Hospitals Now Seeing 20 Ransomware Attacks Per Day On IT Infrastructure

from the delayed-lobotomy dept

We’ve talked a lot about how the lack of security in Internet of Things devices was kind of funny at first, but quickly became less funny as the dramatic scope of the problem began to reveal itself. Whether it’s cars being taken over from an IP address up to ten miles away or the rise in massive new DDoS attacks fueled by your not-so-smart home appliances, folks like security expert Bruce Schneier have made it abundantly clear the check is coming due.

That’s particularly true in the healthcare field, where hackable pacemakers and ransomware-infected hospital equipment are becoming the norm. In fact, hospitals in England recently had to cancel hundreds of surgeries in order to “isolate and destroy” a virus that was running amok across the hospital’s IT systems:

“We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it,” the NHS wrote on its website. “All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions.”

In the kind of transparency that often is the hallmark of these kinds of attacks, the hospital in question (the National Health Service’s Northern Lincolnshire and Goole Foundation Trust in the UK) couldn’t be bothered to explain the precise nature of the attack. But security expert Brian Krebs notes it’s likely part of the growing trend of ransomware attacks on hospitals that cripple administrative and surgical systems until the hospital is willing to pay a bitcoin ransom:

“Earlier this year, experts began noticing that cybercriminals were using ransomware to target hospitals - organizations that are heavily reliant on instant access to patient records. In March 2016, Henderson, Ky.-based Methodist Hospital shut down its computer systems after an infection from the Locky strain of ransomware. Just weeks before that attack, a California hospital that was similarly besieged with ransomware paid a $17,000 ransom to get its files back.

“According to a recent report by Intel Security, the healthcare sector is experiencing over 20 data loss incidents per day related to ransomware attacks. The company said it identified almost $100,000 in payments from hospital ransomware victims to specific bitcoin accounts so far in 2016.”

Twenty data loss incidents…per day, many of which aren’t disclosed and have an exponential impact on human lives and privacy. Ultimately, as other researchers have noted, it’s inevitable that as not-particularly-smart devices gain market share around the world, we’ll begin to see more and more attacks on vital infrastructure. It’s another reason why, before we get busy offensively waging the cyber, we need to make damn sure existing infrastructure is protected.


Comments on “Hospitals Now Seeing 20 Ransomware Attacks Per Day On IT Infrastructure”

Anonymous Coward says:

Re: Re:

Look, I work in IT and no doubt Microslop has its fair share of issues but this is hardly Microslop’s fault.

This is a shared issue between all IT professionals. In any given enterprise there is maybe one or two people that actually give a flying fuck about real security. Everyone else, including the ‘Security/Compliance Department’, really does not give a damn or does but lacks the fundamental expertise on how to address it. More than 1/2 of all Enterprises FUNDAMENTALLY do not understand security.

The mantra is get the product out, up and running with the bare minimum amount of resources and time necessary to get it functional with a BIG sale hopefully at the end. Just about any security that is tacked on is usually an afterthought.

I have yet to see a single product, other than a couple I have designed, that started with Security being the first or near the first part of the program.

orbitalinsertion (profile) says:

Re: Re: Re:

It’s also true that MS does not warrant their products to be used in any critical systems. So networking Windows and critical infrastructure together is against MS advice, and also stupid. Just like connecting critical infrastructure, including SCADA systems, to the internet.

What is even more hilarious is that hospitals being insecure is surely a HIPAA violation. Never mind a threat to the lives and welfare of patients. And as hospitals are generally now parts of mega-system healthcare, it should be easy to hold corporate central accountable.

Well, I guess it is easier to make sure our armed forces can malware-attack other countries. That will help, I am sure.

Anonymous Coward says:

Re: Re: Re: Re:

Did a stint in an energy company too… SCADA systems have no security. It truly is shocking what can easily be done if someone with the knowledge suddenly became nasty minded.

Most healthcare places break HIPAA all the time. Unless you have a closet where you can discuss things with your DR, Pharmacist, or their assistants just a little bit of eavesdropping can take you far. Just walking by most desks with a hidden high quality camera with everything just sitting out in the open is pretty bad.

Society is really just a hapless and lazy group of nubs that are too lazy to give it any serious consideration. For every numb nut that says, no one is going to waste time with that there are 10 people wasting their time with that!

Anonymous Coward says:

Re: Re: Re:

Everyone else, including the ‘Security/Compliance Department’, really does not give a damn or does but lacks the fundamental expertise

"Compliance" tells you all you need to know. They might verify that their system configurations comply with internal policies and mandates from government/insurers, and maybe that the policies correspond to "industry best practices". But "best practices" are generally awful, and nobody’s checking whether the policy-compliant systems are actually secure. Lots of large organizations have a single password/key that would give you full access to everything in the company, for example. A single point of failure is risky: even if it’s well-protected and the policy says it’s fine, it’s a huge target and often not a necessary risk.

Anonymous Coward says:

NEVER pay a ransom

Ransomware attacks would largely disappear overnight if the idiots stopped paying the ransom in the first place. People wouldn’t be building ransomware if some idiots weren’t paying them for doing it and infecting their systems.

Sure some would still try to infect hospitals just to be malicious, and they’d still need to invest a bunch in securing their systems, but the numbers of attacks would definitely drop.

Anonymous Coward says:

Re: NEVER pay a ransom

“Never pay a ransom” is easy to say but the alternative is to lose all your patient records and allow your business to fold due to your entire IT system collapsing, leaving (potentially) hundreds of hospital workers jobless and (potentially) thousands of patients without healthcare.

Sure, in such a situation you should’ve had an offsite backup and some kind of real-time caching, but nobody actually implements that (though they should).

Ben (profile) says:

Re: Re: NEVER pay a ransom

If you are running a hospital/enterprise computer system, you are doing backups. You are doing daily/weekly/monthly rotation backups. You should not be losing more than a single day’s data should the worst happen. A large hospital/enterprise system would also have in place disaster management plans even in the case of when the worst does happen.

I place the most blame on email systems which permit links to be “followed.” Yes there are also attachments to blame, but links are, I believe, the primary route for infecting computers; there should be a policy switch for turning that OFF across all mail readers.

TRX (profile) says:

Re: Re: Re: NEVER pay a ransom

Been there, done that.

Management typically views backups as an utter and complete waste of money. After all, the system never got trashed before, so obviously it will never happen in the future. Shouldn’t you be doing something constructive?

“Uptime is like air. Nobody notices until it’s gone.”

Anonymous Coward says:

Re: NEVER pay a ransom

Sure some would still try to infect hospitals just to be malicious

Have we seen any evidence of this? People are always attributing attacks like these to malice, but it doesn’t seem true. We’ve seen curious hackers, undirected or badly-programmed worms, and profit-motivated criminals. But actual malice seems rare; it’s happened, but normally against individuals or political targets, not hospitals.

orbitalinsertion (profile) says:

It’s kind of funny how everything in hospitals had to be “Y2K Compliant” and what a big deal people made over it in general, but since the rise of serious criminal malware markets people really don’t seem to get any of it or give a hoot. And that is nothing new, but the seriousness of it with the spread of IoT and generically networking lots of devices that have been around for ages without such… still seems to go rather more unnoticed.

Maybe because it is real and doesn’t have enough doom and conspiracy flavouring? Or the right sort? I just don’t understand why people prefer to react to imaginary threats instead of real ones. Even when it is malware and criminal hacking, they have all sorts of weird ideas and fears, but you can’t get them to change behavior or harden their devices against real problems.

Ben (profile) says:

Re: Re:

Y2K was a deadline and people really behave differently when there are deadlines (just ask a student!)

HIPAA was a deadline and healthcare industries scrambled and fought to be ready when it went into effect.

HHS (or whoever is in charge of hospital regs) needs to define repercussions for hospitals not taking security (and backups) seriously. Not sure what the effect will be with the new administration, but it is certainly something that needs to get done now.

TRX (profile) says:

“Don’t be silly, your medical records are perfectly safe, and there’s no way any outsider can get into any of our internet-connected medical equipment. Have you talked to your therapist about your paranoia?”

“But our vendors and their equipment must be able to communicate at will, in order to provide the highest possible standards of service!”

“What do you mean, a five-user pack of Norton Antivirus won’t cover the entire hospital?!”

“Senior management gets annoyed with passwords, so we don’t use them, except with equipment that requires one, in which case it is ‘1-2-3-4-5’.”

Frost (profile) says:

Well, what do you expect?

It’s capitalism. One very successful way to get more money, which means you get more freedom also, is to steal it. You can extort people, rob people or defraud people – and these are all done because there is strong incentive to do so.

The system is innately broken as it encourages this kind of thing. It’s everyone against everyone else, so again, why would anyone be surprised? Only by switching to a cooperation based social system where people have their needs met as a matter of course will we finally design crime away.

That said, malware can be mitigated almost entirely. Just disable all Office documents that have unsigned macros, make it impossible for the mail app to open executables and disable Windows Scripting Host on the computer and you’re malware proofed. If hospitals can’t manage to do these things, they have incompetent admins or more likely highly incompetent leadership.

And any equipment manufacturer who has a system that can be infected with malware should be sued into oblivion for failing to create a safe device.
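
The three settings named in the comment above can be checked on a Windows workstation. The audit script below is an added example, not part of the original thread; it assumes Office 2016 or later (the 16.0 registry key), Outlook as the mail client, and checks only the machine-wide Script Host key.

```powershell
# Added example: audit the three settings the comment names. Office key "16.0"
# (Office 2016 and later) is an assumption; change it for older installs.
$OfficeVer = '16.0'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$results = @()

# 1. Macros: VBAWarnings 3 = disable all except digitally signed macros,
#    4 = disable all without notification. Absent or lower values fail.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $v = Get-RegValue "HKCU:\Software\Policies\Microsoft\Office\$OfficeVer\$app\Security" 'VBAWarnings'
    $results += [pscustomobject]@{ Check = "$app blocks unsigned macros"; Value = $v; Pass = ($v -in 3, 4) }
}

# 2. Mail client: Outlook blocks "Level 1" attachment types by default; the
#    Level1Remove value (".exe;.js" style list) re-enables them. Fail if any
#    executable or script type has been unblocked.
$risky = 'exe', 'com', 'scr', 'js', 'jse', 'vbs', 'vbe', 'wsf', 'hta'
foreach ($root in 'Software\Policies\Microsoft', 'Software\Microsoft') {
    $v = Get-RegValue "HKCU:\$root\Office\$OfficeVer\Outlook\Security" 'Level1Remove'
    $unblocked = @("$v" -split ';' | ForEach-Object { $_.Trim().TrimStart('.').ToLower() } |
        Where-Object { $_ -in $risky })
    $results += [pscustomobject]@{
        Check = "Outlook keeps executables blocked ($root)"
        Value = $v
        Pass  = ($unblocked.Count -eq 0)
    }
}

# 3. Windows Script Host: Enabled = 0 (DWORD or string) turns off wscript/cscript.
#    Only the machine-wide key is checked here.
$v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
$results += [pscustomobject]@{ Check = 'Windows Script Host disabled'; Value = $v; Pass = ("$v" -eq '0') }

$results | Format-Table -AutoSize
```

Run it in the logged-on user's session, since the Office values live under HKCU; a row with Pass = False marks a setting that is missing or weaker than the comment describes.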
