Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack (softpedia.com) 212
An anonymous reader writes: The Hollywood Presbyterian Medical Center has been hit by a cyber-attack and its systems are now being held hostage by hackers that are demanding a ransom of 9,000 Bitcoin, which is about $3.6 million (€3.2 million) in today's currency. Management has forbidden staff to turn on their computers, fearing the attack might spread, and the Radiation and Oncology departments have been completely shut down because they can't use their equipment. The staff were also forced to use fax machines rather than email, and to write down patient data on paper; patients had had to come in in person for results.
Restore from backup (Score:5, Insightful)
Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.
Re:Restore from backup (Score:5, Insightful)
If you get re-infected within moments by other infected machines, the backups don't help much. I've seen a partner infested this way, and it was horrible.
Re: (Score:2)
That's why you make sure you have an up-to-date image and use an OS that doesn't default to open.
Re: (Score:2)
That's great, if you've been permitted the resources to set up PXE boot and keep track of assets to install the images only where you have licenses. Unfortunately, getting all the doctors' laptops and home machines that come in via VPN connections updated can be a nightmare. And if the patch isn't already in the image, you can be re-infected within minutes after re-activation. I'm not trying to say that it's an insoluble problem: Isolating such an infected network and setting up "DMZ's" or "demilitarized
Re:Restore from backup (Score:5, Insightful)
Yes. It is. Starting with a copy of "dban", downloaded on a Linux laptop in a local coffee house and applied to our disks, or using a simple live Debian or CentOS or even OpenBSD DVD image, can be a start. But getting anything _alive_ that can handle patient data, however, can be pretty iffy. Windows machines can be re-infected in the process of re-installation in an infested local environment. Dealing with several hundred such systems that handle doctors' schedules, patients' care plans, or handle prescriptions and billing and correspondence and mortgages and health insurance records is an absolute nightmare.
Can you burn your own home to the ground and rebuild from scratch? Certainly. Can you do this with a hospital without killing anyone who has regularly scheduled kidney medicine, who is scheduled for surgery on Tuesday, or who needs immunization records or simply needs allergy records before transferring schools? That is a nightmare.
DBAN (Score:2)
http://www.dban.org/ [dban.org] shows it's outdated and they have a commercial product now? :(
Re: (Score:2)
It is real easy to clean a machine and get it going; it takes a little time but is no problem as long as the BIOS is intact. The problem is the network must be shut down and all computers taken off. Then the servers are redone and once they are up and tested they go back on the network. Each computer is checked, rebuilt if necessary and put on the network. Do it in hours, if you have the bodies to do it (one skilled person per computer device on the network); fewer people, more hours, days or even weeks of d
Re: (Score:2)
Why in hell is a printer sitting on the end of an ethernet jack somewhere in any position to compromise anything?
Re: (Score:2)
Now my opinion about the hackers: They should go steal shit from somewhere else like the bank where there's lots of money. Disrupting a hospital can lead to patient deaths... and when these hackers get caught, they should ALL get death sentences regardless if there has been any patient fatalities.
Re:Restore from backup (Score:5, Insightful)
... when these hackers get caught, they should ALL get death sentences regardless if there has been any patient fatalities.
This was an ill-conceived attack on the hackers' part.
If any patient dies in connection with this attack, then it puts murder charges on the table. And the thing about murder is that there's no statute of limitations. Thus, these guys will be looking over their shoulders for the rest of their lives.
All for MAYBE $3.6 million in Bitcoin.
Re: (Score:2)
Even more so, it's probably easier to get inter-department cooperation and if necessary extradition for murder.
Re: (Score:2)
And, of course, one could argue that hacking into a hospital and endangering lives/causing death could fall under the purview of people who investigate terrorism.
And then it becomes something entirely different in terms of the scope of who is coming after you.
Re: (Score:3, Insightful)
"If any patient dies in connection with this attack, then it puts murder charges on the table. And the thing about murder is that there's no statute of limitations. Thus, these guys will be looking over their shoulders for the rest of their lives."
I've said it before: If the NSA is as good at mass surveillance as is being claimed, why aren't we seeing them finding ransomware purveyors and strangling them with their own intestines? It would give them the positive publicity they have been waiting for.
Re: (Score:2)
As I said, why in hell is a printer in a position to be used as a jumping-off board into anything? A printer needs to talk to a well-defined set of hosts, and only those hosts, generally the print/scan servers and not much else.
Re: (Score:2)
I'm pretty sure the 'printer toner' reference was in spilling it, not that a toner cartridge was infecting the network. Toner is the office equivalent of glitter.
Re: (Score:3)
I keep telling you people. Trying to make an analogy without using automobiles as a reference point is like trying to fry a fish with a tape recorder.
Re: (Score:2)
Trying to make an analogy without using automobiles as a reference point is like trying to fry a fish with a tape recorder.
It's not hard to do if your aquarium is full of betas.
Re: (Score:2)
Nah, I was specific: replace the printers to be safe. A printer should not be in a position to compromise anything. All it needs is inbound sessions from a print server. That's a very small exposure window for some sort of exploit.
Re: (Score:2)
Again, I don't think the original post was about the printer being an infection point.
Re: (Score:2)
Are you willing to spend a couple hundred bucks per printer plus the man-hours to firewall it off and maintain access lists? Even if you are, any competent business manager would decline that request. Some risks should be accepted after costs and benefits have been weighed. The unlucky ones make the news but the other 99.9% stay within budget.
Just supplying a port to the printer costs more than that in any big company, so yeah, spend a few bucks to put it on its own isolated VLAN that only the print servers can talk to. No modern IT department should let their printers on the same subnet as their office computers because there are tons of vulnerabilities in them. We're a pretty small shop (~100 users) and our printers are on their own VLAN because it only took us 10 minutes to do so.
Re: (Score:2)
DICOM printers for digital X-ray images need a lot of code for the network protocols and actual printing. I've seen some older models which contain a PC inside running Windows NT with software to convert between DICOM on the outside and the actual printer's native interface. Of course, that machine is on the network, because all the X-ray machines need to print X-rays.
Re: (Score:2)
Yes, it's on the network, but a network should not be a flat thing security-wise. Modern gear (OK, anything enterprise-grade made in the last decade) is perfectly capable of basic ACLs at the port level, VLANs, etc. Modern network security is more than capable of configuring all those layers in an automated fashion. Being on the network and only being able to talk to the X-ray machines via some specific ports is not much of a risk.
Re: (Score:2)
Because of IT budgets
Re: (Score:2)
Pretty sad that HIPAA has fewer security requirements and less teeth than PCI.
Re:Restore from backup (Score:5, Insightful)
If you don't have the list of software keys, or the licenses, to reinstall from scratch, and if you don't have the staff with the tools to re-image systems swiftly, rebuilding the systems from scratch is a herculean job and you *will* lose vital patient data. If you don't have the tools, the systems *will* get re-infected while you're reinstalling them. Been there, done that; it's why I never run the basic backup systems on Windows.
Re: (Score:2)
If you don't have the list of software keys, or the licenses, to reinstall from scratch, and if you don't have the staff with the tools to re-image systems swiftly, rebuilding the systems from scratch is a herculean job and you *will* lose vital patient data. If you don't have the tools, the systems *will* get re-infected while you're reinstalling them. Been there, done that; it's why I never run the basic backup systems on Windows.
It's not really a backup if it can't be used to restore what needs to be restored. I should hope that a hospital is not relying on the basic backup systems of Windows. Data Protection Manager is a bear to set up and configure, but once it's running, they should be able to do bare-metal restores without losing anything. The only thing more expensive than an enterprise backup system is not having backups when you need them.
And even if they do lose vital patient data in the restore, they've *already* lost vit
Re:Restore from backup (Score:5, Insightful)
I lost data once and only once. Well, a significant amount of data. I've had crashes with not-yet-saved documents that took out trivial amounts but that doesn't even happen any more. You're not only correct, you're spot on.
One other thing to add: without verifying your backup, you have no backup at all. That includes a restoration strategy; that's part of the verification process. That includes having the ability to put a fresh system up, while the system is down, and have it isolated, with access to tools for recovery (such as updated patches).
My loss of data was infuriating and bizarre. I've been very anal about keeping backups ever since. To this day, even for my personal data, I keep regular updates at disparate locations and provision the same services for my friends. It's all fairly automated at this point but I still test the recovery often enough to know that I shouldn't ever lose any valuable data ever again.
Hardware, software, and bandwidth are cheap. They're cheap enough to be considered ubiquitous and there's no excuse for me to not do this. It is not expensive and doesn't even require physically moving the data on a regular basis. With a little bit of initiative, you can even automate a good portion of it. (I've not really found a good way to do the verification completely automatically from within the OS. I've not yet found one that I can really be certain of so I do verifications on my own.)
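The comment above makes the point that an unverified backup is no backup. As an added example (not from the thread or any poster), here is the kind of check it describes: a SHA-256 manifest taken at backup time and kept off the backup volume, then compared against a restore into an isolated scratch directory, so files that were altered, went missing, or were renamed with a new extension (the trace a file-encrypting ransomware leaves) surface before the restore is relied on. All file names and contents are constructed for the demo.

```python
"""Backup manifest creation and offline restore verification (added example)."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup members fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root.

    Written at backup time and stored outside the backup volume (for
    example on a snapshot the backup host cannot write to), so later
    tampering with the backup shows up as a hash mismatch.
    """
    manifest: dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    present = {
        p.relative_to(restored).as_posix(): p
        for p in restored.rglob("*") if p.is_file()
    }
    missing = sorted(set(manifest) - set(present))        # gone or renamed away
    unexpected = sorted(set(present) - set(manifest))     # e.g. new ".locked" names
    modified = sorted(                                    # content no longer matches
        rel for rel in set(manifest) & set(present)
        if sha256_file(present[rel]) != manifest[rel]
    )
    return {
        "ok": not (missing or unexpected or modified),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: one clean restore, and one where the backup copy
    was hit by a ransomware-style change (file rewritten, file renamed)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "backup")
        (source / "records").mkdir(parents=True)
        (source / "records" / "patient_001.txt").write_text("allergy: penicillin\n")
        (source / "schedule.csv").write_text("tue,surgery,room 4\n")
        (source / "billing.txt").write_text("invoice 42\n")
        manifest_json = json.dumps(build_manifest(source))  # stored off-volume

        clean = Path(tmp, "restore_clean")
        shutil.copytree(source, clean)
        clean_result = verify_restore(json.loads(manifest_json), clean)

        tainted = Path(tmp, "restore_tainted")
        shutil.copytree(source, tainted)
        (tainted / "records" / "patient_001.txt").write_text("GARBAGE")
        (tainted / "billing.txt").rename(tainted / "billing.txt.locked")
        tainted_result = verify_restore(json.loads(manifest_json), tainted)

    return {"clean": clean_result, "tainted": tainted_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same `verify_restore` step belongs in a scheduled restore drill, since a manifest only proves anything when it is checked against an actual restore.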
Re: (Score:3, Insightful)
Most likely ransomware (which can be very pervasive) that has spread to hospital equipment that was never secured or backed up; no-one thinks to back up data on a pain pump or a smart bed, but all have software, so theoretically they can be infected or at least be a hiding place.
Backups may not be enough; they might have to do a full wipe of everything connected. While the patient files should be OK, so much will be lost because no-one thought it would happen. (assuming they have a good backup system, or have practiced an eme
Re: (Score:2)
Most likely ransomware (which can be very pervasive) that has spread to hospital equipment that was never secured or backed up; no-one thinks to back up data on a pain pump or a smart bed, but all have software, so theoretically they can be infected or at least be a hiding place.
Freaky. Just yesterday, I wrote a hypothetical bit about hackers breaking and entering an insulin pump and demanding bitcoin for not having it over-pump, sending a person into insulin shock and killing the patient. While it was reviled then, little did I know my only error was in magnitude. I wrote of one person; here the bastards pulled their stunt on an entire hospital.
I dunno - it seems like the exact reason the internet of things is a disaster waiting to happen. Oh wait... it has happened
Re: (Score:2)
No they don't. The reason that we don't patch as much as we should is crappy programming on the vendor's part. Half the systems crash at various patch levels. We can't use Firefox for much these days because it changes so much. We're stuck on three different versions of IE on different machinery. Sucks? Yep. Can it be prevented? Possibly, if you got to build a hospital from scratch. But there is so much tech thrown about in corners and in rooms that were never designed to work with each other an
Re: (Score:2)
No they don't. The reason that we don't patch as much as we should is crappy programming on the vendor's part. Half the systems crash at various patch levels.
Then stop buying the crap - the only reason vendors can get away with selling crap software is because hospitals are buying it. Someone has to step up and say "We're not buying unsupportable crap, either support your software through operating system upgrades, or we're not buying it".
Re: (Score:2)
That doesn't work well when you are in the medical field or controls field (like I am) or some other fields as well and have legacy systems in place. You don't have an unlimited number of vendors that can do what you are doing as well. Combine that with huge installed base and you can't simply migrate away.
One of the biggest things I deal with is I have hardware that is running systems that go down once a year or once every few years for maintenance. Some of the hardware is 40+ years old (we have an upgra
restore vulnerability. Also, proper, tested, incre (Score:2)
If they had PROPER backups, simply restoring would restore them to the same vulnerable state they were in just before the attack, and the attackers would immediately re-infect. Before restoring, they have to protect the system from being exploited again. They should try to determine how the original attack was carried out and fix that hole. Also, a too-strict intrusion prevention system at the firewall would be a good idea. They can whitelist as required.
That assumes PROPER backups, but most people don'
Re: (Score:2)
Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.
Speaking as somebody who has worked for far too long with these kinds of issues: backups can be a help, but rarely if we're talking a complete wipeout of all systems. For that, you need to have prepared a disaster recovery plan, and if you have done it properly, you can be back in business in a matter of anything down to minutes, depending on how much you invested in this.
But apart from that - we are talking about serious crime here. On one hand there is the obvious crime of endangering the lives of patients
Re: (Score:2)
What if the malware was in the systems for months just sitting dormant thus making the backups tainted as well.
Re: (Score:2)
Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.
You also have to consider that it's not just workstations that are infected. A server is often just as easily infected once the ransomware is in the domain.
If this reaches the database, and ends up encrypting database files, you could very well be hooped. It's not easy restoring a database at a hospital, when all your backups are connected to the same system that is infected, and thus potentially vulnerable and/or infected already.
Why is restoring a database backup any harder at a hospital compared to any other site? I can restore my SQL Server and Oracle DBs to any point in time from 6 months ago to 6 seconds ago. I can also restore from up to 3 years back, but older backups are meant as point-in-time snapshots and aren't guaranteed to have transaction log chains to bring them up to the current date. Those backups are stored on a mix of on-prem storage (with NAS-enforced snapshots that malware can't touch unless it hacks the NAS),
Wait (Score:5, Funny)
So wait until next week when that 9000 BTC is worth $1.50, but not until the week after when it will be worth three times that.
Re: (Score:2)
Find me the last time 9000 BTC was worth $1.50.
Re: (Score:2)
Wish someone would take me back to the time even 1 BTC was $1.50.
Re: (Score:2)
Beginning of July 2010.
Who handles their IT? (Score:5, Informative)
I'd like to know who handles their IT?
Contractor? Imports? If they cannot turn their computers on.... are they pulling the drive to access the data on clean airgapped computers?
I'd bet they have a marginal IT staff and a bunch of managers. Would be typical.
Re: (Score:2)
Hospital IT is its own kind of hell. Between your normal IT concerns, HIPAA regulations, the fact that most systems aren't modernized, and doctors who are frequently overworked as it is without dealing with the latest IT boondoggle as well, it makes for a very difficult environment. That they need a better IT organization I don't think is in doubt, but I don't think I could do any better at the job given the environment.
Re: (Score:2)
It actually isn't all that bad for most systems; the worst part of it is that hospitals always tend to 'buy' solutions from "vendors" (aka sales people) in the healthcare space and they manage to screw every single rule, contract and regulation up. HIPAA isn't actually all that bad, it's relatively easy to conform to and consists mainly of best practices; the problem is when the FDA gets involved and says you can't update your machine without another round of approval. At that point, you can see why
Re: (Score:2)
"Air gap"... is that the thing Wifi signals use to travel?
Upgrading (Score:2)
Re: (Score:2)
TFA didn't say what OS the hospital was using, or if it'd been kept properly updated. I hope, however, that they'll use this as an opportunity to either update all of the computers during the reinstall, or install a more recent version of whatever OS they're using. The same thing goes, of course, for any anti-virus/anti-malware software involved.
Ahahahaha yeah right, it's not the actual upgrade that is the problem. It's all the medical equipment and niche software that won't work right - or at least isn't certified to work right - if you do that. And they certainly won't rush that process in a crisis. This will be a mad scramble to find and isolate the cause, clean the network and restore systems as best they can to exactly how they were.
Re: (Score:2)
You can be rather certain that the OS is MSWind, and not just MSWind, but multiple different versions of MSWind, with different machines demanding that only some particular version be used. By now they've probably replaced all the MSWind95 and MSWind98 machines, but don't bet they don't have some MSWindNT and MSWind2000 machines. They may even have some DOS machines (which likely aren't restricted to only MSDOS, but could be if they depend on particular RAM locations).
IIUC when they buy an expensive machi
The criminals just made a huge mistake (Score:5, Insightful)
They picked the wrong target. If you hit a small business it's easier to pay. If you hit a large business you pay because you don't want people to find out. You hit a hospital though and people could die and it is very very public.
Right about now there will be a whole lot of resources targeted towards finding these people. They are fucked.
Re: (Score:2)
One may hope so. I'm not sure how that would work, though, if they are attacking from, say, Somalia.
Re: (Score:2)
If that is where they are. But I suspect they are probably somewhere more developed than that and somewhere that the US can exert a fair bit of pressure. It is unlikely to be a state sponsored attack so they won't be getting any support in hiding.
Totally off-topic, english people (Score:2)
When english fails: "patients had had to come in in person for results".
Could have just said: "patients had to come in person for results". ...and then we actually would have understood it without ten-times the brain power.
Re: (Score:2)
The latter expresses only obligatory mode and past tense, while the former also conveys perfect aspect, i.e. that the obligation was completed.
Re: (Score:2)
I agree that the original sentence is a bit messy to look at, but it is more correct than your alternative.
Perhaps something like "Patients have had to come in for results in person" would have been nicer.
Re: (Score:2)
How about: "patients had to come in".
Re: (Score:2)
It does not communicate the same information.
In fact, that sentence implies an entirely different meaning; as if all patients had to come in, not just if they wanted to obtain results.
Re: (Score:2)
It doesn't specify "all". You inferred that for no reason.
Replace systems entirely (Score:4, Interesting)
It has an extremely protected back end and a very difficult to infect front-end: The iPad.
I challenge hospitals in this country to do the switch... at least get in with a POC/Beta program.
Pay Attention IoT! (Score:5, Insightful)
Re: (Score:2)
Isn't health care practically the highest critical tier of the "Internet of Things"?
Yes.
We can't even motivate ourselves to properly secure medical data, literally life and death stuff, even after they get pwned like this. The folks on the IoT bandwagon actually want to hitch more of our daily technology to the Internet, things with even lower security motivation?
Hey, you've seen it. If a person even dares to say that the Internet of things is a disaster waiting to happen, they are accused of being luddites, that they want those kids off their lawns, or just hateful of progress.
This is a perfect example of the Internet of things and its inevitable problem. As well, how exactly did life-critical systems get plugged into a non-life-critical OS, and then put on the same network that is soon to demand that we allow our computers to be a little more secure by using ad an
In Soviet Russia... (Score:4, Interesting)
I spent about 8 years convincing my boss to never use Windows in equipment control. The only places where Windows XP (not later) is allowed to be are the workstations of different secretaries and specialists who are too old to be retrained. So if some ransomware hits, the damage is limited to the computers that are easily reinstalled from scratch.
There is one place where the ransomware can still hit: it's the SAMBA server that has shares that the ransomware can encrypt, but it presumably has a proper backup.
To do so we sometimes had to design and produce our own data collection equipment since the existing one is Windows-only.
Sorry, I have no security clearance to name our preferred OS (not Linux) and a place in the Russian military-industrial complex where I work.
terrible news (Score:2)
Here's hoping they have a rolling backup, so they can just nuke the entire system from orbit and perform a full restore; they'll be back up and flipping off the hackers in a matter of hours...
Oh, wait, it made Slashdot. Must mean nobody had a backup plan.
Fools.
Re: (Score:2)
Just the network side could take weeks to validate. How do you check firmware on workstations? How do you check all of the connected devices?
It takes an insane amount of manpower, and logistically you might be better off just replacing everything.
I think one of the problems is the medical equipment vendors, but they haven't been squeezed enough yet to make their systems secure....
Managers will never learn... (Score:2)
Even if it is in FileSystemChecKing Harvard Business Review, October 2009, page 38.
http://www.ganino.com/files/Harvard%20Business%20Review%20%282004%20to%202013%29/Harvard%20Business%20Review%202009/10.%20HBR%202009%20Oct.pdf
Silver lining? (Score:2)
The more that important infrastructure gets compromised, the more the public will become aware of how fragile these systems are. We need more publicity like this. It will only be through things like this that attention is drawn to how bad the security is for computer systems at places like hospitals, etc.
9000... or 9001? (Score:2)
If it were me: Move all the patients out to another hospital, then nuke every system and peripheral that can possibly be infected, reload everything from backups or from scratch. Either get manufacturers to re-flash firmware, or smash them with a hammer (literally) and replace them. And yes, as others have suggested, if a single patient dies, then the hackers responsible get murder charges tacked on to the rest. If a single patient gets injured, even, th
Re:Sorry (Score:5, Insightful)
Interesting point, but you do realise that to the rest of the world, America is the "1%"?
Re: (Score:2)
Not to be a mathhole or anything, but we have 300 million people. Out of 7 billion, that's well over 4%.
Re: (Score:2)
Hence the quotes :)
You are right though, but it is easy for the rest of the world to look at America and see not the poor and unemployed, but the rich and upper-classes.
Re: (Score:2)
Don't worry, it's a hospital for the 1%'ers. Eat the rich!
I've been on /. for quite a few years, and can't recall a more asinine comment than this. Congratulations jackass.
Re: (Score:2, Interesting)
"These guys are super assholes for putting patient lives in danger for a few bucks."
In fact yes.
How did that hospital's management dare to have their IT forgotten, without proper budget, training, auditing and support for their staff, putting patient lives in danger that way just to save a few bucks?
Re: (Score:2)
When you need to replace a $Million machine because the system you have only works with XP, you have a very difficult starting point. When doctors demand remote access to these systems, things get nearly impossible very quickly.
You really need a system designed from the ground up around security rather than Medicare billing codes.
Re: (Score:2)
"When you need to replace a $Million machine because the system you have only works with XP"
Yes, that's what happens: incompetence accumulates over time.
"You really need a system designed from the ground up around security rather than Medicare billing codes."
But that's not true either: systems need to be designed around their required function. It's only that their security levels are also part of their required function, not an afterthought.
But, as one of the first posters already said, why should you tak
Re: (Score:2)
It's impossible to build an unhackable IT system.
Especially so for any even remotely sane budget.
Re: (Score:2)
"It's impossible to build an unhackable IT system.
Especially so for any even remotely sane budget"
Maybe that's right, but that's a tad far from "so, why even try?"
In this case, how many of these computers need to offer services to the network? I bet barely any. But then, how is it that they are afraid to turn off their computers, even if they are, gasp!, older versions of Microsoft products that any sane mind would have banned in that environment to start with? Because incompetence.
Oh, but the doctors!
Re: (Score:2)
Why do you assume they don't even try?
Re: (Score:2)
"Why do you assume they don't even try?"
Because I'm a nice guy.
The alternative is that they failed miserably showing utter incompetence against what seems not much more than a bunch of script kiddies with some internal knowledge.
Re: (Score:3)
Why is it that the victims of an attack take all the blame for an attack such as this one?
If you're just walking along, minding your own business and get attacked by surprise, your attacker takes all the blame.
If you're a military sentry walking your patrol and get attacked by surprise, you are to blame, because alertness is your entire job.
If you operate key infrastructure, you're somewhere in between these cases, and some blame attaches to you if you're successfully attacked.
Re: (Score:2)
"Why is it that the victims of an attack take all the blame for an attack such as this one?"
In two words: Due Diligence
"You have absolutely no proof that the IT budget or the IT department in general were the cause of this problem."
Yes, I do: "Management has forbidden staff to turn on their computers, fearing the attack might spread"
No ability to segregate their networks by security/functional realms, no ability to bootstrap their systems in case of catastrophic or widespread failure, no clear disaster reco
Re: (Score:2)
They're also routinely employed in the legal field. Documents sent to the ICJ or the ICJ at The Hague or the ECHR are REQUIRED to be sent by Fax.
It's only recently (the last six years) that the RCJ in London has been accepting documents by email attachment (pretty much since my first visit as an Advocate, where I produced a netbook with the entire casefile on it and after much discussion with the Judge, got him round to the idea that a scanned bitmap compiled into a PDF was pretty much identical to a scanne
Linux (Score:2)
Just use Linux :)
Re: (Score:2)
Good one. Fancy retraining several thousand medical staff?
Re: (Score:2)
While it would be better to have everything rebuilt on a better OS, I don't think it's the main culprit. If Linux had been the predominant OS in the last 30 years, criminals would be attacking it now.
And no matter how secure an OS can be, I bet this is people's fault: someone opened a malicious attachment, or downloaded some malware while looking for movies or music on some too-good-to-be-true streaming sites.
Society is losing control of computers... I think we need severe education and policies, besides patches.
Re: (Score:2)
Who? The execs who cut IT budgets?
Re: (Score:3)
Incompetent people should get fired.
Malicious people should get an entire firing squad.
Re: (Score:2)
Incompetent people should get fired.
I suspect you didn't really mean it that way. Competent people weren't always. People don't come out of the box competent. Now, if they've had sufficient time and training, and failed to become so, then fire their asses.
As for "Malicious people should get an entire firing squad.", I'd be happy to pull the trigger on these asshats.