Cyber Attacks Are One of the Biggest Threats Facing Healthcare Systems (ft.com)
An increase in cyber attacks on the healthcare sector is jeopardising patient safety, and prompting some governments to publish new cyber security standards. From a report: Publicly disclosed global cyber security breaches between January and September last year showed that the healthcare sector suffered more attacks (241) than any other sector, ahead of government (147), and information technology including software, hardware and IT services (91), according to research by Omdia, a technology research provider. The most common type of cyber breach in healthcare was hacking, followed by supply chain attacks, "phishing" (where cyber criminals pose as legitimate organisations to trick people into disclosing passwords and payment details), and "ransomware," in which hackers use malicious software -- "malware" -- to encrypt data until the victim pays a ransom to unlock it.
"The healthcare sector is such a tempting target [for cyber security criminals] because ... you can put lives at risk," says James Lewis, a cyber security expert at the Center for Strategic and International Studies, a US think-tank. The UK's National Health Service has been hit by significant ransomware attacks. In 2017, the "WannaCry" attack is estimated to have cost the NHS $116.3mn and caused the cancellation of 19,000 patient appointments. Another hacking, in 2022, took down the non-emergency 111 service, and disrupted management systems for mental health services and emergency prescriptions.
money and uptime (Score:3)
Healthcare systems have money and need great uptime. Perfect target.
Re: (Score:1)
vendors in healthcare system block updates / have (Score:2)
Vendors in healthcare systems block updates / have old Windows versions on the network.
Also, some vendors have it set up so that you must have a VPN / open ports so that we can get to our devices on your network at your hospital from our sites / systems.
Also, big vendors like EPIC run their own systems (MyChart) that are used on lots of different hospital systems.
Re: (Score:2)
At least Linux has some actual security built in. I'm guessing all these exploits start with a Windows box. Go back to green screen terminals and this shit would disappear overnight.
Re: (Score:2, Informative)
The solution for this is network segmentation.
Keep those scanners and whatnot on separate networks where they can't be laterally moved to from user systems.
And, obviously, don't allow inbound or outbound Internet connections to such systems.
In addition, don't allow any inbound management or file services from peer-to-peer, only allow from designated management hosts.
There are a bunch of other things that could be done too, like application whitelisting, least-privilege permission schemes, etc, etc.
The probl
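The segmentation rules in this comment (devices on their own network, no Internet path in or out, management and file services only from designated hosts, no peer-to-peer), written out as a small policy evaluator that says which proposed connections would be blocked and why. This is an added example, not code from the thread; the segment names, address ranges, ports and sample flows are constructed assumptions, and the inbound vendor remote-access path complained about elsewhere in the thread is modelled simply as an Internet source.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology; segment names and ranges are assumptions
# for illustration, not any real hospital network.
SEGMENTS = {
    "users":    ip_network("10.10.0.0/16"),  # staff workstations
    "clinical": ip_network("10.30.0.0/16"),  # PACS / EHR application servers
    "devices":  ip_network("10.20.0.0/16"),  # scanners, pumps, lab analysers
    "mgmt":     ip_network("10.99.0.0/24"),  # designated management hosts
}
MGMT_PORTS = {22, 135, 445, 3389, 5985}  # SSH, RPC, SMB, RDP, WinRM

def segment_of(ip: str) -> str:
    """Map an address to its segment; anything unknown is treated as Internet."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"

def verdict(src_ip: str, dst_ip: str, dport: int) -> str:
    """Decide whether a new session src->dst:dport is allowed under the policy."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    # 1. No Internet connections in or out of the device segment.
    if "devices" in (src, dst) and "internet" in (src, dst):
        return "deny: device segment has no Internet path"
    # 2. Management/file services on devices only from designated mgmt hosts.
    if dst == "devices" and dport in MGMT_PORTS and src != "mgmt":
        return "deny: management only from designated hosts"
    # 3. Peer-to-peer management/file services inside a segment are blocked.
    if src == dst and dport in MGMT_PORTS and src != "mgmt":
        return "deny: no peer-to-peer management or file services"
    # 4. User workstations never initiate sessions to devices (no lateral path).
    if src == "users" and dst == "devices":
        return "deny: user segment cannot reach devices"
    # 5. Devices only send to clinical servers (e.g. a study to PACS) or to
    #    other devices; they never initiate toward users or mgmt.
    if src == "devices" and dst not in ("clinical", "devices"):
        return "deny: devices may only send to clinical servers"
    return "allow"

def audit(flows):
    """Return the proposed flows the policy blocks, each with its reason."""
    return [(f, verdict(*f)) for f in flows if verdict(*f) != "allow"]

# Constructed sample flows (src, dst, dport); 203.0.113.5 is a documentation
# range placeholder standing in for a vendor's remote-support site.
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.1.9", 3389),   # workstation RDP to a scanner
    ("10.99.0.5", "10.20.1.9", 3389),   # mgmt host RDP to the scanner
    ("203.0.113.5", "10.20.1.9", 22),   # vendor SSH straight from the Internet
    ("10.20.1.9", "10.30.2.2", 104),    # scanner sends a study to PACS
    ("10.10.4.7", "10.10.4.8", 445),    # workstation-to-workstation SMB
]
```

Calling `audit(SAMPLE_FLOWS)` lists the three flows above that the policy rejects; the vendor's inbound SSH is one of them, which is exactly the tension the later "vendor demands Internet connections" comment describes.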
The vendor demands Internet connections to their (Score:2)
The vendor demands Internet connections to their systems on your network so they can remote manage it.
medical or financial (Score:2)
I have to wonder what is the biggest burden, safeguarding the financial/billing data or safeguarding the medical records. Both are hard, but I imagine that the financial info is:
a. interwoven with the medical in a way that is uniquely American
b. more frequently targeted
Politics (Score:5, Insightful)
This is only made worse by politics. For example, the EU wants a European patient data database, with explicit access to third parties. Yes, this is a severe violation of the GDPR and medical laws, but so are the chat control proposal, the Safe Harbor agreement, etc.
In the Netherlands, the health ministry gave away the whole medical sector to insurance companies, who demanded that all medical data came into one system.
Of course, the safe way to treat patient data is to have the data never leave the hospital or doctor's place, and only communicate the data when necessary to other doctors/hospitals, with the exception of a guarded offsite backup.
What's the long term play here, is there one? (Score:3)
It seems like at least half the traffic on the internet today is all to facilitate scams (crypto, spam, dropship, scam sellers, a lot of advertising in general online) and hacking (malware, ransomware, nonstop attack surface probing).
I understand a lot of this is because the internet is built on the foundation laid out 40-50 years ago, which certainly couldn't have foreseen what is here today, and we can't "clean build" it again. But are there technical solutions possible that could be implemented en masse to slow this down, or is this still really just a societal issue, the fact that this type of crime does in fact pay, so plenty of people are incentivized to do it?
We talk about enshittification, and while we can blame the corporate bastards for a lot of it, the criminal element also plays a part in so many stupid things we have to deal with, like captchas. I understand the individual user will always have to be vigilant on security, but I am curious if there are possible solutions that just require huge amounts of onboarding to maybe stem the tide of bullshit for a little while. Just in this story, this ends up costing all of us money, time and effort.
Dental software from vendors is bad with security (Score:2)
Dental software from vendors is bad with security, and part of it is running on local systems where the local office needs to do its own IT + deal with whatever config that outside vendor needs.
StarTrek TNG Solved this in Season 1 (Score:1)
sort of... One punishment for cyber crimes, hacking, stealing passwords, phone scams, all of it... Lethal injection. Or, maybe televised gladiatorial combat, to the death of course. I'm leaning towards televised combat, myself. I can see the announcers now giving the bios of the perps and what they did as they are eaten by angry honey badgers. "This guy scammed a grandma out of 20 thousand dollars, Bob. Look at him run! Ooohh, never gonna scam anyone with that arm again."
So you want more Aaron Swartzes for EULA issues (Score:2)
So you want more Aaron Swartzes for EULA issues, as doing things the EULA says no to are charged as cyber crimes / hacking?
Also, things like reading open data on a website (say a DB on the site is spitting out SSNs and other info) that needs no password have been charged as cyber crimes / hacking.
Re: (Score:1)
I'm happy to refine the concept while it's on its way to adoption. People who write EULAs should beta test the new colosseum.
Not just healthcare systems! (Score:2)
It's like everywhere! :(