Hospitals are at a high risk of cyberattacks, but patients don't realize it:
Information technology experts are worried about increasing rates of ransomware attacks on healthcare organizations. Most patients, though, don't know they're happening, according to a new survey.
Southern Ohio Medical Center, a not-for-profit hospital in Portsmouth, Ohio, canceled appointments for today and is diverting ambulances after it was hit by a cyberattack on Thursday. It's part of a series of escalating attacks on healthcare organizations in the past two years — a trend that could have serious consequences for patient care.
But while information technology experts are well aware that the risk of cyberattacks that compromise patient data and shut down computer systems is on the rise, patients don't seem to be, according to a new report by cybersecurity company Armis. In fact, over 60 percent of people in the general public surveyed in the new report said they hadn't heard of any cyberattacks in healthcare in the past two years.
That's despite a doubling of cyberattacks on healthcare institutions in 2020, high-profile incidents like the attack on hospital chain Universal Health Services, and a major threat from groups using the ransomware Ryuk. The magnitude of attacks during the COVID-19 pandemic shocked experts, who said that ransomware gangs were targeting hospitals more aggressively than they had before. Unlike attacks on banks or schools, which are also common, these attacks have the potential to directly injure people.
(Score: 4, Interesting) by VLM on Wednesday November 17 2021, @08:49PM (4 children)
From the linked article:
I have a buddy who works at an electronic medical record company (big famous one) and it's not an issue for them. All the defensive ideas people immediately think of, and plenty more, are already implemented.
Two ways a cyber attack DOES work against a hospital:
1) Flood the network. If whatever shitty instant message system they use, turbo spams the LAN until the perfectly working EMR is unreachable, well, at a system level it doesn't work. Kill the Windows10 box that the web browser runs on and it doesn't matter how secure the server is if they got nothing onsite that can access it. And PCI/DSS ass covering means it'll take days/weeks to get new hardware or image all the old hardware, even though "in a real emergency we could buy 100 ipads and put them on the wifi in about an hour" but doing that without fifteen certification signatures and 22 change mgmt committee meetings means everyone involved will be fired even if nothing bad happens as a result. So better to shut down than to get fired...
2) Business automation. "we do all our scheduling in Excel and the fileserver is down" "Medicare (or something) requires us to file within X hours and the MS Word to FAX gateway is down so unless we're converting to only charity work..." "Technically we can operate but with the fileserver down we can't store FAX receipts of docs we send to insurance so if they figure that out they'll 'lose' our paperwork and again we're not converting to only charity work so ..." "The hospital as a business or even as a medical provider is functional, but the hospital as a physical building is in big trouble because the HVAC system runs on windows and we got powned so the temperature inside is rapidly becoming the temperature outside..." "The fire alarm monitoring system in security dept runs on windows and that one PC got powned and if city health inspectors found out we were running a hospital without working fire suppression..." "The battery for the UPS for the VOIP PBX is dead so no phones in the entire facility so shut down (admittedly not cyber cyber cyber but could just as well have been the UPS monitoring PC that got powned)"
(Score: 2) by VLM on Wednesday November 17 2021, @08:59PM (3 children)
Oh a third one he told me about that's a pretty major problem:
3) From the same idiots that thought security was an addon you just checkmark and recompile, brought on by shitty TV shows there's an idea that a little red LED turns on the chassis to let you know systems are powned. So the HVAC controller running Windows 98 finally gets powned and it's on the same LAN as the EMR, now the cyber crisis team steps in and freezes everything until legal is done doing forensics on the HVAC controller and magically it's "proven" somehow that the EMR isn't powned, nor the VOIP phones, nor the fileservers... and how do you "prove" that? Can anyone here tell me how you'd "know" that your fileserver didn't get powned in a way nobody knows about yet, or it just happened 30 seconds ago or ... And at the same time resources are diverted away trying to explain to highly non-technical business people why a virus that only attacks W98 and has been known about for around 23 years now, probably has NOT infected the unix based record system or the RTOS based xray controller or WTF else. Then again there's docs "proving" that they decommissioned the last W98 box decades ago but here it is powned so how do you "know" that there's not another W98 box out there running the radiation therapy lab or something and it's about to kill a patient?
I bet in the linked example they shut down for reason #3. Some useless piece of shit webserver that hasn't been used or accessed since 2010 got powned and now everyone is terrified that everything ELSE might also be powned. OR maybe their mail server got powned and we won't hear about the new virus for a while, but it's out there and did it infect the CAT scan imager, who knows?
(Score: 3, Informative) by MostCynical on Wednesday November 17 2021, @10:42PM (1 child)
medical equipment with attached pc for control, installed 10 years ago, state-of-the-art multi-million dollar machinery or just an inventory system for the pharmacy... proprietary software not updated since the day it was installed (and now no longer supported)
fine if this is a stand-alone device - but images, scans, and scripts need to be transferred between devices and the rest of the hospital.. so we need 'holes' - shared file storage space, apis, "transfer modules", and then ... the device is effectively connected to the www..
"chase the sun" diagnosis (sending scans and files to a specialist somewhere else on the planet, who happens to be awake at 2am your local time) is great - but attachments and all that proprietary interface stuff also require more holes in the firewalls... (or Big Doctor needs system to work.. and yet another port is opened)
Air-gapping the systems is too hard (even one extra step is resented by medical staff "trying to save lives") - so they will just use a USB thumb drive and move stuff...
fixing humans is hard
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by bzipitidoo on Friday November 19 2021, @04:25AM
One ingredient you all left out, for US hospitals, is HIPAA. HIPAA is the go-to excuse for why a hospital can't do something. Use open source? Might violate HIPAA! Upgrade a system? Not if the new system isn't certified as HIPAA compliant!
(Score: 0) by Anonymous Coward on Thursday November 18 2021, @04:47AM
your credibility is somewhat undercut by you apparently not knowing how to spell this super old slang term