Healthcare Organizations Under Siege From Cyberattacks, Study Says

Posted by Soulskill
from the it's-hip-to-ignore-hippa dept.
BigVig209 sends this report from the Chicago Tribune: "A new study set to be officially released Wednesday found that networks and Internet-connected devices in places such as hospitals, insurance companies and pharmaceutical companies are under siege and in many cases have been infiltrated without their knowledge. ... In the report, the groups found from September 2012 to October 2013 that 375 healthcare organizations in the U.S. had been compromised, and in many cases are still compromised because they have not yet detected the attacks. ... 'What's concerning to us is the sheer lack of basic blocking and tackling within these organizations,' said Sam Glines, chief executive of Norse. 'Firewalls were on default settings. They used very simple passwords for devices. In some cases, an organization used the same password for everything.'"
  • Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.
    • by rhsanborn (773855) on Wednesday February 19, 2014 @09:26AM (#46285089)

      Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.

      That's not the case at all. HIPAA makes a distinction between covered entities (usually hospitals, doctors, insurance companies), business associates (people providing services for covered entities such as medical coding, transcription, IT services, etc.) that require access to protected health information, and everyone else who isn't allowed to access protected health information. If a covered entity loses or discloses protected health information, or is breached, that entity is responsible for fines under HIPAA, which are being levied regularly. e.g. http://www.healthcareitnews.co... [healthcareitnews.com]

      • "Regularly" is vague. HIPAA was passed in what, 1996? The first fines weren't levied until after 2010. So I think the parent's point is still valid, the act was pretty toothless as far as consequences for quite some time. The ratio of incidents to fines is still very heavily in favor of the careless. If you had a choice between paying $2 million in security or a remote chance of a $1 million fine, which would you take?
    • No threat of punishment == no compliance.

      Don't worry, there's no lack of authoritarian punishment [hhs.gov] built into the system.

      But you know, if merely punishing people stopped them from complying with rules we'd be living in paradise. Our punishment-oriented culture serves to gratify the sadism of our rulers, and doesn't really do much to prevent crime. In real life the most effective way to prevent crime is to ensure the availability of rewarding work... and hospital paperwork, I have to tell you, is the opposi

  • In some cases, an organization used the same password for everything.'"

    That's not negligence, it's just the Navy keeping up with the times and implementing Single-Sign-On.

    • by oodaloop (1229816)
      Glad to see you're keeping up with the times, being that this article is about healthcare and not the Navy.
  • Recall that at least the original license agreement for Sun Java specified that it must not be used to operate nuclear power plants. That got a lot of ridicule but was arguably a good idea.

    From time to time I see posts for medical device coding jobs on craigslist and the like. Quite commonly they require one to have experience with C# .Net.

    That doesn't make a whole lot of sense to me. Heart disease runs in my family. If I get a pacemaker, is it going to be running Microsoft Windows?

    • by gl4ss (559668)

      no but the ui is going to be written in c#.

      (...so that it'll be deprecated in a few years)

    • by Chewbacon (797801) on Wednesday February 19, 2014 @07:11AM (#46284523)

      Rapid application development perhaps. Hospitals are trying to get these systems up and running for the sake of cash deposits and reimbursement from Uncle Sam and every company who can write software, good or bad, wants a piece of it. And yeah, it may run on windows. One of the fluoroscopes in my lab runs Win2K.

    • by melikamp (631205)

      From time to time I see posts for medical device coding jobs on craigslist and the like. Quite commonly they require one to have experience with C# .Net. That doesn't make a whole lot of sense to me. Heart disease runs in my family. If I get a pacemaker, is it going to be running Microsoft Windows?

      This is yet another symptom of a very common disease: enter computers, and all of a sudden medical professionals simply ignore patient privacy and security. Maybe it's for the lack of understanding on the part of individual doctors, but then where are their governing bodies looking? They are selling us out. They must be corrupt three times over.

      Last time I went to a doctor for a regular checkup, I almost asked her: are my responses private? [Yes, I assume] Then why the bloody hell are you typing them i

      • by Anonymous Coward

        You are sharing them with Microsoft and its affiliates as you are typing them

        This is called "paranoia". It's a medical condition.

        opting instead to be very discrete about my medical condition

        So you won't tell your doctor about your paranoia, but you'll tell a random group of people on Slashdot?

        Face it, you're squarely in "wingnut" territory. Microsoft does not keep copies of your data unless you send it to one of their services. They don't care that you're paranoid because it doesn't make them any money. The

    • by jythie (914043)
      "Medical devices" covers a lot of area. I suspect things like pace makers are developed using some RTOS while desktop apps designed to connect to devices are written in some commonly used language like C# or Java.

      Though there is probably a lot of pressure due to what kinds of programmers they can find. One thing that pushed LISP out of certain industries, even when it worked really well for individual companies, was difficulty finding experienced programmers.

      Medical devices should probably be programmed
    • Why use C#? Well, it is actually rather simple. In many areas it is easier to find developers than with Java or C.
      Microsoft Products don't suck as much as Slashdot makes them out for. Windows 2000 onward have been very stable, and for the past decade I have seen more Linux Kernel Crashes than Blue Screens of Death. Making your product in C# vs Java isn't that big of a deal, the real issue that I find, is that you are Stuck on Windows, and that sucks because you may want to be flexible with your next u

      • Right now their big push is adding Business Intelligence to their software.

        If you ask any IT upper manager or executive in a US health system what Business Intelligence is then if they can give you any answer at all it is some recited drivel fed them by the plethora of vendors selling snake oil at the last HIMS conference.

        Having nearly a decade of experience working as a software engineer for healthcare ISV's and healthcare systems, I have earned a bit of a perspective to why healthcare IT struggles behind nearly every other industry. To understand why things are dysfunctional an

    • by ljw1004 (764174)

      C# is an ISO standard that runs (great) on iOS, Android, desktop Linux, Netduino, as well as Windows

  • by Karmashock (2415832) on Wednesday February 19, 2014 @08:30AM (#46284815)

    By which I do not mean putting some off the shelf software or hardware between your network and the federal ACA system. Rather, have an isolated system distinct from the rest of your network which interacts with the ACA. Give that system no access to the rest of your network or vice versa except through very tightly controlled protocols. Effectively, assume that machine is compromised or at least in extreme danger of being compromised.

    Then carry on. Worst case, that isolated system will be infiltrated. But since the Federal ACA system is compromised that's nothing special. Your internal network will remain safe from that vector and you can continue to comply with this federal boondoggle.

    Government... we only take them seriously because they threaten to shoot us. No really. Absent threats of violence who would be complying with the ACA at this point? No one. That's all that keeps this bullshit going.

  • Simple solution (Score:2, Insightful)

    by Anonymous Coward

    We need a law (or laws) that place very painful penalties on any business or organization that suffers a data breach through their own negligence.

    The right wingers who run a lot of these businesses just love to talk about the magical results we can get by relying on the free market. Well, let's see them put their money where their mouth is. Currently, they can be sloppy with their IT practices and pay virtually no price even when something goes wrong that causes considerable pain to their customers/users

    • by jythie (914043)
      the problem is, within that philosophical system (I can not call it economic; that set of economic theories was debunked decades ago) the customers would be the ones to punish the company by going somewhere else and there are no "external costs"; the only thing that matters is what's on their side of the interface and everything outside that the market magically fixes.
      • That doesn't work in many areas where many of these healthcare systems have a practical monopoly in their respective regions. There is often no other choice for customers (Let it be known I find that term offensive, they are really patients). They really aren't broken up because they are also "non-profit" which is lately becoming an ethically dubious term for many health systems.
        • by jythie (914043)
          *nods* and even when there are choices in a particular region, often one's health coverage makes the choice for them, and forgoing one's employer provided health care and going to the individual market is often a bad economic choice for individuals or families. So the barrier to voting with one's dollars becomes very high.
    • by rhsanborn (773855)
      There is a law, it's called HIPAA. Healthcare organizations are very cognizant of HIPAA and do work to avoid breaches of healthcare data. The Department of Health and Human Services does hand out significant fines for breaches. http://www.hhs.gov/ocr/privacy... [hhs.gov] Additionally, for large breaches, healthcare organizations are required to notify prominent news media, which arguably has a larger financial impact than the fines themselves.
  • Let me summarize the situation so we can avoid having an article for every industry.

    Any business worth any substantial amount of money is, and has been for years, under constant 'cyberattack'.

  • I've been there. The organizations just don't care, it is more important to keep doctors happy. There is very little appreciation for IT and its value. And since there are limited consequences for breaches, there is no motivation to change.
  • We are a healthcare startup and we get the usual Metasploit attacks, but more importantly we are phished like crazy.

    The information is valuable and because it is, healthcare firm staff will be easy pickings for being targets.

    They simply don't know what they are doing (for instance, there is a 90% chance your doctor is using SMS/MMS to communicate about patients)
  • Who else would benefit from knowing your health info? Drug companies could spam you with ads, I suppose, but insurance companies have the most to gain by denying coverage to the "accident prone, chronically ill, and those who might inherit propensities for certain health problems. For health insurers, this has supposedly been fixed under Obamacare, but like taxes, there are many lawyers looking for loopholes and they will certainly find them. And what about life insurance? Those guys would love to have

    • but insurance companies have the most to gain by denying coverage to the "accident prone, chronically ill, and those who might inherit propensities for certain health problems.

      Which is illegal under the ACA, hence irrelevant.

  • This story doesn't indicate that this is largely the NSA collecting information in support of further executive adjustments to the Afraudable Care Act. This is just how they operate. "It's better to beg for forgiveness than to get permission or follow legislation. It's even better to deny that you did it than to beg for forgiveness." --Eric Holder

  • Low-level DDoS (Score:3, Interesting)

    by ahs_boy (125818) on Wednesday February 19, 2014 @10:36AM (#46285651) Homepage

    One of my clients is an umbrella organization for a few local community health centers, and there has been a steady stream of empty POST submissions to their website -- at the rate of about 2/second -- for about 4 straight months now. Virtually every hit is from a unique IP address, so the spoofing is either great, or the botnet is enormous. This is normally a VERY low-traffic site, so the attack constitutes about 99% of their traffic at this point.

    I'm assuming that the timing of the start of the attacks -- just as the Affordable Health Care Act came into effect -- is not a coincidence. It's a brain-dead attack, and easy to mitigate, but I'm a bit dumbfounded that it continues to this day, despite having no effect on the accessibility of their site at all.
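The empty-POST stream described in the comment above lends itself to a simple log check. The following is an added example, not code from the original comment or from ahs_boy. It assumes a custom access-log format (client IP, timestamp, request line, status, and the request's Content-Length header; the stock combined-log format only records response bytes, so the Content-Length field has to be configured explicitly), parses constructed sample lines, and flags the pattern the comment describes: POSTs with no body arriving at a sustained rate, nearly every one from a different source address, making up most of the site's traffic.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed custom access-log line layout (not from the original post):
#   <client ip> [<timestamp>] "<method> <path> <proto>" <status> <content-length|->
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<clen>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    # '-' means the client sent no Content-Length header at all.
    rec["clen"] = 0 if rec["clen"] == "-" else int(rec["clen"])
    return rec


def is_empty_post(rec):
    """The junk request shape from the comment: a POST carrying no body."""
    return rec["method"] == "POST" and rec["clen"] == 0


def analyze(lines):
    """Summarise empty-POST traffic: volume, share, source diversity, rate."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    junk = [r for r in recs if is_empty_post(r)]
    stats = {"empty_posts": len(junk), "total": len(recs), "share": 0.0,
             "unique_ips": 0, "unique_ratio": 0.0, "rate_per_s": 0.0, "top_ips": []}
    if not junk:
        return stats
    ips = Counter(r["ip"] for r in junk)
    span = (max(r["ts"] for r in junk) - min(r["ts"] for r in junk)).total_seconds()
    stats.update({
        "share": len(junk) / len(recs),
        "unique_ips": len(ips),
        # Close to 1.0 means almost every hit came from a different address,
        # i.e. per-IP blocking will not help.
        "unique_ratio": len(ips) / len(junk),
        "rate_per_s": len(junk) / max(span, 1.0),
        "top_ips": ips.most_common(3),
    })
    return stats


def looks_like_flood(stats, min_rate=1.0, min_unique_ratio=0.9, min_share=0.5):
    """Flag the pattern from the comment: sustained, widely sourced, dominant."""
    return (stats["rate_per_s"] >= min_rate
            and stats["unique_ratio"] >= min_unique_ratio
            and stats["share"] >= min_share)


# Constructed sample: two legitimate requests, then 20 empty POSTs over ten
# seconds (about 2/second), each from a different address in 192.0.2.0/24.
SAMPLE_LOG = [
    '198.51.100.7 [19/Feb/2014:10:36:00 +0000] "GET /index.html HTTP/1.1" 200 -',
    '203.0.113.40 [19/Feb/2014:10:36:01 +0000] "POST /contact HTTP/1.1" 200 312',
] + [
    f'192.0.2.{i} [19/Feb/2014:10:36:{i // 2:02d} +0000] "POST / HTTP/1.1" 200 0'
    for i in range(20)
]

if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    print(f"empty POSTs: {s['empty_posts']}/{s['total']} "
          f"({s['share']:.0%} of traffic), {s['unique_ips']} unique sources, "
          f"{s['rate_per_s']:.1f}/s, flood={looks_like_flood(s)}")
```

Because the unique-source ratio is near 1.0, the report is telling you that per-IP rate limiting or blocklists will not help, which matches the comment's observation. The mitigation that does work is the one the comment calls easy: reject POSTs with no body (or POSTs to paths that never accept one) at the reverse proxy or WAF, so they are dropped before reaching the application and stop polluting its logs and metrics.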

  • just wants to know which terrorists are going to the hospital and for what treatment. ordinary citizens have nothing to fear, it is only collecting meta-data about your bloodwork, x-rays, mri's......

  • An acquaintance of mine, several years back, worked at a medical coding company called Meddata (based out of Ohio, I believe, and owned by a private equity/leveraged buyout firm) which kept having computer problems, which their inept and incompetent IT sleazoids were unable to prevent. She monitored their systems inhouse, and ascertained that they were being hacked at mercilessly, within the USA region. It didn't take her long to figure it out: the executives there, from a previous company but now in top
