Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Medicine Crime Security

Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack (softpedia.com) 212

An anonymous reader writes: The Hollywood Presbyterian Medical Center has been hit by a cyber-attack and its systems are now being held hostage by hackers that are demanding a ransom of 9,000 Bitcoin, which is about $3.6 million (€3.2 million) in today's currency. Management has forbidden staff to turn on their computers, fearing the attack might spread, and the Radiation and Oncology departments have been completely shut down because they can't use their equipment." The staff were also forced to use fax machines rather than email, and to write down patient data on paper; patients had had to come in in person for results.
This discussion has been archived. No new comments can be posted.

Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack

Comments Filter:
  • by hawguy ( 1600213 ) on Monday February 15, 2016 @06:18PM (#51515133)

    Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.

    • by Antique Geekmeister ( 740220 ) on Monday February 15, 2016 @06:26PM (#51515175)

      If you get re-infected within moments by other infected machines, the backups don't help much. I've seen a partner infested this way, and it was horrible.

      • by guruevi ( 827432 )

        That's why you make sure you have an up-to-date image and use an OS that doesn't default to open.

        • That's great, if you've been permitted the resources to set up PXE boot and keep track of assets to install the images only where you have licenses. Unfortunately, getting all the doctor's laptops and home machines that come in via VPN connections updated can be a nightmare. And if the patch isn't already in the image, you can be re-infected by within minutes after re-activation. I'm not trying to say that it's an insoluble problem: Isolating such an infected network and setting up "DMZ's" or "demilitarized

    • by Antique Geekmeister ( 740220 ) on Monday February 15, 2016 @06:30PM (#51515201)

      If you don't have the list of softwarekeys, or the licenses, to reinstall from scratch, and if you don't have the staff with the tools to re-image systems swiftly, rebuilding the systems from scratch is a herculean job and you *wiall* lose vital patient data. If you don't have the tools, the systems *will* get re-infected while you're reinstalling them. Been there, done that, it's why i never,run the basic backup systems on Windows.

      • by hawguy ( 1600213 )

        If you don't have the list of softwarekeys, or the licenses, to reinstall from scratch, and if you don't have the staff with the tools to re-image systems swiftly, rebuilding the systems from scratch is a herculean job and you *wiall* lose vital patient data. If you don't have the tools, the systems *will* get re-infected while you're reinstalling them. Been there, done that, it's why i never,run the basic backup systems on Windows.

        It's not really a backup if it can't be used to restore what needs to be restored. I should hope that a hospital is not relying on the backup backup systems of Windows. Data Protection Manager is a bear to set up and configure, but once it's running, they should be able to do bare metal restores without losing anything. The only thing more expensive than an enterprise backup system is not having backups when you need them.

        And even if they do lose vital patient data in the restore, they've *already* lost vit

        • by KGIII ( 973947 ) <uninvolved@outlook.com> on Monday February 15, 2016 @07:25PM (#51515663) Journal

          I lost data once and only once. Well, a significant amount of data. I've had crashes with not-yet-saved documents that took out trivial amounts but that doesn't even happen any more. You're not only correct, you're spot on.

          One other thing to add - without verifying your backup - you have no backup at all. That includes a restoration strategy, that's part of the verification process. That includes having the ability to put a fresh system up, while the system is down, and have it isolated to access tools for recovery (such as updated patches).

          My loss of data was infuriating and bizarre. I've been very anal about keeping backups ever since. To this day, even for my personal data, I keep regular updates at disparate locations and provision the same services for my friends. It's all fairly automated at this point but I still test the recovery often enough to know that I shouldn't ever lose any valuable data ever again.

          Hardware, software, and bandwidth are cheap. They're cheap enough to be considered ubiquitous and there's no excuse for me to not do this. It is not expensive and doesn't even require physically moving the data on a regular basis. With a little bit of initiative, you can even automate a good portion of it. (I've not really found a good way to do the verification completely automatically from within the OS. I've not yet found one that I can really be certain of so I do verifications on my own.)

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Most likely ransomware (which can be very pervasive) and has spread to hospital equipment that was never secured or backed up, no-one thinks to backup data on a pain-pump or a smart-bed, all have software so theoretically can be infected or at least be a hiding place.

      Backups may not be enough, might have to do a full wipe of everything connected, while the patient files should be ok so much will be lost because no-one though it would happen. (assuming they have a good backup system, or have practiced an eme

      • Most likely ransomware (which can be very pervasive) and has spread to hospital equipment that was never secured or backed up, no-one thinks to backup data on a pain-pump or a smart-bed, all have software so theoretically can be infected or at least be a hiding place.

        Freaky, Just yesterday, I wrote a Hypothetical bit about hackers Breaking and entering an Insulin pump and demanding bitcoin for not having it over-pump, send a person into insulin shock and kill the patient. While it was reviled then, little did I know my only error was in magnitude. I wrote of one person, here the bastards pulled their stunt on an entire hospital.

        I dunno - it seems like the exact reason the internet of things is a disaster waiting to happen. Oh wait... it has happened

    • by Nethemas the Great ( 909900 ) on Monday February 15, 2016 @06:57PM (#51515427)
      Hospital IT are far less organized and far less competent on average than you would expect given the nature of the business they're charged with safeguarding. The regulatory environment also disincentivizes timely patching of security vulnerabilities within devices under the stricter regulatory classes. That is to say--in a simplified nutshell--anything involved in the treatment and/or diagnosis of patients.
      • No they don't. The reason that we don't patch as much as we should is crappy programming on the vendor's part. Half the systems crash at various patch levels. We can't use Firefox for much these days because it changes so much. We're stuck on three different versions of IE on different machinery. Sucks? Yep. Can it be prevented? Possibly - if you got to build a hospital from scratch. But there is so much tech thrown about in corners and in rooms that were never designed to work with each other an

        • by hawguy ( 1600213 )

          No they don't. The reason that we don't patch as much as we should is crappy programming on the vendor's part. Half the systems crash at various patch levels.

          Then stop buying the crap - the only reason vendors can get away with selling crap software is because hospitals are buying it. Someone has to step up and say "We're not buying unsupportable crap, either support your software through operating system upgrades, or we're not buying it".

          • That doesn't work well when you are in the medical field or controls field (like I am) or some other fields as well and have legacy systems in place. You don't have an unlimited number of vendors that can do what you are doing as well. Combine that with huge installed base and you can't simply migrate away.

            One of the biggest things I deal with is I have hardware that is running systems that go down once a year or once ever few years for maintenance. Some of the hardware is 40+ years old (we have an upgra

    • If they had PROPER backups, simply restoring would restore them to the same vulnerable state they were in just before the attack, and the attackers would immediately re-infect. Before restoring, they have to protect the system from being exploited again. They should try to determine how the original attack was carried out and fix that hole. Also, a too-strict intrusion prevention system at the firewall would be a good idea. They can whitelist as required.

      That assumes PROPER backups, but most people don'

    • Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.

      Speaking as somebody who has worked for far too long with this kind of issues: backups can be a help, but rarely if we're talking a complete wipeout of all systems. For that, you need to have prepared a disaster recovery plan, and if you have done it properly, you can be back in business in a matter of anything down to minutes, depending on how much you invested in this.

      But apart from that - we are talking about serious crime here. On one hand there is the obvious crime of endangering the lives of patients

    • by Krojack ( 575051 )

      What if the malware was in the systems for months just sitting dormant thus making the backups tainted as well.

  • Wait (Score:5, Funny)

    by symes ( 835608 ) on Monday February 15, 2016 @06:25PM (#51515161) Journal

    So wait until next week when that 9000 BTC is worth $1.50, but not until the week after when it will be worth three times that.

  • by beheaderaswp ( 549877 ) * on Monday February 15, 2016 @06:35PM (#51515269)

    I'd like to know who handles their IT?

    Contractor? Imports? If they cannot turn their computers on.... are they pulling the drive to access the data on clean airgapped computers?

    I'd bet they have a marginal IT staff and a bunch of managers. Would be typical.

    • by ark1 ( 873448 )
      In a hospital, Doctors are stars and everything else is a cost center. One exec after another will show up and squeeze those costs further and further.
    • Hospital IT is its own kind of hell. Between your normal IT concerns, HIPAA regulations, the fact that most systems aren't modernized, and doctors who are frequently overworked as it is without dealing with the latest IT boondoggle as well, and it makes for a very difficult environment. That they need a better IT organization I don't think is in doubt, but I don't think I could do any better at the job given the environment.

      • by guruevi ( 827432 )

        It actually isn't all that bad for most systems, the worst part of it is that hospitals always tend to 'buy' solutions from "vendors" (aka sales people) in the healthcare space and they manage to screw every single rule, contract and regulation up. HIPAA isn't actually all that bad, it's relatively easy to conform to and consists mainly of out of best practices, the problem is when the FDA gets involved and says you can't update your machine without another round of approval. At that point, you can see why

    • by mwvdlee ( 775178 )

      "Air gap"... is that the thing Wifi signals use to travel?

  • TFA didn't say what OS the hospital was using, or if it'd been kept properly updated. I hope, however, that they'll use this as an opportunity to either update all of the computers during the reinstall, or install a more recent version of whatever OS they're using. The same thing goes, of course, for any anti-virus/anti-malware software involved.
    • by Kjella ( 173770 )

      TFA didn't say what OS the hospital was using, or if it'd been kept properly updated. I hope, however, that they'll use this as an opportunity to either update all of the computers during the reinstall, or install a more recent version of whatever OS they're using. The same thing goes, of course, for any anti-virus/anti-malware software involved.

      Ahahahaha yeah right, it's not the actual upgrade that is the problem. It's all the medical equipment and niche software that won't work right - or at least isn't certified to work right - if you do that. And they certainly won't rush that process in a crisis. This will be a mad scramble to find and isolate the cause, clean the network and restore systems as best they can to exactly how they were.

    • by HiThere ( 15173 )

      You can be rather certain that the OS is MSWind, and not just MSWind, but multiple different versions of MSWind, with different machines demanding that only some particular version be used. By now they've probably replaced all the MSWind95 and MSWind98 machines, but don't bet they don't have some MSWindNT and MSWind2000 machines. They may even have some DOS machines (which likely aren't restricted to only MSDOS, but could be if they depend on particular RAM locations).

      IIUC when they buy an expensive machi

  • by Harlequin80 ( 1671040 ) on Monday February 15, 2016 @06:58PM (#51515431)

    They picked the wrong target. If you hit a small business it's easier to pay. If you hit a large business you pay because you don't want people to find out. You hit a hospital though and people could die and it is very very public.

    Right about now there will be a whole lot of resources targeted towards finding these people. They are fucked.

  • When english fails: "patients had had to come in in person for results".

    Could have just said: "patients had to come in person for results". ...and then we actually would have understood it without ten-times the brain power.

    • The latter expresses only obligatory mode and past tense, while the former also conveys perfect aspect, i.e. that the obligation was completed.

    • by mwvdlee ( 775178 )

      I agree that the original sentence is a bit messy to look at, but it is more correct than your alternative.
      Perhaps something like "Patients have had to come in for results in person" would have been nicer.

  • by sentiblue ( 3535839 ) on Monday February 15, 2016 @08:10PM (#51515949)
    IBM and Apple are partnering to create an entire new system for hospital management.

    It has an extremely protected back end and a very difficult to infect front-end: The iPad.

    I challenge hospitals in this country to do the switch... at least get in with a POC/Beta program.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Anything with IBM involved will be 10 times the price with a timeline to delivery sometime in 2099 if it ever works at all. I would warn any organisation about dealing with such a set of companies (and have done in the case of IBM).
  • Pay Attention IoT! (Score:5, Insightful)

    by Irate Engineer ( 2814313 ) on Monday February 15, 2016 @08:13PM (#51515973)
    Isn't health care practically the highest critical tier of the "Internet of Things"? We can't even motivate ourselves to properly secure medical data, literally life and death stuff, even after they get pwned like this. The folks on the IoT bandwagon actually want to hitch more of our daily technology to the Internet, things with even lower security motivation? Sorry, IoT is dumb beyond belief. We really need to be working on air-gapping and unplugging a lot of stuff from the Internet. Some things should never, ever get plugged into the Internet, convenience be damned. For other things, maybe they can be plugged in, if a rock solid security apparatus is in place and you still maintain the ability to recover from a breach, acknowledging that it can still happen.
    • Isn't health care practically the highest critical tier of the "Internet of Things"?

      Yes.

      We can't even motivate ourselves to properly secure medical data, literally life and death stuff, even after they get pwned like this. The folks on the IoT bandwagon actually want to hitch more of our daily technology to the Internet, things with even lower security motivation?

      Hey, you've seen it. If a person even dares to say that the Internet of things is a disaster waiting to happen, they are accused of being luddites, that they want those kids off their lawns, or just hateful of progress.

      This is a perfect example of Internet of things and it's inevitible problem. As well, how exactly did life critical systems get plugged into a non-life critical OS. and then put on teh same network that is soon to demand that we allow our computers to be a little more secure by using ad an

  • In Soviet Russia... (Score:4, Interesting)

    by Thor Ablestar ( 321949 ) on Monday February 15, 2016 @09:22PM (#51516379)

    I spent about 8 years to convince my boss to never use Windows in equipment control. The only places where Windows XP (not later) is allowed to be are the workstations of different secretaries and specialists which are too old to be retrained. So if some ransomware hits the damage is limited to the computers that are easily reinstalled from scratch.

    There is the place where the ransomware can still hit: It's the SAMBA server that has shares that the ransomware can encrypt, but it presumably has a proper backup.

    To do so we sometimes had to design and produce our own data collection equipment since the existing one is Windows-only.

    Sorry, I have no security clearance to name our preferred OS (not Linux) and a place in the Russian military-industrial complex where I work.

  • Here's hoping they have a rolling backup they can just nuke the entire system from orbit and perform a full restore, they'll be back up and flipping off the hackers in a matter of hours...

    Oh, wait, it made Slashdot. Must mean nobody had a backup plan.

    Fools.

    • Just the network side could take weeks to validate. How do you check firmware on workstations? How do you check all of the connected devices?

      It takes an insane amount of manpower, and logistically you might be better off just replacing everything.

      I think one of the problems is the medical equipment vendors, but they haven't been squeezed enough yet to make their systems secure....

  • Even if it is in FileSystemChecKing Harvard Business Review, October 2009, page 38.

    http://www.ganino.com/files/Harvard%20Business%20Review%20%282004%20to%202013%29/Harvard%20Business%20Review%202009/10.%20HBR%202009%20Oct.pdf

  • This is particularly thrilling to hear right after a binge watch of Battlestar Galactica (TRS)'s season 1-2. NO NETWORKING ALLOWED!
  • The way I look at this, the more the better.
    The more that important infrastructure gets compromised, the more the public will become aware of how fragile these systems are. We need more publicity like this. It will only be through things like this that will draw attention to how bad the security is for computer systems at places like hospitals, etc;
  • The number 9000 suspiciously reminds me of Anonymous.

    If it were me: Move all the patients out to another hospital, then nuke every system and peripheral that can possibly be infected, reload everything from backups or from scratch. Either get manufacturers to re-flash firmware, or smash them with a hammer (literally) and replace them. And yes, as others have suggested, if a single patient dies, then the hackers responsible get murder charges tacked on to the rest. If a single patient gets injured, even, th

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...