Hospitals Now Seeing 20 Ransomware Attacks Per Day On IT Infrastructure

from the delayed-lobotomy dept

We've talked a lot about how the lack of security in Internet of Things devices was kind of funny at first, but quickly became less funny as the dramatic scope of the problem began to reveal itself. Whether it's cars being taken over from an IP address up to ten miles away or the rise in massive new DDoS attacks fueled by your not-so-smart home appliances, folks like security expert Bruce Schneier have made it abundantly clear the check is coming due.

That's particularly true in the healthcare field, where hackable pacemakers and ransomware-infected hospital equipment are becoming the norm. In fact, hospitals in England recently had to cancel hundreds of surgeries in order to "isolate and destroy" a virus that was running amok across the hospital's IT systems:

"We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," the NHS wrote on its website. "All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions."

In the kind of transparency that often is the hallmark of these kinds of attacks, the hospital in question (the National Health Service's Northern Lincolnshire and Goole Foundation Trust in the UK) couldn't be bothered to explain the precise nature of the attack. But security expert Brian Krebs notes it's likely part of the growing trend of ransomware attacks on hospitals that cripple administrative and surgical systems until the hospital is willing to pay a bitcoin ransom:

"Earlier this year, experts began noticing that cybercriminals were using ransomware to target hospitals — organizations that are heavily reliant on instant access to patient records. In March 2016, Henderson, Ky.-based Methodist Hospital shut down its computer systems after an infection from the Locky strain of ransomware. Just weeks before that attack, a California hospital that was similarly besieged with ransomware paid a $17,000 ransom to get its files back.

"According to a recent report by Intel Security, the healthcare sector is experiencing over 20 data loss incidents per day related to ransomware attacks. The company said it identified almost $100,000 in payments from hospital ransomware victims to specific bitcoin accounts so far in 2016."

Twenty data loss incidents...per day, many of which aren't disclosed and have an exponential impact on human lives and privacy. Ultimately, as other researchers have noted, it's inevitable that as not-particularly-smart devices gain market share around the world, we'll begin to see more and more attacks on vital infrastructure. Another reason why before we get busy offensively waging the cyber, we need to make damn sure existing infrastructure is protected.

Reader Comments


  • Anonymous Coward, 10 Nov 2016 @ 6:31am

    Thank you bill gates. No wonder Microsoft prohibits use of Windows in their own offices.

    • Anonymous Coward, 10 Nov 2016 @ 7:03am

      Re:

      Look, I work in IT and no doubt Microslop has its fair share of issues but this is hardly Microslop's fault.

      This is a shared issue between all IT professionals. In any given enterprise there is maybe one or two people that actually give a flying fuck about real security. Everyone else, including the 'Security/Compliance Department', really does not give a damn or does but lacks the fundamental expertise on how to address it. More than 1/2 of all Enterprises FUNDAMENTALLY do not understand security.

      The mantra is get the product out, up and running with the bare minimum amount of resources and time necessary to get it functional with a BIG sale hopefully at the end. Just about any security that is tacked on is usually an afterthought.

      I have yet to see a single product, other than a couple I have designed that started with Security being the first or near the first part of the program.

      • orbitalinsertion, 10 Nov 2016 @ 7:22am

        Re: Re:

        It's also true that MS does not warrant their products to be used in any critical systems. So networking Windows and critical infrastructure together is against MS advice, and also stupid. Just like connecting critical infrastructure, including SCADA systems, to the internet.

        What is even more hilarious is that hospitals being insecure is surely a HIPAA violation. Never mind a threat to the lives and welfare of patients. And as hospitals are generally now parts of mega-system healthcare, it should be easy to hold corporate central accountable.

        Well i guess it is easier to make sure our armed forces can malware-attack other countries. That will help, i am sure.

        • Anonymous Coward, 10 Nov 2016 @ 7:36am

          Re: Re: Re:

          Did a stint in an energy company too... SCADA systems have no security. It truly is shocking what can easily be done if someone with the knowledge suddenly became nasty minded.

          Most healthcare places break HIPAA all the time. Unless you have a closet where you can discuss things with your DR, Pharmacist, or their assistants just a little bit of eavesdropping can take you far. Just walking by most desks with a hidden high quality camera with everything just sitting out in the open is pretty bad.

          Society is really just a hapless and lazy group of nubs that are too lazy to give it any serious consideration. For every numb nut that says, no one is going to waste time with that there are 10 people wasting their time with that!

      • Anonymous Coward, 10 Nov 2016 @ 12:52pm

        Re: Re:

        Everyone else, including the 'Security/Compliance Department', really does not give a damn or does but lacks the fundamental expertise

        "Compliance" tells you all you need to know. They might verify that their system configurations comply with internal policies and mandates from government/insurers, and maybe that the policies correspond to "industry best practices". But "best practices" are generally awful, and nobody's checking whether the policy-compliant systems are actually secure. Lots of large organizations have a single password/key that would give you full access to everything in the company, for example. A single point of failure is risky: even if it's well-protected and the policy says it's fine, it's a huge target and often not a necessary risk.

    • Anonymous Coward, 10 Nov 2016 @ 7:29am

      Re:

      Are we really still blaming Bill Gates for stuff that has to do with Microsoft?

      Thanks, Steve Jobs, for yet more adapters on the new MacBooks.

      • orbitalinsertion, 10 Nov 2016 @ 9:08am

        Re: Re:

        Well, Gates really set a culture that hasn't changed much, and set the foundations of an OS that really hasn't changed much either. But yeah i am not sure why Gates is still invoked. Or Monkey-Boy Ballmer for that matter. Particularly in situations where a general-purpose OS shouldn't be in use anyway.

  • Anonymous Coward, 10 Nov 2016 @ 7:00am

    NEVER pay a ransom

    Ransomware attacks would largely disappear overnight if the idiots stopped paying the ransom in the first place. People wouldn't be building ransomware if some idiots weren't paying them for doing it and infecting their systems.

    Sure some would still try to infect hospitals just to be malicious, and they'd still need to invest a bunch in securing their systems, but the numbers of attacks would definitely drop.

    • Anonymous Coward, 10 Nov 2016 @ 7:36am

      Re: NEVER pay a ransom

      "Never pay a ransom" is easy to say but the alternative is to lose all your patient records and allow your business to fold due to your entire IT system collapsing, leaving (potentially) hundreds of hospital workers jobless and (potentially) thousands of patients without healthcare.

      Sure, in such a situation you should've had an offsite backup and some kind of real-time caching, but nobody actually implements that (though they should).

      • Ben, 10 Nov 2016 @ 8:08am

        Re: Re: NEVER pay a ransom

        If you are running a hospital/enterprise computer system, you *are* doing backups. You are doing daily/weekly/monthly rotation backups. You should *not* be losing more than a single day's data should the worst happen. A large hospital/enterprise system would also have in place disaster management plans even in the case of when the worst does happen.

        I place the most blame on email systems which permit links to be "followed." Yes there are also attachments to blame, but links are, I believe, the primary route for infecting computers; there should be a policy switch for turning that *OFF* across all mail readers.

        • TRX, 10 Nov 2016 @ 8:10am

          Re: Re: Re: NEVER pay a ransom

          Been there, done that.

          Management typically views backups as an utter and complete waste of money. After all, the system never got trashed before, so obviously it will never happen in the future. Shouldn't you be doing something constructive?

          "Uptime is like air. Nobody notices until it's gone."

          • orbitalinsertion, 10 Nov 2016 @ 9:10am

            Re: Re: Re: Re: NEVER pay a ransom

            Or, the system has only been trashed five times before. Whatever. Won't happen again. But if it does, it's just the cost of business and i can blame someone else or hide the fact that it happened.

    • Anonymous Coward, 10 Nov 2016 @ 12:45pm

      Re: NEVER pay a ransom

      Sure some would still try to infect hospitals just to be malicious

      Have we seen any evidence of this? People are always attributing attacks like these to malice, but it doesn't seem true. We've seen curious hackers, undirected or badly-programmed worms, and profit-motivated criminals. But actual malice seems rare; it's happened, but normally against individuals or political targets, not hospitals.

  • orbitalinsertion, 10 Nov 2016 @ 7:15am

    It's kind of funny how everything in hospitals had to be "Y2K Compliant" and what a big deal people made over it in general, but since the rise of serious criminal malware markets people really don't seem to get any of it or give a hoot. And that is nothing new, but the seriousness of it with the spread of IoT and generically networking lots of devices that have been around for ages without such... still seems to go rather more unnoticed.

    Maybe because it is real and doesn't have enough doom and conspiracy flavouring? Or the right sort? I just don't understand why people prefer to react to imaginary threats instead of real ones. Even when it is malware and criminal hacking, they have all sorts of weird ideas and fears, but you can't get them to change behavior or harden their devices against real problems.

    • Ben, 10 Nov 2016 @ 11:41am

      Re:

      Y2K was a deadline and people really behave differently when there are deadlines (just ask a student!)

      HIPAA was a deadline and healthcare industries scrambled and fought to be ready when it went into effect.

      HHS (or whoever is in charge of hospital regs) needs to define repercussions for hospitals not taking security (and backups) seriously. Not sure what the effect will be with the new administration, but it is certainly something that needs to get done *now*.

  • Anonymous Coward, 10 Nov 2016 @ 7:57am

    They only care about their bottom line, this is simply the way a for profit industry works.

  • TRX, 10 Nov 2016 @ 8:08am

    "Don't be silly, your medical records are perfectly safe, and there's no way any outsider can get into any of our internet-connected medical equipment. Have you talked to your therapist about your paranoia?"

    "But our vendors and their equipment must be able to communicate at will, in order to provide the highest possible standards of service!"

    "What do you mean, a five-user pack of Norton Antivirus won't cover the entire hospital?!"

    "Senior management gets annoyed with passwords, so we don't use them, except with equipment that requires one, in which case it is '1-2-3-4-5'."

  • Frost, 13 Nov 2016 @ 12:23pm

    Well, what do you expect?

    It's capitalism. One very successful way to get more money, which means you get more freedom also, is to steal it. You can extort people, rob people or defraud people - and these are all done because there is strong incentive to do so.

    The system is innately broken as it encourages this kind of thing. It's everyone against everyone else, so again, why would anyone be surprised? Only by switching to a cooperation based social system where people have their needs met as a matter of course will we finally design crime away.

    That said, malware can be mitigated almost entirely. Just disable all Office documents that have unsigned macros, make it impossible for the mail app to open executables and disable Windows Scripting Host on the computer and you're malware proofed. If hospitals can't manage to do these things, they have incompetent admins or more likely highly incompetent leadership.

    And any equipment manufacturer who has a system that can be infected with malware should be sued into oblivion for failing to create a safe device.

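An administrator can check whether two of the settings named in the last comment above are in place on a Windows workstation with a read-only audit like the one below. This is an added example, not part of the comment or of the article; the function names are hypothetical, the Office paths assume Office 2016 or later (registry version key `16.0`), and mail-client attachment handling is not covered.

```powershell
# Added example: read-only audit; it changes nothing on the machine.
# Assumption: Office 2016 or later, whose policy keys live under "16.0".

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-MacroPolicy {
    # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all.
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $path  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $value = Get-RegValue -Path $path -Name 'VBAWarnings'
        [pscustomobject]@{
            Check = "$app blocks unsigned macros"
            Value = if ($null -eq $value) { '(not set)' } else { $value }
            Pass  = ($value -in 3, 4)
        }
    }
}

function Test-ScriptHostDisabled {
    # Windows Script Host is disabled when Enabled is 0; a missing value
    # leaves it enabled. Each hive is reported on its own row; precedence
    # between the two hives is not evaluated here.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path  = "$hive\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $value = Get-RegValue -Path $path -Name 'Enabled'
        [pscustomobject]@{
            Check = "Windows Script Host disabled ($hive)"
            Value = if ($null -eq $value) { '(not set)' } else { $value }
            Pass  = ([string]$value -eq '0')
        }
    }
}

@(Test-MacroPolicy) + @(Test-ScriptHostDisabled) | Format-Table -AutoSize
```

A row showing `(not set)` means no policy is enforcing that setting, so the application default applies.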

