Security, Medicine

Ransomware, Data Breaches At Hospitals Tied To Uptick In Fatal Heart Attacks (krebsonsecurity.com)

New submitter byteme01 writes: Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts, a new study posits. Health industry experts say the findings should prompt a larger review of how security -- or the lack thereof -- may be impacting patient outcomes. Researchers at Vanderbilt University's Owen Graduate School of Management took the Department of Health and Human Services (HHS) list of healthcare data breaches and used it to drill down on data about patient mortality rates at more than 3,000 Medicare-certified hospitals, about 10 percent of which had experienced a data breach. As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined. The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.
  • I am not any kind of medical professional. Someone who is, please correct me as needed.

    The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

    What's missing from TFS is an explanation of why this matters.

    As I understand it, after a heart attack, diagnosing precisely what happened and delivering the proper care is time-sensitive and accuracy is critical. The wrong treatment makes things far worse, and no treatment is only slightly less bad. Getting tests and results quickly is literally a life-or-death matter, and delays due to security processes mean patients di

    • I didn't read anything - did they actually look at data pre- and post-breach? Or just hospitals that have been breached versus those that haven't?

      Because for sure worse run hospitals will be breached more often.

      But regardless, hospital IT is notoriously woefully unfunded - and I believe they get what they deserve re: IT outcomes. The nerds have told them how important it was for years, and hospitals are all about doctor worship. Obviously no one deserves it, and we should prosecute the attackers to

    • Being pessimistic - if you're poorly run in one area, you're most likely poorly run elsewhere.

    • ...This is one reason why I promote security taking the form of enabling users. In these kind of situations, for example, security upgrades should not just be dictated and dropped on existing systems, but should be accompanied by hardware and process upgrades to ensure that performance is improved simultaneously.

      When it comes specifically to security patches, it's about mitigating actual risk or potential risk. Performance improvements are pretty much always secondary to the initial purpose of a security patch.

      Always remember why you're changing any production system. Tends to make post-change expectations to be a bit more realistic.

      • Always remember why you're changing any production system. Tends to make post-change expectations to be a bit more realistic.

        In a hospital, I expect patients to die less often after a change. "Not dying" is pretty much their flagship product.

        Security is always a balance of cost and benefits. My philosophy is that those should always be viewed in terms of the larger enterprise. By implementing anti-ransomware protection, a hospital reduces the statistical cost of "patients dying while systems are held for ransom", but it comes at the statistical cost of "patients dying because treatment was too slow".

        Of course, management sees do

    • The time being measured is the time from the entrance of the patient into the Emergency Room to the time that an EKG is administered. And that time increases somewhere between 2:00 to 2:45 after a data breach is discovered and security procedures are changed.

      The paper seems to imply that the problem is that it takes longer for doctors and nurses to get into and use the electronic records systems. They suggest that the delays caused by increased cybersecurity measures at each step in the process (nurse acc

    • by AHuxley (892839)
      Re: "time-sensitive and accuracy is critical."
      Depends on the nation's ability to hire and accept only skilled staff?
      Fill the "care centers" with staff who are average, below average and mediocre due to political and non academic considerations.
      Everything works as the "computer" connects with the few actual experts?
      Computer network is down and very average staff are doing triage with a large number of patients waiting and their lack of skill, education starts to show.
      The best nations know this and would
  • It's the CIOs, CTOs and much of their IT staff who are having the heart attacks.

    • It's the CIOs, CTOs and much of their IT staff who are having the heart attacks.

      IT staff? Sure. They actually have something to lose.

      But why are the CxOs stressed again? Did someone actually put an executive in jail? Was a fine more than pocket change or something?

      I must have missed where we started giving a shit about executives being immoral and unethical...

  • Isn't that murder? Involuntary manslaughter? Just saying. If this can be proven, can't the individuals guilty of the cyber attacks be charged?
    • Sure. Why not? If you ever catch anyone tied to a *specific* ransomware attack and can prove conclusively that that attack led indirectly to someone's death, then you might get them charged with involuntary manslaughter. Much, much easier to cause a death by a thousand cuts than to go straight for the jugular. Ask any D.A. A felony is still a felony.
  • by frank_adrian314159 (469671) on Friday November 08, 2019 @10:53AM (#59394220)

    Who killed them? The hackers who sent the ransomware, the user who opened the phishing email, the security person who didn't have his systems patched, the administrator who underfunded security, or the government that did not step in and mandate a less-fractured health-care system? Nah, it's probably the clinical people who took 2:37 longer to respond because their systems were down. To be fair, they do have malpractice insurance to protect them, so the pockets are deepest there.

    But that's the great thing about our modern, interconnected world - there are so many people involved in anything that apportioning blame for accountability is almost impossible...

    • Gee, blame the victim much? Only one entity in your list of suspects had the intention to cause mischief.

      • Gee, blame the victim much? Only one entity in your list of suspects had the intention to cause mischief.

        Shit happens. Humans make mistakes. All of them. You're either ready to deal with that in your business, or you are not. We did system backups 20+ years ago not because of ransomware and data breaches, but because we employed stupid humans who deleted shit by accident back then too. Natural hardware failures can happen that also cause deaths, and those aren't caused by mischief.

        The reason to be prepared has not changed. The justification has only gotten stronger, because the risk and potential damage has in

    • The hackers. If someone sends a mail bomb, you don't blame the secretary who opened the package when it explodes; you blame the person who mailed it.

    • Who killed the asthmatic? The man who threw his inhaler into the bin, the binmen who dumped it into the back of the bin lorry, or the man who drove the bin lorry to the dump?
      • by MrL0G1C (867445)

        Who killed the asthmatic? ...

        That's pretty easy, it's only the man who threw his inhaler in the bin, there's no logical reason to blame the binmen - they have no intent to harm and no knowledge of the problem.

  • by stinky wizzleteats (552063) on Friday November 08, 2019 @10:55AM (#59394232)
    I'd say about 70% of security measures associated with *any* security policy, whether there has been a breach or not, are busywork at best and/or harmful at worst.

    Consider, for example, password rotation. We now know frequent enforced password changes are a bad idea. Yet almost every security policy I've seen still imposes them. Why? Because IT security is still an emotional exercise, not an empirical one.
  • by Kiaser Zohsay (20134) on Friday November 08, 2019 @10:57AM (#59394242)

    ... that correlation is not causation. Delays in administering tests and getting results and falling victim to cyber attacks are both symptoms of a similar cause, which is a disorganized and poorly run organization. There are probably dozens of other measurable outcomes that are substandard at these same facilities, such as employee turnover, equipment maintenance, or even broken windows.

  • Both whitelists and blacklists in group policy or security screening applications go a long way in preventing the majority of crypto breaches. The clients my MSP takes care of use GP filtering and have yet to experience an attack that directly affected their servers. Sure, there were a minority that got their workstations encrypted and killed, but their core data on the servers was safe and sound.

    Preemptive measures go a long way in ensuring the majority of these attacks do not get very far, or ge

  • There, I've corrected it with a more accurate title.
  • Sounds like we need higher insurance premiums to cover these heart attack related deaths from ransomware. /sigh

  • Several people have suggested that the results are due to hospitals with poor security also having slow response times. However the design of the study takes this into account using the difference-in-differences method. It looks at the change in response time before and after the intrusion and compares it to the change in response time for other hospitals. A poorly run hospital may be slow, but the study shows that it gets slower after an intrusion compared to other hospitals.

    • by AHuxley (892839)
      The "slow response times" is telling.
      A hospital that accepts and keeps on below and well below average staff?
      The computer network allowed a few top experts to cover over the lack of staff skills.
      Why is any nation allowing a "poorly run hospital" to escape years of peer review and more staff testing?
      Find the failed staff allowing/covering for the "poorly run" healthcare and bring in the experts and educated staff needed.
      Why should any level of gov, insurance and people paying for medical care accept "po
  • Can we finally press charges for capital murder against the scum that pay ransoms and against the other criminals who use such ransomware?
