Computer Virus Attack Forces Hospitals To Cancel Operations, Shut Down Systems (zdnet.com)
A hospital system in the United Kingdom has canceled all planned operations and diverted major trauma cases to neighboring facilities citing a computer virus outbreak. From a report on ZDNet: The Northern Lincolnshire and Goole NHS Foundation Trust says a "major incident" has been caused by a "computer virus" which infected its electronic systems on Sunday. As a result of the attack, the hospital has taken the decision to shut down the majority of its computer networks in order to combat the virus. "A virus infected our electronic systems [on Sunday] and we have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," said Dr Karen Dunderdale, the trust's deputy chief executive. The use of a shared IT system also means the United Lincolnshire Hospitals Trust has been taken offline as staff attempt to combat the attack. As a result of the attack, all outpatient appointments and diagnostic procedures that were set to take place at the infected hospitals on Monday and Tuesday have been canceled, while medical emergencies involving major trauma and women in high-risk labor are being diverted to neighboring hospitals.
Did everyone suddenly forget....? (Score:5, Insightful)
Do they not have paper they can write on till the computer system is back up and then retroactively enter the data in?
Seriously, it wasn't that long ago that it was ALL paper records and charts....surely people can still write and notate on paper till the computer system comes up.
If not, then we all SERIOUSLY need to reconsider having only electronic records for medical treatment, or a few hackers could really kill people...literally.
Re: (Score:2)
Re:Did everyone suddenly forget....? (Score:5, Funny)
But they'd then have to issue several copies of the same records/data/requests to forward them to various departments of the hospital. People would be loath to write the same thing down several times, and I'm suspecting that they no longer use carbon paper. So using handwritten instructions would be out of the question.
If only there was some sort of machine that made a photo-perfect copy of the writing and illustrations on paper...
Re: (Score:2)
they don't have local copying turned on? Do you have to put coins in it?
Re: Did everyone suddenly forget....? (Score:2)
Re:Did everyone suddenly forget....? (Score:5, Insightful)
It's one thing for your local Applebees to bust out the hand held check pad for the evening if the computers are down.
The worst that happens is someone screws up and few meals have to get comped, maybe some supplies don't get reordered etc. As long as they get it mostly right things will be fine.
It's different in a Hospital, mostly right is often not only not good enough but deadly. You don't want staff suddenly using a fall back procedure they have comparatively little training and practice with! If it's an emergency and you have a triage situation because of a disaster that is one thing, but you would be foolish to do anything that is elective or can be safely postponed.
Re:Did everyone suddenly forget....? (Score:5, Insightful)
While everyone has paper fall back systems in place, they're rarely, if ever, tested because you've then just given everyone double the work load for some period of time. Always a winner when it comes to employee satisfaction.
Also, computers are increasingly used as decision support tools. Yes, you could, theoretically, put that logic flow down on paper. In fact, that would be a useful exercise to do so you could step through everything. No, people aren't going to go do that (see above).
Especially in medicine, hospital systems are going to have to rethink their networks. It really can't be a standard Windows business-class 'works most of the time to some degree' type thing. It must be more along the line of a bank or Amazon - high availability, high security, fail over capability. You really shouldn't be able to, for example, hang around on Slashdot on the hospital network.
Oh. Wait.
Re: (Score:2)
Especially in medicine, hospital systems are going to have to rethink their networks. It really can't be a standard Windows business-class 'works most of the time to some degree' type thing.
Exactly. They brought this on themselves by using Windows. The IT director should be fired.
Re: (Score:2)
Yeah, because we all know that Linux is immune to hacks, exploits and worms....
Even if this was somehow a failing of Windows (which it most likely isn't), how far is an IT director going to get pushing an OS that is incompatible with the hospital's software applications (accounting systems, patient records, etc, etc)?
Now, that isn't to say that there aren't grounds for this IT director's dismissal. It could turn out that they were negligent and weren't keeping up with updates or using security best practice
Re: (Score:2)
I would be willing to bet that the intrusion will be traced back to a phishing e-mail or some other social engineering tactic.
If computers are so important, then computer training and procedures should be top priority.
Clearly, they cannot fulfill their primary purpose without them, so why aren't people trained properly to use them?
Re: (Score:2)
Many hospitals are going to a paperless document management system for storing records. The only people who might be using pen and paper are doctors with a prescription pad, which has to be scanned into the system and transmitted to the pharmacy department.
Re: (Score:2)
So basically next time there is a major solar flare that will impact the earth, hmm, everyone on that side of the planet in hospital basically dies, hmm, sounds like a plan.
Reality is all essential services managed by government should maintain manual pen and paper systems as backup. Those pen and paper systems put the computer systems in place and when computer systems and the cloud go down in a catastrophe, what the fuck happens when there is no pen and paper system to get them back up again. You coul
Re: (Score:2)
So basically next time there is a major solar flare that will impact the earth, hmm, everyone on that side of the planet in hospital basically dies, hmm, sounds like a plan.
The electrical grid in the US will probably go offline in a significant solar storm or EMP attack. Only military installations are hardened against such events. The utility companies are aware of this problem but they want the federal government to pick up the tab for upgrading the grid.
How many hours before it all collapses, make it past the first 24 maybe, how about after 72 not so pretty outcome and any longer and people will start dying in significant numbers.
Hurricane Katrina was a good example of that.
Re: (Score:2)
People tend to forget how durable manual systems are. The minds of people, pencil, paper and ruler and you can organise anything. All digital and a major failure becomes a completely unnecessary catastrophe, quite foolish.
Re: (Score:1)
It's just like the army. If all their tanks and guns broke down you'd think some of them would know how to use spears.
Re: (Score:2)
swords Bows and Browning would be the order of the day
Re: (Score:2)
Not sure if they forgot how, but it seems someone forgot why they got rid of them in the first place. That's if "he" actually know in the first place.
Do you think they kept a load of clerks waiting in the wings, just on the off-chance? After all, businesses have a tea-chest in the basement full of lever operated adding machines packed in grease don't they?
Re: (Score:2)
Did everyone suddenly forget how to use pen and paper for records?
Not at all. Everyone forgot gradually, over the course of many years of always doing everything via computer.
Re: (Score:3)
Did everyone suddenly forget how to use pen and paper for records?
Do they not have paper they can write on till the computer system is back up and then retroactively enter the data in?
Paper and pen records started being replaced as far back as the '60s (when my father, an administrator in a major hospital, replaced hand-copying the patients' name and medical record number onto each form - using up more of the nurses' time than actually caring for the patient - with imprinting this info using a credit-card-st
Re: (Score:2)
They can write all they want until the system comes back up, but that doesn't give them access to patient history that's been taken electronically for years now. It's all well & good to write down what happened today & data enter it later.
Yeah... Not so good... Not undertaking non-emergent care (and diverting emergent care to another near-by facility) is by far the safest choice when medical history
Re: (Score:2)
Any competent hospital knows to have emergency processes ready to stand in in the event of a power outage, natural disaster, or even a labor action.
I'm glad I don't do this work any more. Imagine having to explain to your business administrators that you need to firewall your internal departments from one another, that you cannot allow users to send or receive certain email content, that you must not permit sharing between certain critical functional units, that HIPAA in the US requires you to lock down dat
Re: (Score:2)
Did everyone suddenly forget how to use pen and paper for records?
Do they not have paper they can write on till the computer system is back up and then retroactively enter the data in?
Seriously, it wasn't that long ago that it was ALL paper records and charts....surely people can still write and notate on paper till the computer system comes up.
If not, then we all SERIOUSLY need to reconsider having only electronic records for medical treatment, or a few hackers could really kill people...literally.
With automation, pen and pencil have disappeared. Recall, schools do not teach recursive writing. And the advantage of electronic systems is sharing. Two hospitals can share xrays, mri info etc.
Yo dawg (Score:2)
That's because if they taught recursive writing they'd have to teach recursive writing.
Re: (Score:2)
Re: (Score:2)
Where in the story did it say that the IT system in question was based on Windows?
That's typically the case. Some of my best paying IT support contracts I've done are hospitals. Job security that pays well.
Maybe they shouldn't be using the largest... (Score:5, Informative)
Re: (Score:2)
They don't say, but we all know it is an MS-Windows based system.... probably clients and servers.
Re: (Score:1)
Re: (Score:1)
I worked in healthcare IT - it's not "limited choice", it's the same end-user laziness that keeps people on Windows.
Re:Maybe they shouldn't be using the largest... (Score:4, Informative)
Don't know what company you worked for, or who you were forced with. But I've done several big installations of new healthcare hardware and software (hospitals and dr's offices). They all required Windows because the company that made the software, which was required to communicate with provincial offices for billing required a "common database" for communication. That's the way it was in 1999 in my first job doing it, and that's the way it was on the last healthcare job I did ~3 years ago. So depending on where you are, it can indeed be "limited choice" and you can enjoy all the fuckedupness that goes along with it.
Re: (Score:2)
An unpatched version of Windows, with local admin rights?
Re: (Score:2)
"required a "common database" for communication"? In 1999? So Microsoft Access?
Re: (Score:2)
Only been exposed to one IT system at a medical facility - it was a thin-client, unix based thing, with not a single windows machine in sight. :)
It was also early 1990s, with dot-matrix printers and other goodies
Re: Maybe they shouldn't be using the largest... (Score:2)
Really so people still like using XP and IE 6 in 2016? Wow
Re: (Score:2)
Re: (Score:2)
They probably don't have a choice of OS. That is likely determined by their software vendor.
That merely shifts the blame. The software vendor was foolish for choosing that OS. Collective foolishness is still foolishness.
Re:Maybe they shouldn't be using the largest... (Score:5, Insightful)
They probably don't have a choice of OS. That is likely determined by their software vendor.
That merely shifts the blame. The software vendor was foolish for choosing that OS. Collective foolishness is still foolishness.
The problem isn't "the software vendor", it's "all the software vendors".
EMR is more frequently than not a SaaS application like PointClickCare. Have Browser, Will Travel. This is the height of "cross platform awesomeness". It's also basically the end of the highlights.
Prescription medication inventory and ordering software is a trainwreck, and even if that's ported to Linux, now you have to worry about some highly specific printers, some with MICR functionality, for which you'll need drivers.
Then, let's get into all the different gadgets in a hospital, from MRI machines to EKG logging to weight distribution sensors to X-ray machines to chiropractic thermal sensors to sonogram machines to things I simply haven't spent enough time in a hospital to recall. A nontrivial amount of these machines cost a solid six figures or more and require dedicated training in their use...and all have a highly vertical software stack that even flows into downstream situations (doctors don't exactly get 3D MRI scans in PDF formats...), and yes, there's frequently DRM involved.
There's also the billing office, which is the kind of place where drop-in replacement for the existing billing software *and* near-infinite accessibility of archived data is going to be a requirement. I wouldn't be surprised if more than a handful of hospitals are either still directly using an AS/400, or a frontend for one. To be fair, this is one place where a number of EMR vendors as well as separate cloud vendors have products, but incumbent data is going to be a major problem.
Remember how I said it wasn't "the vendor"? I wasn't kidding - it's *all the vendors*. If a hospital is going to switch to Linux, everything above has to be compatible. Tell a hospital they need to replace their three year old, $4 million MRI machine because it's not Linux compatible, and see how far that gets you. Conversely, the software developers who write the custom software to run that MRI machine aren't going to reinvent the wheel because one hospital says "pretty please", and even if half of those vendors *did* revamp their software for Linux *and* they managed to avoid situations like one company only supporting Red Hat while another company only supports Ubuntu...you'll still need to have Windows around for the other half.
Ultimately, it's a chicken-and-egg problem, because it requires far too much cooperation from far too many people at once to write some highly expensive software for a niche within a niche. Don't get me wrong, if Mark Shuttleworth wants to spend a billion or two to target a specific hospital and cover the bill to bootstrap the development of a fully HIPAA compliant Ubuntu software stack and ensure that there isn't a device, application, or workflow in that hospital that would require Windows, I'd be beyond thrilled. However, I'm not holding my breath on that.
Re: (Score:2, Interesting)
Medical imaging uses a networking standard called DICOM. Some equipment is running Windows, other Linux, some review stations Mac OS, etc...
Re: (Score:2)
This is total BS.
First off, not everything has to run Linux. Go look at the software running on your infuser pump; it's not Windows, nor is it Linux, it's some RTOS. Anything else would be criminally negligent. Your MRI machine doesn't need to run Linux (though it'd be nice), you just have to be able to communicate with it. What needs to run on Linux is the main infrastructure, patient records, billing, etc. Some scanner or whatever doesn't matter; if your MRI machine catches a virus and goes down, tha
Re: (Score:1)
The physical therapy department of every hospital large enough to have one would like to have a word with you.
Re: (Score:2)
Citation needed. Chiropractic is not physical therapy, it's an entirely different thing with different schools, and is not actual evidence-based medicine.
Re: (Score:1)
Re: (Score:2)
The whole field is a fraud, since it all depends on the idea of "subluxations" which are mystical BS. But apparently people like you are too stupid to understand basic science.
It doesn't help that most chiropractors buy into lots of other BS quack stuff like applied kinesiology, homeopathy, etc. But I guess morons like you believe in that stuff too, right?
Re: (Score:1)
Re: (Score:2)
You're completely clueless about the "science" behind the profession you promote. Try reading and getting educated:
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
Re: (Score:2)
Wow, what a fucking moron you are. You call a well-researched Wikipedia article on the profession "religious zealotry"? Who's the religious one?
Re:Maybe they shouldn't be using the largest... (Score:4, Interesting)
I do work in the business, we run my department completely on Mac and Linux, not only that but we have almost no proprietary software. All of our core software is open source with only a few things like certain visualization software that isn't.
The problem isn't choice, the problem is nobody cares that your hospital is a billion dollars over budget, government and insurance will pay for it. Another symptom is the "head count problem", a CIO is successful if it can reduce the amount of people working for it and as such its liability.
The reason everything is shifting to being outsourced is liability, if a contractor or a vendor screws up, the hospital doesn't have to notify anyone and the contracting company (a glorified shell company) in worst case can just change its name or cease operations, even better if your local laws don't apply to the contractor. Either way, nobody is held responsible or embarrassed.
Re: (Score:1)
Not only that, but some vendors simply don't want to test on multiple platforms. My hospital recently a year ago for an EMR system, and we got 1 single bid. We put in the tender document that the client software must work on Mac OS (via Safari) and linux (via firefox) as well as on Windows. However, as we got 1 bid
Re: Maybe they shouldn't be using the largest... (Score:2)
NIH still uses XP and IE 6.
I thought they did still pay MS for custom patches
better software is needed (Score:2)
they need to fix.
apps that need local admin to run
apps that have a fixed user login
apps that don't run after os updates
apps that only work with old IE vers
apps must have an open link to a 3rd party outside vendor to work.
Re: (Score:2)
It is so tedious hearing people trot out this rationale. If a majority of people switched to "a variant on Unix", it would then BECOME the "largest virus attack vector".
And don't kid yourself that your OS of choice is intrinsically more secure simply because it's not Windows.
Re: (Score:2)
Re: (Score:2)
And don't kid yourself that your OS of choice is intrinsically more secure simply because it's not Windows.
If you don't see a problem with letting the common user have administrative permissions, then perhaps you're not the best judge of security. Windows has made some big improvements here, but it's still got some issues. Don't kid yourself into believing that rarity is the only reason why Linux is safer.
Re: (Score:2)
Re: (Score:3)
Major incident caused by a "computer virus" (Score:5, Interesting)
Re:Major incident caused by a "computer virus" (Score:5, Interesting)
From what I've heard it's a ransomware variant. The NHS is virtually all-Microsoft.
I currently work in IT for an NHS trust. We've had several incidents involving ransomware encrypting files on shares but they've been contained and easily dealt with because 1) we have a highly granular file structure, users only have write access to shares and folders that is absolutely necessary and access is regularly audited. 2) a snapshotting file system which makes it a lot easier to recover files than restoring from tape. 3) by identifying the ownership of the encrypted files we can nail the culprit quickly and remove their access immediately to prevent further damage.
Anti Virus has proven to be useless, the people who write this stuff are always one step ahead of the AV vendors.
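The third point in the comment above, identifying who owns the encrypted files so that account's access can be pulled, sketched as an added example; it is not the commenter's or the trust's tooling. Assumptions: a file counts as suspect when its first 4 KiB is near-random and lacks a known compressed-format header, the 7.5 bits/byte threshold is a starting value, ownership is read as a POSIX uid (on a Windows file server the NTFS owner would be read instead), and the sample share and the owner names `asmith` and `bjones` are constructed.

```python
import math
import os
import random
import tempfile
from collections import Counter, defaultdict

# Headers of formats that are legitimately compressed: high entropy, but not
# ciphertext. Ransomware normally overwrites these bytes along with the rest.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"\x1f\x8b", b"%PDF")
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per share
SAMPLE_BYTES = 4096      # only the head of each file is read
MIN_BYTES = 1024         # below this the entropy estimate is too noisy

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def looks_encrypted(path: str) -> bool:
    """Heuristic: near-random content with no recognisable file header."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < MIN_BYTES or head.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD

def posix_owner(path: str) -> str:
    """Owner as a uid string (assumption: POSIX file server, not NTFS)."""
    return str(os.stat(path).st_uid)

def triage(root: str, since: float = 0.0, owner_of=posix_owner) -> dict:
    """Map owner -> sorted suspect files under root modified at or after `since`."""
    hits = defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getmtime(path) >= since and looks_encrypted(path):
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    hits[owner_of(path)].append(rel)
            except OSError:
                continue  # unreadable or removed mid-scan
    return {owner: sorted(paths) for owner, paths in hits.items()}

def demo() -> dict:
    """Run the triage over a constructed share with constructed owners."""
    rng = random.Random(0)
    def noise() -> bytes:  # stand-in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
    files = {  # relative path -> (content, constructed owner)
        "wards/rota.txt": (b"Mon early shift\n" * 300, "asmith"),
        "wards/rota.docx": (noise(), "asmith"),
        "finance/q3.xlsx": (noise(), "asmith"),
        "finance/scan.png": (b"\x89PNG\r\n\x1a\n" + noise(), "bjones"),
        "finance/notes.txt": (b"invoice 1001 paid\n" * 300, "bjones"),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, _owner) in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        def owner_of(path: str) -> str:
            return files[os.path.relpath(path, root).replace(os.sep, "/")][1]
        return triage(root, owner_of=owner_of)

if __name__ == "__main__":
    print(demo())
```

A single owner holding every hit points at the account whose write access to cut first; passing the start of the incident as `since` keeps older archives out of the result.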
Re: (Score:2)
So was that trust hit somewhere critical, or was the shutdown just to stop it spreading?
Re: (Score:2)
What filesystem do you use? I would like to know what snap-shotting filesystem you use that serves Windows systems.
IT Admin wanted... (Score:5, Informative)
Re: (Score:2)
Re: IT Admin wanted... (Score:2)
Boy it seems we cannot find any qualified candidates!
I wonder where we can find top talent at the given price point??!
pay for your own background check as well (Score:2)
pay for your own background check as well.
wow that is as bad as this one Data Center that after having a robbery wanted to pay an armed guard near mini wage with bring your own gun being a big plus.
Re: (Score:3)
Some people are criminals, what else is new? If only people weren't thieves, I wouldn't need locks on my door. Computer virus propagation on corporate networks is simple negligence, there is no reason after nearly 40 years of viruses that an entire system can be brought down with a simple criminal act.
This is similar to someone cutting the power or water supply to a hospital and for some reason we have thought about and funded all THOSE failure modes but lo and behold the magic computing devices, they have
Re: (Score:2)
I'm not very good at geography. Tell me, which state are Lincolnshire and Goole in?
Re:Betcha they still run Windows XP (Score:5, Funny)
Tell me, which state are Lincolnshire and Goole in?
Mostly solid, with some liquid and gaseous thrown in.
Oh, and confusion and frustration as well.
Such a sad state.
Strat
Re: (Score:2)
Re:Betcha they still run Windows XP (Score:4, Informative)
Do all network based systems need the Internet? (Score:3)
Oh Great. (Score:2)
Almost sounds like an actual virus attack (Score:2)
Replace "computer virus" with "virus" and "network shut-down" with "quarantine" and you get a nice scenario just a few days late for Halloween.
Maybe we could add a few zombies [wikipedia.org] to spice things up.
Rely on technology too much (Score:1)
After a recent experience myself I can say for sure that hospitals are not prepared for an attack on their technology. For one, I don't think many working the devices know much about securing them. When they break or fail to work they just set them aside until someone comes from the company or service company. I saw a lot of internal systems running older Windows and probably not completely protected or updated. It's a ticking time bomb that nobody is addressing.
Computer virus? Or Windows virus? (Score:5, Interesting)
Re: (Score:2)
They aren't hiding it. They're just not mentioning it because it's not newsworthy.
It would be like reporting that it rained and you're asking why they didn't say if it rained water.
If it wasn't water, they would have made a big deal out of it.
Re: (Score:1)
"Man Bites Dog" is news. "Windows gets Malware" is not news.
I wince every time I go to a medical facility. (Score:1)
This will not be fixed..... (Score:1)
I spent 20 years with 911/999/etc and that is the motto there also.
So until some important lorrie/torrie/libdem/publican't loses a parent/spouse/child to hacking....it will not be fixed.
Until then install VirtualBox and with a VM for SolydK.
Been using for 3 years with no problems in auto-updates.
Developers came from Debian.
Economies of scale versus anti-fragility (Score:1)
With increased size come economies of scale. Or at least, the possibility of economies of scale.
With increased size come outages or destruction which affect larger numbers of people. Or at least the possibility of such outages or destruction.
Barings Bank comes to mind.
So does Nassim Nicholas Taleb's anti-fragility.
Re: (Score:2)