Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Medicine The Almighty Buck

Hospitals That Are Turning Away Patients Reportedly Pay Ransomware Attackers 100

An anonymous reader quotes a report from Ars Technica: Three Alabama hospitals have paid a ransomware demand to the criminals who waged a crippling malware attack that's forcing the hospitals to turn away all but the most critical patients, the Tuscaloosa News reported. As reported last Tuesday, ransomware shut down the hospitals' computer systems and prevented staff from following many normal procedures. Officials have been diverting non-critical patients to nearby hospitals and have warned that emergency patients may also be relocated once they are stabilized. An updated posted on Saturday said the diversion procedure remained in place. All three hospitals are part of the DCH health system in Alabama. Over the weekend, the Tuscaloosa News said DCH officials made a payment to the people responsible for the ransomware attack. The report didn't say how much officials paid. Saturday's statement from DCH officials said they have obtained a decryption key but didn't say how they obtained it. The statement read in part: "In collaboration with law enforcement and independent IT security experts, we have begun a methodical process of system restoration. We have been using our own DCH backup files to rebuild certain system components, and we have obtained a decryption key from the attacker to restore access to locked systems.

We have successfully completed a test decryption of multiple servers, and we are now executing a sequential plan to decrypt, test, and bring systems online one-by-one. This will be a deliberate progression that will prioritize primary operating systems and essential functions for emergency care. DCH has thousands of computer devices in its network, so this process will take time.

We cannot provide a specific timetable at this time, but our teams continue to work around the clock to restore normal hospital operations, as we incrementally bring system components back online across our medical centers. This will require a time-intensive process to complete, as we will continue testing and confirming secure operations as we go."
This discussion has been archived. No new comments can be posted.

Hospitals That Are Turning Away Patients Reportedly Pay Ransomware Attackers

Comments Filter:
  • by Hrrrg ( 565259 ) on Monday October 07, 2019 @04:02PM (#59280676)

    So it simply that these hospital are negligent and don't have up-to-date backups of their data? Or are these networks so complicated/extensive that having a backup system is prohibitively expensive?

    • In hospital world, nothing is prohibitively expensive. These are cash cows.
      • So, one not at all familiar with hospital administration then

        • by garyisabusyguy ( 732330 ) on Monday October 07, 2019 @04:21PM (#59280766)

          Actually, I am _very_ familiar with hospital administration

          They actively work to avoid costs, then BLAME the bad outcomes on everybody else

          Just pray that their cost cutting (only to increase profits) doesn't kill one of your kids, because they will try and blame you for it and even call the cops on you

          • Actually, I am _very_ familiar with hospital administration

            They actively work to avoid costs, then BLAME the bad outcomes on everybody else

            Just pray that their cost cutting (only to increase profits) doesn't kill one of your kids, because they will try and blame you for it and even call the cops on you

            They don't have unlimited funds. Hospitals in my area are going bankrupt at an alarming rate despite all of your virtue signaling. You aren't familiar at all with actual hospital administration other than socialist talking points.

            In the real world, everyone has to get paid.

            • by Dunbal ( 464142 ) *
              Bet you the administrator still gets paid.
            • by Miser ( 36591 )

              ... and that right there is a problem with "for profit" healthcare.

              If you cannot guarantee that folks will pay for the service you provide, and that service is a critical, needed service (you die if you don't get it) - there's something wrong here.

               

            • Lemme lay it out of you

              Go into a hospital for a 'normal' procedure
              Hospital is performing renovations on wing, with patients in it
              Patient starts to have a bad reaction to medication, monitor starts beeping
              Nurse seems to be watching it, making notes, etc...
              Unexpected rainstorm results in water dripping on monitor
              Under trained staff does not know how to react, think water has affected monitor
              An hour later, family member is dead
              Hospital Administrator starts digging to see if there is anything that they can blam

        • Comment removed based on user account deletion
      • by gweihir ( 88907 )

        Add greed to the mix, and a lot of things are prohibitively expensive when the hospital has to pay for it and it cannot directly be re-sold to the patients at a fat premium.

      • "Cash cows"

        Profit and income often have nothing to do with budgets unless those budgets are ones management believes are amplified back as new cash later (such as sales and occasionally research).

        It's a no-win scenario for many admins: Issue warnings that more resources to guard against this and get called a pessimist, incompetent, or just a liar... then if the worst happens you're called incompetent anyway...

      • Comment removed based on user account deletion
        • most hospitals operate in the red.

          Yeah I'm sure they're struggling to keep the lights on when they bankrupt everyone who walks through their doors.

      • Quite the opposite. EVERYTHING is expensive because it has to conform to some ridiculous standard. Whether that standard makes sense for the particular item or appliance in question is of no concern. You have rules that SHOULD apply to the operating room where those rules make sense, but DO apply to the kitchen where they do not.

        Don't get me wrong. I do want rules requiring medical equipment that is used to monitor patients to be of utmost quality or hospitals will start to cut corners. But that does not ap

      • Competent IT folks and security costs money, and hospitals can't let that cut into their profit margin, so they don't bother. In all my years of working in healthcare I've never once met hospital IT that could tell their ass from a hole in the wall.

        • One thing I have learned reading Slashdot for many years is that reputable IT people seem to make fun of hospitals admins (and in other industry execs as well) for not knowing their asses from technology from IT from a hole in the wall. I do not know if there are genuinely "good IT people" at some hospitals or not, but what I see are IT people who are good enough to make the system work for themselves, to secure their own jobs. They create, or fail to solve, myriad little problems that ensure they are alw

    • by gweihir ( 88907 )

      From what I have seen, the main problems in hospitals are incompetent IT staff and MDs that think they are IT experts and make IT decisions on their own that turn out badly. Also, there are still a lot of MDs in hospitals that somehow think they can continue to operate without IT. For triage and emergency care that is even true to some degree, but for ordinary business and for advanced diagnostics, it is not.

      • Yes, I had some CFO point to the wall switch and say, IT is like the power company, I pay the bill and it works

        Never mind that they had been actively underpaying/understaffing their entire IT department for decades and the resulting churn had left numerous systems unprotected... they still convinced themselves they are in the right

        • You should point him to the example that Puerto Rico has provided.

          • Actually, she lit her own funeral pyre by instituting an IT purge, that resulted in the loss of some really great IT talent, and then eventually left to be CFO somewhere else when there was nobody left to blame.

      • also 3rd party vendors have full control over hardware and say need to remove access to that hardware and no you can't install Xvpn to do that.

      • by guruevi ( 827432 )

        There are some competent IT staff at hospitals. The problem has multiple angles.

        Yes, some people are incompetent, especially at the higher echelons. The other problem is that large hospitals operate, especially the IT groups, at the verge of insolvency due to government mandates such as HIPAA, EMR and Medicare paying less than 70c on the dollar. When something like this happens they get slapped with large fines anyway that are cheaper than fixing the problem.

        The biggest issue in all these instances is massi

    • I have a hard time believing there are no backups. Even most Mom & Pop businesses know to backup their data these days. I'd wager they probably have backups of their most important data, but the procedure to actually rebuild and restore everything from scratch would end up being insanely time-consuming. Their immediate concern is going to be getting back up and running as quickly as possible.

      • I have a hard time believing there are no backups.

        More likely, their backups are accessible 100% of the time and were also hit by the encryption.

      • by Ichijo ( 607641 )

        I'd wager they probably have backups of their most important data, but the procedure to actually rebuild and restore everything from scratch would end up being insanely time-consuming.

        Which strongly suggests they never tested their backups!

        • by Dunbal ( 464142 ) *
          The law says we have to have a backup system, it never said it had to be a working backup system!
    • So a few things:

      1) If there are patient records, including both health and financial, then you ... what, just skip the N days of activity and act like it didn't happen?
      2) I've known these attacks stay resident on the systems for a period beforehand. When they lockout happens, then the administrators find the backups are ALSO corrupted - or get re-immediately reinfected, making the backups useless unless you go back even older backups.

      Remember, the goal here is to extract the highest practical payout. They

    • More likely it is an issue of time-to-recover. Some systems are likely to need more than just a backup to work, like the XP desktops controlling a CT scanner or MRI. Others it might just be faster with the decryption than using the backup system.

      You need a very robust backup solution to be able to restore *everything* at once inside a month or so.

    • Probably negligence. But bear in mind that these ransomware stories are the tail fringe of the bell curve. When a hospital with backups gets hit by ransomware, they simply wipe the affected computers and restore the backups. It's a non-story, so it never makes the news. It's incorrect to assume that what you see reported on the news [ourworldindata.org] is in any way a representative sample of what's actually going on out there. News story selection by the media doesn't just suffer from sampling bias, it is the very epitome
    • by Dunbal ( 464142 ) *
      Apparently internal firewalls are also out of the question.
    • Comment removed based on user account deletion
  • Ransom vs budgeting (Score:4, Interesting)

    by grasshoppa ( 657393 ) on Monday October 07, 2019 @04:04PM (#59280694) Homepage

    I wonder how much the ransom + lost revenue compares to a properly staffed and funded IT dept.

    • by gweihir ( 88907 )

      At the moment, paying the ransom is a lot cheaper, because the probability of being hit is low. That will change is these people continue to pay.

      • That's the exact wrong way to look at it, although I fear it's exactly how the decision makers DO look at it.

        Ransomware is probably the best case security scenario, given the dataset we're talking about; the folks behind the ransomware want to be paid, and so they have a vested interest in ensuring the data is secured and available only to the "clients". However, such data can be far more valuable on the open market; if ransomware got in, then someone could get the data out. It is, in essence, a canary in

        • Spending reactively ALWAYS looks good, until something bad happens

          Unfortunately, hospital administrators only care about money now, and do not perform much planning for future IT (aside from attempting to avoid all costs)

          • Spending reactively ALWAYS looks good, until something bad happens

            The key factor is the probability that something bad will happen.

            If it is very low, then it is better to just be reactive.

            Ransomware attacks likely affect less than 1%. If you get infected, your career takes a hit. But if you don't get infected (far more likely) your career takes a hit anyway because of all the costs of proper staffing, security, backups, and testing on something that has no obvious bottom-line benefit.

            The biggest difference is that in the case of an attack, it is easier to shift the blam

            • maintaining usable backups is not particular to defeating a ransomware attack, and should be a common practice in any IT shop

              using tape schedules and off-site storage would provide access to data regardless of when the ransomware was applied

              the slavish kowtowing to 'cutting costs' and ignoring the need for IT services that include adequate and usable backups is root cause for many problems and needs to be addressed

              any hospital staff that gets caught due to lack of backups should be retrained or sacked

        • They'd never do both because they have a reputation to maintain? That's quite adorable. They don't do both, but the reason is that this is much easier, much faster, and slightly harder to trace.

        • It IS how decisions are made. Risk (as well as whether laws are followed, by the way) is measured on a very simple metric: Chance of happening times cost of incident vs. cost to avoid/mitigate/uphold. Depending on which side is cheaper, that's what you do.

          • by gweihir ( 88907 )

            But if you do that with a short-term focus, it may well kill you long-term. And that seems to be what is happening: Pay this scum and have a much bigger problem tomorrow because you validated their crime-model and encouraged them to expand.

            • If you only exist quarter-report to quarter-report...

              There is a reason recently C-Level contracts started to include clauses that deal with long-term viability of their actions. Sorry, pump'n'dump no longer works.

        • by gweihir ( 88907 )

          Well, in the short run, reactively is cheaper. In the long run, it may create a catastrophe. That was basically my point.

        • Comment removed based on user account deletion
    • by Tailhook ( 98486 )

      I wonder how much the ransom + lost revenue compares to a properly staffed and funded IT dept.

      Does the "properly staffed and funded IT dept" guarantee that ransomware attacks will fail? Or is it more likely that the "properly staffed and funded IT dept" will actually end up being a hugely expensive collection of fake-it-to-make-it "masters degree" posers and the system will end up ransomed anyhow, most likely because multiple members of the "properly staffed and funded IT dept" spend most of their time on sketchy porn sites collecting viruses on their machines.

      Unless you can shit a number for how

      • I have to wonder if you have every worked in an 'effective' IT department if you do not know how to demonstrate that one has an effective backup and recover capability

        Any IT system that requires TEST and PATCH environments should be demonstrating the creation of those environments (from backup) on a weekly basis

        FYI, ALL IT systems require TEST and PATCH environments

      • Well, let's put it that way: We are a properly funded and staffed IT security department and we have avoided and averted more (estimated) cost for incidents (in terms of lost work, goodwill loss and fines) than we costed. Consistently throughout the past 5 years, i.e. as long as I've been there.

        Of course it depends on what kind of target you are. Hospitals aren't exactly very interesting targets for the average hacker. But that doesn't mean that you should neglect having a few generations of backups in orde

      • Comment removed based on user account deletion
  • Worst of the worse (Score:2, Insightful)

    by Anonymous Coward

    Those criminals, i can't even call them hackers, are psychopaths. If you're willing to risk other people's life to earn a coin, you're even less than trash.

    They know damn well what kind of network they are attacking, but they put defenseless people that need care at risk. It infuriates me that criminals can go that low, most criminals have some sort of honor, those criminals obviously don't.

    • most criminals have some sort of honor

      Like hell they do.

    • by Opportunist ( 166417 ) on Monday October 07, 2019 @06:25PM (#59281232)

      Most humans actually do. And just like with other humans, there are criminals who are psychopaths.

      I mean, what's a psychopath to do when all the CEO positions are filled?

    • most criminals have some sort of honor

      You should go volunteer at a prison, and get to know some criminals.

      You will be quickly disabused of your belief in a criminal honor code.

    • by Anonymous Coward

      What about the dumbass hospital administration that values profit above all else? Can you even trust them with you or your loved one's health? They certainly don't seem to care about it. They care about money.

    • This is attempted first degree murder. They should be hunted down, caught, tried, found guilty, and punished. If any patient actually died as a result, they should be executed with extensive publicity.
      • Are you referring to the IT guys who did not perform backups or take precautions to make sure this didn't happen? I can tell you 100% that if I were in charge of the IT departments at these places this would not and could not happen. I am sure there would be a lot of angry and inconvenienced people as a result of the improved security measures, but in the age of ransomware good security is no longer optional.

        I'd start with giving users two options. They can connect to the internet or they can run Windows, b

        • Are you referring to the IT guys who did not perform backups or take precautions to make sure this didn't happen? I can tell you 100% that if I were in charge of the IT departments at these places this would not and could not happen. I am sure there would be a lot of angry and inconvenienced people as a result of the improved security measures, but in the age of ransomware good security is no longer optional.

          I'd start with giving users two options. They can connect to the internet or they can run Windows, but not both. If they want to be internet connected they have to use Linux. A locked down linux distro with a firejailed or otherwise sandboxed browser and a proper firewall that monitors outgoing connections. This means they will have to learn (and be taught) some basic Linux stuff, but I don't think Ubuntu would be a big problem for them to adjust to. Management will also have to adapt to using Linux rather than Windows if they want internet connectivity. In addition to this I would require management to have air gapped database backups updated at least once a week.

          You dream well, but I am sure you know that making such a radical change at an existing hospital is not feasible. To realize your dream (and mine, I agree with you) you would have to start a hospital from scratch.

        • you plainly do not understand the influence that doctors have over hospital rules or their complete disregard for any IT security conventions

          • You are correct, but surely getting hit by enough ransomware might be convincing to at least the hospital administrators. Hell they really shouldn't be paying these things because it just contributes to the wider problem, but they are. So they should at least take more precautions against it happening again. You would think that if it cost them enough money they would rethink their entire philosophy about how and why they use computers.

    • Comment removed based on user account deletion
    • by guruevi ( 827432 )

      People had care and arguably better care before EMR, the computer has downtime procedures because Epic requires full downtime every month for a day or two just to upgrade its crappy software.

    • Comment removed based on user account deletion
  • Enough of allowing these constant attack on our infrastructure be dealt with by private organizations We need the full weight of the Military, and that means all our World War vs Russia and China so fucking be it For nearly 2 decades now the US and our NATO have been in a state of Cyber War as we endure attack after attack by Russian and Chinese Hackers -- why isn't our Government and Military stepping in to protect us? Why must our industries be left to their own devices to deal with these actions by our e
    • The ship sailed on this one long ago, my friend. Didn't you know the military already outsourced all it's IT security operations to the same "private organizations" (Microsoft, primiarly) that you're railing against? The enemy is inside the gates.

  • Security is like a new boat vs an old boat. You can pay a lot now, or nickel and dime over time. Either way you're gonna pay.
    • Security is actually much like an insurance against damages. It's something you pay for to put your mind at ease and hope you never need it.

  • by Anonymous Coward
    MICROS~1 Windows strikes again ..
  • Headlines should tell a story - or, at least, not tell the wrong story. Lately Ars Technica seems to be employing elementary schoolchildren as editors... as well as publishing submissions from people who have no business calling themselves “writers”.

    If Ars is that strapped for cash, maybe it’s time for them to close down.

    The headline would seem to imply that ransomware attackers are targeting hospitals because they were turning people away - an actual problem in some jurisdictions, especia

  • Hospitals shouldn't be legally permitted to create processes that depend on systems that can be taken down with ransomware. They should be legally required to have plans for operation when no computers are working, which can happen in an emergency situation. Otherwise, they should be nationalized, and disaster-safe processes and procedures implemented. We depend on them as part of the fabric of our society, it's unacceptable for them to go out of service like this.

    • Otherwise, they should be nationalized

      Because the government has such an excellent track record in competent administration?

      What it takes to change my address at my bank: 5 minutes on their website.

      What it takes to change my address at the DMV: Half-a-day of unpaid leave while I stand in line, only to be told I filled out the wrong form.

    • How would that work, though? How would you construct a system that works even if all the files are encrypted and you don't have the key? This is like saying banks should be designed so they can't be robbed! It should be illegal to design a bank in such a way that it is possible to rob it!

      • by Agripa ( 139780 )

        How would that work, though? How would you construct a system that works even if all the files are encrypted and you don't have the key? This is like saying banks should be designed so they can't be robbed! It should be illegal to design a bank in such a way that it is possible to rob it!

        It is too bad hospitals did not exist before computer automation became practical or we might have some examples to work from.

    • I was going to write a comment to this effect, but you have stated it so simply and eloquently that there is little left to add. I know that over many years, there have been many businesses that have been hamstrung by their computerized central systems going down, e.g. a national retailer like a department store chain losing its central servers so that retail sales could not be made, as if no one knew how to operate a cash register by hand. In recent years, we have heard of airline and hotel reservation s

  • by myid ( 3783581 ) on Monday October 07, 2019 @10:30PM (#59281980)

    Public buildings have to have periodic fire safety checks. Similarly, what about mandatory yearly inspections of the software of vital organizations, such as hospitals? Every year, check whether the hospital's software and data are protected against intrusion. Also make sure that the hospital can restore from backups within a day.

  • 60 years ago, circa 1960, computers were not in hospitals.
    50 years ago, circa 1970, computers provided reporting of laboratory tests as well as some behind-the-scenes business, accounting, and logistical services.
    40 years ago, circa 1980, those uses were more robust, but still behind-the-scenes administrative tools not relevant to direct patient care. Clinical computing started to appear in bedside monitoring and in imaging (ct).
    30 years ago, circa 1990, computers and databases helped facilitate traditiona

    • All the more ammo for those who are engaged in trying to move the healthcare industry away from fee for service. The breaking point was passed when for profit systems had to use the public internet to automate routine tasks. There is always a price to pay for being cheap.
  • The part that should really scare you about this is the fact that they don't know how to heal people without a computer.... Or just don't want to.
    • by Dunbal ( 464142 ) *
      You can blame the lawyers for that one. It's not a healing thing, it's a liability thing.

Genius is ten percent inspiration and fifty percent capital gains.

Working...