
Ransomware takes Hollywood hospital offline, $3.6M demanded by attackers - tapp
http://www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-36m-demanded-by-attackers.html
======
heinrichf
Very interesting article about the subject from November 2015: It's Way Too
Easy to Hack the Hospital, [http://www.bloomberg.com/features/2015-hospital-hack/](http://www.bloomberg.com/features/2015-hospital-hack/)

~~~
logicrook
Hospital equipment is a sector where we need to push strongly for open
solutions. Besides their own security, they are putting people's lives in
danger. An informed citizen should have a way to check the running software
and that the equipment is working properly. An example is X-ray equipment. In
some cases, patients have been exposed to strong doses of radiation because
of malfunctioning equipment for more than 10 years. Nobody checked. And then
you add the risk of hacking.

~~~
stcredzero
_Hospital equipment is a sector where we need to push strongly for open
solutions. Besides their own security, they are putting people's lives in
danger._

It's a sector where there needs to be a push for software/hardware quality,
period! One of my former coworkers from years ago used to write software for
medical equipment. The software ran on the cheapest Windows boards the company
could find. There was no standardization apart from window dressing. The
attitude of management was to just get it out the door, and it would be fine.

------
rogersmith
The internet of things... what could possibly go wrong?

~~~
diego_moita
Very good point.

It reminds me of a comment from Usenet, long ago: "if your VCR is still
blinking 12:00 then Linux is not for you".

Most people playing with technology don't know what they're doing. Giving them
more power means giving them more danger.

~~~
logicrook
Basically every piece of hardware with a clock in my house is blinking, yet
I'm fine with Linux. The problem isn't that it's too hard to set, but usually
they will get unplugged at some point, and you have to set the clocks again.
It gets boring very fast.

~~~
ne0n
Somebody should make a simple alarm clock with wifi to sync time via NTP. I
guess once you open that can of worms, most alarm clocks add other features,
too.

~~~
viraptor
You don't need NTP. There are lots of clocks which can synchronise to a radio
signal, which is much easier and doesn't require an internet connection.

([https://en.wikipedia.org/wiki/Radio_clock](https://en.wikipedia.org/wiki/Radio_clock))

------
klunger
This was quite low, even for a ransomware attack. What's next, daycare
centers?

~~~
noxToken
How do you figure? If I'm targeting digital data for ransom, I'm going after
the easiest targets. I don't care if it's hospital records, an online obituary
guestbook, daycare records, a memorial Facebook account - anything that gives
me what I'm looking for. This goes doubly so given how notoriously insecure
(relatively speaking) hospitals are.

~~~
tzs
Even criminals tend to have some moral standards. They are not all complete
sociopaths. For instance, go to jail for murdering an adult male and you will
be accepted and perhaps even respected by other prisoners. Go to jail for
murdering a child and you will be despised and quite possibly abused by the
other prisoners.

~~~
stcredzero
_Even criminals tend to have some moral standards. They are not all complete
sociopaths._

I've met a lot of "techie-trash" who even outwardly portray themselves as
sociopathic, as if that made them seem smart and cool. Hell, I've been meeting
people like that since the 90's! (They are a very slim minority of the tech
populace, but their lack of self-awareness makes them tend to be very
visible.)

------
LoSboccacc
So who's gonna serve the HIPAA violation sentence?

~~~
viraptor
Why are you sure there was a HIPAA violation? HIPAA includes a disaster recovery
plan, which is what they should be doing now.

I guess it wasn't a great plan if it's a week in and they're still dealing
with it, but still...

~~~
LoSboccacc
Well, there are plenty of provisions under the security chapter. Funnily enough,
now that I look at it again (been a long time), it seems both 'accountability'
(tracking every media in and out) and 'protection from malicious software' are
not listed as required. Duh.

The emergency mode operation plan is however listed as required, and this
place was basically shut for a week.

I remembered it being more stringent than what it really is.

~~~
viraptor
Yes, I'd love for HIPAA to say: if we're talking about a medical centre,
you've got to be able to snapshot and reimage within X hours with data loss of
less than Y hours. One can dream...

~~~
15155
Part of the problem is that HIPAA must be easy for small private practices as
well as massive hospitals to follow.

Another standard may be needed for the larger businesses.

~~~
technofiend
Totally agree, but in 2016 that doesn't take much: spin up two instances in
different AWS datacenters and fail between them and you have Disaster
Recovery. Regularly operate in each datacenter and you have Sustained
Resiliency. A small business probably won't have staff to maintain such a
solution but surely this is a space for a nice niche startup?

~~~
otterley
> in 2016 that doesn't take much: spin up two instances in different AWS
> datacenters and fail between them and you have Disaster Recovery

Things that look simple on the surface are often not easy to implement in
practice - especially when you're not starting with a green field.

~~~
technofiend
Why am I not starting with a greenfield? In my example I did mention a niche
startup.

------
newobj
Frackin' toasters. The old man told us to keep those computers off the
network.

~~~
abrkn
"They're through the fourth firewall!"

[https://www.youtube.com/watch?v=cZnhzAo2Ozk](https://www.youtube.com/watch?v=cZnhzAo2Ozk)

------
bawana
Exactly what happened? Most hospitals use proprietary electronic medical
record systems. These are layered constructs of different networks requiring
different passwords and VPNs for their different functions. Is there an actual
URL that one can visit to verify this? Did the Internet Archive capture this
in a snapshot I can see? Or is this smack that a neighboring hospital is
pushing to capture market share in this era of declining reimbursements and
increasing regulation?

~~~
FLUX-YOU
Probably locked down the physical machines at the hospital.

> Most hospitals use proprietary electronic medical record systems. These are
> layered constructs of different networks requiring different passwords and
> VPNs for their different functions.

That's idealistic. Usually they're giant pieces of shit.

~~~
bawana
So really the data is unaffected. Just the OS on the client machines is borked
and throwing up a scare screen. If that is the case, they can 'just' reimage
the machines from backups. I agree, the EMRs are repurposed shit, but honed
to an incredibly complex and fine edge.

------
gaur
I'm sure they'll just pass the cost (either of the ransom, or of the missed
profits) onto the patients.

~~~
kristiandupont
...rather than, say, not pay nurses their salaries for a while?

~~~
gaur
Heaven forbid that top executives ever have to take a pay hit.

~~~
at-fates-hands
I never understood this attitude.

Most executives are either lifelong doctors, or worked their way up the
corporate ladder. I don't understand why people who work hard to get to these
positions are suddenly vilified as being somehow overpaid.

Take for example the CEO at Cedars-Sinai Health System in LA. The guy has
held his CEO position for 17 years and worked his way up through the ranks. He
also went to school and got an undergrad and master's degree. He started in
1979 as an assistant admin and took the top job in 1994. So after 15 years of
working his way up to CEO, he should somehow not be paid in accordance with
what other Health Care CEOs are getting paid?

If you want a villain, look at the system that's broken, or the government
regulations, but seriously, get off the executives' backs, for fuck's sake. They
aren't "gifted" CEO spots, they had to work hard to get there, and most have
done amazing things for the industry.

~~~
TACIXAT
I think the idea is that they can afford to take a hit on their income. A
nurse or patient doesn't have as much flexibility.

------
maratc
So instead of targeting random people in opportunistic attacks, the malware
writers had a very clear target here. It's like "spearansomware". I only
wonder why it took them so long to get to this idea.

~~~
ianlevesque
It didn't, they've been doing this to police departments for nearly a year at
least.

[http://www.darkreading.com/attacks-breaches/police-pay-off-r...](http://www.darkreading.com/attacks-breaches/police-pay-off-ransomware-operators-again/d/d-id/1319918)

------
sergers
Not sure if they are being specifically targeted, or hospital networks are
easy targets, but I work with a vendor who supports this hospital.

This is the 3rd major healthcare org hit with this in like the past 3 weeks. The
last one just got hit last week.

RIS/HIS/PACS/EHR/any systems all hit, with like 80-90% of network equipment
compromised.

------
JohnLeTigre
Wow, talk about a lack of morals. I wonder how many years he would get if he
is caught for endangering so many lives.

------
contingencies
Doesn't sound like a major hospital. The major hospital in Hollywood is
Cedars-Sinai, IIRC.

~~~
bkmartin
And that matters because? Real people needing real treatment are being
affected... Major hospital or not.

~~~
contingencies
It gives insight into the probable investment in, maturity and/or scale of
infrastructure. Unlike your emotional rah-rah there.

