SoylentNews is people
SoylentNews
Hospitals are at a high risk of cyberattacks, but patients don't realize it:
Information technology experts are worried about increasing rates of ransomware attacks on healthcare organizations. Most patients, though, don't know they're happening, according to a new survey.
Southern Ohio Medical Center, a not-for-profit hospital in Portsmouth, Ohio, canceled appointments for today and is diverting ambulances after it was hit by a cyberattack on Thursday. It's part of a series of escalating attacks on healthcare organizations in the past two years — a trend that could have serious consequences for patient care.
But while information technology experts are well aware that the risk of cyberattacks that compromise patient data and shut down computer systems is on the rise, patients don't seem to be, according to a new report by cybersecurity company Armis. In fact, over 60 percent of people in the general public surveyed in the new report said they hadn't heard of any cyberattacks in healthcare in the past two years.
That's despite a doubling of cyberattacks on healthcare institutions in 2020, high-profile incidents like the attack on hospital chain Universal Health Services, and a major threat from groups using the ransomware Ryuk. The magnitude of attacks during the COVID-19 pandemic shocked experts, who said that ransomware gangs were targeting hospitals more aggressively than they had before. Unlike attacks on banks or schools, which are also common, these attacks have the potential to directly injure people.
(Score: 2) by VLM on Wednesday November 17 2021, @08:59PM (3 children)
Oh a third one he told me about that's a pretty major problem:
3) From the same idiots that thought security was an addon you just checkmark and recompile, brought on by shitty TV shows there's an idea that a little red LED turns on the chassis to let you know systems are powned. So the HVAC controller running window 98 finally gets powned and its on the same LAN as the EMR, now the cyber crisis team steps in and freezes everything until legal is done doing forensics on the HVAC controller and magically its "proven" somehow that the EMR isn't powned, nor the VOIP phones, nor the fileservers... and how do you "prove" that? Can anyone here tell me how you'd "know" that your fileserver didn't get powned in a way nobody knows about yet, or it just happened 30 seconds ago or ... And at the same time resources are diverted away trying to explain to highly non-technical business people why a virus that only attacks W98 and has been known about for around 23 years now, probably has NOT infected the unix based record system or the RTOS based xray controller or WTF else. Then again there's docs "proving" that they decommissioned the last W98 box decades ago but here it is powned so how do you "know" that theres not another W98 box out there running the radiation therapy lab or something and its about to kill a patient?
I bet in the linked example they shut down for reason #3. Some useless piece of shit webserver that hasn't been used or accessed since 2010 got powned and now everyone is terrified that everything ELSE might also be powned. OR maybe their mail server got powned and we won't hear about the new virus for awhile, but its out there and did it infect the CAT scan imager, who knows?
(Score: 3, Informative) by MostCynical on Wednesday November 17 2021, @10:42PM (1 child)
medical equipment with attached pc for control, installed 10 years ago, state-of-the-art multi-million dollar machinery or just an inventory system for the pharmacy... proprietary software not updated since the day it was installed (and now no longer supported)
find if this is a stand-alone device - but images, scans, and scripts need to be transferred between devices and the rest of the hospital.. so we need 'holes' - shared file storage space, apis, "transfer modules", and then ... the device is effectively connected to the www..
"chase the sun" diagnosis (sending scans and files to a specialist somewhere else on the planet, who happens to be awake at 2am your local time) is great - but attachments and all that proprietary interface stuff also require more holes in the firewalls... (or Big Doctor needs system to work.. and yet another port is opened)
Air-gapping the systems is too hard (even one extra step is resented by medical staff "trying to save lives") - so they will just use a USB thumb drive and move stuff...
fixing humans is hard
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by bzipitidoo on Friday November 19 2021, @04:25AM
One ingredient you all left out, for US hospitals, is HIPAA. HIPAA is the goto excuse for why a hospital can't do something. Use open source? Might violate HIPAA! Upgrade a system? Not if the new system isn't certified as HIPAA compliant!
(Score: 0) by Anonymous Coward on Thursday November 18 2021, @04:47AM
your credibility is somewhat undercut by you apparently not knowing how to spell this super old slang term