This keeps happening and has been happening for several years now; why isn’t more being done to improve security and find the criminals? I can’t walk into a hospital with so much as a pocket knife because of physical security concerns, but cybercriminals keep taking down a new system seemingly every week, and this article says the software used has been seen for years now.
why isn’t more being done to improve security and find the criminals?
It is but Law Enforcement and Healthcare I.T. can’t keep up with the growing number of threats and threat actors. From the perspective of someone in Healthcare I.T. I’ve watched lots of money, time, and effort get spent on securing systems but it’s never quite enough and it never happens fast enough.
MFA all the things, HIPS on everything, EDR on everything, Zero Trust everything, regular patching of all systems, High End Firewalls, encrypt all the things, bi-annual security reviews, DNS Filtering, regular network sweeps for unknown or unmanaged equipment…and you can still end up getting whacked by a 0 Day exploit in a commercial helpdesk tool. (This is what got Change / Optum).
The criminals typically belong to overseas hacking groups, many of which are in places that Western Law Enforcement can’t reach like Russia, Belarus, China, and North Korea.
It’s a nearly impossible challenge and it’s never going to end as long as these systems have any path to the public internet.
The FBI et al. do try to find the guys. Arrests happen relatively frequently.
But security improvements don’t happen because they cost money, and nobody is making them do it, though this is slowly changing.
When permitting security failures costs more than preventing, then companies will do something.
Can I sue a company for inadequate data protections if my data is breached? I assume I would have to prove damages, and maybe that becomes harder if I can’t tie the victimization to a specific breach. And probably the terms of service make it harder, like I might have to use arbitration and can’t join a class action suit.
The healthcare industry has as much incentive as the financial industry to maintain a high security environment. Fines for exposing PHI can be astronomical if a large number of records are compromised.
This is a new cold war that we’ve been in for a while now. Government backed hacker groups from foreign nations are constantly targeting high profile organizations. Healthcare, Finance, and Government are three of the top targets.
I work in I.T. for a healthcare company. Ascension is a pretty large one. The bigger a company gets and the faster it grows, the more it takes on a diversity of varying technologies that all need to be managed, migrated, killed off, merged, hardened, etc. It’s a difficult job especially for healthcare. I know that the company I work for is working very hard to keep up with things, but it’s a logistical nightmare. You MUST have very smart people in charge that have the right priorities. You have to have information channels open to make sure administration knows what the potential issues are. Compartmentalization of information and access. There are so many potential points of failure it’s insane. And then there’s the most important thing of all: making sure all employees are educated enough that they don’t let their credentials get compromised.
Things are getting worse in general because of how hard it is to stay on top of everything nowadays. I just recently got a couple of letters in the mail about my info being leaked by some companies that had my info. I just have to do my part to stay on top of my own responsibilities, watch my own identity and finances, and make sure those around me are being secure, as well. Everybody needs to know how important this is, and many do, but I don’t think enough people really understand or make it a priority.
HHS is instituting new rules for healthcare (and other industries) to help track and respond to these things. The government is getting very involved with this now. I hope it helps.
I’m in IT in a healthcare-adjacent sector. Never underestimate the motivation or tenacity of foreign state actors, organized crime and chaotic neutral hacking collectives. You have limited time and budget, and both financial and risk based approval processes to deal with. They have time, ideology¹, and financial incentives.
You can’t win in the face of that.
¹ sometimes it’s hacking for hackings sake, but more typically it’s to disrupt critical services and extort modest capital to go away. Rinse, repeat, make that bank on volume.
Fixing the issue doesn’t line the pockets of investors. People aren’t going to stop going to the hospital, so why fix it?
Fixing the issue doesn’t line the pockets of investors.
Yeah it does. Cyber Security companies are making tons of money selling things like EDR, High End Firewalls, DNS Filtering, MFA, and so on. Healthcare Institutions are buying the stuff but none of it is enough.
It’s the age old race of Arms vs Armorer.
If a hospital can’t operate because some asshole was able to remotely hack it bad enough to basically shut it down, we might need to rethink how things are run.
They can operate, just slower. Life threatening gets priority, the rest are diverted to nearby hospitals.
Think of when your gps shuts down. You can navigate by paper map, just slower and you need to pay more attention to avoid mistakes.
This also doesn’t just happen and is apparent. They probably spent way too much time trying to fix the problem before diverting to older ways while the problem is being diagnosed and fixed.
Some hospital networks just continue to operate slower to the detriment of their patients and just lie to everyone so that nobody finds out they were hacked.
Happened in Germany recently. They could continue to operate since everything is still backed up in paper, but everything went slower and new emergency patients couldn’t be accepted.
It is shocking that the digital level of the hospitals is still in the 70s.
It is about funding. The corners IT has to cut is because lack of money.
Also the amount of legacy operating system to keep hardware like scanners running is a lot. Medical devices are delivered with a workstation that never updates. It is hard to justify buying a new mri of 1.5 million when the accompanied workstation is outdated.
Sure you can vlan and firewall the hell out of it. But they still have a large attack surface.
The whole health care sector is capitalism and it should be government lead.
And also that many contracts to improve on IT are performed by the lowest bidder.
This is the best summary I could come up with:
Downtime procedures are typically when health providers revert to backup processes, including paper records, that allow them to care for patients when computers are down.
Four sources briefed on the investigation told CNN that Ascension suffered a ransomware attack, in which cybercriminals typically try to lock computers and steal data for extortion.
Those sources said that the type of ransomware used in the hack is known as Black Basta, which hackers have used repeatedly to attack health care organizations in recent years.
Senior US officials have been in repeated contact with Ascension CEO Joseph Impicciche since the ransomware attack to understand how the hack might impact patient care, two sources familiar with the matter told CNN.
“We are actively supporting our ministries as they continue to provide safe, patient care with established downtime protocols and procedures, in which our workforce is well trained,” Ascension said in its statement Thursday evening.
It’s only the latest major hacking incident that has hobbled a big US health care network and sent US officials scrambling to offer support.
The original article contains 495 words, the summary contains 174 words. Saved 65%. I’m a bot and I’m open source!