Ransomware Forces 3 Hospitals To Turn Away All But the Most Critical Patients (arstechnica.com) 89
Ten hospitals -- three in Alabama and seven in Australia -- have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients, it was widely reported on Tuesday. Ars Technica reports: All three hospitals that make up the DCH Health System in Alabama were closed to new patients on Tuesday as officials there coped with an attack that paralyzed the health network's computer system. The hospitals -- DCH Regional Medical Center in Tuscaloosa, Northport Medical Center, and Fayette Medical Center -- are turning away "all but the most critical new patients" at the time this post was going live. Local ambulances were being instructed to take patients to other hospitals when possible. Patients coming to DCH emergency rooms faced the possibility of being transferred to another hospital once they were stabilized.
"A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment," DCH representatives wrote in a release. "Our hospitals have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available." At least seven hospitals in Australia, meanwhile, were also feeling the effects of a ransomware attack that struck on Monday. The hospitals in Gippsland and southwest Victoria said they were rescheduling some patient services as they responded to a "cyber health incident." According to news reports, hospital computer systems remained locked down at seven hospitals on Tuesday more than 24 hours after the attack struck. "An official said it would take weeks to secure and restore damaged networks," reports Ars Technica. "The official said there was no indication that patient records had been accessed."
Good time to be in infosec, I guess.. (Score:3)
Re:Good time to be in infosec, I guess.. (Score:4, Insightful)
Are you kidding? Hospital administration isn't qualified to hire infosec. They know it so they don't even try. Instead, they hire the type of bottom-of-the-barrel Windows admins (point-and-click mouse gurus) that need to make ends meet by spreading ransomware to their clients.
Re: (Score:1)
redneck hospitals can't afford them
Re: (Score:2)
Re: (Score:2)
Alabama has some of the best hospitals and research facilities in the country.
You're confusing equine veterinary services and hospitals.
Re: (Score:2)
Go ahead and laugh, but Alabama has some of the best hospitals and research facilities in the country.
Yes, but they're in Alabama.
Re: (Score:2)
Re: (Score:2)
Then die if you need them.
Forget it. Even my corpse wouldn't be caught dead in Alabama.
Re: Good time to be in infosec, I guess.. (Score:1)
Re:Good time to be in infosec, I guess.. (Score:4, Insightful)
Re: (Score:3)
Re: (Score:1)
What's wrong with running Windows XP and Windows CE? Both of those products have entered the "stability" phase of their lifecycle because the vendor (Microsoft) has stopped diddling with them. Just because the vendor no longer diddles with the software breaking it at every turn, does not mean that it is any less secure than the crap the vendor IS still diddling. In fact, the diddle-free stable software is immensely more reliable and easy to secure than the still-diddling-about versions.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Turning Away New Patients? (Score:5, Funny)
Re: (Score:1)
internet addiction and dependence (Score:4, Insightful)
Do hospital computers really even need to be connected to the internet? Air gap them and have IT staff install USB stick isolation software to prevent rogue software from being installed that way.
I have to sort of agree with the people who say that the ransomware epidemic is sort of a good thing. Eventually it has to force managers to take IT and computer security seriously.
In a work place environment vulnerable to ransomware probably only special Linux browser devices should have any internet connectivity whatsoever and even on air gapped computers Windows should only be used if Linux is just not an option for some reason. Linux should be the default. Not Windows.
It is unfortunate that the Linux world mostly ignores the idea that a computer might lack internet connectivity. It's a real blind spot in the software world in general where always connected computers are assumed. It will make Linux installation on an air gapped computer impractical. You'd probably have to connect to the internet at least during the initial install.
Re:internet addiction and dependence (Score:4, Insightful)
Do hospital computers really even need to be connected to the internet?
Hospital workers need access to patient files, need to upload results, access medical texts, etc. If this is all available on an intranet, extranet or the internet is debatable with 'the cloud' and 3rd party outsourcing.
Air gap them and have IT staff install USB stick isolation
Again. An X-Ray is taken, and the results are then sent from the machine to a technician work station for processing, then to a specialist to be reviewed and a report written, then sent to the referring doctor. This doesn't even count the actual IT Services involved.
USB stick isolation
This isn't the issue. Most of the time it is lack of downtime and patching. That X-Ray machine hasn't been turned off since it was installed. Its PC control computer is probably still on XP and unpatched. USB sticks are not the problem.
Windows should only be used if Linux is just not an option for some reason
Linux is not special. Windows is not special. Both need patching. Both need hardening. Once those are done (and done regularly) the applications installed on end devices and services then are the issue. End devices then have the special issue of having users destroy them (clicking on phishing emails, etc).
Re: (Score:1, Redundant)
Probably better to keep patient records off the internet anyway. All the computers in the hospital should be networked and all should have access to the database. So yes an intranet. The internet isn't required.
For the x-ray example it can just be stored in the patient record database and accessed by all of the computers on the network. No need for internet there.
If USB sticks are not really used at least in your part of the world and hence not a vector then no problem. One less thing to worry about.
Linux is not special. Windows is not special. Both need patching. Both need hardening. Once those are done (and done regularly) the applications installed on end devices and services then are the issue.
Most ra
Re: (Score:3)
They also need to work with doctor's offices and their records, and pharmacies. Also all the various health insurance including medicare and medicaid. Then there's the associated outpatient clinics.
Re: (Score:2)
>" will be a huge boost for Linux installations as well as for OS X"
MacOS
Re:internet addiction and dependence (Score:4, Insightful)
A person is talking to their own specialist a week later and the expert wants to see the files.
Bring the physical media? Send it by post?
With a "computer" and a secure "network" the specialist can view the full set of files digitally in seconds.
Re: (Score:2)
Re:internet addiction and dependence (Score:4, Informative)
It isn't just a matter of finding time to patch the computer's software, or replacing the OS under the application.
Medical equipment goes through a draconian approval process mandated by the government. (People's lives depend on it not malfunctioning, and the bureaucratic rules {In the U.S.} grew out of the Pure Food and Drug Act of 1906 [wikipedia.org] and are glacial.) This approval includes the particular version of the software on it. Patching the software requires another lengthy and expensive approval process. It can't be done lightly to incorporate the latest anti-malware hacks.
(Yes, the regulations are not a good fit for the threat situation with computer-driven medical equipment. But you need to talk to Congress about that, and you need to have your ducks on software quality in a much neater row than they currently march before doing so.)
So, for the foreseeable future, computerized medical equipment will, by law, be vulnerable to any given attack for a long time after each vulnerability is discovered. If it needs to be networked, about the best a hospital can do is a perimeter defence.
Re: (Score:2)
Medical equipment goes through a draconian approval process [that] grew out of the Pure Food and Drug Act of 1906 and are glacial
Actually, out of the 1976 amendment (re Medical Devices) to its 1938 rewrite, the Federal Food, Drug, and Cosmetic Act [wikipedia.org].
Re: (Score:2)
(People's lives depend on it not malfunctioning, and the bureaucratic rules {In the U.S.} grew out of the Pure Food and Drug Act of 1906 [wikipedia.org] and are glacial.
And yet this glacial, bulletproof testing system has resulted in computer systems that are malfunctioning in the very worst way.
Death from their delays are nothing new. (Score:5, Insightful)
And yet this glacial, bulletproof testing system has resulted in computer systems that are malfunctioning in the very worst way.
Deaths from this bureaucracy's delays are nothing new.
When the Pure Food and Drug act was first debated, the congresscritters thought that, if it delayed new drugs by more than six months, it would be doing more harm by delaying treatments than good by avoiding poisoning from bad drugs.
But an approved drug that does harm in some situations is very visible (i.e. flipper-babies from Thalidomide) and easy to pin on a particular set of regulating personnel, while the suffering and deaths from a drug delay or rejection are not so obviously some particular bureaucrats' fault. So the incentive is to make it harder (and thus also slower and more expensive) to get a drug approved.
Now the median time to approval is six to seven years and the median cost about 19 million dollars. (And then there are all the drugs that don't make it, not because they're useless or bad, but because the drug company threw in the towel.)
Just ONE drug delay, according to the Wall Street Journal, caused 100,000 deaths. (And if you read the article the headline looks conservative and the number closer to 400,000.) That was the use of the (already approved for other things) beta-blocker drugs to prevent secondary heart attacks in those who had already had one. They were already in use for that in Europe. But the FDA wouldn't accept the European research, so the experiments had to be re-run over here, and that delayed the use of the drugs for years.
That's why things like the recent "right to try" legislation is so important.
(IMHO there's nothing in the constitution giving the federal government the power to prohibit such substances. The FDA's drug approval should be reduced to an advisory certification. Informed adults should be able to put any compound they chose into their bodies, at their own risk, without penalty {other than having to find a new insurance company or go it alone if taking that drug would breach a contract.})
Re: (Score:3)
(IMHO there's nothing in the constitution giving the federal government the power to prohibit such substances. The FDA's drug approval should be reduced to an advisory certification. Informed adults should be able to put any compound they chose into their bodies, at their own risk, without penalty {other than having to find a new insurance company or go it alone if taking that drug would breach a contract.})
Furthermore, why can't doctors prescribe compounds that have passed foreign regulatory agencies that are FDA equivalents? Drugs that are approved in Switzerland, EU and Japan should be immediately available to us.
Re: (Score:2)
Furthermore, why can't doctors prescribe compounds that have passed foreign regulatory agencies that are FDA equivalents? Drugs that are approved in Switzerland, EU and Japan should be immediately available to us.
Because doctors are licensed by the government and if they do so, their license is taken.
Re: (Score:2)
That's what I'm suggesting we change. There is no medical reason for this restriction. It's pure protectionism.
Re: (Score:2)
That's why things like the recent "right to try" legislation is so important.
Except it is not. [statnews.com] Why do drug manufacturers actually like government regulation and testing? Because drug manufacturers make money on drugs that actually work. The only way to know if they actually work is to perform controlled trials on the drugs, not give them out to any yahoo who wants them.
Anyone who knows history can tell you that before government required proof of effectiveness, pharmacy counters were filled with all sorts of highly promoted quack remedies of unknown origin. Drug manufacturers
Re: (Score:2)
ORLY?
The article you reference says that "nearly half" (13 out of 29, i.e. 45%) wanted an external security blanket, in the form of an FDA review (6) or a "research ethics committee or institutional review board" (5).
Well, gosh. That means MORE than half HAVEN'T even ASKED for some institution to set up a procedure to give them an external second opinion.
All of which is beside the point. The previous situa
Re: (Score:2)
Why do drug manufacturers actually like government regulation and testing? Because drug manufacturers make money on drugs that actually work. The only way to know if they actually work is to perform controlled trials on the drugs, not give them out to any yahoo who wants them.
Your objection is an example of the excluded middle. The choices on effectiveness (and safety, etc.) are not limited to the government regulators vs. no testing.
Drug manufacturers have plenty of incentive to do (or commission from rec
Re: (Score:2)
And yet this glacial, bulletproof testing system has resulted in computer systems that are malfunctioning in the very worst way.
But the government has sovereign immunity so it is the hospital's and manufacturer's fault even though they are prohibited from doing anything.
Re: (Score:2)
That X-Ray machine hasn't been turned off since it was installed. Its PC control computer is probably still on XP and unpatched. USB sticks are not the problem.
It's worse than that (or maybe better, depending on one's view). GE Medical still supports C-arm X-ray machines controlled by a 486 running DOS 5.0...these machines don't need a multitasking OS since they literally only do one thing.
Re:internet addiction and dependence (Score:4, Interesting)
Well, the sensible answer is a redundant system running in the shadows that serves as a backup and then disconnects from the WAN and LAN.
Hardware and software prices are low enough to have 5 fucking isolated copies of crucial operations.
For small businesses, the answer is what all of us in the business have been preaching (and I practiced) and that's offsite backups.
At one law firm, the rotation was every day for a week. The tape that was changed out Monday morning was a tape (and later, EHD) that was overwritten Saturday night and then Sunday night.
We also stored the last tape of the month for 12 copies.
At another law firm, the owner insisted on a 30-day rotation with daily offsite retention. He was scared. So was I.
Re: (Score:2)
"Hardware and software prices are low enough to have 5 fucking isolated copies of crucial operations."
Actually, if everyone took security seriously those 5 copies should be part of the licensing so that they are no extra cost, or just a marginal extra cost. Businesses should be able to charge extra for such features, but then again... it's not like we take infosec seriously.
"For small businesses, the answer is what all of us in the business have been preaching (and I practiced) and that's offsite backups."
N
Re: (Score:2)
You "Both" everything, onsite (high value) & offsite (last resort), you lag everything based on desired RTO/RPO. You keep offline infrastructure ready to be fired up the moment the vector of ransomware infection can be determined & isolated.
No I don't.
I do know the difference between bullshit and wild honey. You don't.
Re: (Score:3)
Do hospital computers really even need to be connected to the internet?
Yes!
Computers used by doctors/nurses will scan items for billing purposes, hence connected via network to the billing system. Parts of the billing system have to be exposed to users over the internet so they can view and pay their bills online.
Doctors in their office will type up patient record notes, and also look up symptoms and diseases online, and also look up medical research online. The two don't have to be on the same physical device, but it's pretty handy for a patient-facing doctor to just have one
Re: (Score:2)
You don't need the internet access to everything for that.
A good proxy service would do that job so that only it has the access and everything else gets that necessary data from it.
Which segues to another issue... the fact that the medical industry can keep its prices for things so secret despite being in a well connected world. It ensures that patients are not allowed to have an effective say in their own care.
Re: (Score:2)
You don't need the internet access to everything for that. A good proxy service would do that job so that only it has the access and everything else gets that necessary data from it.
Totally agreed. Just to note, I was responding to someone who said "airgapped; not connected to the internet". If we have a proxy, then it's not airgapped -- it's relying on proxy software rather than an air gap to keep things separate.
Re: (Score:2)
Obviously some computers in hospitals need to be on the internet, but some equally obviously don't. In the olden days I would have put those computers on an IPX network and never even given them an IP. Today I'd put them on their own reserved IP network and firewall the shit out of it, and not offer any internet access to the imaging machines and the like, where full fledged windows is used as an embedded OS thanks to the apparent general incompetence of medical device manufacturers. They'll sell you a syst
Re: (Score:2)
Today I'd put them on their own reserved IP network and firewall the shit out of it, and not offer any internet access to the imaging machines and the like
That makes sense. Presumably the imaging machines would still be connected to the hospital network so that (1) you can scan the patient's barcode and have the images associated with that patient, (2) you can send the imaging results directly over to the specialist, the doctor and the patient's records.
This is all still about machines that aren't air-gapped from the internet; they have a physical connection that ultimately does connect to the internet, and they rely on software (proxies, firewalls) to as
Re: (Score:2)
How did this post get modded "insightful"?
"I have to sort of agree with the people who say that the ransomware epidemic is sort of a good thing. Eventually it has to force managers to take IT and computer security seriously."
This is not the first computer security issue we have faced. NO it will absolutely not "force" anyone to take computer security seriously.
Security is never taken seriously with computers because security was not even a concern when we started writing code for systems. Components are no
Re: internet addiction and dependence (Score:1)
Re: (Score:1)
Re: (Score:3)
So, to answer your question "Do hospital computers really even need to
Re: (Score:2)
Re: (Score:2)
"I don't know what bubble you live in, you can be serious as a heart attack about security and still get ransomware."
I don't know what world you live in but getting ransomware is a non-issue. Systems being breached are not a matter of if, it's a matter of when. Security is not just about prevention. It's about tracking intrusion, monitoring the progress and process of that intrusion, it's also about RPO/RTO from the fallout of an intrusion. How many places do you know that has a runbook for compromise li
Re: (Score:2)
If keeping paper, 50 bookkeepers, a wing dedicated to housing the bookkeepers and 1000 file cabinets and clerks all armed with pocket calculators and runners to deliver the photography x-rays to doctors then yeah
Re:internet addiction and dependence (Score:4, Interesting)
Given how often I've seen Linux servers on the net get rooted, I doubt that will help. What's needed is to completely flip computer security on its head (at least for servers and devices with embedded systems). Right now, the way computers work is that anything is allowed to run, unless disallowed. This needs to be inverted so nothing is allowed to run unless it's explicitly white-listed.
The method I've advocated for years is to change OSes so they can run off a read-only filesystem (things like logfiles and mutable data can go onto a second writeable filesystem). You set up the OS, configure it, and install the programs you need to run for the computer to do whatever it needs to do. Then you flip a physical switch to make that filesystem read-only. At that point there's not much a remote hacker could do except steal data. Even if a vulnerability is found which allows them to gain root, they can't leverage it to change what the computer does. All they can do is run programs which are whitelisted. They can't change those programs, add new programs, or change the whitelist because they're on a read-only filesystem.
In fact a hacker is unlikely to even get this far since most hacks involve leveraging a vulnerability to modify certain system files to gain root access. e.g. A memory overrun exploit allows you to change a root-privilege process to add a new program to the boot sequence which grants the hacker root. Well, in this case, they can't add a new executable, and can't modify the boot sequence. All they can do is try to use the exploit to manipulate already-running programs in memory.
Re: (Score:2)
The method I've advocated for years is to change OSes so they can run off a read-only filesystem (things like logfiles and mutable data can go onto a second writeable filesystem). You set up the OS, configure it, and install the programs you need to run for the computer to do whatever it needs to do. Then you flip a physical switch to make that filesystem read-only.
Could you not mount a drive as read-only? (and still have the second drive for the mutable data)
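An added example (not part of the thread and not any poster's code): a Python audit of a mount table in `/proc/mounts` format against the scheme the two comments above discuss, a read-only OS filesystem plus a separate writable one for logs and data. The sample table, the `OS_MOUNTPOINTS` choice and the finding labels are constructed assumptions; the `noexec`/`nosuid` checks on writable mounts go beyond the comments, since a read-only root only acts as an allowlist if nothing writable is also executable.

```python
import re
from typing import NamedTuple

# Kernel-interface filesystems where arbitrary files cannot be dropped; skipped.
PSEUDO_FS = {"proc", "sysfs", "cgroup", "cgroup2", "securityfs", "debugfs",
             "tracefs", "pstore", "configfs", "devpts"}

# Assumption: mount points that hold the OS and its installed programs.
OS_MOUNTPOINTS = ("/", "/usr", "/boot")

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS = r"""/dev/sda1 / ext4 ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
/dev/sdb1 /mnt/usb\040stick vfat rw,relatime 0 0
"""


class Mount(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def _unescape(field):
    """The kernel writes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Parse /proc/mounts-style text into Mount records, skipping short lines."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, opts = parts[:4]
        mounts.append(Mount(_unescape(device), _unescape(mountpoint),
                            fstype, frozenset(opts.split(","))))
    return mounts


def audit(mounts):
    """Return (mountpoint, finding) pairs for deviations from the scheme.

    This checks the current state only. A software read-only mount can be
    remounted read-write by root, which is why the comment above asks for a
    physical write-protect switch.
    """
    # A later mount on the same mount point shadows the earlier one.
    effective = {}
    for m in mounts:
        effective[m.mountpoint] = m

    findings = []
    for m in effective.values():
        if m.fstype in PSEUDO_FS:
            continue
        writable = "rw" in m.options
        if m.mountpoint in OS_MOUNTPOINTS:
            if writable:
                findings.append((m.mountpoint, "os-filesystem-writable"))
            continue
        if not writable:
            continue
        # Writable data areas: files placed here must not be runnable,
        # otherwise the read-only OS image is no longer the only code source.
        if "noexec" not in m.options:
            findings.append((m.mountpoint, "writable-without-noexec"))
        if "nosuid" not in m.options:
            findings.append((m.mountpoint, "writable-without-nosuid"))
    return findings


if __name__ == "__main__":
    for mountpoint, finding in audit(parse_mounts(SAMPLE_MOUNTS)):
        print(f"{finding:26} {mountpoint}")
```

To check a live Linux host instead of the sample, pass the contents of `/proc/mounts` to `parse_mounts`.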
Re: (Score:1)
A fast network for medical care all over the city allows for that file to be looked at from any approved computer.
Re: internet addiction and dependence (Score:1)
Re: (Score:2)
From actually trying it when I lacked internet access for more than 6 months. That's how I know. Pretty much every install image seems to assume always connected internet. I didn't say it couldn't be done. I guess it can be done if you are sufficiently good with Linux. I am not a skilled enough Linuxian to do it easily and I found the whole thing prohibitively difficult.
Re: (Score:2)
"It is unfortunate that the Linux world mostly ignores the idea that a computer might lack internet connectivity. It's a real blind spot in the software world in general where always connected computers are assumed. It will make Linux installation on an air gapped computer impractical. You'd probably have to connect to the internet at least during the initial install."
By your use of the weasel word "probably" I can conclude that you've never actually tried this. You've probably never even installed Linux at
Re: (Score:2)
By your use of the weasel word "probably" I can conclude that you've never actually tried this. You've probably never even installed Linux at all.
I've tried it many times. How about you provide me free tech support next time I try? I have run Linux for many years. I have Xubuntu installed right now, but my next install will probably be Arch Linux.
Re: (Score:2)
I've installed Linux literally dozens of times from media, with no internet access. I tend to be on a garbage connection because I tend to live in the sticks. So when I have multiple machines I generally install them all from one disc to save my transfer allotment. Sometimes I do one from the internet and then set up my package cache as a repo so I can install the second one from the first one, that works too.
If you need help, feel free to ask. Hell, you can even email me.
Re: (Score:2)
"It is unfortunate that the Linux world mostly ignores the idea that a computer might lack internet connectivity. It's a real blind spot in the software world in general where always connected computers are assumed. It will make Linux installation on an air gapped computer impractical. You'd probably have to connect to the internet at least during the initial install."
What are you talking about? At work we installed 100's of machines each day, none of these installs happen over the internet at any point. in
Re: (Score:2)
Sounds like they had all the necessary continuity plans in place and switched to them immediately rather than running around like a bunch of chickens waiting for the head dickwad on vacation in Bulgaria to "approve" activating the continuity plans.
Sounds like someone did some excellent risk analysis and continuity planning, and when the contingency arose that required them to be implemented, that was done without hesitation. Congratulations there!
Good planning does not care whether the root cause of the pr
Alphabetical by location? (Score:4, Funny)
Hopefully we can stop this before it reaches the Bahamas, Bahrain, Bangkok, Bangladesh, Barbados, Beijing, Belarus, Belgium, Belize, Benin, Berlin, Bermuda and Bolivia.
Yes their IT should be more secure. BUT... (Score:3, Interesting)
Yes their IT should be more secure.
But if law enforcement can't even go after criminals who are literally engaging in life-threatening terrorist attacks like this, what the heck use ARE they?
What's the point of all those anti-cracking laws if they aren't enforced against people who would disrupt hospital infrastructure for extortion? How can draconian penalties deter criminals if they are not enforced?
How many people have to die from this sort of criminal activity before we see any visible action to find, convict, and punish the perpetrators?
Re: (Score:2)
CaptainDork's 17th Corollary: "For every motherfucker out there with a computer, there's another motherfucker out there with a computer."
It's insane that my desktop at home is just as capable as the goddam hospital's.
Re: (Score:2)
"But if law enforcement can't even go after criminals who are literally engaging in life-threatening terrorist attacks like this, what the heck use ARE they?"
And catching the perpetrators after the fact (which is what law enforcement's SOLE job is) would be helpful how exactly? It certainly provides the capability for revenge, which is what law enforcement is designed for.
"What's the point of all those anti-cracking laws if they aren't enforced against people who would disrupt hospital infrastructure to for
Re: (Score:2)
The corpse would beg to differ and won't bother us further.
Bullshit.
Re: (Score:1)
Law enforcement gave the ip to the FBI and is still waiting?
Interpol is asking another nation to help?
The FBI has found CCTV "somewhere" and is looking back over days and months of surrounding CCTV. Cell tower use.
Someone has a face on CCTV and had their smartphone on?
The FBI is talking to another nation about a VPN company used?
Waiting for the same person to use their VPN again? Just one more time.
The VPN logging is now ready in some
Makes me think of the old saying–– (Score:3)
you should try ignorance.
How long before everyone wises up and starts securing their systems. IOW paying someone, who knows what they're doing, what they're worth, to do the job right.
Re: (Score:2)
It will never happen. The actuarial tables tell them that it is cheaper to kill a few people and pay the occasional one-time cost-of-doing-business-fee with that defective design than it is to either (a) fix it; or, (b) pay someone smarter so they can do it right the first time.
While you may not like this (unless you are a psychopath holding an executive C-level job who usually find nothing amiss with that attitude) it is how the world has worked since the big bang (which is a VERY VERY long time), so you m
Re: Makes me think of the old saying–– (Score:2)
God I love technology (Score:2)
Re: (Score:2)
Yeah something like a hospital should have a backup plan for when their computers go down for some reason or if their patient database gets erased. And of course they should back up their databases at least weekly to an air gapped or off site storage location. Presumably their IT departments will be hiring soon. Maybe HR will be clever enough to ask the new IT people exactly what they would have done to prevent this. I would say air gaps and Linux.
I am old enough to remember when hospitals got along just fi
Re: God I love technology (Score:1)
That Criminal... (Score:4, Interesting)
That Criminal is the person in the office of whomever answers to all of IT in each location.
Director, or VP.
They're the ones who should hang, for gross incompetence.
If there were policies and procedures in place, then obviously they failed, they need looked at, and the Director or VP should still be jobless for failure to ensure a tightly-ran ship.
Re: (Score:1)
Re: That Criminal... (Score:1)
Re: (Score:1)
Hire a guy like me to look. That's what I do. I'm surprised at how many places don't do the simplest things - such as automatic updates. I'm still finding passwords under keyboards, one on the screen.... one safe with the combination written on the front of it. What was it? 12345
Know what they changed it to? Something else just as obvious.
There was some firing there.
Easy way to stop this (Score:1)
If someone dies from ransomware, they're guilty of murder. Put out a bounty with proof.
Someone will figure out who they are...
I want to dream (Score:3)
If there is any justice in the world, these assholes will one day end up in the hospital, and they'll go under the knife or the X-ray machine or whatever, and at just the right moment, some ransomware F's them up real good. And I want to be there to tell them exactly why they're F'd up, and why they so richly deserve it while I laugh at them heartily. Of course, there's no justice in the world, but I can dream.
Down Under (Score:2)
The Australian one has affected a number of hospitals and services in a semi-rural area. Health Care in Australia is primarily State Government run with a mix of Federal and State Funding. Many services are provided by smaller government entities, private businesses who might provide services or manage hospitals and some NGO's. The model is heavily based on a local delegation model in rural areas.
At the State Government level IT Security is taken very seriously [I have worked on Health projects here] but th
Re: (Score:1)
Re: (Score:2)
"At the State Government level IT Security is taken very seriously"
If you're not using security tags per data item, you're not taking IT security seriously. That means using things like solaris security labels or CIPSO.
If your office worker workstations can talk to each other, you're not taking IT security seriously. Firewalls in buildings don't protect the front door, they protect part of the building from fires in other parts of the same building.
If you aren't scanning your network using IPv6, you're not
Re: (Score:2)
Security tags predate Unix (they were in Multics). They are a pain but once in place let the OS gatekeep data between security zones. The biggest problem is programmers need to understand them and I haven't met one in decades that even knew OS based labeling was even an option.
PCs talking to each other has been a major source of infections and spread of malware for decades and it isn't needed. It is trivial to setup managed switches to give every workstation its own vlan. Even cheap 5 and 8 port managed sw
Too Late ... (Score:3)
"An official said it would take weeks to secure and restore damaged networks"
They should have secured the networks last month, then they would not be having this problem. Waiting until you need to drive to the hospital because you got shot before fixing the flat tire on the car is not a very wise move.