in healthcare in the past two years.
That's despite a doubling of cyberattacks on healthcare institutions in 2020, high-profile incidents like the attack on hospital chain Universal Health Services, and a major threat from groups using the ransomware Ryuk. The magnitude of attacks during the COVID-19 pandemic shocked experts, who said that ransomware gangs were targeting hospitals more aggressively than they had before. Unlike attacks on banks or schools, which are also common, these attacks have the potential to directly injure people.
Cybersecurity firm Palo Alto Networks warned over the weekend of an ongoing hacking campaign that has already resulted in the compromise of at least nine organizations worldwide from critical sectors, including defense, healthcare, energy, technology, and education.
To breach the organizations' networks, the threat actors behind this cyberespionage campaign exploited a critical vulnerability (CVE-2021-40539) in Zoho's enterprise password management solution, ManageEngine ADSelfService Plus, which allows remote code execution on unpatched systems without authentication.
The attacks observed by Palo Alto Networks researchers started on September 17 with scans for vulnerable servers, nine days after the US Cybersecurity and Infrastructure Security Agency (CISA) warned it detected exploits used in the wild and one day after a joint advisory was published by CISA, the FBI, and the United States Coast Guard Cyber Command (CGCYBER).
Exploitation attempts began on September 22 after five days of harvesting info on potential targets who hadn't yet patched their systems.
"While we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised," the researchers said.
"Through global telemetry, we believe that the actor targeted at least 370 Zoho ManageEngine servers in the United States alone. Given the scale, we assess that these scans were largely indiscriminate in nature as targets ranged from education to Department of Defense entities."
Although the researchers are still working on attributing these attacks to a specific hacking group, they suspect that this is the work of a Chinese state-sponsored threat group known as APT27 (also tracked as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse).
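The timeline in the article (a broad sweep of servers on September 17, exploitation attempts against a subset five days later) is exactly the pattern a defender can look for in perimeter or web-proxy logs. The following is an added example, not code from the article or from Palo Alto Networks: it parses constructed log lines (the addresses, hostnames, and the `/constructed/path` URL are invented for the example), flags any source that touches many distinct hosts inside a short window, and then reports later state-changing requests from that same source to hosts it had swept.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Format per line:
# <ISO timestamp> <src_ip> <dst_host> <method> <path> <status>
# One source sweeps ten hosts with GETs on 2021-09-17 and returns on 2021-09-22
# with POSTs to two of them; a second source only ever talks to one host.
SAMPLE_LOG = """\
2021-09-17T03:12:01Z 203.0.113.7 srv01.example.org GET / 200
2021-09-17T03:12:02Z 203.0.113.7 srv02.example.org GET / 200
2021-09-17T03:12:03Z 203.0.113.7 srv03.example.org GET / 404
2021-09-17T03:12:04Z 203.0.113.7 srv04.example.org GET / 200
2021-09-17T03:12:05Z 203.0.113.7 srv05.example.org GET / 200
2021-09-17T03:12:06Z 203.0.113.7 srv06.example.org GET / 403
2021-09-17T03:12:07Z 203.0.113.7 srv07.example.org GET / 200
2021-09-17T03:12:08Z 203.0.113.7 srv08.example.org GET / 200
2021-09-17T03:12:09Z 203.0.113.7 srv09.example.org GET / 404
2021-09-17T03:12:10Z 203.0.113.7 srv10.example.org GET / 200
2021-09-17T09:00:00Z 198.51.100.4 srv03.example.org GET / 200
2021-09-22T14:41:07Z 203.0.113.7 srv02.example.org POST /constructed/path 500
2021-09-22T14:41:09Z 203.0.113.7 srv07.example.org POST /constructed/path 200
2021-09-22T15:00:00Z 198.51.100.4 srv03.example.org POST /constructed/path 200
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict with a parsed timestamp."""
    ts, src, dst, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src, "dst": dst, "method": method, "path": path, "status": int(status),
    }


def find_sweep(events, min_hosts, window):
    """Return (start, end, hosts) for the first window in which one source
    contacted at least min_hosts distinct hosts, or None if it never did."""
    for i, ev in enumerate(events):
        start, end = ev["ts"], ev["ts"] + window
        hosts = {x["dst"] for x in events[i:] if x["ts"] <= end}
        if len(hosts) >= min_hosts:
            return start, end, hosts
    return None


def detect_scan_then_exploit(lines, min_hosts=5, window=timedelta(minutes=10),
                             mutating=("POST", "PUT", "PATCH")):
    """Map each sweeping source to its sweep start, host count, and the later
    state-changing requests it sent to hosts it had swept."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        sweep = find_sweep(evs, min_hosts, window)
        if sweep is None:
            continue  # never touched enough distinct hosts to count as a sweep
        start, end, scanned = sweep
        follow_ups = [(ev["ts"], ev["dst"], ev["path"]) for ev in evs
                      if ev["ts"] > end and ev["method"] in mutating and ev["dst"] in scanned]
        findings[src] = {"scan_start": start, "scanned_hosts": len(scanned),
                         "follow_ups": follow_ups}
    return findings


if __name__ == "__main__":
    for src, f in detect_scan_then_exploit(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: swept {f['scanned_hosts']} hosts from {f['scan_start']:%Y-%m-%d %H:%M}; "
              f"{len(f['follow_ups'])} later state-changing request(s) to swept hosts")
        for ts, dst, path in f["follow_ups"]:
            print(f"  {ts:%Y-%m-%d %H:%M:%S} {dst} {path}")
```

The thresholds (five hosts in ten minutes) are starting points to tune against your own traffic; the value of the check is the correlation between the two phases, which a simple per-request rule misses. The gap between sweep and follow-up is also the patching window the article describes, so a sweep alert on its own is a prompt to confirm the affected product is already at a fixed version.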
(Score: 0) by Anonymous Coward on Wednesday November 17, @08:39PM (4 children)
Some extra computers for reading email & watching YouTube ARE cheaper than paying ransom for your entire databases.
(Score: 1, Informative) by Anonymous Coward on Wednesday November 17, @08:52PM
I can tell you 'WHY'... middle managers. I have had a couple of these power idiots in my career. "I want to be able to see this on my BlackBerry." So IT opens a hole in the security for this; then a month later another, and another, until your shield of steel looks like a chicken fence.
(Score: 2) by VLM on Wednesday November 17, @09:05PM (2 children)
"The radiologist wants to VPN in to consult from home to save patients' lives." And his laptop at home either never gets patched, or only gets patched when he connects from home every two years on average, and/or he uses that laptop for other things, or it's on a network with other things (powned IoT devices or smart TVs, who knows).
(Score: 0) by Anonymous Coward on Wednesday November 17, @09:17PM (1 child)
and these idiotic whores always use some proprietary shit vpn software and Windows.
(Score: 0) by Anonymous Coward on Wednesday November 17, @09:25PM
Take your meds apk, the hatred for your mother is leaking again.
(Score: 3, Interesting) by krishnoid on Wednesday November 17, @08:48PM
Is this more the work of individual groups or do they have some external backing? Also, are the ones in (e.g.) socialized medicine countries being attacked too?
Going *way* out on a limb here, it could appear that medical care establishments in a country that doesn't socialize medicine look more like private businesses [youtu.be], perhaps making them a more apparently reasonable target.
(Score: 2) by VLM on Wednesday November 17, @08:49PM (1 child)
From the linked article:
I have a buddy who works at an electronic medical record company (big famous one) and it's not an issue for them. All the defensive ideas people immediately think of, and plenty more, are already implemented.
Two ways a cyber attack DOES work against a hospital:
1) Flood the network. If whatever shitty instant message system they use turbo-spams the LAN until the perfectly working EMR is unreachable, well, at a system level it doesn't work. Kill the Windows 10 box that the web browser runs on and it doesn't matter how secure the server is if they got nothing onsite that can access it. And PCI/DSS ass covering means it'll take days/weeks to get new hardware or image all the old hardware, even though "in a real emergency we could buy 100 iPads and put them on the wifi in about an hour", but doing that without fifteen certification signatures and 22 change mgmt committee meetings means everyone involved will be fired even if nothing bad happens as a result. So better to shut down than to get fired...
2) Business automation. "We do all our scheduling in Excel and the fileserver is down." "Medicare (or something) requires us to file within X hours and the MS Word to FAX gateway is down, so unless we're converting to only charity work..." "Technically we can operate, but with the fileserver down we can't store FAX receipts of docs we send to insurance, so if they figure that out they'll 'lose' our paperwork, and again we're not converting to only charity work, so..." "The hospital as a business or even as a medical provider is functional, but the hospital as a physical building is in big trouble because the HVAC system runs on Windows and we got powned, so the temperature inside is rapidly becoming the temperature outside..." "The fire alarm monitoring system in the security dept runs on Windows and that one PC got powned, and if city health inspectors found out we were running a hospital without working fire suppression..." "The battery for the UPS for the VOIP PBX is dead so no phones in the entire facility, so shut down (admittedly not cyber cyber cyber, but could just as well have been the UPS monitoring PC that got powned)."
(Score: 2) by VLM on Wednesday November 17, @08:59PM
Oh a third one he told me about that's a pretty major problem:
3) From the same idiots that thought security was an addon you just checkmark and recompile, brought on by shitty TV shows, there's an idea that a little red LED turns on on the chassis to let you know systems are powned. So the HVAC controller running Windows 98 finally gets powned and it's on the same LAN as the EMR; now the cyber crisis team steps in and freezes everything until legal is done doing forensics on the HVAC controller and magically it's "proven" somehow that the EMR isn't powned, nor the VOIP phones, nor the fileservers... and how do you "prove" that? Can anyone here tell me how you'd "know" that your fileserver didn't get powned in a way nobody knows about yet, or it just happened 30 seconds ago, or ... And at the same time resources are diverted away trying to explain to highly non-technical business people why a virus that only attacks W98 and has been known about for around 23 years now probably has NOT infected the Unix-based record system or the RTOS-based X-ray controller or WTF else. Then again there's docs "proving" that they decommissioned the last W98 box decades ago, but here it is powned, so how do you "know" that there's not another W98 box out there running the radiation therapy lab or something and it's about to kill a patient?
I bet in the linked example they shut down for reason #3. Some useless piece of shit webserver that hasn't been used or accessed since 2010 got powned and now everyone is terrified that everything ELSE might also be powned. OR maybe their mail server got powned and we won't hear about the new virus for a while, but it's out there and did it infect the CAT scan imager, who knows?
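The question in the comment above, how you would "know" a file server was not altered, is the problem file-integrity baselining is meant to bound. The following is an added example, not code from the thread or from any product named in it: it records a SHA-256, size, and permission bits for every file under a root, and later reports what was added, removed, or modified relative to that record. The directory tree, file names, and contents are constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (relative POSIX path) to its hash, size, and mode bits."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_sha256(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def verify(root, baseline):
    """Compare the tree under root against a stored baseline.
    A content change or a permission change both count as 'modified'."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in common
            if current[k]["sha256"] != baseline[k]["sha256"]
            or current[k]["mode"] != baseline[k]["mode"]
        ),
    }


def demo():
    """Build a constructed tree, baseline it, change it, and return the verify() report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=8888\n")      # constructed config
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"constructed binary")  # constructed binary
        (root / "README").write_text("constructed sample\n")

        baseline = build_baseline(root)
        # In real use the baseline is written somewhere the monitored host cannot
        # alter; here it is just round-tripped through JSON to show it serializes.
        stored = json.loads(json.dumps(baseline))

        # Simulated drift: one file edited, one deleted, one new file dropped in.
        (root / "etc" / "app.conf").write_text("listen=8888\nconstructed=tamper\n")
        (root / "README").unlink()
        (root / "bin" / "dropped.sh").write_text("#!/bin/sh\n")

        return verify(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats matter for the comment's question. A baseline only proves what changed since it was taken, not that the tree was clean when it was taken, so it has to be captured on a known-good build and stored off the monitored host. And hashing through the running system's own kernel trusts that kernel; for a box you already suspect, take the hashes from offline media or a separate boot, which is the "how do you know" that forensics teams are actually trying to answer.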
(Score: 0) by Anonymous Coward on Wednesday November 17, @08:59PM (1 child)
Guess I'll die.
(Score: 0) by Anonymous Coward on Wednesday November 17, @09:08PM
Not our fault you chose to be born with a faulty $organ, and we've been artificially keeping you alive for the past X months.
(Score: 2) by VLM on Wednesday November 17, @09:26PM
Similar to other recent famous virus reporting (LOL), if you only got 5 new cases to drum up propaganda about, you report the percentage increased by 500% to increase fear. Noticed the report of Go language related hospital cyberattacks went up by a very suspiciously even-numbered percentage, 500%, in the linked article, and I'd bet money that means it went from 1 lifetime case to 6 lifetime cases.
That's why 60% haven't heard of anything, there's relatively speaking nothing to report LOL.