Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Medicine The Almighty Buck United States IT Technology

New Jersey's Largest Hospital System Pays Up In Ransomware Attack 34

New Jersey's largest hospital system said that it has paid hackers a ransom after a ransomware attack disrupted its services earlier this month. Threatpost reports: Hackensack Meridian Health, a $6 billion non-profit health provider system based in Edison, N.J., operates 17 hospitals, nursing homes and outpatient centers, as well as psychiatric facility Carrier Clinic. The hospital system told media outlets on Friday that it was targeted by a cyberattack on Dec. 2, crippling its computer software systems for nearly five days. "Our network's primary clinical systems are operational, and our IT teams continue working diligently to bring all applications back online safely," according to a statement issued to media, Friday. "Based on our investigation to date, we have no indication that any patient or team-member information has been subject to unauthorized access or disclosure."

The attack affected the hospital's computer software systems, from scheduling and billing systems to labs and radiology, according to reports. Consequently, the ransomware attack forced the hospitals that were part of Hackensack Meridian Health system to reschedule around 100 non-emergency appointments and surgeries earlier in December. The hospital system did not clarify how much ransom it paid, or whether its data has since been recovered. It also did not give further indication about how systems were first infected and what data was affected.
This discussion has been archived. No new comments can be posted.

New Jersey's Largest Hospital System Pays Up In Ransomware Attack

Comments Filter:
  • Subpoenas should be handed out if they don't cooperate and open all the books and logs.

    Evidently paying off the ransom is cheaper than making proper backups.

    Demand paper receipts...

    • Evidently paying off the ransom is cheaper than making proper backups.

      Exactly. Why do these companies not have proper backups for situations like this? Instead of paying the ransom try firing the CIO and use his/her salary to install a backup system that has been *tested and works*.

  • The cheapest and most likely way to deal with ransomware is to buy a copy of "Man on Fire" for every dumbass who thinks it should be legal to pay ransoms.

  • Hackensack Network (Score:4, Insightful)

    by Ogive17 ( 691899 ) on Monday December 16, 2019 @08:21PM (#59526736)
    Just asking for trouble with that name.
  • Based on our investigation to date, we have no indication that any patient or team-member information has been subject to unauthorized access or disclosure

    so attackers encrypted data and took nothing? sure.

    • How would they know? Everything is locked out and encrypted. I guess that's what meant by "no indication".
    • Hmm, yeah I'd be suspicious as well that only files/folders were encrypted and nothing was exported out of the network. Having said that, I think what makes these encryption attacks so popular is that all they need to do is get in via an email attachment or phishing link and then once in the internal network, do a rapid encryption of all possible files. At that point they don't have to worry about getting back out through the firewall as the damage has been done.

      My gut feeling is that they did have pre-
      • by DarkOx ( 621550 )

        Yes the data between the backups (and you can only trust the offline ones in a situation like this) is likely at least a little stale and as you say. I used have nightlys when I was sysadmining and when we had two drives in a raid5 manage die within a space of each other smaller than the time needed to generate the first failed disks data to the hot spare, I lost of about 5 business hours worth of data on our sales quoting system. Poof gone; even with proper backups and redundant hardware (raid array).

        Not

    • OCR will treat is as a HIPAA violation unless they can prove (eg loss prevention and data extraction detection at the firewall) that nothing was going out from those affected systems.

      But this will be a multimillion dollar fine since most hospitals have no functional IT leaders.

  • If they backed everything up every day, isn't the most they could lose just 24 hours worth of data? Wouldn't making backups work be cheaper than paying ransom? Doesn't paying ransom just encourage and fund more attacks?
  • never ever pay (Score:5, Insightful)

    by bool2 ( 1782642 ) on Tuesday December 17, 2019 @02:34AM (#59527628) Homepage
    It should be illegal to pay these criminals with huge penalties for doing so such that it is cheaper not to pay.
  • is this kind of money transfer legal?

    in other words, are they not complicit in illegal activity by giving away this money?

    • in other words, are they not complicit in illegal activity by giving away this money?

      Hmm, you seem to be suggesting that if someone kidnapped your infant daughter, YOU should go to prison if you paid the ransom....

  • If they are $6 BILLION in assets, they can pay to have a secure system and not be affected by ransomware.

    I know EHR is a rather vertical market, but WHY would you run your main line of business application (where the patient data is stored) on Windows? Get something secure. Some kind of Unix, iSeries, IBM Mainframe, OpenVMS, etc. Not saying that none of these are unhackable, but they sure are NOT susceptible to this ransomware du-jour that goes around.

    Then, if your workstation gets owned, wipe it, reima

    • " It also did not give further indication about how systems were first infected and what data was affected."

      Haven't you heard? Internet access is a right, and employees will walk off a job if they don't have it. Put an airgap in (aka 'no internet') and a lot of attacks don't work, or one has to work much harder to get in (aka Stuxnet).

    • From some Googling they are using Epic as their primary EHR, which runs it's back-end database on *NIX. The presentation layer is usually handled by some form of Virtualization running Windows, but can be local installs on the desktops.

      The primary EHR is just a small part of any medical system though. Our rather small hospital has at least 30 disparate systems that communicate with the primary EHR. There is a wide variety of OSs and back-end databases among them, although windows + MSSQL is certainly the mo

  • by gweihir ( 88907 ) on Tuesday December 17, 2019 @09:22AM (#59528260)

    Paying these "people" encourages them and just leads to more attacks. Hence paying them must be made illegal. Maybe also have reasonable IT security and backups at places that depend on their IT?

    • Maybe also have reasonable IT security and backups at places that depend on their IT?

      What often happens is the attacker is in your network for a while before you actually know about it. One of the first things they do is find a way to nuke your backups before they encrypt everything and demand a ransom. There are ways to protect against this, but I suspect a lot of companies do not adequately secure their backups and since it's not a visible problem, it likely doesn't get any meaningful attention.

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...