Ransomware takes Hollywood hospital offline, $3.6M demanded by attackers (opens in new tab)

(csoonline.com)

93 pointstapp10y ago49 comments

49 comments

Very interesting article about the subject from November 2015: It’s Way Too Easy to Hack the Hospital, http://www.bloomberg.com/features/2015-hospital-hack/

logicrook10y ago

Hospital equipment is a sector where we need to push strongly for open solutions. Besides their own security, they are putting people's life in danger. An informed citizen should have a way to check the running software and that the equipment is working properly. An example is X-ray equipment. In some cases, patients have been exposed to strong doses of radiations because of malfunctioning equipment for more than 1O years. Nobody checked. And then you add the risk of hacking.

stcredzero10y ago

Hospital equipment is a sector where we need to push strongly for open solutions. Besides their own security, they are putting people's life in danger.

It's a sector where there needs to be a push for software/hardware quality, period! One of my former coworkers from years ago used to write software for medical equipment. The software ran on the cheapest Windows boards the company could find. There was no standardization apart from window dressing. Attitude of management was to just get it out the door, and it would be fine.

CaptSpify10y ago

Having worked in hospitals doing network security: They are terribly insecure. They really are a prime example of bad bureaucracy and proprietary software making everything horrible, despite the best of intentions.

YMMV of course.

enraged_camel10y ago

This goes beyond network security. Most hospital systems, including hardware and software, are insecure. One of the main reason for this is that hospital staff, especially doctors and nurses, tend to be atrociously bad at technology. One hospital we used to work with had removed passwords on their EMR software for all users because the chief of surgery always forgot his. Their reasoning was that inability to remember passwords slowed people down, and the EMR software was "internal anyway" so what could be the worst case scenario of not having passwords?

2 more replies

rogersmith10y ago

The internet of things... what could possibly go wrong?

diego_moita10y ago

Very good point.

It reminds me a comment from the Usenet, a long ago: "if your VCR is still blinking 12:00 then Linux is not for you".

Most people playing with technology don't know what they're doing. Giving them more power means giving them more danger.

logicrook10y ago

Basically every piece of hardware with a clock in my house is blinking, yet I'm fine with Linux. The problem isn't that it's too hard to set, but usually they will get unplugged at some point, and you have to set the clocks again. It gets boring very fast.

1 more reply

klunger10y ago

This was quite low, even for a ransomware attack. What's next, daycare centers?

noxToken10y ago

How do you figure? If I'm targeting digital data for ransom, I'm going after the easiest targets. I don't care if it's hospital records, online obituary guestbook, daycare records, a memorial Facebook account - anything that gives me what I'm looking for. This goes doubly so for how notoriously insecure (relatively speaking) hospitals are.

tzs10y ago

Even criminals tend to have some moral standards. They are not all complete sociopaths. For instance, go to jail for murdering an adult male and you will be accepted and perhaps even respected by other prisoners. Go to jail for murdering a child and you will be despised and quite possibly abused by the other prisoners.

1 more reply

LoSboccacc10y ago

so who's gonna serve the HIPAA violation sentence?

coldcode10y ago

HIPAA does require a lot of security. Having been a HIPAA architect, in reality no one in the industry cares since few are ever even accused of anything much less convicted. It's a toothless gums law.

viraptor10y ago

Why are you sure there was a HIPAA violation? HIPAA includes disaster recovery plan, which is what they should be doing now.

I guess it wasn't a great plan if it's a week in and they're still dealing with it, but still...

LoSboccacc10y ago

Well, there are plenty provisions under the security chapter, funnily enough now that I look at it again (been long time) it seems both 'accountability' (tracking every media in and out) and 'protection from malicious software' are not listed as required. duh.

The emergency mode operation plan is however listed as required, and this place was basically shut for a week.

I remembered it being more stringent that what it really is.

1 more reply

DKnoll10y ago

Assuming it's CryptoLocker style malware, they're probably one of the few hospitals fully satisfying the encryption requirements of HIPAA at the moment.

newobj10y ago

Frackin' toasters. The old man told us to keep those computers off the network.

abrkn10y ago

"They're through the fourth firewall!"

https://www.youtube.com/watch?v=cZnhzAo2Ozk

bawana10y ago

Exactly what happened? Most hospitals use proprietary electronic medical record systems. These are layered constructs of different networks requiring different passwords and VPNs for their different functions. Is there an actual url that one can visit to verify this? Did the internet archive capture this in a snapshot I can see? Or is this smack that a neighboring hospital is pushing to capture market share in this era of declining reimbursements and increasing regulation?

FLUX-YOU10y ago

Probably locked down the physical machines at the hospital.

>Most hospitals use proprietary electronic medical record systems. These are layered constructs of different networks requiring different passwords and VPNs for their different functions.

That's idealistic. Usually they're giant pieces of shit.

bawana10y ago

So really the data is unaffected. Just the OS on the client machines is borked and throwing up a scare screen. If that is the case, they can 'just' reimage the machines from backups. I agree, the EMRs are repurposed shit , but honed to an incredibly complex and fine edge.

gaur10y ago

I'm sure they'll just pass the cost (either of the ransom, or of the missed profits) onto the patients.

qbrass10y ago

It's Hollywood, option the movie rights.

Next summer we'll see how many explosions can be worked into a movie "based on a true story" about cybercrime.

kristiandupont10y ago

..rather than, say, not pay nurses their salaries for a while?

gaur10y ago

Heaven forbid that top executives ever have to take a pay hit.

1 more reply

maratc10y ago

So instead of targeting random people in opportunistic attacks, the malware writers had a very clear target here. It's like "spearansomware". I only wonder why it took them so long to get to this idea.

ianlevesque10y ago

It didn't, they've been doing this to police departments for nearly a year at least.

http://www.darkreading.com/attacks-breaches/police-pay-off-r...

sergers10y ago

not sure if they are being specifically targeted, or hospital networks are easy targets, but i work with a vendor who supports this hospital.

this is the 3rd major healthcare org hit with this in like past 3 weeks. last one just got hit last week.

RIS/HIS/PACS/EHR/any systems all hit, with like 80-90% of network equipment compromised

JohnLeTigre10y ago

wow, talk about a lack of morals, I wonder how many years he would get if he is caught for endangering so many lives.

contingencies10y ago

Doesn't sound like a major hospital. The major hospital in Hollywood is Cedars-Sinai, IIRC.

bkmartin10y ago

And that matters because? Real people needing real treatment are being affected... Major hospital or not.

contingencies10y ago

It gives insight in to the probable investment in, maturity and/or scale of infrastructure. Unlike your emotional rah-rah there.

IvyMike10y ago

Hollywood Presbyterian Medical Center has 434 beds and around 1500 employees. That's pretty decent.

Cedars-Sinai is indeed about twice the size, but that's mostly because Cedars-Sinai is extraordinarily large.

j / k navigate · click thread line to collapse

49 comments

heinrichf10y ago

Very interesting article about the subject from November 2015: It’s Way Too Easy to Hack the Hospital, http://www.bloomberg.com/features/2015-hospital-hack/

logicrook10y ago

stcredzero10y ago

Hospital equipment is a sector where we need to push strongly for open solutions. Besides their own security, they are putting people's life in danger.

CaptSpify10y ago

YMMV of course.

enraged_camel10y ago

2 more replies

rogersmith10y ago

The internet of things... what could possibly go wrong?

diego_moita10y ago

Very good point.

It reminds me a comment from the Usenet, a long ago: "if your VCR is still blinking 12:00 then Linux is not for you".

Most people playing with technology don't know what they're doing. Giving them more power means giving them more danger.

logicrook10y ago

1 more reply

klunger10y ago

This was quite low, even for a ransomware attack. What's next, daycare centers?

noxToken10y ago

tzs10y ago

1 more reply

LoSboccacc10y ago

so who's gonna serve the HIPAA violation sentence?

coldcode10y ago

viraptor10y ago

Why are you sure there was a HIPAA violation? HIPAA includes disaster recovery plan, which is what they should be doing now.

I guess it wasn't a great plan if it's a week in and they're still dealing with it, but still...

LoSboccacc10y ago

The emergency mode operation plan is however listed as required, and this place was basically shut for a week.

I remembered it being more stringent that what it really is.

1 more reply

DKnoll10y ago

Assuming it's CryptoLocker style malware, they're probably one of the few hospitals fully satisfying the encryption requirements of HIPAA at the moment.

newobj10y ago

Frackin' toasters. The old man told us to keep those computers off the network.

abrkn10y ago

"They're through the fourth firewall!"

https://www.youtube.com/watch?v=cZnhzAo2Ozk

bawana10y ago

FLUX-YOU10y ago

Probably locked down the physical machines at the hospital.

>Most hospitals use proprietary electronic medical record systems. These are layered constructs of different networks requiring different passwords and VPNs for their different functions.

That's idealistic. Usually they're giant pieces of shit.

bawana10y ago

gaur10y ago

I'm sure they'll just pass the cost (either of the ransom, or of the missed profits) onto the patients.

qbrass10y ago

It's Hollywood, option the movie rights.

Next summer we'll see how many explosions can be worked into a movie "based on a true story" about cybercrime.

kristiandupont10y ago

..rather than, say, not pay nurses their salaries for a while?

gaur10y ago

Heaven forbid that top executives ever have to take a pay hit.

1 more reply

maratc10y ago

ianlevesque10y ago

It didn't, they've been doing this to police departments for nearly a year at least.

http://www.darkreading.com/attacks-breaches/police-pay-off-r...

sergers10y ago

not sure if they are being specifically targeted, or hospital networks are easy targets, but i work with a vendor who supports this hospital.

this is the 3rd major healthcare org hit with this in like past 3 weeks. last one just got hit last week.

RIS/HIS/PACS/EHR/any systems all hit, with like 80-90% of network equipment compromised

JohnLeTigre10y ago

wow, talk about a lack of morals, I wonder how many years he would get if he is caught for endangering so many lives.

contingencies10y ago

Doesn't sound like a major hospital. The major hospital in Hollywood is Cedars-Sinai, IIRC.

bkmartin10y ago

And that matters because? Real people needing real treatment are being affected... Major hospital or not.

contingencies10y ago

It gives insight in to the probable investment in, maturity and/or scale of infrastructure. Unlike your emotional rah-rah there.

IvyMike10y ago

Hollywood Presbyterian Medical Center has 434 beds and around 1500 employees. That's pretty decent.

Cedars-Sinai is indeed about twice the size, but that's mostly because Cedars-Sinai is extraordinarily large.

j / k navigate · click thread line to collapse