Why Are Hackers Increasingly Targeting the Healthcare Industry? (helpnetsecurity.com)
Slashdot reader Orome1 shares an article by Bitdefender's senior "e-threat analyst," warning about an increasing number of attacks on healthcare providers:
In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identity theft. This personal data often contains information regarding a patient's medical history, which could be used in targeted spear-phishing attacks...and hackers are able to access this data via network-connected medical devices, now standard in high-tech hospitals. This is opening up new possibilities for attackers to breach a hospital or a pharmaceutical company's perimeter defenses.
If a device is connected to the internet and left vulnerable to attack, an attacker could remotely connect to it and use it as a gateway for attacking network security... The majority of healthcare organizations have often been shown to fail basic security practices, such as disabling concurrent login to multiple devices, enforcing strong authentication and even isolating critical devices and medical-data-storing servers from a direct internet connection.
The article suggests the possibility of attackers tampering with the equipment that dispenses prescription medications, in which case "it is likely that future cyber-attacks could lead to the loss of human life."
of course (Score:5, Insightful)
Re:of course (Score:5, Insightful)
1: There's a lot of money in it.
2: The healthcare industry can't afford downtime or failures, so they pay up quickly.
3: Insurance covers a lot of it.
4: Generally poor security practices make it easier, on top of all that (typical of an industry that hasn't been targeted a lot in the past, their security is focused on other things, to the extent they have it).
So in summary, it's a relatively large/easy target, with lots of money, that can't afford downtime. The only surprising thing is that it took this long to become a target.
Re: (Score:3)
You know what they say - there are only two hard things in computer science: cache invalidation, naming things, and off by one errors.
Re: (Score:3)
Re: (Score:2)
And by three, I mean four. You know what they say - there are only two hard things in computer science: cache invalidation, naming things, and off by one errors. ;)
Did you use to work with these guys?
https://www.youtube.com/watch?v=oJZ2m6_T1wc [youtube.com]
Re: (Score:2)
"...Then thou must count to three. Three shall be the number of the counting and the number of the counting shall be three. Four shalt thou not count, neither shalt thou count two, excepting that thou then proceedeth to three. Five is right out. Once the number three, being the number of the counting, be reached..."
Re: (Score:2)
You have a few more things.
Integrated environment: nearly every system talks to the other. The Registration system talks to the Health Record System, which talks to the lab systems and back to the Health System and to the billing system... That is the simple work flow for an office visit. Normally your data is being passed to a dozen independent systems.
Healthcare typically is about 10 years behind the times in technology; there is a lot of old equipment out there that slows down the others, the tight integrati
Re: (Score:2)
An insight into that attitude was demonstrated a few years ago on Slashdot with the stories about the doctor who collected other people's linux kernel patches getting into an argument with Linus Torvalds.
Re: (Score:2)
> Generally poor security practices make it easier
This. Something people don't get about hospitals.... they LOVE IT. They are IT adopters, big time. You don't hear about the tech they adopt, because they are too busy adopting it to tell you about it. They have one fucking goal: Healthcare, and they aim to meet it.
When I worked in tech support for a hospital, I took tickets for desktop PCs sitting at bench that used to be used to solder core memory.
Security was never their concern until very very late. Th
Re: (Score:2)
Re: (Score:1)
HIPAA makes this easy--high liability. Relatively low skill=quick to pay off.
Why Are Hackers Targeting the Healthcare Industry? (Score:1)
Re: (Score:2)
Because the people in charge are idiots (Score:2, Troll)
It's as simple as that. Hospitals, like (or due to) governments, often go for the cheapest option where security is an afterthought. Once you are embedded with the cheapest vendor, you are locked in forever because the contract never demands open hardware or software, and thus once the install is done, the vendor disappears and the sub-par IT staff has no clue what to do to make anything work besides just opening the entire thing up.
If you go with a big-name vendor and actually contract support for a device w
Re: (Score:3)
It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital including associated doctor's offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure every hole is patched? Worse, from what I saw the IT head was at the whim of the other department heads as to what software and services they needed to offer.
Re: (Score:1)
It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital including associated doctor's offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure every hole is patched? Worse, from what I saw the IT head was at the whim of the other department heads as to what software and services they needed to offer.
This!
The real insidious problem here is that above those two techs in the hierarchy the decisions are being made by bean counters who have no technical competency. These organizations would do better to promote one of the 2 techs to being the designer or manager of the organization so that they can apply their experience to correcting and closing security holes, rather than the managerial raises being based on "I saved you x million dollars here so give me a raise!". If I had a nickel for every organization that I have worked for that was being run by someone with less than an associate's degree level of education in IT, I would have enough money to retire, twice!
MOD THIS UP!
In addition to this, I have noticed that techs in general are almost never promoted into management, despite the fact that they would be the absolute best qualified people to correct these problems. The management is usually someone with an MBA from some cheap college and no experience beyond that, or god forbid someone with only a high school diploma. This has to change unless they want these problems to continue forever.
Re: (Score:1)
Well no surprise that /. can't do so much as mod up the obvious answer to a simple problem. They have that in common with the people at the root of this problem in the industry, namely the hiring managers who keep NOT putting IT experts into management positions post haste in order to fix the gaping security holes in the medical industry! Seriously guys spend a mod point, mod this up and realize that the parent posters are right, we need IT experts in management who have a grasp of the problem and how to f
Re: (Score:1)
It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital including associated doctor's offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure every hole is patched? Worse, from what I saw the IT head was at the whim of the other department heads as to what software and services they needed to offer.
Most Companies for Medical Equipment should do that as well.
The security measures on most, even permanently connected stuff, was abysmal. I am not an expert on IT Security, but there were enough glaring holes that even I could easily see them.
Since a lot of this tech has become a common sight, security by obscurity won't work there as well as it did five years ago....
Most hospitals here have quite extensive IT staff, still close to none in management. The reason for that is real tough data protection laws and the poss
Re: (Score:2)
I was going to say "low hanging fruit."
There's a lot of easy targets in healthcare, in part because so many hospital IT departments are so f-ing paranoid that they lock down their networks to a point of near dysfunctionality, especially in places like operating rooms. So, device makers, not wanting to add to the security frustrations, tend to rely a bit on that network paranoia and keep their device security relatively simple - who wants to be sent out to a customer site to help work through a security iss
Re: (Score:2)
Once you are embedded with the cheapest vendor, you are locked in forever because the contract never demands open hardware or software and thus once the install is done, the vendor disappears and the sub-par it staff has no clue what to do to make anything work besides just opening the entire thing up.
That and they're buying equipment to be used for 10-20 years, and the computer systems of even 10 years ago were barely planned to be connected to a network, much less the internet.
Meanwhile, the computer systems connected and integrated into such devices are considered medical equipment, and certification was on the basis of 'as installed', i.e. no patches, no upgrades. It's only in the last few years that the FDA changed this so that in order to remain certified the computers need to be patched or kep
Seems pretty cut and dried, if you ask me (Score:3)
easy one (Score:3)
Because they're horrible human beings. Real shitstains who would throw a puppy off a bridge for a quarter. Many are probably bedwetters. All sociopaths. May they die horrible deaths and then be forgotten.
Re: (Score:2)
Re: (Score:1)
It is not much more horrible to attack the healthcare industry than any other.
Hackers aren't after human lives, it attracts too much attention and doesn't pay well.
They are after your bank account, and emptying your bank account from a hospital is not worse than emptying it from an e-commerce site.
The real evil here are all the people who legally exploit the system by overpricing essential drugs, equipment and services because the insurance will pay, insurance themselves for changing monster premiums for s
Re: (Score:2)
Sure it is. They're going after the bank accounts of sick people.
Re: (Score:2)
So just to be clear, it's less OK to steal from some people than others. Does that spectrum run all the way to it being actually OK to steal from some people?
If someone is healthy wealthy and strong enough, are others morally entitled to rip them off? If everyone ripped them off would they still be wealthy?
I was taught it's wrong to take things that don't belong to you and are not freely given.
Re: (Score:2)
Yes.
http://screenrant.com/wp-conte... [screenrant.com]
Seriously, though if you believe that stealing a loaf of bread to feed your family is the same as stealing the crutches of a crippled man, your parents taught you morals all wrong.
Re: (Score:2)
No, that isn't the same. The reason is not that the baker or grocery store owner is some rich guy, though. The issue is your need and own desperation. A lot of usual mores go out the window when your survival is at stake. It's not normally ethical to use violence against someone, but if you are forced to defend yourself from violence it certainly is; same thing.
So yes if you are stealing to prevent yourself and loved ones from starvation, fine you get some kind of a pass, providing you are only stealing what it tak
Re: (Score:2)
Hate to tell you this, but there isn't a single person named "hackers" here.
We're talking about many thousands of vastly different people with wildly different mindsets on any subject you can think of.
Sure, but I assumed we were talking about the usual "black hat" motivated by financial gain. And I think GP referred to them too "Real shitstains who would throw a puppy off a bridge for a quarter". I suppose that, for example, a hacker using exploits to reveal the wrongdoings of a hospital is not what GP had in mind.
About hackers killing people, we often hear stories about how they could kill but very few, if any, actual cases. So I assumed that in general, hackers aren't killers.
Re: (Score:1)
Re: (Score:3)
If prescription dispensing can be practically hacked, the possibilities are disturbing. Because they not only could kill people; they'd also know who they were killing, and could target specific people. Even high profile ones.
Re: (Score:3)
If prescription dispensing can be practically hacked, the possibilities are disturbing. Because they not only could kill people; they'd also know who they were killing, and could target specific people. Even high profile ones.
You bring a strong point here. I wonder if anyone will wake up to security concerns when cyber-attack turns into cyber-murder?
Even more of a disturbing thought; what happens when a life insurance company hires someone to "accidentally" send an overdose of medication to make a patient look like they've committed suicide to avoid a payout? (sadly, greed knows no bounds)
If these aren't enough reasons to take the damn hardware offline, I don't know what is. The answer certainly isn't cutting back on hospital
Re: (Score:2)
You space cadets are taking way too much meth. The usual Slashdot paranoia (which is one klick South of Area 51) is really pretty tame compared to this.
No, they're not trying to OD somebody on insulin to get their life insurance payout, they're trying to extort money from the hospital or steal patient financial and medical info to extort money from somebody else.
They want to make money, just like everybody else.
Re: (Score:2)
...They want to make money, just like everybody else.
Over time, your assumptions will find it harder and harder to identify "They".
Silly question (Score:2)
Why did Somali pirates attack international shipping?
Because it worked and shipping companies were paying their ransom. Likewise for hospitals. Hospitals are dumb enough to pay which makes them a target for more attacks.
I think this is about a third of it (Score:4, Insightful)
Two things missing from your summary. First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance. All of this data makes it simple to steal your identity, which ties into our second item.
Second item: Profit. In addition to using your prescription coverage for codeine, big ticket items are being charged to people because identity theft is so easy. Within the last month or so, two people were hit with tens of thousands of dollars in co-pay for major surgery, and another was hit with fees from a transplant. All of which were done to other people. A bit of investigation determined that the people bought insurance on the black market for their procedures. The better the insurance being stolen, the higher price it retrieves. Shame on the US for using a SSN for nearly everything.
Re: (Score:2, Informative)
Re: (Score:3)
Of all the sweeping changes made by ACA, this is not one of them
He didn't say ACA. Much of it was mandated by HIPAA, but it's really due to malpractice lawsuits. A healthcare provider needs to document everything and keep it essentially forever, including billing information in case they get charged with fraud.
Re: (Score:1)
First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance.
They've always done this. And it's always been available to the government. They might have needed a warrant, but it's available.
All of this data makes it simple to steal your identity, ... Within the last month or so, two people were hit with tens of thousands of dollars in co-pay for major surgery, and another was hit with fees from a transplant. All of which were done to other people.
Seems like an easy thing to get out of. Did I have a transplant? No? You billed the wrong person. Also seems like a very simple thing to track down the guilty party, especially with something like a transplant that requires specialized long term oversight and care. A last note, tens of thousands of copay for a single incident is pretty crappy insurance.
Liar (Score:2)
If you don't like the label don't perform the act.
Less than 20 years ago we had to hand carry files, lab results, and images from doctor to doctor. "Always" is complete horse shit, and as we have moved to everything being on-line crimes have increased due to opportunity.
The on-line convenience for some has impact to everyone. I'd be willing to bet you can see it if you just opened your eyes.
Re: (Score:1)
Take your meds.
Hand-carrying files doesn't mean the gov couldn't get their hands on the data, it reinforces that yes, they indeed could get data that was there to get. Very little is not subject to a court order. Medical records are not an exception.
Considering I have done work in the health-care industry, I'm well aware of what the online "convenience" means, and how shoddy current privacy protections are. And even then, I still have to go grab my paperwork from various locales to give to my new doc, so
Still a liar, take your own meds (Score:2)
Generally speaking the Government was prevented from accessing your health care data by law. It was not until the government mandated and regulated recent history that they had access to your data.
Exceptions were people in the Government system, such as Welfare/Veterans, etc... Many veterans avoided Government doctors for exactly that reason.
Instead of claiming someone else needs meds, evaluate your own lack of truth and desire to defend your lies.
Re: (Score:1)
You still don't get it. I think you're arguing an unstated semantic point here. If your statement is that the government now has easy, unfettered and full access to your medical history, that's a different statement, and one I'd respond to by saying that while they technically can have that level of access, in reality the access is fettered by a whole set of incompatible and crappy systems that only marginally talk to each other, at least in my experience.
That the gov has always been able to get access if there was a (le
Re: (Score:2)
My point is absolutely factual, you are arguing that recent trends of making everything digital and on-line data have "always" been the norm. Your view is factually incorrect on all accounts. It was not quite 2 decades ago that everything was in paper and film. Very little was digital in terms of patient data. I had a full reconstruction of my shoulder and had to hand carry MRIs, Xrays, and folders full of data between my Orthopedic Surgeon and the Hospital because it was illegal for them to make copies
s.petry the troll (best case scenario) (Score:1)
First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance.
They've always done this. And it's always been available to the government. They might have needed a warrant, but it's available.
Your reading comprehension leaves something to be desired, or there's something worse afoot with you. To make this absolutely clear, I stated the following:
They've always done this.
to clearly and, yes, pedantically state what that means, since your comprehension of said quotes above seems severely lacking this can be transformed into a plain fully qualified self-standing sentence:
I do not believe there's any question that they've done this for
Re: (Score:2)
Easiest question ever (Score:2)
Why the healthcare industry? Easy. There is lots of valuable information and money to be made by doing so and frankly the healthcare industry is a soft target if there ever was one. Their IT systems typically have security as an afterthought if they consider it at all. They don't tend to hire the best and brightest IT people and the results prove it. They are hamstrung by regulations that legally prohibit them from updating equipment for security reasons even when it needs it. The people that run medi
Re: (Score:2)
The healthcare systems are a flipping nightmare from an interoperability standpoint - so many things all trying to hang together in a single functional ecosystem, so little in the way of true standards (HL7, DICOM, yeah like saying you speak an "Eastern Language" something between Farsi and Mandarin.)
In those systems are records that literally are "worth money," so, yeah, low hanging fruit.
This is what we want (Score:2)
Put lots of data in one place, it becomes a target.
There seems to be a belief that by using e-records, it will save your life. In an emergency, your records are immediately available. Now you have conflicting goals. 1) Open access (even if you are unconscious) for medical professionals everywhere all the time and 2) locked-down, secure systems.
What we get is a system where medical professionals can't get access to your records when they do need them. The quality of record keeping drops significantly becau
Re: (Score:3)
Re: (Score:2)
Agree with you 100%.
Re: (Score:2)
And about thirty minutes after you started that, you would put that email address in your spam folder. You'd get more hits than a Slashdot article on Hillary Clinton. We are constantly opening your file - doing financial audits, doing pharmacy audits, checking for overdue records, checking to see if you are overdue for an appointment, checking the status of an insurance claim (twenty times a day), counting the number of diabetics, counting the number of people who need tetanus shots.
All manner of reports all
Re: (Score:2)
doing financial audits, doing pharmacy audits, checking for overdue records, checking to see if you are overdue for an appointment, checking the status of an insurance claim (twenty times a day), counting the number of diabetics, counting the number of people who need tetanus shots.
You shouldn't have to access my personal medical records for that, I'm not talking about generic hospital administration stuff. In fact over here you're not even allowed to access medical records for any of those reasons, the best you get is anonymized aggregated data. Hospitals do keep a lot of additional data in order to keep their books in order, but even so that information is still classed extremely sensitive, and they're not about to open up that data to other parties like insurance companies (thoug
Re: (Score:2)
I have a friend who works in IT in a hospital system, managing the middleware that translates between hospital systems. He says it's really heavily audited, and even the middleware troubleshooting system where you can pull HL7 records out of the queue to figure out why they're not working is audited.
Pulling records at random without audit information being logged, while not technically impossible for him, is very difficult and basically impossible for anyone not operating at the IT level. Even then he says
Because of the slope of the tradeoffs (Score:2)
Because of the slope of the tradeoffs.
Security is always a tension between making the data safe vs. making it usable.
In the case of health care, if the data isn't usable: people die.
So in any situation where a human may route around security so that someone doesn't die: they do so. It leaves the system riddled with security holes, but on whole: functional for the intended purpose of keeping people alive.
Keeping the data useful is also why these companies are fairly quick to pay the ransoms, and (I'd like t
Re: (Score:2)
You ever try to tell a DOCTOR to do anything ? (Score:3)
Good luck getting them to comply with security policy or keeping any policy in place that one objects to.
Re: (Score:2)
Good luck getting them to comply with security policy or keeping any policy in place that one objects to.
Oh, they don't want to listen? Fine.
Tell them their liability insurance is going to go up by 20% every year until they do fucking listen.
Only way ANYONE listens is when you speak directly to their wallet.
Re: (Score:2)
Good luck getting them to comply with security policy or keeping any policy in place that one objects to.
Oh, they don't want to listen? Fine.
Tell them their liability insurance is going to go up by 20% every year until they do fucking listen.
Only way ANYONE listens is when you speak directly to their wallet.
And they will just pass that on.
Don't like the paying the price? Feel free to get worse / die while price shopping then.
The stick is not the answer here. Systems engineering needs to step up and accommodate them in this case
Re: (Score:2)
Good for you. It's always nice to meet a good apple in a barrel of bad ones.
You would not believe
1 how many open WiFi access points there are in doctors offices.
2 how many workstations without default logins/ username only
3 how often file attachments to emails are opened.
4 in your own field of radiology how often insecure methods are demanded for image viewing.
Yes it does happen often and there is little IT people can do about it because it looks like a good gamble.
Time is money and the risky practices are o
Re: (Score:2)
Oh, and IT asleep in a bed late at night? Check the timestamps. There's lots of nasty stereotypes that are applicable to I.T., but having regular hours isn't one of them.
Re: (Score:2)
Fantastic! That's great news that the IT folks are available when I'm taking care of patients. What words would you use to describe the 2 pager system I have to use to reach them, with zero standards for turnaround time or actual assistance? And you can keep the ticket number to yourself - trying to read me a 20 character code confuses my job for yours.
Well, I am laughing, and I'll tell you: either get better IT staff or pay the ones you have enough to be on call 24/7.
P.S. You're a radiologist. When the fuck do you take care of patients? You're writing up opinions on MRIs and X-rays.
Health care people just don't care (Score:4, Informative)
I've worked a bit with the health industry (not as a career, thank god, that would be soul crushing), and outside of government health care has the worst IT and worst security I've ever seen. Because they just don't care unless it impacts their bottom line.
All those health apps that doctors and nurses use, and all those devices? Yeah, they have terrible security because the hospitals don't make it a priority and they just don't care either. Class C medical devices that are PCs running Windows XP with active USB ports? You bet.
Your online records? Those are handled by outsourced people running cobbled-together Ruby scripts that take 30 hours to process 24 hours' worth of data in plaintext CSV (I use that because I've seen it) - they certainly don't care about security. Your insurance company? They certainly don't give a damn whether you live or die as long as they're raking in the cash.
All they care about is preserving the appearance of not violating HIPAA because that might cause them some grief.
Re: (Score:2)
Simple (Score:2)
It's a soft target with lots of interesting information.
Why Are Hackers Increasingly Targeting.... (Score:2)
Why are hackers targeting the healthcare industry? (Score:2)
Because they're used to viruses and infections?
Re: (Score:2)
Only if they got paid enough money by the drug companies.
The answer is simple (Score:1)
Because it is trivially easy to break into the medical industry systems while their IT security is being designed by MBA managers with impotent and clueless security policies. Anyone here ever tried to apply for one of these management positions? Anyone here ever worked in the medical industry's IT division and realized that it was a dead end job if you are an IT worker? You are never going to get into the management there because they don't promote people from IT into management positions. It does not take
The answer is quite obvious (Score:1)
The fact that you don't know how many medical bills you'll get, from whom, or what the total will be creates huge opportunities for fraudulent medical billing. You find out when someone was in a hospital and for what, then send them a fake bill for a couple grand for (insert bullshit reason here). Then harass the living shit out of them until they agree to settle for half of what you originally asked for.
Medical Data Hacking a Myth (Score:1)
This problem has to be a myth.
Each time I enter the healthcare industry, I have to fill out the same "wonderful" multi-page form by including basic personal information and health history therein.
So what data is being hacked?
Yes, I'm being facetious, if that fails to go without saying.
Re: (Score:1)
... Each time I enter the healthcare industry, I have to fill out the same "wonderful" multi-page form by including basic personal information and health history therein.
So what data is being hacked? ...
They have your data, they just want to see if you are the same person and if you can remember it. It's a test! 8-P
Not their business (Score:1)
The doctors and other personnel consider "data should be free", for their work, and security is not in their area of expertise. They consider patients first, which is good, but they don't believe that the patients also need the security. It is in the way, so they push it aside and forget it.
It is basically a lack of training in the medical colleges.
Why? Seems obvious (Score:1)
I have to wonder if this is simply a LEO phishing attempt. I'd think we'd all know why they're doing it. They've told us, according to the articles I've read. It's a punch in the nose to bloody it so they'll actually do their jobs. You know, actually patch machines, keep software up to date, things like that. A number of hospitals, their version of Windows is real old, not updated, easy pickins. One article said they even told the hospital many times over three years about it. Didn't move them at all. Ok,