Medicine Crime Security

Ransomware Attack Delays Patient Care at Several Hospitals Across the US (nbcnews.com) 30

"One of the largest hospital chains in the U.S. was hit with a suspected ransomware cyberattack this week," reports NBC News, "leading to delayed surgeries, hold ups in patient care and rescheduled doctor appointments across the country." CommonSpirit Health, ranked as the fourth-largest health system in the country by Becker's Hospital Review, said Tuesday that it had experienced "an IT security issue" that forced it to take certain systems offline. While CommonSpirit declined to share specifics, a person familiar with its remediation efforts confirmed to NBC News that it had sustained a ransomware attack.

CommonSpirit, which has more than 140 hospitals in the U.S., also declined to share information on how many of its facilities were experiencing delays. Multiple hospitals, however, including CHI Memorial Hospital in Tennessee, some St. Luke's hospitals in Texas, and Virginia Mason Franciscan Health in Seattle all have announced they were affected.

One Texas woman, who spoke to NBC News on the condition of anonymity to protect her family's medical privacy, said that she and her husband had arrived at a CommonSpirit-affiliated hospital on Wednesday for long-scheduled major surgery, only for his doctor to recommend delaying it until the hospital's technical issues were resolved.

The surgeon "told me it could potentially delay post-op care, and he didn't want to risk it," she said.

Wednesday the company confirmed that "We have taken certain systems offline."

  • by gweihir ( 88907 ) on Sunday October 09, 2022 @12:40AM (#62950397)

    IT security? Is that going to make us more money? Don't think we need that. We do medicine and IT is not that important anyways, right?

    And in actual reality, businesses need to be forced by regulation to do rational, effective risk-management. Otherwise the C-level fuckups will always hope it will not hit them and they will get a higher bonus.

    • by sjames ( 1099 )

      Seen everywhere in American business:

      CEO to accountant: How important is IT to our profits?

      Accountant pulls up spreadsheet linked to multiple databases across the company's offices and starts clacking away on his keyboard. Launches a few custom queries set up by the dba, reads his screen and replies: Not at all.

  • by xack ( 5304745 ) on Sunday October 09, 2022 @02:34AM (#62950531)
    Only when ransomware hackers get proper punishment will the epidemic of these ransomware attacks be solved. Shut down crypto exchanges that launder ransomware funds as well.
    • Re: (Score:2, Insightful)

      Running a hospital into the ground so you can maximize profits should be a death sentence

    • by theCoder ( 23772 ) on Sunday October 09, 2022 @05:35AM (#62950667) Homepage Journal

      Only when people start getting convicted of negligence for running hospital (or other) computer systems in ways that make them vulnerable to ransomware attacks will the epidemic of these ransomware attacks be solved.

      • by ET3D ( 1169851 )

        That's unlikely to solve the problem, and is likely to virtually kill computing.

      • Only when people start getting convicted of negligence for running hospital (or other) computer systems in ways that make them vulnerable to ransomware attacks will the epidemic of these ransomware attacks be solved.

        It bothers the hell out of me every time I see posts that blame the victims of ransomware attacks. Even more so when such posts get modded *insightful*. I'm also convinced that the people making these aspersions know pretty much nothing about computer security. People who actually know about security would never assert that - if you do everything correctly, follow best practices, etc. - then you can't get hacked. In fact, it's quite the opposite. Security experts will tell you that if a skilled attacker want

        • While I agreed with the FP that many industries have a bad reputation about IT being a cost center, not a revenue generator, there isn't enough data in this news release to start casting blame yet. If the headlines next week state "CommonSpirit Health hit with ransomware attack, running normally three days later" then it would be a credit to the IT department. If they are still doing emergency reconstruction four weeks later, then the IT department might need a thorough review.

          I agree with your assertion

    • Actually, no. (Score:5, Insightful)

      by Gravis Zero ( 934156 ) on Sunday October 09, 2022 @06:00AM (#62950685)

      There are a few problems with this approach:
      1) Criminal hackers are generally attacking from a foreign nation where it is safe to do so due to a lack of an extradition treaty with the US/EU.
      2) Criminals are notoriously bad at risk assessment. This is absolutely crucial because even if you manage to fix #1 and the penalty is absolute (death without trial) they are still going to do it because again, they are notoriously bad at risk assessment.
      3) There is a limitless supply of criminals due to a growing global population, corruption, and injustice.

      Effectively, there will always be someone willing to ransomware hospitals if they know the hospitals will pay it.

      This leaves you two options:
      1) Try to shut down all use of crypto currency exchanges. (I'm in favor of it but good luck trying.)
      2) Mandate good security at critical infrastructure points like hospitals.

      Good security costs money but US Hospitals can easily afford it. So the question is, why the fuck do hospitals have shitty security?

      • by gweihir ( 88907 )

        2) Criminals are notoriously bad at risk assessment. This is absolutely crucial because even if you manage to fix #1 and the penalty is absolute (death without trial) they are still going to do it because again, they are notoriously bad at risk assessment.
        3) There is a limitless supply of criminals due to a growing global population, corruption, and injustice.

        Effectively, there will always be someone willing to ransomware hospitals if they know the hospitals will pay it.

        Very much so. It is enough that they _hope_ the hospitals will pay and some may not even know they are attacking hospitals. Also see 2). So we can reduce the problem on that side, but not eliminate it.

        This leaves you two options:
        1) Try to shut down all use of crypto currency exchanges. (I'm in favor of it but good luck trying.)
        2) Mandate good security at critical infrastructure points like hospitals.

        Good security costs money but US Hospitals can easily afford it. So the question is, why the fuck do hospitals have shitty security?

        As to 2): Regulator failure. There are just too many profits and likely too many bribes paid to politicians.
        There is however
        3) Make paying ransom a criminal act that gives the CEO prison time.
        That would cut down on these attacks a lot.

        Incidentally, I would recommend prison time for the CEO for failure to do ade

      • People don't need crypto exchanges to launder ill-gotten gains. Also many exchanges are incorporated in countries where they are outside of the reach of US financial regulations. So good luck shutting those down.

    • by ET3D ( 1169851 ) on Sunday October 09, 2022 @06:39AM (#62950729)

      Yes, I'd say that's analogous to terrorism, and should be acted on in a similar way.

    • by gweihir ( 88907 )

      That state is likely not reachable. What about actually punishing providers of critical infrastructure, like hospitals, for not getting IT security right? There really is no excuse for that anymore and the only reasons possible why they messed up are greed and incompetence. Both are not acceptable. And, unlike ransomware scum, these people are identifiable. The other thing that would help is making the payment of ransom a criminal act with personal criminal liability, i.e. the CEO goes to jail.

    • This, here. Greedy hacker kills patients, gets free room for life in house of many bars for manslaughter. Yes, the otherwise useless crypto, universally used for paying the ransom, should be terminated with extreme prejudice. Nothing of value will be lost. Especially jpegs of yawning chimpanzees in boating hats.
    • Only when ransomware hackers get proper punishment will the epidemic of these ransomware attacks be solved. Shut down crypto exchanges that launder ransomware funds as well.

      Time to unleash Blackwater on them, and as part of the contract post pictures of the mutilated corpses.

  • by thegarbz ( 1787294 ) on Sunday October 09, 2022 @03:21AM (#62950571)

    "Hospital Chains" The rest of the world has hospitals, but America has "Hospital Chains". Do you get a free prostate exam with every 4 x-rays from participating hospitals? Do they offer cheap Tuesday deals?

  • Drone those mofos (Score:5, Interesting)

    by PeeAitchPee ( 712652 ) on Sunday October 09, 2022 @05:50AM (#62950675)
    These sick fucks need to stop breathing. There's no place above ground for anyone specifically targeting hospitals and innocent patients. And sure, we can talk about hardening hospitals' IT infrastructure in a separate conversation, but this stuff is always gonna happen. "People" targeting hospitals are just plain evil and there needs to be serious consequences for these actions.
    • by gweihir ( 88907 )

      Well, these people are certainly the scum of the earth, but you know what? They understand IT security, different from their victims. And hence, except for rare cases, they cannot be identified. What can be identified is the crypto-exchanges that do the money-laundering for their criminal proceeds. And the owners there can easily be found and should go to prison.

    • And what of the hospital execs who neglect their IT security to the point where their systems are open to ransomware? Don't they have a responsibility to effectively secure and manage their systems?
  • I have a feeling it was the billing system.

  • ... between a full blown cyber attack and the traditional, "Please take a seat in the waiting room. The doctor will be with you shortly."

  • Hospital IT security is nearly nonexistent and it isn't a new problem. In 2015 I was working contract at a major regional hospital in Texas. The idiots running the IT department had one shared login for all users and a common password which everyone knew. They had a Windows share drive where most everything was stored, including protected healthcare information, lists of employee social security numbers, embarrassingly poorly written letters of recommendation, recipes for chicken soup from the cafeteria, you
    • That is really disheartening. The big question in my mind is, why on earth are such hospital systems exposed to the outside world at all? What conceivable reason is there for IV pumps and cardiac monitors to be on any network other than a closed, hospital-internal network? The same is true for patient records, employee records, lab results, and so forth.
