Ransomware, Data Breaches At Hospitals Tied To Uptick In Fatal Heart Attacks (krebsonsecurity.com)
New submitter byteme01 writes: Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts, a new study posits. Health industry experts say the findings should prompt a larger review of how security -- or the lack thereof -- may be impacting patient outcomes. Researchers at Vanderbilt University's Owen Graduate School of Management took the Department of Health and Human Services (HHS) list of healthcare data breaches and used it to drill down on data about patient mortality rates at more than 3,000 Medicare-certified hospitals, about 10 percent of which had experienced a data breach. As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined. The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.
Why? (Score:2)
I am not any kind of medical professional. Someone who is, please correct me as needed.
The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.
What's missing from TFS is an explanation of why this matters.
As I understand, after a heart attack, diagnosing precisely what happened and delivering the proper care is time-sensitive and accuracy is critical. The wrong treatment makes things far worse, and no treatment is only slightly less worse. Getting tests and results quickly is literally a life-or-death matter, and delays due to security processes mean patients di
Re: (Score:1)
I didn't read anything - did they actually look at data pre- and post-breach? Or just hospitals that have been breached versus those that haven't?
Because for sure worse run hospitals will be breached more often.
But regardless, hospital IT is notoriously woefully unfunded - and I believe they get what they deserve re: IT outcomes. The nerds have told them how important it was for years, and hospitals are all about doctor worship. Obviously no one deserves it, and we should prosecute the attackers to
Re: (Score:2)
being pessimistic - if you're poorly run in one area, you're most likely poorly run elsewhere
Re: (Score:2)
...This is one reason why I promote security taking the form of enabling users. In these kind of situations, for example, security upgrades should not just be dictated and dropped on existing systems, but should be accompanied by hardware and process upgrades to ensure that performance is improved simultaneously.
When it comes specifically to security patches, it's about mitigating actual risk or potential risk. Performance improvements are pretty much always secondary to the initial purpose of a security patch.
Always remember why you're changing any production system. Tends to make post-change expectations a bit more realistic.
Re: (Score:2)
Always remember why you're changing any production system. Tends to make post-change expectations a bit more realistic.
In a hospital, I expect patients to die less often after a change. "Not dying" is pretty much their flagship product.
Security is always a balance of cost and benefits. My philosophy is that those should always be viewed in terms of the larger enterprise. By implementing anti-ransomware protection, a hospital reduces the statistical cost of "patients dying while systems are held for ransom", but it comes at the statistical cost of "patients dying because treatment was too slow".
Of course, management sees do
Re: (Score:3)
The time being measured is the time from the entrance of the patient into the Emergency Room to the time that an EKG is administered. And that time increases by somewhere between 2:00 and 2:45 after a data breach is discovered and security procedures are changed.
The paper seems to imply that the problem is that it takes longer for doctors and nurses to get into and use the electronic records systems. They suggest that the delays caused by increased cybersecurity measures at each step in the process (nurse acc
Re: (Score:2)
Sarcasm aside, in a response-sensitive environment, the security team should have implemented tethered smart cards and biometric or PIN MFA, instead. Faster unlocks (especially if a fingerprint is available) and more secure than a passphrase.
Re: (Score:2)
I would have assumed any fingerprint method, especially in an ER setting but really any setting with higher than usual hand washing, would be enough to plunge reliability into the toilet.
My short five-day stay in intensive care had 15-30 minute round-the-clock nurse check-ins, each with at least two hand washes and sanitations, which I assumed was the same for everyone in that wing.
One can imagine the havoc that does to the skin, let alone a fingerprint.
There they used barcode readers and their badge. Not n
Re: (Score:2)
Not to mention in the ER most people are wearing gloves a lot of the time... most bio-metric stuff would be difficult to use, at least with any sort of speed.
I like the idea of smart cards or some sort of wireless card thing that would be linked to the computers. The hospital I work at has cards you hold up to gray boxes to open doors, and they have it set where most people can open some doors and a few people can open doors that lead to sensitive areas. The only issue we run into is the staff seem to lose
Re: (Score:2)
Depends on the nation's ability to hire and accept only skilled staff?
Fill the "care centers" with staff who are average, below average and mediocre due to political and non academic considerations.
Everything works as the "computer" connects with the few actual experts?
The computer network is down, very average staff are doing triage with a large number of patients waiting, and their lack of skill and education starts to show.
The best nations know this and would
CIOs and CTOs (Score:2)
It's the CIOs, CTOs and much of their IT staff who are having the heart attacks.
Re: (Score:2)
Re: (Score:2)
It's the CIOs, CTOs and much of their IT staff who are having the heart attacks.
IT staff? Sure. They actually have something to lose.
But why are the CxOs stressed again? Did someone actually put an executive in jail? Was a fine more than pocket change or something?
I must have missed where we started giving a shit about executives being immoral and unethical...
If people die because of cyber attacks (Score:1)
Re: (Score:2)
So who killed them? (Score:3)
Who killed them? The hackers who sent the ransomware, the user who opened the phishing email, the security person who didn't have his systems patched, the administrator who underfunded security, or the government that did not step in and mandate a less-fractured health-care system? Nah, it's probably the clinical people who took 2:37 longer to respond because their systems were down. To be fair, they do have malpractice insurance to protect them, so the pockets are deepest there.
But that's the great thing about our modern, interconnected world - there are so many people involved in anything that apportioning blame for accountability is almost impossible...
Re: (Score:2)
Gee, blame the victim much? Only one entity in your list of suspects had the intention to cause mischief.
Re: (Score:2)
Gee, blame the victim much? Only one entity in your list of suspects had the intention to cause mischief.
Shit happens. Humans make mistakes. All of them. You're either ready to deal with that in your business, or you are not. We did system backups 20+ years ago not because of ransomware and data breaches, but because we employed stupid humans who deleted shit by accident back then too. Natural hardware failures can happen that also cause deaths, and those weren't caused by mischief.
The reason to be prepared has not changed. The justification has only gotten stronger, because the risk and potential damage has in
Re: (Score:1)
The hackers. If someone sends a mail bomb, you don't blame the secretary who opened the package when it explodes; you blame the person who mailed it.
Re: (Score:1)
Re: (Score:2)
That's pretty easy: it's only the man who threw his inhaler in the bin; there's no logical reason to blame the binmen - they have no intent to harm and no knowledge of the problem.
Security theater (Score:3)
Consider, for example, password rotation. We now know frequent enforced password changes are a bad idea. Yet almost every security policy I've seen still imposes them. Why? Because IT security is still an emotional exercise, not an empirical one.
Re: (Score:2)
Beating the same old drum... (Score:3)
... that correlation is not causation. Delays in administering tests and getting results and falling victim to cyber attacks are both symptoms of a similar cause, which is a disorganized and poorly run organization. There are probably dozens of other measurable outcomes that are substandard at these same facilities, such as employee turnover, equipment maintenance, or even broken windows.
Intensive screening of applications is required (Score:2)
Both white- and blacklists are needed; in group policy or security-screening applications they go a long way in preventing the majority of crypto breaches. The clients my MSP takes care of use GP filtering and have yet to experience an attack that directly affected their servers. Sure, there were a minority that got their workstations encrypted and killed, but their core data on the servers was safe and sound.
Preemptive measures go a long way in ensuring the majority of these attacks do not get very far, or ge
Re: (Score:2)
I've threatened to pack up my desk several times while isolating the servers from the users to keep things going. Fortunately, management had the brain cells to realize what was happening and pretty much sent a paper memo to the staff to fall into compliance and work with IT to ensure the security of their systems.
Microsoft Windows kills patents (Score:1)
Insurance? (Score:1)
Sounds like we need higher insurance premiums to cover these heart attack related deaths from ransomware. /sigh
Re: (Score:2)
If only someone with in-the-trenches, but also statistical, experience of life and death in healthcare, working with someone having the technology experience and resources to apply to this problem [npr.org] could work on this ... perhaps as part of some sort of joint venture ....
Study probably valid (Score:2)
Several people have suggested that the results are due to hospitals with poor security also having slow response times. However the design of the study takes this into account using the difference-in-differences method. It looks at the change in response time before and after the intrusion and compares it to the change in response time for other hospitals. A poorly run hospital may be slow, but the study shows that it gets slower after an intrusion compared to other hospitals.
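As an added illustration of the difference-in-differences estimator the comment above describes (example code written for this page, not from the study or its authors): the hospital names and door-to-EKG timings below are constructed, and the "breached" group is deliberately slower at baseline so the contrast between a naive breached-vs-control comparison and the DiD estimate is visible. A small exact permutation (placebo) test is included to show how one checks that the estimate is not just the luck of which hospitals were labelled "breached".

```python
"""Difference-in-differences (DiD) on constructed hospital timing data.

Illustration added for this page; the numbers are invented and are not
the Vanderbilt study's data.
"""
from itertools import combinations
from statistics import mean

# Door-to-EKG minutes as (pre_window, post_window) per hospital.
# Constructed values: the breached hospitals are slower at baseline
# on purpose, so a plain breached-vs-control comparison overstates
# the effect of the breach.
BREACHED = {"H1": (12.0, 15.0), "H2": (13.0, 15.5), "H3": (11.0, 13.6)}
CONTROL = {"C1": (10.0, 10.5), "C2": (11.0, 11.3),
           "C3": (9.0, 9.4), "C4": (12.0, 12.4)}


def changes(group):
    """Per-hospital change in minutes from the pre to the post window."""
    return [post - pre for pre, post in group.values()]


def naive_gap(treated, control):
    """Post-window treated minus control mean.

    This is the cross-sectional comparison several commenters worry
    about: it absorbs any pre-existing gap between the two groups.
    """
    return (mean(post for _, post in treated.values())
            - mean(post for _, post in control.values()))


def diff_in_diff(treated, control):
    """DiD estimate: mean change in treated minus mean change in control.

    Each hospital's own baseline cancels out, so a hospital that was
    already slow only counts if it got slower relative to the others.
    """
    return mean(changes(treated)) - mean(changes(control))


def placebo_p_value(treated, control):
    """Exact permutation test over treatment labels.

    Relabel every subset of the same size as 'breached', recompute the
    DiD, and report the fraction of relabellings whose |DiD| is at least
    the observed one. A small value means the observed estimate is
    unusual under random assignment of the breached label.
    """
    all_changes = changes(treated) + changes(control)
    n, k = len(all_changes), len(treated)
    observed = abs(diff_in_diff(treated, control))
    hits = total = 0
    for idx in combinations(range(n), k):
        t = [all_changes[i] for i in idx]
        c = [all_changes[i] for i in range(n) if i not in idx]
        total += 1
        if abs(mean(t) - mean(c)) >= observed - 1e-12:
            hits += 1
    return hits / total


if __name__ == "__main__":
    print(f"naive post-window gap: {naive_gap(BREACHED, CONTROL):.2f} min")
    print(f"DiD estimate:          {diff_in_diff(BREACHED, CONTROL):.2f} min")
    print(f"placebo p-value:       {placebo_p_value(BREACHED, CONTROL):.3f}")
```

On the constructed data the naive gap is 3.8 minutes while the DiD estimate is 2.3 minutes; the 1.5-minute difference is the baseline gap that the naive comparison wrongly attributes to the breach. With only seven hospitals there are 35 possible relabellings and the observed split is the single most extreme one, so the placebo p-value is 1/35; the real study's many hundreds of hospitals allow a far stronger test than this toy.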
Re: (Score:2)
A hospital that accepts and keeps on below and well below average staff?
The computer network allowed a few top experts to cover over the lack of staff skills.
Why is any nation allowing a "poorly run hospital" to escape years of peer review and more staff testing?
Find the failed staff allowing/covering for the "poorly run" healthcare and bring in the experts and educated staff needed.
Why should any level of gov, insurance and people paying for medical care accept "po
Capital murder? (Score:1)
Can we finally press charges for capital murder against the scum that pay ransoms and against the other criminals who use such ransomware?