
Ransomware Hits Hundreds of Dentist Offices in the US (zdnet.com) 76

Hundreds of dental practice offices in the US have had their computers infected with ransomware this week, ZDNet reported Thursday. From a report: The incident is another case of a ransomware gang compromising a software provider and using its product to deploy ransomware on customers' systems. In this case, the software providers are The Digital Dental Record and PerCSoft, two Wisconsin-based companies who collaborated on DDS Safe, a medical records retention and backup solution advertised to dental practice offices in the US. Over the last weekend, a hacker group breached the infrastructure behind this software, and used it to deploy the REvil (Sodinokibi) ransomware on computers at hundreds of dentist offices across the US. The security breach came to light on Monday, when dentists returned to work, only to find out they couldn't access any patient information. A source impacted by the ransomware tells ZDNet that the two companies opted to pay the ransom demand. The Digital Dental Record and PerCSoft have been sharing a decrypter with impacted dental offices since Monday, helping companies recover encrypted files.
  • by Fly Swatter ( 30498 ) on Thursday August 29, 2019 @01:34PM (#59137876) Homepage
    Funding continued criminals and terrorism, there ought to be a law or something...
    • Yeah well, until proper backups are made, on and off site, there isn't a lot of choice. Business is business.

    • by gweihir ( 88907 )

      Well, in any case, this should come with a huge cost to them. The reason that attack was possible is that they were too greedy and did not invest into adequate IT security. I would say, estimate what decent security would have cost them, then fine them 3x that much and require them to fix their infrastructure. Then yearly independent audits for 10 years and if they do this crap again, repeat the fine.

      And yes, paying for this should be a federal crime.

      • by BitterOak ( 537666 ) on Thursday August 29, 2019 @03:07PM (#59138296)

        then fine them 3x that much and require them to fix their infrastructure.

        Fine them, for being victims of a crime??? So if you don't invest in adequate security for your house, buying cheap locks for your doors, and someone breaks in while you're away and steals your stuff, then in addition to losing your possessions, you should be fined as well? After all, the burglars could sell the stuff they stole from you and use the proceeds to expand their criminal organization!

        • False equivalence. In your fake scenario, the victim does not then fund additional terrorism out of their own pocket in a vain attempt to get their shit back.

        • Fine them, for being victims of a crime???

          No, fine them for being grossly negligent and funding crime. Then require them to pay the dentist offices their full ongoing operating costs until the dental offices have rebuilt their databases (probably from scratch) and are whole again.

          Do that one or twice, and I think they would resolve their security issues.

          • by gweihir ( 88907 )

            No, fine them for being grossly negligent and funding crime.

            Exactly. They are not victims. They are perpetrators. Gross negligence is pretty much the same as intent here.

        • by bjwest ( 14070 )
          When you buy cheap locks and allow someone to easily break into your house, you're not also allowing them to break into the entire neighborhood. The better analogy would be a bank buying cheap locks for the vault and safety deposit boxes, allowing a burglar to break into the vault and steal everyone's shit. You're damn right the bank is at fault there, and should be fined out the ass for that.
    • by atrex ( 4811433 )
      There does seem to be some criminal negligence going on at this company, considering that TFA cites this as the third time their software has been compromised, but narking them for paying the ransom demand is a bit harsh. They have an obligation to their customers to get their data back as quickly and completely as possible, considering that they failed in their obligation to their customers to safeguard their data properly in the first place.

      The Feds are certainly welcome to open an investigation in
      • You think falling for this a third time in a row isn't proof enough? Consider how much cheaper some spare hard drives for backups would have been the first and second times.

        • Therein lies the problem (fraud?). DDS Safe is endorsed by the ADA, but apparently they aren't really taking secure onsite and offsite backups as promised. Otherwise they would have just restored from the backup images. Also, everyone touting "just copy to an external hard drive and disconnect" doesn't understand the amount of data or the time that solution will take for a dental office that has digital X-rays, 3D pans, etc., and you can't have enough hard drives to rotate through to protect yourself.
  • Or you will never get your information back.
  • The Cloud (Score:5, Insightful)

    by fluffernutter ( 1411889 ) on Thursday August 29, 2019 @01:37PM (#59137900)
    Dentists were never hacked en masse before they used cloud services. Here is a reminder why it may be bad to use one; you become part of a bigger target.
    • I would think that this is more of a cautionary tale for managed service providers.

      The Dental offices aren't on the hook. Actually, this is why dentists pay someone else to take care of things.

      • by Anonymous Coward
        Well, if they lost their patients' files and can't get them back soon enough then the dentists are definitely on the hook.
        • by AHuxley ( 892839 )
          AC how about a paper file? Off site digital backup?
          Some sort of encrypted file at the end of every shift that's not fully networked/on the cloud?
    • Dentists were never hacked en masse before they used cloud services. Here is a reminder why it may be bad to use one; you become part of a bigger target.

      Cloud services seem to be enabling this burst of criminality, not suppressing it. You're collecting the high-value data of clients online where there are more attack vectors to compromise that data. Online = At Risk, and More Convenience = Less Security. Every time. So I'm getting tired of hearing all these pitches about how "The Cloud" is the answer to our security problems. We keep forgetting that the Cloud isn't this magic thing, it's just a slick marketing term for "someone's servers".

    • Dentists were never hacked en masse before they used cloud services. Here is a reminder why it may be bad to use one; you become part of a bigger target.

      Dentists were never hacked when they had all their records on paper.

      Dentists were never hacked before people/insurance started paying to unencrypt files.

      The cloud has about as much to do with this as the tooth fairy.

      They were targeted because they are not secure and because they have lots of records that they need to do business. Patient history, x-ray imagines, etc.

      It doesn't take a "cloud" to look-up easy targets. Small local governments, and now apparently dentists have been added to the list.

      Sounds lik

      • they have lots of records that they need to do business. Patient history, x-ray imagines, etc.

        Indeed. My dentist looks at my x-rays and then imagines that I need all sorts of work that isn't actually necessary.

        But to be fair, he does have boat payments to make.

    • by jetkust ( 596906 )

      Dentists were never hacked en masse before they used cloud services. Here is a reminder why it may be bad to use one; you become part of a bigger target.

      What do cloud services have to do with this story? If anything, cloud services would have prevented loss of data. They got hacked because their security got breached, nothing to do with any cloud.

    • Yep... cloud hosted is a bigger and bigger target. I'm calling inside job with the devs, but that's just pure speculation.

      And the dentists are not functioning for days waiting for stuff to come back up??? This is why you hire someone, even if just part time consulting, in the IT world to help you out. If you hire someone you can trust, you'd have backups at least.

    • by gweihir ( 88907 )

      What I told my dentist when he asked me several years ago: Stay with the paper-based system, because every educated person can understand and master that.

  • Dentists / Doctors are dumb with IT, and some of their software needs things like local admin. In the past some of it was stuck on XP.

    They are also independent, so they have to do their own IT work or outsource it as well.

    • by LostMyAccount ( 5587552 ) on Thursday August 29, 2019 @01:52PM (#59137960)

      I've worked with dentists and orthodontists and they're some of the worst clients.

      They have all the arrogance of "I'm a doctor", plus it's amped up because they have a chip on their shoulders about not being *real* doctors. Some added amplification for orthodontists for their specialty status and further gap from any actual medical practice besides braces.

      Worse yet, they're all penny pinchers as bad or worse than most any other small business owner. Never want to pay for any desperately needed upgrades, the server is always jammed into the worst location. The "high tech" ones want PCs in every patient treatment area, but have cabinetry/facilities from the 1970s with no room/no power/no networking.

      They also have the worst vertical market software. I haven't dealt with this Wisconsin outfit mentioned here, but I've dealt with others and they're all based in some weird rural place and their software sucks. Bad compatibility, bad support, slow, just awful. I'm sure the dentists all buy this stuff based on whoever has the lowest cost products.

      And from a support perspective, they're often open weird hours, and want you to do upgrades in tiny windows when there's some office manager there, but no patients, and there's little flexibility about this -- because it would mean paying the $12/hr office manager extra money to be there, probably, I guess so I don't huff on nitrous oxide or steal dental floss.

      • You forgot the fact that they're trying to run the clinic on a Chevy budget while they drive Mercedes'.
        • They're like every other small business guy. They don't think about the business, they just think of it as a cash machine.

          I suppose one thing that impacts this is how fucking capital intensive a dentist office is in terms of equipment, tools and even stuff like insurance.

          And I suppose your dentists under about 50 are buried in student loans and probably even the buy-in to get a chunk of a practice or the capex expenditure to get the place off the ground.

      • by jellomizer ( 103300 ) on Thursday August 29, 2019 @02:24PM (#59138098)

        Of course you can use their arrogance against them to get what you want. I will often play dumb with doctors; I know what I want to do, but they want to come up with the solution. So I give them data all pointing to what I want to do, while I act like there are many good options available. When they start straying, I'll happen to find some more information to put them back into making the conclusion I already made.

        That way they feel they had made this big decision, while you guided them all the way there.

        If you are a vendor, try to be first; that way your product is stuck in their head as the baseline.
        With options, give them your best option first.

      • by sconeu ( 64226 )

        Yeah, the vertical stuff sucks. Seriously. My SO is an orthodontist, and she can't even use 3rd party payment systems, because the vendor refuses to integrate with them.

    • Doctors in general (MD, Dentists, Professors, ...) have an ego problem that makes it really bad for their IT infrastructure.
      Good IT in general doesn't require brain power per se, but experience. Advanced degrees usually create a focus on a particular area; however, with Dr in front of your name, society treats you like a smart person who is expected to know the answer, even in areas in which you have no experience.
      What is worse is we all fall for this, and actually believe that we are smarter than

    • Dentists / Doctors are dumb with IT, and some of their software needs things like local admin. In the past some of it was stuck on XP.

      They are also independent, so they have to do their own IT work or outsource it as well.

      If you're dumb with IT, outsourcing makes sense. It's not unreasonable, but a little naive, to assume that your IT provider is taking care of security and data recovery.

    • Came here to say this, the medical profession sees IT as a bothersome and wholly unnecessary expense and will neglect everything to within an inch of its life (on top of the common problem of equipment interface software being a total shitshow), so rampant ransomware infections don't surprise me in the slightest. Serves 'em right I say, maybe having to defer the purchase of that nice supercar they were looking at will teach them the value of maintaining their IT systems.

  • by hcs_$reboot ( 1536101 ) on Thursday August 29, 2019 @01:42PM (#59137924)
    1) "a medical records retention and backup solution" Where are the backups?

    2) Operating Systems? What are the affected OSes and how were they hacked?
  • by sinij ( 911942 ) on Thursday August 29, 2019 @01:49PM (#59137948)
    Someone going to get drilled for this...
    • by Anonymous Coward

      Who are you? Jimmy TwoTimes?

  • by chuckugly ( 2030942 ) on Thursday August 29, 2019 @02:07PM (#59138016)
    "You may feel a little pinch" - I've always wanted to say that to a dentist.
  • Urgent Memo from the IT department:

    To: All Employees

    Please stop downloading porn at work on our computers. You are causing lots of problems. All of you.

    Thanks.
    IT

  • Or perhaps it will.

  • by ctilsie242 ( 4841247 ) on Thursday August 29, 2019 @02:28PM (#59138122)

    One orthodontist I went to was still using 3270 terminals (yes, true IBM 3270 terminals with the little switches and red LED lights around it, and Medeco keylocks where the secretary took the key home with her). The mainframe communication went via a dedicated serial line to another city. This setup has been working the same way since the 1970s.

    Sometimes it makes me wonder if going back to the mainframe may not be such a bad idea after all. The 3270 terminal doesn't use the Internet for anything, unless the telco routes traffic via a link, and someone trying to get in would need access at that physical site, and be able to guess the password (which changes monthly) in three tries, otherwise the terminal and account are locked until someone calls in and has it reset. Even the physical terminal has a physical key to it, so someone would have to either pick the Medeco cam lock, or crack the case and jumper it.

    The graphics are nonexistent, but the terminal is extremely responsive, so once someone gets used to the key sequences, they can go through transactions extremely quickly.

    Wish IBM would price the iSeries machines at a reasonable level that businesses can afford. With all the ransomware going on, having something based on a secure stack might be useful.

    • iSeries isn't mainframe, though. It's the midrange formerly known as AS/400. Many places will call their midrange (Unix box or iSeries) "the mainframe", but it isn't.

      An actual mainframe, the z-series, would be very expensive. As in over a million dollars for initial hardware capital cost, then another million each year for software plus hardware maintenance. That's for places with a few thousand apps and/or tens of thousands or more users.

      • Agreed. iSeries is POWER. It does a great job at limiting what hanky-panky happens at the endpoints.

        I should have been more specific, since this orthodontist uses a mainframe, but an i-Series would be an upgrade, provided it is locked away and only people who know what they are doing be allowed in... everyone else gets a terminal.

        • It's claimed that mainframe apps and virtual machines can be locked down tighter than an iSeries (or any other midrange or big iron Unix), though.

    • Do you really think that the serial link is authenticated properly? I'm sure some social engineering could get the telco to reroute the traffic to a man in the middle. The only security here is that the target is too small and complicated to be worth attacking.
      • Yes, there are ways to attack the connection, and serial has its items, but most successful compromises are at the endpoints. By going back to terminals, it limits the damage users can do, and an attacker would have to go after the telco or the mainframe provider to be successful.

  • If you pay, this will keep happening.

    That is all.

  • Can you trust the data once it's unlocked? How do you know they didn't do other things to the data, like make subtle changes to dosage amounts, etc., something that most human eyes won't pick up on but that can kill the patient?

    I would consider the data to be forever contaminated, and see fit to wipe and restore from an earlier (non-contaminated) backup. Your organization does back up their drives on a regular basis and keep paper copies of all patients' info, right?
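The question raised in the comment above, whether records handed back by a decrypter can be trusted, is one a defender can answer mechanically rather than by eyeballing charts. The following is an added example, not code from the page, from DDS Safe or from any vendor named in the story. It assumes a directory tree of record files and a secret key that is kept offline (on media that is disconnected during normal operation), so that whoever can alter the records cannot also recompute a valid manifest; a plain hash list stored next to the data would not give that guarantee. The file names, dosages and key below are constructed for the demo.

```python
"""Keyed integrity manifest for a record set.

Take a manifest of every file while the data is known-good, keep the manifest and
key offline, and after any recovery compare the restored tree against it. Files
whose contents changed, files that vanished and files that appeared are reported
separately, so a silently edited dosage stands out even if the file still opens.
Added example; assumes the key is stored offline (constructed here for the demo).
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def file_tag(path, key):
    """HMAC-SHA256 over the file contents, streamed so large X-ray files fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root, key):
    """Map every regular file under root (relative POSIX path) to its keyed tag."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = file_tag(path, key)
    return manifest


def verify_manifest(root, key, manifest):
    """Compare the tree under root against a manifest taken earlier.

    Returns sorted lists of files whose contents changed, files that are gone,
    and files that were not in the snapshot. Without the key, an attacker who
    edits a record cannot forge a tag that matches the stored manifest.
    """
    current = build_manifest(root, key)
    modified = [p for p in manifest
                if p in current and not hmac.compare_digest(current[p], manifest[p])]
    missing = [p for p in manifest if p not in current]
    added = [p for p in current if p not in manifest]
    return {"modified": sorted(modified), "missing": sorted(missing), "added": sorted(added)}


def demo():
    """Constructed scenario: snapshot, then a subtle edit, a deletion and a stray file."""
    key = b"constructed-demo-key-keep-the-real-one-offline"  # demo value only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patients" / "0001").mkdir(parents=True)
        (root / "patients" / "0002").mkdir(parents=True)
        (root / "patients" / "0001" / "prescription.txt").write_text("amoxicillin 500 mg q8h\n")
        (root / "patients" / "0002" / "prescription.txt").write_text("ibuprofen 400 mg q6h\n")
        (root / "patients" / "0002" / "xray.bin").write_bytes(os.urandom(1024))

        manifest = build_manifest(root, key)  # taken before the incident, stored offline

        # After "recovery": one dosage silently changed (500 -> 5000), one file dropped,
        # one unexpected file present. None of this is visible from file names alone.
        (root / "patients" / "0001" / "prescription.txt").write_text("amoxicillin 5000 mg q8h\n")
        (root / "patients" / "0002" / "xray.bin").unlink()
        (root / "patients" / "0002" / "notes.txt").write_text("added after the fact\n")

        return verify_manifest(root, key, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest is only as trustworthy as its storage: it must be taken before the incident and kept where the same compromise cannot reach it, which is the same discipline the thread keeps asking for with backups. Any file that lands in the `modified` list should be restored from the pre-incident backup rather than kept, however plausible it looks.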

  • My dentist keeps paper records in folders behind the front desk
