Ascension Cyberattack Continues To Disrupt Care At Hospitals (npr.org) 43
An anonymous reader quotes a report from NPR: Hospital staff are forced to write notes by hand and deliver orders for tests and prescriptions in person in the ongoing fallout from a recent ransomware attack at the national health system Ascension. Ascension is one of the largest health systems in the United States, with some 140 hospitals located across 19 states and D.C. A spokesperson said in a statement that "unusual activity" was first detected on multiple technology network systems Ascension uses on Wednesday, May 8. Later, representatives confirmed that some of Ascension's electronic health records systems had been affected, along with systems used "to order certain tests, procedures and medications."
Some phone capabilities have also been offline, and patients have been unable to access portals used to view medical records and get in touch with their doctors. Due to these interruptions, hospital staff had to shift to "manual and paper based" processes. "Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible," an Ascension spokesperson said in a May 8 statement. Kris Fuentes, who works in the neonatal intensive care unit at Ascension Seton Medical Center in Austin, said she remembers when paper charting was the norm. But after so many years of relying on digital systems, she said her hospital wasn't ready to make such an abrupt shift. "It's kind of like we went back 20 years, but not even with the tools we had then," Fuentes said. "Our workflow has just been really unorganized, chaotic and at times, scary."
Fuentes said orders for medication, labs and imaging are being handwritten and then distributed by hand to various departments, whereas typically these requests are quickly accessed via computer. A lack of safety checks with these backup methods has introduced errors, she said, and every task is taking longer to complete. "Medications are taking longer to get to patients, lab results are taking longer to get back," she said. "Doctors need the lab results, often, to decide the next treatment plan, but if there's a delay in access to the labs, there's a delay in access to the care that they order." As of Tuesday, Ascension still had no timeline for when the issues might be resolved, and reported that it continued to work with "industry-leading cybersecurity experts" to investigate the ransomware attack and restore affected systems. The FBI and Cybersecurity and Infrastructure Security Agency are also involved in the investigation. "While Ascension facilities remain open, a health system representative said on May 9 that in some cases, emergency patients were being triaged to different hospitals, and some non-emergent appointments and procedures were postponed," reports NPR. "Certain Ascension pharmacies are not operational, and patients are being asked to bring in prescription bottles or numbers."
"Individuals who are enrolled in Ascension health insurance plans are being directed to mail in monthly payments while the electronic payment system is down."
Some phone capabilities have also been offline, and patients have been unable to access portals used to view medical records and get in touch with their doctors. Due to these interruptions, hospital staff had to shift to "manual and paper based" processes. "Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible," an Ascension spokesperson said in a May 8 statement. Kris Fuentes, who works in the neonatal intensive care unit at Ascension Seton Medical Center in Austin, said she remembers when paper charting was the norm. But after so many years of relying on digital systems, she said her hospital wasn't ready to make such an abrupt shift. "It's kind of like we went back 20 years, but not even with the tools we had then," Fuentes said. "Our workflow has just been really unorganized, chaotic and at times, scary."
Fuentes said orders for medication, labs and imaging are being handwritten and then distributed by hand to various departments, whereas typically these requests are quickly accessed via computer. A lack of safety checks with these backup methods has introduced errors, she said, and every task is taking longer to complete. "Medications are taking longer to get to patients, lab results are taking longer to get back," she said. "Doctors need the lab results, often, to decide the next treatment plan, but if there's a delay in access to the labs, there's a delay in access to the care that they order." As of Tuesday, Ascension still had no timeline for when the issues might be resolved, and reported that it continued to work with "industry-leading cybersecurity experts" to investigate the ransomware attack and restore affected systems. The FBI and Cybersecurity and Infrastructure Security Agency are also involved in the investigation. "While Ascension facilities remain open, a health system representative said on May 9 that in some cases, emergency patients were being triaged to different hospitals, and some non-emergent appointments and procedures were postponed," reports NPR. "Certain Ascension pharmacies are not operational, and patients are being asked to bring in prescription bottles or numbers."
"Individuals who are enrolled in Ascension health insurance plans are being directed to mail in monthly payments while the electronic payment system is down."
I have to ask... (Score:2)
Are the infected systems running Windows, and if so, what version?
Re: (Score:3)
If you are asking that question you've failed security 101. Dumb users exist sitting at every OS, and they are nearly always the attack vector used.
Re: (Score:2)
Re:I have to ask... (Score:4, Funny)
Isn't that just called Apple?
Wakka wakka wakka!
Re: (Score:2)
That is in general a good idea but presents its own problems:
a) Writing an OS isn't trivial. The idea that something unique would be bug free is a fantasy.
b) There is a balancing act between capability and security. The more you lock something down the less useful it is, the more costly it is to manage and change, and the less tolerant it is of edge cases. So there will always be a requirement to bypass or do something somewhere by someone, and that someone is a security risk.
c) A special purpose OS for cri
Re:I have to ask... (Score:4, Informative)
[citation needed]
When you can find a company who: 1) is as attractive a target as Ascension health, 2) who has also switched entirely over to another OS, and 3) has had as many security issues as similar companies, then I'll believe you. Until then, you have nearly 0 evidence supporting your point.
That said, if Ascension is who I think they are, they're using one of the products produced by my old employer (unless they went to something new, recently). If that's true, the database is stored in ISAM/text files, on a Linux server, in a Samba-accessible share. Dumb. My current employer is another customer of my former employer, using the same product, and we fixed that a few years ago, by making the database inaccessible to Windows machines.
Re: (Score:2)
Re: (Score:2)
The application was written in this programming language - https://en.wikipedia.org/wiki/... [wikipedia.org] - which has ISAM support built in. This was the specific vendor we used: https://www.dbcsoftware.com/ [dbcsoftware.com]
Re: (Score:2)
When you can find a company who: 1) is as attractive a target as Ascension health, 2) who has also switched entirely over to another OS, and 3) has had as many security issues as similar companies, then I'll believe you. Until then, you have nearly 0 evidence supporting your point.
Except we have plenty of evidence supporting this point. You just need to look up how modern attack vectors generally work. It's incidentally also the reason so much corporate security is focused on either user restriction or user education. Very few viruses these days target OS bugs directly. They get squashed too quickly. When they do, it becomes news, even if that malware hasn't had any impact. In the meantime there's a never ending string of reports of phishing scams, people falling for the "we're from
Re: (Score:2)
Not really sure how you can call an OS that just lets you install any random software a user problem, but okay...
kinetic response required (Score:2)
These types of attacks deserve to be treated as a terrorist attack.
Respond appropriately...
Re: (Score:2)
These types of attacks deserve to be treated as a terrorist attack.
Respond appropriately...
True enough. But the horrid comsec of Hospital systems where just about any patient info is jealously guarded, the hospitals are the worst violators of HIPPA, giving everyone's personal and health informations to people who have extremely malicious intent. And I counsider the hospitals equally liable.
Getting that shit off the internet and free to anyone is step one.
Re: (Score:2)
Sure... blame the victims for being weak. It's their fault.
It is. They could (should) have done better.
But that is fantasy land. As a nation, we need to treat these attacks as what they are: attacks.
If someone attacks you, destroy them. ...and make security a national defense issue. We have unlimited budget for national defense. Use it to defend the citizens from this shit.
Re: (Score:2)
Sure... blame the victims for being weak. It's their fault.
They share some of it.
"Oh, I know that the password is Password one - that's how the bad guys got into our whole system, and now we're paying 500 million to get the records back - but don't worry, you are innocent and blameless, GO ahead and use Password1.
They could (should) have done better.
But that is fantasy land.
The problem is that so many ransomware attacks happen because of for shit security. In no way to I support shitty security as a defense when a system is hacked. Point is, if you are a large enough organization, and you have shitty security, you simply
Re: (Score:2)
These people are not victims. They are perpetrators. Stop pushing that lie.
Re: (Score:2)
Re: (Score:2)
Is a bank that lets it tresor open to the public with no supervision a pure victim?
Re: (Score:2)
...the hospitals are the worst violators of HIPPA...
The first rule of HIPAA: You can probably disregard the opinions of those who don't know the acronym ;-)
But in all seriousness, the OCR would love to hear about this litany of violations. They taken them quite seriously and the fines can be steep.
Re: (Score:2)
If you could easily find out who does this, it would already have stopped. The problem is IT systems that are not appropriately defended and resilient. Chap, dumb "management" at work.
Also, cave-man much?
Re: (Score:2)
Good luck with that. First, they are not. This is not-that-competent criminals walking over laughably bad IT security. Second, care to explain how to identify the attackers? Because nobody knows a reliable way at this time. And third, you are cheapening the term "terrorism".
Oh my gawd! (Score:3)
It's a widescale collapse of the whole medical system. Well it is, but there is something that just might be saying that they aren't doing it right.
But just perhaps, they are going to learn that the way they used to do it - works. And it''s remarkably resilient against online attacks.
Re: (Score:3, Insightful)
Nah, shit in America is ass backwards. Faxing is still the standard method of transferring medical records, which in the United States still does not have any standardized system for, which is why anytime you go to a new doctor they never have your medical history and you have to go through the rigamarole of tracking down all your records or they just end up doing tests all over again.
Plus nobody actually does their billing, everything is run through multiple layers of brokers that doctors, insurance compa
Re:Oh my gawd! (Score:4, Insightful)
Nah, shit in America is ass backwards.
I think there is a non-zero chance that you completely missed my point. I know you have an axe to grind about 'Murrica, but the EU is not a haven of computer security:
https://www.france24.com/en/eu... [france24.com]
https://www.bbc.com/news/techn... [bbc.com]
https://www.zdnet.com/article/... [zdnet.com]
It is the same problem, everywhere. And if we just point fingers at the USA as the place, it won't fix anything, no matter how good it makes people feel about themselves.
Re: (Score:2)
What did I say that wasn't true though?
And also if this is is a global problem that makes my point even more because we pay that much more than Europe and we don't even get better cybersecurity? And in all likelihood probably worse as those attacks don't seem on the same scale and even in that second article the EU is talking about problems stemming from the US.
So is this is a problem? Absolutely. Is the solution to make our medical system even slower, more burdensome and more expensive the answer? I'm gon
Re: (Score:2)
Being correct doesn't mean you aren't wantonly disrupting the discussion. There are LOT of things that are correct.
Re: (Score:2)
Maybe, but the original comment was "Well it is, but there is something that just might be saying that they aren't doing it right." and I said what I thought wasn't right or at least a possible explanation for such problems. Also the prescription given was effectively "just do nothing digital" which I also disagreed with.
Yeah I can come off like an ass but this is internet so who cares, we're all here to spout our piece off.
Re: Oh my gawd! (Score:1)
Re: (Score:2)
Nah, shit in America is ass backwards. Faxing is still the standard method of transferring medical records, which in the United States still does not have any standardized system for
I challenge you to name a country that does have a standardized system for transferring a complete medical record (labs, notes, medications, etc.). It's actually a pretty hard problem to solve.
Re: (Score:2)
Depending on how it's viewed anywhere from 7 to 15 I believe and many are working on it. The EU also has an initiative to get all the members states to coordinate better. Interesting study of eHRs here
https://www.oecd.org/publicati... [oecd.org].
Fine Them, Heavily (Score:3)
Imagine having a network so pooorly segmented that some random dunce can download malware that spreads to your billing, inventory, and records systems.
I know "zero trust" is almost a management buzzword at this point, but we have the technology to prevent these kind of attacks from hitting critical infrastructure.
Sure, a bunch of workstations within a broadcast domain may infect each other, but anything beyond that is negligence---in my opinion, we should demand better in health, safety, and finance sectors at a minimum.
Re: (Score:2)
You can't really say that without knowing the attack vector. Various attack mechanisms have come as total surprises.
OTOH, what you say is often true. Just don't be sure in any particular case until you know the attack vector.
Re: (Score:2)
They could be. And the clearly shouldn't be. But from the (summary) item we don't know that they were.
Mail in? (Score:3)
"Individuals who are enrolled in Ascension health insurance plans are being directed to mail in monthly payments while the electronic payment system is down."
If I was a customer of that company, I wouldn't be paying any bills right now...
Re: (Score:2)
In America at least the unspoken (but often spoken) recourse to big medical bills is... just not pay them, wait it out and then you more than likely can pay pennies on the dollar once it goes to collections. You already got the medical care, they can't repo that... yet at least. [imdb.com]
Re: (Score:2)
LOL seriously you can't even trust them to process a paper check at this point
Hot take (Score:1)
I won't mind violence against any "hacker" that is targeting a hospital.
A metal keyboard against the face, repeatedly, in broad daylight.
Will probably need to bend something that was not meant to be bent.
Re: (Score:2)
Cave-man level responses universally make the problem worse, not better. Adults are supposed to know that. I guess you do not qualify.
Re: (Score:1)
You will respect your elders!
Cavemen were there before you were around and faced a much harsher environment.
The only adversity you've ever faced with someone getting your name wrong at Starbucks.
Re: (Score:2)
Well, obviously you are not an adult. Thanks for the confirmation.
I used to work there - here's some fun info (Score:2, Interesting)
Re: (Score:2)
Cathartic
Yeah it's amazing, an ex-friend of mine faked his supervisor's signature on a form ... and got caught, and was fired ... I mean, it was a stupid thing to do, but he was pretty clearly a very stupid guy. The problem is, there are tons of people just like him wandering around out there who think cheating and lies are fine