Hospitals That Are Turning Away Patients Reportedly Pay Ransomware Attackers
An anonymous reader quotes a report from Ars Technica: Three Alabama hospitals have paid a ransomware demand to the criminals who waged a crippling malware attack that's forcing the hospitals to turn away all but the most critical patients, the Tuscaloosa News reported. As reported last Tuesday, ransomware shut down the hospitals' computer systems and prevented staff from following many normal procedures. Officials have been diverting non-critical patients to nearby hospitals and have warned that emergency patients may also be relocated once they are stabilized. An update posted on Saturday said the diversion procedure remained in place. All three hospitals are part of the DCH health system in Alabama. Over the weekend, the Tuscaloosa News said DCH officials made a payment to the people responsible for the ransomware attack. The report didn't say how much officials paid. Saturday's statement from DCH officials said they have obtained a decryption key but didn't say how they obtained it. The statement read in part: "In collaboration with law enforcement and independent IT security experts, we have begun a methodical process of system restoration. We have been using our own DCH backup files to rebuild certain system components, and we have obtained a decryption key from the attacker to restore access to locked systems.
We have successfully completed a test decryption of multiple servers, and we are now executing a sequential plan to decrypt, test, and bring systems online one-by-one. This will be a deliberate progression that will prioritize primary operating systems and essential functions for emergency care. DCH has thousands of computer devices in its network, so this process will take time.
We cannot provide a specific timetable at this time, but our teams continue to work around the clock to restore normal hospital operations, as we incrementally bring system components back online across our medical centers. This will require a time-intensive process to complete, as we will continue testing and confirming secure operations as we go."
Re: (Score:2)
It's perfectly reasonable for laypeople to ask for clarification.
Re: (Score:1)
You're fucking it up again, Ivan. You posted this before there even were any replies!
Re: (Score:2)
Funny, how you managed to post BEFORE any of those 'replies' that you are um, replying to
I mean, hey if you have the ability to time-travel, then why the fuck don't you just go back in time and tell your Admin NOT to play online Spider, or maybe keep the ransomer from being born, or learning about computers, or just making some usable backups like EVERY IT DEPARTMENT IN THE COUNTRY... but NO you (apparently) can move around in time, and ALL that you can come up with is being a defensive little cunt?
Man, Ala
Re: (Score:2)
The post format is an old Fark meme. Apparently still an effective one.
Re: (Score:2)
So, you are saying that FARK is full of petulant posers? I am actually GLAD that I have no idea what it is
Re: (Score:2)
Fark is highly entertaining. You're missing out.
Sometimes I need something even less serious than Slashdot, like Florida Man.
Re: (Score:1)
Fark is a SJW-infested shithole nowadays. The old conversation of Fark is long-gone, muted into nonexistence by Genevieve Marie (a moderator account there) and Adam Savage's general bullshit mindset infected Drew Curtis.
Fark got blackholed on my router years ago.
Re: (Score:2)
" it's pretty obvious from Khyber's posting history he's a right wing lunatic"
Way to show your inability to read and comprehend. I'm so far left-reaching that I reach backwards and you get smacked on the right side of your face, son.
Re: (Score:1)
I can't tell if you're teasing me by assuming association or if you're being shallow. I don't completely disagree though. A while back large numbers of people started using /ignored to say "I got the last word in. Forever." I do think that is something a petulant poser would do.
Re: (Score:2)
Comment regarding the original post, that is to say they are 'posing as the affected group' (Alabama hospital IT) and their pre-post sniping against obvious arguments is 'childishly sulky or bad-tempered.', i.e. petulant
I mean, rote replies to common arguments have gone well past being 'memes' (is it on memetracker?) and are more like distractions against discussion
Re: (Score:1)
Fair enough.
So it a simple matter of no backups? (Score:3)
So is it simply that these hospitals are negligent and don't have up-to-date backups of their data? Or are these networks so complicated/extensive that having a backup system is prohibitively expensive?
Re: (Score:2)
So, one not at all familiar with hospital administration then
Re:So it a simple matter of no backups? (Score:5, Insightful)
Actually, I am _very_ familiar with hospital administration
They actively work to avoid costs, then BLAME the bad outcomes on everybody else
Just pray that their cost cutting (only to increase profits) doesn't kill one of your kids, because they will try and blame you for it and even call the cops on you
Re: (Score:2)
Actually, I am _very_ familiar with hospital administration
They actively work to avoid costs, then BLAME the bad outcomes on everybody else
Just pray that their cost cutting (only to increase profits) doesn't kill one of your kids, because they will try and blame you for it and even call the cops on you
They don't have unlimited funds. Hospitals in my area are going bankrupt at an alarming rate despite all of your virtue signaling. You aren't familiar at all with actual hospital administration other than socialist talking points.
In the real world, everyone has to get paid.
Re: (Score:2)
... and that right there is a problem with "for profit" healthcare.
If you cannot guarantee that folks will pay for the service you provide, and that service is a critical, needed service (you die if you don't get it) - there's something wrong here.
Re: (Score:2)
Lemme lay it out for you
Go into a hospital for a 'normal' procedure
Hospital is performing renovations on wing, with patients in it
Patient starts to have a bad reaction to medication, monitor starts beeping
Nurse seems to be watching it, making notes, etc...
Unexpected rainstorm results in water dripping on monitor
Under trained staff does not know how to react, think water has affected monitor
An hour later, family member is dead
Hospital Administrator starts digging to see if there is anything that they can blam
Re: (Score:2)
Add greed to the mix, and a lot of things are prohibitively expensive when the hospital has to pay for it and it cannot directly be re-sold to the patients at a fat premium.
Re: So it a simple matter of no backups? (Score:2)
"Cash cows"
Profit and income often have nothing to do with budgets unless those budgets are ones management believes are amplified back as new cash later (such as sales and occasionally research).
It's a no-win scenario for many admins: Issue warnings that more resources are needed to guard against this and get called a pessimist, incompetent, or just a liar... then if the worst happens you're called incompetent anyway...
Re: (Score:1)
most hospitals operate in the red.
Yeah I'm sure they're struggling to keep the lights on when they bankrupt everyone who walks through their doors.
Re: (Score:2)
Quite the opposite. EVERYTHING is expensive because it has to conform to some ridiculous standard. Whether that standard makes sense for the particular item or appliance in question is of no concern. You have rules that SHOULD apply to the operating room where those rules make sense, but DO apply to the kitchen where they do not.
Don't get me wrong. I do want rules requiring medical equipment that is used to monitor patients to be of utmost quality or hospitals will start to cut corners. But that does not ap
Re: So it a simple matter of no backups? (Score:2)
Competent IT folks and security cost money, and hospitals can't let that cut into their profit margin, so they don't bother. In all my years of working in healthcare I've never once met hospital IT that could tell their ass from a hole in the wall.
Re: (Score:2)
One thing I have learned reading Slashdot for many years is that reputable IT people seem to make fun of hospitals admins (and in other industry execs as well) for not knowing their asses from technology from IT from a hole in the wall. I do not know if there are genuinely "good IT people" at some hospitals or not, but what I see are IT people who are good enough to make the system work for themselves, to secure their own jobs. They create, or fail to solve, myriad little problems that ensure they are alw
Re: (Score:2)
From what I have seen, the main problems in hospitals are incompetent IT staff and MDs that think they are IT experts and make IT decisions on their own that turn out badly. Also, there are still a lot of MDs in hospitals that somehow think they can continue to operate without IT. For triage and emergency care that is even true to some degree, but for ordinary business and for advanced diagnostics, it is not.
Re: (Score:2)
Yes, I had some CFO point to the wall switch and say, IT is like the power company, I pay the bill and it works
Never mind that they had been actively underpaying/understaffing their entire IT department for decades and the resulting churn had left numerous systems unprotected... they still convinced themselves they are in the right
Re: (Score:2)
You should point him to the example that Puerto Rico has provided.
Re: (Score:2)
Actually, she lit her own funeral pyre by instituting an IT purge, that resulted in the loss of some really great IT talent, and then eventually left to be CFO somewhere else when there was nobody left to blame.
also 3rd party vendors have full conrol over hardw (Score:2)
also 3rd party vendors have full control over hardware and say need to remove access to that hardware and no you can't install Xvpn to do that.
Re: (Score:2)
There are some competent IT staff at hospitals. The problem has multiple angles.
Yes, some people are incompetent, especially at the higher echelons. The other problem is that large hospitals operate, especially the IT groups, at the verge of insolvency due to government mandates such as HIPAA, EMR and Medicare paying less than 70c on the dollar. When something like this happens they get slapped with large fines anyway that are cheaper than fixing the problem.
The biggest issue in all these instances is massi
Re: (Score:2)
I have a hard time believing there are no backups. Even most Mom & Pop businesses know to backup their data these days. I'd wager they probably have backups of their most important data, but the procedure to actually rebuild and restore everything from scratch would end up being insanely time-consuming. Their immediate concern is going to be getting back up and running as quickly as possible.
Re: (Score:2)
More likely, their backups are accessible 100% of the time and were also hit by the encryption.
Re: (Score:2)
Which strongly suggests they never tested their backups!
Re: (Score:2)
So a few things:
1) If there are patient records, including both health and financial, then you ... what, just skip the N days of activity and act like it didn't happen?
2) I've known these attacks to stay resident on the systems for a period beforehand. When the lockout happens, then the administrators find the backups are ALSO corrupted - or get immediately reinfected, making the backups useless unless you go back to even older backups.
Remember, the goal here is to extract the highest practical payout. They
Re: (Score:2)
More likely it is an issue of time-to-recover. Some systems are likely to need more than just a backup to work, like the XP desktops controlling a CT scanner or MRI. Others it might just be faster with the decryption than using the backup system.
You need a very robust backup solution to be able to restore *everything* at once inside a month or so.
Ransom vs budgeting (Score:4, Interesting)
I wonder how much the ransom + lost revenue compares to a properly staffed and funded IT dept.
Re: (Score:2)
At the moment, paying the ransom is a lot cheaper, because the probability of being hit is low. That will change if these people continue to pay.
Re: (Score:3)
That's the exact wrong way to look at it, although I fear it's exactly how the decision makers DO look at it.
Ransomware is probably the best case security scenario, given the dataset we're talking about; the folks behind the ransomware want to be paid, and so they have a vested interest in ensuring the data is secured and available only to the "clients". However, such data can be far more valuable on the open market; if ransomware got in, then someone could get the data out. It is, in essence, a canary in
Re: (Score:2)
Spending reactively ALWAYS looks good, until something bad happens
Unfortunately, hospital administrators only care about money now, and do not perform much planning for future IT (aside from attempting to avoid all costs)
Re: (Score:2)
Spending reactively ALWAYS looks good, until something bad happens
The key factor is the probability that something bad will happen.
If it is very low, then it is better to just be reactive.
Ransomware attacks likely affect less than 1%. If you get infected, your career takes a hit. But if you don't get infected (far more likely) your career takes a hit anyway because of all the costs of proper staffing, security, backups, and testing on something that has no obvious bottom-line benefit.
The biggest difference is that in the case of an attack, it is easier to shift the blam
Re: (Score:2)
maintaining usable backups is not particular to defeating a ransomware attack, and should be a common practice in any IT shop
using tape schedules and off-site storage would provide access to data regardless of when the ransomware was applied
the slavish kowtowing to 'cutting costs' and ignoring the need for IT services that include adequate and usable backups is root cause for many problems and needs to be addressed
any hospital staff that gets caught due to lack of backups should be retrained or sacked
Re: (Score:1)
They'd never do both because they have a reputation to maintain? That's quite adorable. They don't do both, but the reason is that this is much easier, much faster, and slightly harder to trace.
Re: (Score:2)
It IS how decisions are made. Risk (as well as whether laws are followed, by the way) is measured on a very simple metric: Chance of happening times cost of incident vs. cost to avoid/mitigate/uphold. Depending on which side is cheaper, that's what you do.
Re: (Score:2)
But if you do that with a short-term focus, it may well kill you long-term. And that seems to be what is happening: Pay this scum and have a much bigger problem tomorrow because you validated their crime-model and encouraged them to expand.
Re: (Score:2)
If you only exist quarter-report to quarter-report...
There is a reason recently C-Level contracts started to include clauses that deal with long-term viability of their actions. Sorry, pump'n'dump no longer works.
Re: (Score:2)
Indeed.
Re: (Score:2)
Well, in the short run, reactively is cheaper. In the long run, it may create a catastrophe. That was basically my point.
Re: (Score:1)
I wonder how much the ransom + lost revenue compares to a properly staffed and funded IT dept.
Does the "properly staffed and funded IT dept" guarantee that ransomware attacks will fail? Or is it more likely that the "properly staffed and funded IT dept" will actually end up being a hugely expensive collection of fake-it-to-make-it "masters degree" posers and the system will end up ransomed anyhow, most likely because multiple members of the "properly staffed and funded IT dept" spend most of their time on sketchy porn sites collecting viruses on their machines.
Unless you can shit a number for how
Re: (Score:2)
I have to wonder if you have ever worked in an 'effective' IT department if you do not know how to demonstrate that one has an effective backup and recover capability
Any IT system that requires TEST and PATCH environments should be demonstrating the creation of those environments (from backup) on a weekly basis
FYI, ALL IT systems require TEST and PATCH environments
Re: (Score:2)
Well, let's put it that way: We are a properly funded and staffed IT security department and we have avoided and averted more (estimated) cost for incidents (in terms of lost work, goodwill loss and fines) than we cost. Consistently throughout the past 5 years, i.e. as long as I've been there.
Of course it depends on what kind of target you are. Hospitals aren't exactly very interesting targets for the average hacker. But that doesn't mean that you should neglect having a few generations of backups in orde
Worst of the worse (Score:2, Insightful)
Those criminals, I can't even call them hackers, are psychopaths. If you're willing to risk other people's lives to earn a coin, you're even less than trash.
They know damn well what kind of network they are attacking, but they put defenseless people that need care at risk. It infuriates me that criminals can go that low, most criminals have some sort of honor, those criminals obviously don't.
Re: (Score:2)
most criminals have some sort of honor
Like hell they do.
Re:Worst of the worse (Score:4, Insightful)
Most humans actually do. And just like with other humans, there are criminals who are psychopaths.
I mean, what's a psychopath to do when all the CEO positions are filled?
Re: (Score:2)
most criminals have some sort of honor
You should go volunteer at a prison, and get to know some criminals.
You will be quickly disabused of your belief in a criminal honor code.
Re: (Score:1)
What about the dumbass hospital administration that values profit above all else? Can you even trust them with you or your loved one's health? They certainly don't seem to care about it. They care about money.
Re: (Score:2)
Are you referring to the IT guys who did not perform backups or take precautions to make sure this didn't happen? I can tell you 100% that if I were in charge of the IT departments at these places this would not and could not happen. I am sure there would be a lot of angry and inconvenienced people as a result of the improved security measures, but in the age of ransomware good security is no longer optional.
I'd start with giving users two options. They can connect to the internet or they can run Windows, b
Re: (Score:3)
Are you referring to the IT guys who did not perform backups or take precautions to make sure this didn't happen? I can tell you 100% that if I were in charge of the IT departments at these places this would not and could not happen. I am sure there would be a lot of angry and inconvenienced people as a result of the improved security measures, but in the age of ransomware good security is no longer optional.
I'd start with giving users two options. They can connect to the internet or they can run Windows, but not both. If they want to be internet connected they have to use Linux. A locked down linux distro with a firejailed or otherwise sandboxed browser and a proper firewall that monitors outgoing connections. This means they will have to learn (and be taught) some basic Linux stuff, but I don't think Ubuntu would be a big problem for them to adjust to. Management will also have to adapt to using Linux rather than Windows if they want internet connectivity. In addition to this I would require management to have air gapped database backups updated at least once a week.
You dream well, but I am sure you know that making such a radical change at an existing hospital is not feasible. To realize your dream (and mine, I agree with you) you would have to start a hospital from scratch.
Re: (Score:2)
you plainly do not understand the influence that doctors have over hospital rules or their complete disregard for any IT security conventions
Re: (Score:2)
You are correct, but surely getting hit by enough ransomware might be convincing to at least the hospital administrators. Hell they really shouldn't be paying these things because it just contributes to the wider problem, but they are. So they should at least take more precautions against it happening again. You would think that if it cost them enough money they would rethink their entire philosophy about how and why they use computers.
Re: (Score:2)
People had care and arguably better care before EMR, the computer has downtime procedures because Epic requires full downtime every month for a day or two just to upgrade its crappy software.
Hacker Groups should be considered Enemy Combatant (Score:2)
Re: (Score:1)
The ship sailed on this one long ago, my friend. Didn't you know the military already outsourced all its IT security operations to the same "private organizations" (Microsoft, primarily) that you're railing against? The enemy is inside the gates.
Security costs money. (Score:1)
Re: (Score:2)
Security is actually much like an insurance against damages. It's something you pay for to put your mind at ease and hope you never need it.
MICROS~1 Windows strikes again (Score:1)
Another ridiculously bad headline (Score:2)
Headlines should tell a story - or, at least, not tell the wrong story. Lately Ars Technica seems to be employing elementary schoolchildren as editors... as well as publishing submissions from people who have no business calling themselves “writers”.
If Ars is that strapped for cash, maybe it’s time for them to close down.
The headline would seem to imply that ransomware attackers are targeting hospitals because they were turning people away - an actual problem in some jurisdictions, especia
This shit should be illegal (Score:2)
Hospitals shouldn't be legally permitted to create processes that depend on systems that can be taken down with ransomware. They should be legally required to have plans for operation when no computers are working, which can happen in an emergency situation. Otherwise, they should be nationalized, and disaster-safe processes and procedures implemented. We depend on them as part of the fabric of our society, it's unacceptable for them to go out of service like this.
Re: (Score:2)
Otherwise, they should be nationalized
Because the government has such an excellent track record in competent administration?
What it takes to change my address at my bank: 5 minutes on their website.
What it takes to change my address at the DMV: Half-a-day of unpaid leave while I stand in line, only to be told I filled out the wrong form.
Re: (Score:2)
How would that work, though? How would you construct a system that works even if all the files are encrypted and you don't have the key? This is like saying banks should be designed so they can't be robbed! It should be illegal to design a bank in such a way that it is possible to rob it!
Re: (Score:2)
How would that work, though? How would you construct a system that works even if all the files are encrypted and you don't have the key? This is like saying banks should be designed so they can't be robbed! It should be illegal to design a bank in such a way that it is possible to rob it!
It is too bad hospitals did not exist before computer automation became practical or we might have some examples to work from.
Re: (Score:3)
I was going to write a comment to this effect, but you have stated it so simply and eloquently that there is little left to add. I know that over many years, there have been many businesses that have been hamstrung by their computerized central systems going down, e.g. a national retailer like a department store chain losing its central servers so that retail sales could not be made, as if no one knew how to operate a cash register by hand. In recent years, we have heard of airline and hotel reservation s
Mandatory checks of hospital SW, data protection (Score:3)
Public buildings have to have periodic fire safety checks. Similarly, what about mandatory yearly inspections of the software of vital organizations, such as hospitals? Every year, check whether the hospital's software and data are protected against intrusion. Also make sure that the hospital can restore from backups within a day.
Stupid is as stupid does. (Score:2)
60 years ago, circa 1960, computers were not in hospitals.
50 years ago, circa 1970, computers provided reporting of laboratory tests as well as some behind-the-scenes business, accounting, and logistical services.
40 years ago, circa 1980, those uses were more robust, but still behind-the-scenes administrative tools not relevant to direct patient care. Clinical computing started to appear in bedside monitoring and in imaging (CT).
30 years ago, circa 1990, computers and databases helped facilitate traditiona
Sorry Cant Heal You (Score:1)