Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Security Medicine United Kingdom

Computer Virus Attack Forces Hospitals To Cancel Operations, Shut Down Systems (zdnet.com) 127

A hospital system in the United Kingdom has canceled all planned operations and diverted major trauma cases to neighboring facilities citing a computer virus outbreak. From a report on ZDNet: The Northern Lincolnshire and Goole NHS Foundation Trust says a "major incident" has been caused by a "computer virus" which infected its electronic systems on Sunday. As a result of the attack, the hospital has taken the decision to shut down the majority of its computer networks in order to combat the virus. "A virus infected our electronic systems [on Sunday] and we have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," said Dr Karen Dunderdale, the trust's deputy chief executive. The use of a shared IT system also means the United Lincolnshire Hospitals Trust has been taken offline as staff attempt to combat the attack. As a result of the attack, all outpatient appointments and diagnostic procedures that were set to take place at the infected hospitals on Monday and Tuesday have been canceled, while medical emergencies involving major trauma and women in high-risk labor are being diverted to neighboring hospitals.
This discussion has been archived. No new comments can be posted.

Computer Virus Attack Forces Hospitals To Cancel Operations, Shut Down Systems

Comments Filter:
  • by cayenne8 ( 626475 ) on Wednesday November 02, 2016 @05:30PM (#53202039) Homepage Journal
    Did everyone suddenly forget how to use pen and paper for records?

    Do they not have paper they can write on till the computer system is back up and then retroactively enter the data in?

    Seriously, it wasn't that long ago that it was ALL paper records and charts....surely people can still write and notate on paper till the computer system comes up.

    If not, then we all SERIOUSLY need to reconsider having only electronic records for medical treatment, or a few hackers could really kill people...literally.

    • But they'd then have to issue several copies of the same records/data/requests to forward them to various departments of the hospital. People would be loathe to writing the same thing down several times, and I'm suspecting that they no longer use carbon paper. So using hand written instructions would be out of the question
      • by SeaFox ( 739806 ) on Wednesday November 02, 2016 @05:39PM (#53202119)

        But they'd then have to issue several copies of the same records/data/requests to forward them to various departments of the hospital. People would be loathe to writing the same thing down several times, and I'm suspecting that they no longer use carbon paper. So using hand written instructions would be out of the question

        If only there was some sort of machine that made a photo-perfect copy of the writing and illustrations on paper...

      • by DarkOx ( 621550 ) on Wednesday November 02, 2016 @06:07PM (#53202277) Journal

        Its one thing for your local Applebees to bust out the hand held check pad for the evening if the computers are down.

        The worst that happens is someone screws up and few meals have to get comped, maybe some supplies don't get reordered etc. As long as they get it mostly right things will be fine.

        Its different in a Hospital, mostly right is often not only not good enough but deadly. You don't want staff suddenly using a fall back procedure they have comparatively little training and practice with! If its an emergency and you have a triage situation because of a disaster that is one thing, but you would be foolish to do anything that is elective or can be safely postponed.

        • by ColdWetDog ( 752185 ) on Wednesday November 02, 2016 @06:33PM (#53202385) Homepage

          While everyone has paper fall back systems in place, they're rarely, if ever, tested because you've then just given everyone double the work load for some period of time. Always a winner when it comes to employee satisfaction.

          Also, computers are increasingly used as decision support tools. Yes, you could, theoretically, put that logic flow down on paper. In fact, that would be a useful exercise to do so you could step through everything. No, people aren't going to go do that (see above).

          Especially in medicine, hospital systems are going to have to rethink their networks. It really can't be a standard Windows business-class 'works most of the time to some degree' type thing. It must be more along the line of a bank or Amazon - high availability, high security, fail over capability. You really shouldn't be able to, for example, hang around on Slashdot on the hospital network.

          Oh. Wait.

          • Especially in medicine, hospital systems are going to have to rethink their networks. It really can't be a standard Windows business-class 'works most of the time to some degree' type thing.

            Exactly. They brought this on themselves by using Windows. The IT director should be fired.

            • Yeah, because we all know that Linux is immune to hacks, exploits and worms....

              Even if this was somehow a failing of Windows (which it most likely isn't), how far is an IT director going to get pushing an OS that is incompatible with the hospital's software applications (accounting systems, patient records, etc, etc)?

              Now, that isn't to say that there aren't grounds for this IT director's dismissal. It could turn out that they were negligent and weren't keeping up with updates or using security best practice

        • I would be willing to bet that the intrusion will be traced back to a phishing e-mail or some other social engineering tactic.

          If computers are so important, then computer training and procedures should be top priority.

          Clearly, they cannot fulfill their primary purpose without them, so why aren't people trained properly to use them?

    • Many hospitals are going to a paperless document management system for storing records. The only people who might be using pen and paper are doctors with a prescription pad, which has to be scan into the system and transmitted to the pharmacy department..

      • by rtb61 ( 674572 )

        So basically next time there is a major solar flare that will impact the earth, hmm, everyone on that side of the planet in hospital basically dies, hmm, sounds like a plan.

        Reality is all essential services managed by government should maintain manual pen and paper systems as backup. Those pen and paper system put the computer systems in place and when computer systems and the cloud goes down in a catastrophe, what the fuck happens when there is no pen and paper system to get them back up again. You coul

        • So basically next time there is a major solar flare that will impact the earth, hmm, everyone on that side of the planet in hospital basically dies, hmm, sounds like a plan.

          The electrical grid in the US will probably go offline in a significant solar storm or EMP attack. Only military installations are hardened against such events. The utility companies are aware of this problem but they want the federal government to pick up the tab for upgrading the grid.

          How many hours before it all collapses, make it past the first 24 maybe, how about after 72 not so pretty outcome and any longer and people will start dying in significant numbers.

          Hurricane Katrina was a good example of that.

          • by rtb61 ( 674572 )

            People tend to forget how durable manual systems are. The minds of people, pencil, paper and ruler and you can organise anything. All digital and a major failure becomes a completely unnecessary catastrophe, quite foolish.

    • by Anonymous Coward

      It's just like the army. If all their tanks and guns broke down you'd think some of them would know how to use spears.

    • Did everyone suddenly forget how to use pen and paper for records?

      Not sure if they forgot how, but it seems someone forgot why they got rid of them in the first place. That's if "he" actually know in the first place.

      Do you think they kept a load of clerks waiting in the wings, just on the off-chance? After all, businesses have a tea-chest in the basement full of lever operated adding machines packed in grease don't they?

    • by Jeremi ( 14640 )

      Did everyone suddenly forget how to use pen and paper for records?

      Not at all. Everyone forgot gradually, over the course of many years of always doing everything via computer.

    • Did everyone suddenly forget how to use pen and paper for records?

      Do they not have paper they can write on till the computer system is back up and then retroactively enter the data in?

      Paper and pen records started being replaced as far back as the '60 (when my father, an administrator in a major hospital, replaced hand-copying the patients' name and medical record number onto each form - using up more of the nurses' time than actually caring for the patient - with imprinting this info using a credit-card-st

    • by Aaden42 ( 198257 )

      They can write all they want until the system comes back up, but that doesn't give them access to patient history that's been taken electronically for years now. It's all well & good to write down what happened today & data enter it later.

      Today patient died because past drug allergy information was unavailable in offline computer system.

      Yeah... Not so good... Not undertaking non-emergent care (and diverting emergent care to another near-by facility) is by far the safest choice when medical history

    • Any competent hospital knows to have emergency processes ready to stand in in the event of a power outage, natural disaster, or even a labor action.

      I'm glad I don't do this work any more. Imagine having to explain to your business administrators that you need to firewall your internal departments from one another, that you cannot allow users to send or receive certain email content, that you must not permit sharing between certain critical functional units, that HIPAA in the US requires you to lock down dat

    • Did everyone suddenly forget how to use pen and paper for records?

      Do they not have paper they can write on till the computer system is back up and then retroactively enter the data in?

      Seriously, it wasn't that long ago that it was ALL paper records and charts....surely people can still write and notate on paper till the computer system comes up.

      If not, then we all SERIOUSLY need to reconsider having only electronic records for medical treatment, or a few hackers could really kill people...literally.

      With automation, pen and pencil have disappeared. Recall, schools do not teach recursive writing. And the advantage of electronic systems is sharing. Two hospitals can share xrays, mri info etc.

      • Recall, schools do not teach recursive writing.

        That's because if they taught recursive writing they'd have to teach recursive writing.

  • by mark-t ( 151149 ) <markt@NoSPaM.nerdflat.com> on Wednesday November 02, 2016 @05:38PM (#53202109) Journal
    ... virus attack vector in the first place. While I realize that no OS is immune to viruses, it seems that switching to an OS that isn't as widely targeted should at least substantially reduce the likelihood they would be susceptible... and as most of the alternatives are a variant on Unix, usually have enough restrictions on what users are allowed to do that no one end-user with normal privileges can render the system unusable for anyone else.
    • They don't say, but we all know it is an MS-Windows based system.... probably clients and servers.

    • by Anonymous Coward
      They probably don't have a choice of OS. That is likely determined by their software vendor. (I'm guessing you don't work in health care; the choices are very limited.)
      • by haruchai ( 17472 )

        I worked in healthcare IT - it's not "limited choice", it's the same end-user laziness that keeps people on Windows.

        • by Mashiki ( 184564 ) <mashikiNO@SPAMgmail.com> on Wednesday November 02, 2016 @06:59PM (#53202517) Homepage

          Don't know what company you worked for, or who you were forced with. But I've done several big installations of new healthcare hardware and software(hospitals and dr's offices) . They all required Windows because the company that made the software, which was required to communicate with provincial offices for billing required a "common database" for communication. That's the way it was in 1999 in my first job doing it, and that's the way it was on the last healthcare job I did ~3 years ago. So depending on where you are, it can indeed be "limited choice" and you can enjoy all the fuckedupness that goes along with it.

          • by Ichijo ( 607641 )

            But I've done several big installations of new healthcare hardware and software(hospitals and dr's offices) . They all required Windows

            An unpatched version of Windows, with local admin rights?

          • by haruchai ( 17472 )

            "required a "common database" for communication"? In 1999? So Microsoft Access?

          • by GNious ( 953874 )

            Only been exposed to one It system at a medical facility - it was a thin-client, unix based thing, with not a single windows machine in sight.
            It was also early 1990'ies, with dot-matrix printers and other goodies :)

        • Really so people still like using XP and IE 6 in 2016? Wow

          • There are medical devices that are just some machine attached to a WinXP PC with a special software (Windows only). The same goes for industrial automation, there are industrial controllers made of a cheap SOC with Windows CE 5.0 (!) in 2016 (!!).
      • They probably don't have a choice of OS. That is likely determined by their software vendor.

        That merely shifts the blame. The software vendor was foolish for choosing that OS. Collective foolishness is still foolishness.

        • by Voyager529 ( 1363959 ) <voyager529@ya h o o.com> on Wednesday November 02, 2016 @07:28PM (#53202627)

          They probably don't have a choice of OS. That is likely determined by their software vendor.

          That merely shifts the blame. The software vendor was foolish for choosing that OS. Collective foolishness is still foolishness.

          The problem isn't "the software vendor", it's "all the software vendors".

          EMR is more frequently than not a SaaS application like PointClickCare. Have Browser, Will Travel. This is the height of "cross platform awesomeness". It's also basically the end of the highlights.

          Prescription medication inventory and ordering software is a trainwreck, and even if that's ported to Linux, now you have to worry about some highly specific printers, some with MICR funcitonality, for which you'll need drivers.

          Then, let's get into all the different gadgets in a hospital, from MRI machines to EKG logging to weight distribution sensors to X-ray machines to chiropractic thermal sensors to sonogram machines to things I simply haven't spent enough time in a hospital to recall. A nontrivial amount of these machines cost a solid six figures or more and require dedicated training in their use...and all have a highly vertical software stack that even flows into downstream situations (doctors don't exactly get 3D MRI scans in PDF formats...), and yes, there's frequently DRM involved.

          There's also the billing office, which is the kind of place where drop-in replacement for the existing billing software *and* near-infinite accessibility of archived data is going to be a requirement. I wouldn't be surprised if more than a handful of hospitals are either still directly using an AS/400, or a frontend for one. To be fair, this is one place where a number of EMR vendors as well as separate cloud vendors have products, but incumbent data is going to be a major problem.

          Remember how I said it wasn't "the vendor"? I wasn't kidding - it's *all the vendors*. If a hospital is going to switch to Linux, everything above has to be compatible. Tell a hospital they need to replace their three year old, $4 million MRI machine because it's not Linux compatible, and see how far that gets you. Conversely, the software developers who write the custom software to run that MRI machine aren't going to reinvent the wheel because one hospital says "pretty please", and even if half of those vendors *did* revamp their software for Linux *and* they managed to avoid situations like one company only supporting Red Hat while another company only supports Ubuntu...you'll still need to have Windows around for the other half.

          Ultimately, it's a chicken-and-egg problem, because it requires far too much cooperation from far too many people at once to write some highly expensive software for a niche within a niche. Don't get me wrong, if Mark Shuttleworth wants to spend a billion or two to target a specific hospital and cover the bill to bootstrap the development of a fully HIPPA compliant Ubuntu software stack and ensure that there isn't a device, application, or workflow in that hospital that would require Windows, I'd be beyond thrilled. However, I'm not holding my breath on that.

          • Re: (Score:2, Interesting)

            by Anonymous Coward

            Medical imaging uses a networking standard called Dicom. Some equipment are running Windows, other Linux, some review stations Mac Os, etc...

          • This is total BS.

            First off, not everything has to run Linux. Go look at the software running on your infuser pump; it's not Windows, nor is it Linux, it's some RTOS. Anything else would be criminally negligent. Your MRI machine doesn't need to run Linux (though it'd be nice), you just have to be able to communicate with it. What needs to run on Linux is the main infrastructure, patient records, billing, etc. Some scanner or whatever doesn't matter; if your MRI machine catches a virus and goes down, tha

            • Chiropractic isn't real medicine, it's bullshit, and you won't find it in a real hospital.

              The physical therapy department of every hospital large enough to have one would like to have a word with you.

              • Citation needed. Chiropractic is not physical therapy, it's an entirely different thing with different schools, and is not actual evidence-based medicine.

                • No, you need citation. Physical therapy uses chiropractic techniques all the time. Just because there are frauds that exist within a field does not mean that the field itself is a fraud, but apparently there are people out there far too stupid to grasp this concept.
                  • The whole field is a fraud, since it all depends on the idea of "subluxations" which are mystical BS. But apparently people like you are too stupid to understand basic science.

                    It doesn't help that most chiropractors buy into lots of other BS quack stuff like applied kinesiology, homeopathy, etc. But I guess morons like you believe in that stuff too, right?

                    • I don't know what the fuck you are referring to as a chiropractor, but around here they manipulate the spine to relieve pressure on nerves and fix misalignment of vertebrae. I have not once seen a chiropractor who believes in the bullshit you are spouting off about. I suspect you are more than a just a bit on the delusional side.
                    • You're completely clueless about the "science" behind the profession you promote. Try reading and getting educated:

                      https://en.wikipedia.org/wiki/... [wikipedia.org]

                    • Wow, you're like a religious zealot waging a crusade against a profession you know nothing about. Well, at least I know where you are from now, because only a Brit could be that full of shit and still be that arrogant.
                    • Wow, what a fucking moron you are. You call a well-researched Wikipedia article on the profession "religious zealotry"? Who's the religious one?

      • by guruevi ( 827432 ) <`moc.stiucricve' `ta' `ive'> on Wednesday November 02, 2016 @06:47PM (#53202455) Homepage

        I do work in the business, we run my department completely on Mac and Linux, not only that but we have almost no proprietary software. All of our core software is open source with only a few things like certain visualization software that isn't.

        The problem isn't choice, the problem is nobody cares that your hospital is a billion dollars over budget, government and insurance will pay for it. Another symptom is the "head count problem", a CIO is successful if it can reduce the amount of people working for it and as such it's liability.

        The reason everything is shifting to being outsourced is liability, if a contractor or a vendor screws up, the hospital doesn't have to notify anyone and the contracting company (a glorified shell company) in worst case can just change it's name or cease operations, even better if your local laws don't apply to the contractor. Either way, nobody is held responsible or embarrassed.

      • by Anonymous Coward
        That's certainly the case. Most vendors only have software which runs on Windows. While increasingly, some is becoming web accessible, the vendors are still often insisting on windows backends.

        Not only that, but some vendors simply don't want to test on multiple platforms. My hospital recently a year ago for an EMR system, and we got 1 single bid. We put in the tender document that the client software must work on Mac OS (via Safari) and linux (via firefox) as well as on Windows. However, as we got 1 bid
    • It is so tedious hearing people trot out this rationale. If a majority of people switched to "a variant on Unix", it would then BECOME the "largest virus attack vector".

      And don't kid yourself that your OS of choice is intrinsically more secure simply because it's not Windows.

      • by mark-t ( 151149 )
        It's intrinsically more secure not because it's not windows, but because it's not built upon a paradigm where users without at least some system admin privileges can't do anything useful with the system.
      • And don't kid yourself that your OS of choice is intrinsically more secure simply because it's not Windows.

        If you don't see a problem with letting the common user have administrative permissions, then perhaps you're not the best judge of security. Windows has made some big improvements here, but it's still got some issues. Don't kid yourself into believing that rarity is the only reason why Linux is safer.

        • If your business gives ordinary users administrative permissions and they accidentally the whole system that's not really Microsoft's fault.
    • by houghi ( 78078 )

      Reminds me of when the "I Love Virus" hit our company and the rest of the world. Our IT department decided to close down the company. Meaning everybody, except IT staff had to leave the building and go home.
      What I did was launch the dualboot BeOS and others their Linux as we got a LOT of request from other companies regarding the virus.
      It took us all of 2 minutes to be operational again in some sort.

      We did the same when the authentication server went down and IT tried to blame it on the routers.

      So having mo

  • by khz6955 ( 4502517 ) on Wednesday November 02, 2016 @05:39PM (#53202115)
    What was the name of this "computer virus" and what was the name of the Operating System platform?
    • by leathered ( 780018 ) on Wednesday November 02, 2016 @07:32PM (#53202643)

      From what I've heard it's a ransomware variant. The NHS is virtually all-Microsoft.

      I currently work in IT for an NHS trust. We've had several incidents involving ransomware encrypting files on shares but they've been contained and easily dealt with because 1) we have a highly granular file structure, users only have write access to shares and folders that is absolutely necessary and access is regularly audited. 2) a snapshotting file system which makes it a lot easier to recover files than restoring from tape. 3) by identifying the ownership of the encrypted files we can nail the culprit quickly and remove their access immediately to prevent further damage.

      Anti Virus has proven to be useless, the people who write this stuff are always one step ahead of the AV vendors.

      • by Bongo ( 13261 )

        So was that trust hit somewhere critical, or was the shutdown just to stop it spreading?

      • by WallyL ( 4154209 )

        What filesystem do you use? I would like to know what snap-shotting filesystem you use that serves Windows systems.

  • IT Admin wanted... (Score:5, Informative)

    by dfsmith ( 960400 ) on Wednesday November 02, 2016 @05:55PM (#53202215) Homepage Journal
    They're currently posting an ad for an IT Admin (asset mgmt) at UKP 17k (~$20k/yr). Great advertising... any takers? http://jobs.nlg.nhs.uk/job/UK/... [nlg.nhs.uk]
  • by Streetlight ( 1102081 ) on Wednesday November 02, 2016 @06:39PM (#53202419) Journal
    I'm assuming the virus got into the hospital's record keeping data system through an Internet connection. This makes me wonder if every system in the hospital is connected to the public Internet, including life support systems such as ventilators, heart monitors, etc., and and other devices such as robotic surgery machines, analytical laboratory equipment, x-ray data analysis computers, and more. Every data storage and manipulation device does not need to be on the general public Internet. Imagine if a county's ICBM launch systems were connected to the public Internet. The mind boggles. Even if these many systems were not on the Internet, a black hat with access to a significant collection of important networked computers can still do damage. The Stuxnet compromise of the Iranian uranium enrichment centrifuges is a perfect example.
  • Operation's been canceled? Guess it's time to break out the wire snippers.
  • Replace "computer virus" with "virus" and "network shut-down" with "quarantine" and you get a nice scenario just a few days late for Halloween.
    Maybe we could add a few zombies [wikipedia.org] to spice things up.

  • by Anonymous Coward

    After a recent experience myself I can say for sure that hospitals are not prepared for a attack on their technology. For one, I don't think many working the devices know much about securing them. When they break or fail to work they just set them aside until someone comes from the company or service company. I saw a lot of internal systems running older Windows and probably not completely protected or updated. It's a ticking time bomb that nobody is addressing.

  • by troublemaker_23 ( 727868 ) on Wednesday November 02, 2016 @08:18PM (#53202857)
    Why does ZDNet always hide the fact that Windows is the operating system involved when viruses, worms, malware, scumware, ransomware etc are involved?
    • by SeaFox ( 739806 )

      They aren't hiding it. They're just not mentioning it because it's not newsworthy.
      It would be like reporting that it rained and you're asking why they didn't say if it rained water.
      If it wasn't water, they would have made a big deal out of it.

    • "Man Bites Dog" is news. "Windows gets Malware" is not news.

  • Here in Hobart, Tasmania, I wince every time I go to a medical facility because many of them are still using PCs running Windows XP. I have yet to see one running a currently supported version of Windows. I expect an event like the one reported in the article any day now.
  • ...until the right person dies.
    I spent 20 years with 911/999/etc and that is the motto there also.

    So until some important lorrie/torrie/libdem/publican't loses a parent/spouse/child to hacking....it will not be fixed.

    Until then install VirtualBox and with a VM for SolydK.
    Been using for 3 years with not problems in auto-updates.
    Developers came from Debian.
  • With increased size come economies of scale. Or at least,t he possibility of economies of scale.

    With increased size come outages or destruction which affect larger numbers of people. Or at least the possibility of such outages or destruction.

    Barings Bank comes to mind.

    So does Nassim Nicholas Taleb's anti-fragility.

Genius is ten percent inspiration and fifty percent capital gains.

Working...