Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Bitcoin Medicine

Ransomware Forces 3 Hospitals To Turn Away All But the Most Critical Patients (arstechnica.com) 89

Ten hospitals -- three in Alabama and seven in Australia -- have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients, it was widely reported on Tuesday. Ars Technica reports: All three hospitals that make up the DCH Health System in Alabama were closed to new patients on Tuesday as officials there coped with an attack that paralyzed the health network's computer system. The hospitals -- DCH Regional Medical Center in Tuscaloosa, Northport Medical Center, and Fayette Medical Center -- are turning away "all but the most critical new patients" at the time this post was going live. Local ambulances were being instructed to take patients to other hospitals when possible. Patients coming to DCH emergency rooms faced the possibility of being transferred to another hospital once they were stabilized.

"A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment," DCH representatives wrote in a release. "Our hospitals have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available." At least seven hospitals in Australia, meanwhile, were also feeling the effects of a ransomware attack that struck on Monday. The hospitals in Gippsland and southwest Victoria said they were rescheduling some patient services as they responded to a "cyber health incident."
According to news reports, hospital computer systems remained locked down at seven hospitals on Tuesday more than 24 hours after the attack struck. "An official said it would take weeks to secure and restore damaged networks," reports Ars Technica. "The official said there was no indication that patient records had been accessed."
This discussion has been archived. No new comments can be posted.

Ransomware Forces 3 Hospitals To Turn Away All But the Most Critical Patients

Comments Filter:
  • by RightSaidFred99 ( 874576 ) on Tuesday October 01, 2019 @04:31PM (#59258772)
    You infosec guys should be cleaning up and making bank helping deal with all this nonsense.
  • by nsuccorso ( 41169 ) on Tuesday October 01, 2019 @04:31PM (#59258774)
    The billing system must be down...
  • by 0111 1110 ( 518466 ) on Tuesday October 01, 2019 @04:39PM (#59258804)

    Do hospital computers really even need to be connected to the internet? Air gap them and have IT staff install USB stick isolation software to prevent rogue software from being installed that way.

    I have to sort of agree with the people who say that the ransomware epidemic is sort of a good thing. Eventually it has to force managers to take IT and computer security seriously.

    In a work place environment vulnerable to ransomware probably only special Linux browser devices should have any internet connectivity whatsoever and even on air gapped computers Windows should only be used if Linux is just not an option for some reason. Linux should be the default. Not Windows.

    It is unfortunate that the Linux world mostly ignores the idea that a computer might lack internet connectivity. It's a real blind spot in the software world in general where always connected computers are assumed. It will make Linux installation on an air gapped computer impractical. You'd probably have to connect to the internet at least during the initial install.

    • by grimthaw ( 2884377 ) on Tuesday October 01, 2019 @05:02PM (#59258882)

      Do hospital computers really even need to be connected to the internet?

      Hospital workers need access to patient files, need to upload results, access medical texts, etc. If this is all available on an intranet, extranet or the internet is debatable with 'the cloud' and 3rd party outsourcing.

      Air gap them and have IT staff install USB stick isolation

      Again. An X-Ray is taken, and the results are then sent from the machine to a technican work station for processing, then to a specialist to be reviewed and a report written, then send to the referring doctor. This doesn't even count the actual IT Services involved.

      USB stick isolation

      This isnt the issue. Most of the time it is lack of downtime and paching. That X-Ray machine hasnt been turned off since it was installed. Its PC control computer is probably still on XP and unpatched. USB sticks are not the problem.

      Windows should only be used if Linux is just not an option for some reason

      Linux is not special. Windows is not special. Both need patching. Both need hardening. once those are done (and done regularly) the applications installed on end devices and services then are the issue. End devices then have the special issue of having users destroy them (clicking on phishing emails, etc)

      • Re: (Score:1, Redundant)

        by 0111 1110 ( 518466 )

        Probably better to keep patient records off the internet anyway. All the computers in the hospital should be networked and all should have access to the database. So yes an intranet. The internet isn't required.

        For the x-ray example it can just be stored in the patient record database and accessed by all of the computers on the network. No need for internet there.

        If USB sticks are not really used at least in your part of the world and hence not a vector then no problem. One less thing to worry about.

        Linux is not special. Windows is not special. Both need patching. Both need hardening. once those are done (and done regularly) the applications installed on end devices and services then are the issue.

        Most ra

        • by sjames ( 1099 )

          They also need to work with doctor's offices and their records, and pharmacies. Also all the various health insurance including medicare and medicaid. Then there's the associated outpatient clinics.

        • >" will be a huge boost for Linux installations as well as for OS X"

          MacOS

        • by AHuxley ( 892839 ) on Tuesday October 01, 2019 @10:12PM (#59259700) Journal
          Re "Probably better to keep patient records off the internet anyway."
          A person is talking to their own specialist a week later and the expert wants to see the files.
          Bring the physical media? Send it by post?
          With a "computer" and a secure "network" the specialist can view the full set of files digitally in seconds.
        • > Probably better to keep patient records off the internet anyway. All the computers in the hospital should be networked and all should have access to the database. So yes an intranet. The internet isn't required. Hospital Helpdesk, First insurance is verified over the internet through the EMR, although it usually is done through an interface and not a website, Medical records from one location to another have to be done through the internet, as not everyone goes to a hospital in the same network as the
      • by Ungrounded Lightning ( 62228 ) on Tuesday October 01, 2019 @08:58PM (#59259520) Journal

        USB stick isolation

        This isnt the issue. Most of the time it is lack of downtime and paching. That X-Ray machine hasnt been turned off since it was installed. Its PC control computer is probably still on XP and unpatched. USB sticks are not the problem.

        Windows should only be used if Linux is just not an option for some reason

        It isn't just a matter of finding time to patch the computer's software, or replacing the OS under the application.

        Medical equipment goes through a draconian approval process mandated by the government. (People's lives depend on it not malfunctioning, and the bureaucratic rules {In the U.S.} grew out of the Pure Food and Drug Act of 1906 [wikipedia.org] and are glacial. This approval includes the particular version of the software on it. Patching the software requires another lengthy and expensive approval process. It can't be done lightly to incorporate the latest anti-malware hacks.

        (Yes, the regulations are not a good fit for the threat situation with computer-driven medical equipment. But you need to talk to Congress about that, and you need to have your ducks on software quality in a much neater row than they currently march before doing so.)

        So, for the foreseeable future, computerized medical equipment will, by law, be vulnerable to any given attack for a long time after each vulnerability is discovered. If it needs to be networked, about the best a hospital can do is a perimeter defence.

        • Medical equipment goes through a draconian approval process [that] grew out of the Pure Food and Drug Act of 1906 and are glacial

          Actually, out of the 1976 amendment (re Medical Devices) to its 1938 rewirte, the Federal Food, Drug, and Cosmetic Act [wikipedia.org].

        • (People's lives depend on it not malfunctioning, and the bureaucratic rules {In the U.S.} grew out of the Pure Food and Drug Act of 1906 [wikipedia.org] and are glacial.

          And yet this glacial, bulletproof testing system has resulted in computer systems that are malfunctioning in the very worst way.

          • by Ungrounded Lightning ( 62228 ) on Tuesday October 01, 2019 @10:02PM (#59259682) Journal

            And yet this glacial, bulletproof testing system has resulted in computer systems that are malfunctioning in the very worst way.

            Deaths from this bureaucracy's delays are nothing new.

            When the Pure Food and Drug act was first debated, the congresscritters thought that, if it delayed new drugs by more than six months, it would be doing more harm by delaying treatments than good by avoiding poisoning from bad drugs.

            But an approved drug that does harm in some situations is very visible (i.e. flipper-babies from Thalidomide) and easy to pin on a particular set of regulating personnel, while the suffering and deaths from a drug delay or rejection are not so obviously some particular bureaucrats' fault. So the incentive is to make it harder (and thus also slower and more expensive) to get a drug approved.

            Now the median time to approval is six to seven years and the median cost about 19 million dollars. (And then there are all the drugs that don't make it, not because they're useless or bad, but because the drug company threw in the towel.)

            Just ONE drug delay, according to the Wall Street Journal, caused 100,000 deaths. (And if you read the article the headline looks conservative and the number closer to 400,000.) That was the use of the (already approved for other things) beta-blocker drugs to prevent secondary heart attacks in those who had already had one. They were already in use for that in Europe. But the FDA wouldn't accept the European research, so the experiments had to be re-run over here, and that delayed the use of the drugs for years.

            That's why things like the recent "right to try" legislation is so important.

            (IMHO there's nothing in the constitution giving the federal government the power to prohibit such substances. The FDA's drug approval should be reduced to an advisory certification. Informed adults should be able to put any compound they chose into their bodies, at their own risk, without penalty {other than having to find a new insurance company or go it alone if taking that drug would breach a contract.})

            • (IMHO there's nothing in the constitution giving the federal government the power to prohibit such substances. The FDA's drug approval should be reduced to an advisory certification. Informed adults should be able to put any compound they chose into their bodies, at their own risk, without penalty {other than having to find a new insurance company or go it alone if taking that drug would breach a contract.})

              Furthermore, why can't doctors prescribe compounds that have passed foreign regulatory agencies that are FDA equivalents? Drugs that are approved in Switzerland, EU and Japan should be immediately available to us.

              • by Agripa ( 139780 )

                Furthermore, why can't doctors prescribe compounds that have passed foreign regulatory agencies that are FDA equivalents? Drugs that are approved in Switzerland, EU and Japan should be immediately available to us.

                Because doctors are licensed by the government and if they do so, their license is taken.

            • by Kludge ( 13653 )

              That's why things like the recent "right to try" legislation is so important.

              Except it is not. [statnews.com] Why do drug manufacturers actually like government regulation and testing? Because drug manufacturers make money on drugs that actually work. The only way to know if they actually work is to perform controlled trials on the drugs, not give them out to any yahoo who wants them.
              Anyone who knows history can tell you that before government required proof of effectiveness, pharmacy counters were filled with all sorts of highly promoted quack remedies of unknown origin. Drug manufacturers

              • That's why things like the recent "right to try" legislation is so important.

                Except it is not. [link]

                ORLY?

                The article you reference says that "nearly half" (13 out of 29, i.e. 45%) wanted an external security blanket, in the form of an FDA review (6) or a "research ethics committee or institutional review board" (5).

                Well, gosh. That means MORE than half HAVEN'T even ASKED for some institution to set up a procedure to give them an external second opinion.

                All of which is beside the point. The previous situa

              • Why do drug manufacturers actually like government regulation and testing? Because drug manufacturers make money on drugs that actually work. The only way to know if they actually work is to perform controlled trials on the drugs, not give them out to any yahoo who wants them.

                Your objection is an example of the excluded middle. The choices on effectiveness (and safety, etc.) are not limited to the government regulators vs. no testing.

                Drug manufacturers have plenty of incentive to do (or commission from rec

          • by Agripa ( 139780 )

            And yet this glacial, bulletproof testing system has resulted in computer systems that are malfunctioning in the very worst way.

            But the government has sovereign immunity so it is the hospital's and manufacturer's fault even though they are prohibited from doing anything.

      • That X-Ray machine hasnt been turned off since it was installed. Its PC control computer is probably still on XP and unpatched. USB sticks are not the problem.

        It's worse than that (or maybe better, depending on one's view). GE Medical still supports C-arm X-ray machines controlled by a 486 running DOS 5.0...these machines don't need a multitasking OS since they literally only do one thing.

    • by CaptainDork ( 3678879 ) on Tuesday October 01, 2019 @05:13PM (#59258934)

      Well, the sensible answer is a redundant system running in the shadows that serves as a backup and then disconnects from the WAN and LAN.

      Hardware ans software prices are low enough to have 5 fucking isolated copies of crucial operations.

      For small businesses, the answer is what all of us in the business have been preaching (and I practiced) and that's offsite backups.

      At one law firm, the rotation was every day for a week. The tape that was changed out Monday morning was a tape (and later, EHD) that was overwritten Saturday night and then Sunday night.

      We also stored the last tape of the month for 12 copies.

      At another law firm, the owner insisted on a 30-day rotation with daily offsite retention. He was scared. So was I.

      • "Hardware ans software prices are low enough to have 5 fucking isolated copies of crucial operations."

        Actually, if everyone took security seriously those 5 copies should be part of the licensing so that they are no extra cost, or just a marginal extra cost. Businesses should be able to charge extra for such features, but then again... its not like we take infosec seriously.

        "For small businesses, the answer is what all of us in the business have been preaching (and I practiced) and that's offsite backups."

        N

        • You "Both" everything, onsite (high value) & offsite (last resort), you lag everything based on desired RTO/RPO. You keep offline infrastructure ready to be fired up the moment the vector of ransomware infection can be determined & isolated.

          No I don't.

          I do know the difference between bullshit and wild honey. You don't.

    • by ljw1004 ( 764174 )

      Do hospital computers really even need to be connected to the internet?

      Yes!

      Computers used by doctors/nurses will scan items for billing purposes, hence connected via network to the billing system. Parts of the billing system have to be exposed to users over the internet so they can view and pay their bills online.

      Doctors in their office will type up patient record notes, and also look up symptoms and diseases online, and also look up medical research online. The two don't have to be on the same physical device, but it's pretty handy for a patient-facing doctor to just have one

      • You don't need the internet access to everything for that.

        A good proxy service would do that job so that only it has the access and everything else gets that necessary data from it.

        Which segues to another issue... the fact that the medical industry can keep its prices for things so secret despite being in a well connected world. It ensures that patients are not allowed to have an effective say in their own care.

        • by ljw1004 ( 764174 )

          You don't need the internet access to everything for that. A good proxy service would do that job so that only it has the access and everything else gets that necessary data from it.

          Totally agreed. Just to note, I was responding to someone who said "airgapped; not connected to the internet". If we have a proxy, then it's not airgapped -- it's relying on proxy software rather than an air gap to keep things separate.

      • Obviously some computers in hospitals need to be on the internet, but some equally obviously don't. In the olden days I would have put those computers on an IPX network and never even given them an IP. Today I'd put them on their own reserved IP network and firewall the shit out of it, and not offer any internet access to the imaging machines and the like, where full fledged windows is used as an embedded OS thanks to the apparent general incompetence of medical device manufacturers. They'll sell you a syst

        • by ljw1004 ( 764174 )

          Today I'd put them on their own reserved IP network and firewall the shit out of it, and not offer any internet access to the imaging machines and the like

          That makes sense. Presumably the imaging machines would still be connected to the hospital network so that (1) you can scan the patient's barcode and have the images associated with that patient, (2) you can send the imaging results directly over to the specialist, the doctor and the patient's records.

          This is all still about machines that aren't air-gapped from the internet; they have a physical connection that ultimately does connect to the internet, and they rely on software (proxies, firewalls) to to as

    • How did this post get modded "insightful"?

      "I have to sort of agree with the people who say that the ransomware epidemic is sort of a good thing. Eventually it has to force managers to take IT and computer security seriously."

      This is not the first computer security issue we have face. NO it will absolutely not "force" anyone to take computer security seriously.

      Security is never taken seriously with computers because security was not even a concern when we started writing code for systems. Components are no

      • It is by no means pointless to rename an account that has been disabled since someday someone might re-enable it. Of course deleting it would have been the right approach if you really meant for it to be "permanently disabled." You should probably do what you are told since you aren't as think as you smart you are.
      • The problem with Randall is that mathematically he's correct, but a dictionary attack turns it from 25 letters into a mere four words. If you cannot or will not use a password manager with randomly generated trainwrecks, you should use fictional words not found in the dictionary.
    • Just like all sectors, healthcare is migrating towards EMR (Electronic Medical Records) which is primarily cloud based. When you visit a doctor or a clinic, when they update your EMR, medications are automatically sent to the pharmacy. Also just like most industries, large health care companies are eating up smaller clinics. Centralization of customer billing, customer portals, patient histories work really well being cloud based...
      So, to answer your question "Do hospital computers really even need to
    • I don't know what bubble you live in, you can be serious as a heart attack about security and still get ransomware. Today's ransomware is mostly distributed by spearfishing. Someone gets compromised, their contact list gets hijacked, an "official" attachment is sent to a contact. The attachment can be a office doc or pdf that doesn't contain any malware, but when opened, downloads the malware. Since the payload doesn't exist in the email, endpoint security, corporate virus scanners, or email security sc
      • "I don't know what bubble you live in, you can be serious as a heart attack about security and still get ransomware."

        I don't know what world you live in but getting ransomware is a non-issue. Systems being breached are not a matter of if, it's a matter of when. Security is not just about prevention. It's about tracking intrusion, monitoring the progress and process of that intrusion, its also about RPO/RTO from the fallout of an intrusion. How many places do you know that has a runbook for compromise li

    • If keeping paper, 50 bookeepers, a wing dedicated to housing the book keepers and 1000 file cabinets and clerks all armed with pocket calculators and runners to deliver the photography x-rays to doctors then yeah

    • by Solandri ( 704621 ) on Tuesday October 01, 2019 @08:48PM (#59259494)
      They're pretty much required to be connected to the Internet somehow to comply with HIPAA guidelines on electronic prescriptions, and making patient records available to other doctors and hospitals should be patient decide to go elsewhere.

      In a work place environment vulnerable to ransomware probably only special Linux browser devices should have any internet connectivity

      Given how often I've seen Linux servers on the net get rooted, I doubt that will help. What's needed is to completely flip computer security on its head (at least for servers and devices with embedded systems). Right now, the way computers work is that anything is allowed to run, unless disallowed. This needs to be inverted so nothing is allowed to run unless it's explicitly white-listed.

      The method I've advocated for years is to change OSes so they can run off a read-only filesystem (things like logfiles and mutable data can go onto a second writeable filesystem). You set up the OS, configure it, and install the programs you need to run for the computer to do whatever it needs to do. Then you flip a physical switch to make that filesystem read-only. At that point there's not much a remote hacker could do except steal data. Even if a vulnerability is found which allows them to gain root, they can't leverage it to change what the computer does. All they can do is run programs which are whitelisted. They can't change those programs, add new programs, or change the whitelist because they're on a read-only filesystem.

      In fact a hacker is unlikely to even get this far since most hacks involve leveraging a vulnerability to modify certain system files to gain root access. e.g. A memory overrun exploit allows you to change a root-privilege process to add a new program to the boot sequence which grants the hacker root. Well, in this case, they can't add a new executable, and can't modify the boot sequence. All they can do is try to use the exploit to manipulate already-running programs in memory.

      • The method I've advocated for years is to change OSes so they can run off a read-only filesystem (things like logfiles and mutable data can go onto a second writeable filesystem). You set up the OS, configure it, and install the programs you need to run for the computer to do whatever it needs to do. Then you flip a physical switch to make that filesystem read-only.

        Could you not mount a drive as read-only? (and still have the second drive for the mutable data)

    • by AHuxley ( 892839 )
      The other "doctor"/"expert" for later review might not "work" at the same hospital but like a look at the scans on a network.
      A fast network for medical care all over the city allows for that file to be looked at from any approved computer..
    • Your comments on Linux needing internet connectivity are ridiculous. Almost nobody does a net install and every package manager can use local media as its source for repos. I have no idea where you got the ridiculous idea that you can't install packages and apply updates on an air gapped Linux system.
      • From actually trying it when I lacked internet access for more than 6 months. That's how I know. Pretty much every install image seems to assume always connected internet. I didn't say it couldn't be done. I guess it can be done if you are sufficiently good with Linux. I am not a skilled enough Linuxian to do it easily and I found the whole thing prohibitively difficult.

    • "It is unfortunate that the Linux world mostly ignores the idea that a computer might lack internet connectivity. It's a real blind spot in the software world in general where always connected computers are assumed. It will make Linux installation on an air gapped computer impractical. You'd probably have to connect to the internet at least during the initial install."

      By your use of the weasel word "probably" i can conclude that you've never actually tried this. You've probably never even installed Linux at

      • By your use of the weasel word "probably" i can conclude that you've never actually tried this. You've probably never even installed Linux at all.

        I've tried it many times. How about you provide me free tech support next time I try? I have run Linux for many years. I have Xubuntu installed right now, but my next install will probably be Arch Linux.

        • I've installed Linux literally dozens of times from media, with no internet access. I tend to be on a garbage connection because i tend to live in the sticks. So when i have multiple machines i generally install them all from one disc to save my transfer allotment. Sometimes i do one from the internet and then set up my package cache as a repo so i can install the second one from the first one, that works too.

          If you need help, feel free to ask. Hell, you can even email me.

    • by sad_ ( 7868 )

      "It is unfortunate that the Linux world mostly ignores the idea that a computer might lack internet connectivity. It's a real blind spot in the software world in general where always connected computers are assumed. It will make Linux installation on an air gapped computer impractical. You'd probably have to connect to the internet at least during the initial install."

      what are you talking about? at work we installed 100's of machines each day, none of these install happen over the internet at any point. in

  • by Shag ( 3737 ) on Tuesday October 01, 2019 @04:47PM (#59258838) Journal

    Hopefully we can stop this before it reaches the Bahamas, Bahrain, Bangkok, Bangladesh, Barbados, Beijing, Belarus, Belgium, Belize, Benin, Berlin, Bermuda and Bolivia.

  • by Ungrounded Lightning ( 62228 ) on Tuesday October 01, 2019 @04:54PM (#59258856) Journal

    Yes their IT should be more secure.

    But if law enforcement can't even go after criminals who are literally engaging in life-threatening terrorist attacks like this, what the heck use ARE they?

    What's the point of all those anti-cracking laws if they aren't enforced against people who would disrupt hospital infrastructure to for extortion? How can draconian penalties deter criminals if they are not enforced?

    How many people have to die from this sort of criminal activity before we see any visible action to find, convict, and punish the perpetrators?

    • CaptainDork's 17th Corollary: "For every motherfucker out there with a computer, there's another motherfucker out there with a computer."

      It's insane that my desktop at home is just as capable as the goddam hospital's.

    • "But if law enforcement can't even go after criminals who are literally engaging in life-threatening terrorist attacks like this, what the heck use ARE they?"

      And catching the perpetrators after the fact (which is what law enforcements SOLE job is) would be helpful how exactly? It certainly provides the capability for revenge, which is what law enforcement is designed for.

      "What's the point of all those anti-cracking laws if they aren't enforced against people who would disrupt hospital infrastructure to for

      • Pay someone to find them. Pay someone else to remove them.

        they will have absolutely no effect whatsoever.

        The corpse would beg to differ and won't bother us further.

        (to use your characterization of such activites as "crime" which is an assumption of facts not in evidence)

        Bullshit.

    • by AHuxley ( 892839 )
      Law enforcement saw the ip range and could not do much more?
      Law enforcement gave the ip to the FBI and is still waiting?
      Interpol is asking another nation to help?

      The FBI has found CCTV "somewhere" and is looking back over days and months of surrounding CCTV. Cell tower use.
      Someone has a face on CCTV and had their smartphone was on?
      The FBI is talking to another nation about a VPN company used?
      Waiting for the same person to use their VPN again? Just one more time.
      The VPN logging is now ready in some
  • by darthsilun ( 3993753 ) on Tuesday October 01, 2019 @05:04PM (#59258888)
    If you think education is expensive,
    you should try ignorance.

    How long before everyone wises up and starts securing their systems. IOW paying someone, who knows what they're doing, what they're worth, to do the job right.
    • It will never happen. The actuarial tables tell them that it is cheaper to kill a few people and pay the occasional one-time cost-of-doing-business-fee with that defective design than it is to either (a) fix it; or, (b) pay someone smarter so they can do it right the first time.

      While you may not like this (unless you are a psychopath holding an executive C-level job who usually find nothing amis with that attitude) it is how the world has worked since the big bang (which is a VERY VERY long time), so you m

    • That's never going to happen because in 2019 anyone can code and everyone is an expert. I have been studying computer systems for more than 20 years and I'm constantly amazed at how much more the average Facebook user knows about them than I do.
  • Aren't computers great? And think of all the trees we're saving by not having to print out reams of paper
    • Yeah something like a hospital should have a backup plan for when their computers go down for some reason or if their patient database gets erased. And of course they should back up their databases at least weekly to an air gapped or off site storage location. Presumably their IT departments will be hiring soon. Maybe HR will be clever enough to ask the new IT people exactly what they would have done to prevent this. I would say air gaps and Linux.

      I am old enough to remember when hospitals got along just fi

    • Yeah ... They really should use Paper Assisted Tomogrophy. Back in the days of paper nobody ever suffered as a result of lost paperwork or because someone missed an important keyword when manually/visually searching through reams of historical data and as a result prescribed a medication that was contraindicated. Backing up all that data was simple and sharing it with doctors in different states and countries was a snap. Good ole' paper.
  • That Criminal... (Score:4, Interesting)

    by TigerPlish ( 174064 ) on Tuesday October 01, 2019 @05:09PM (#59258914)

    That Criminal is the person in the office of whomever answers to all of IT in each location.

    Director, or VP.

    They're the ones who should hang, for gross incompetence.

    If there were policies and procedures in place, then obviously they failed, they need looked at, and the Director or VP should still be jobless for failure to ensure a tightly-ran ship.

    • Ding Ding Correct Everyone in the chain of accountability looses ALL their bonuses, if not their job for false and misleading signoffs the year before. Jailtime for criminal misfeasance? I was there for Y2K. Never mind the date issues, CIO and CFO had to sign on the dotted line attesting that there backups and a workable recovery DRM plan stating how long it would take to recovery. This is usually needed as well for publically listed companies. Nineteen year later we have dishonest millennial's signing f
    • Not that I disagree completely, but you have to realize that they will just claim to have been following best practices, and they got no budget to do more. Any CxO paying in any way for this is just not in the cards. C stands for chief or crook, you choose.
      • by ebvwfbw ( 864834 )

        Hire a guy like me to look. That's what I do. I'm surprised at how many places don't do the simplest things - such as automatic updates. I'm still finding passwords under keyboards, one on the screen.... one safe with the combination written on the front of it. What was it? 12345
        Know what they changed it to? Something else just as obvious.

        There was some firing there.

  • by Anonymous Coward

    If someone dies from ransomware, they're guilty of murder. Put out a bounty with proof.
    Someone will figure out who they are...

    • If there is any justice in the world, these assholes will one day end up in the hospital, and they'll go under the knife or the X-ray machine or whatever, and at just the right moment, some ransomware F's them up real good. And I want to be there to tell them exactly why they're F'd up, and why they so richly deserve it while I laugh at them heartily. Of course, there's no justice in the world, but I can dream.

  • The Australian one has affected a number of hospitals and services in a semi-rural area. Health Care in Australia is primarily State Government run with a mix of Federal and State Funding. Many services are provided by smaller government entities, private businesses who might provide services or manage hospitals and some NGO's. The model is heavily based on a local delegation model in rural areas.

    At the State Government level IT Security is taken very seriously [I have worked on Health projects here] but th

    • I hope the ASD and NSA computers are sifting the evidence, as all is recorded, plenty of metadata. If they don't catch the turkeys, then it will be a not big enough thing. Very hard to collect the cash nowadays. Then the DPP can start prosecuting the other turkeys responsible for this malfeasance.
    • by thogard ( 43403 )

      "At the State Government level IT Security is taken very seriously"

      If your not using security tags per data item, you're not taking IT security seriously. That means using things like solaris security labels or CIPSO.

      If your office worker workstations can talk to each other, you're not taking IT security seriously. Firewalls in buildings don't protect the front door, they protect part of the building from fires in other parts of the same building.

      If you aren't scanning your network using IPv6, you're not

  • by Retired ICS ( 6159680 ) on Tuesday October 01, 2019 @08:39PM (#59259476)

    "An official said it would take weeks to secure and restore damaged networks"

    They should have secured the networks last month, then they would not be having this problem. Waiting until you need to drive to the hospital because you got shot before fixing the flat tire on the car is not a very wise move.

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...