Hospital equipment is a sector where we need to push strongly for open solutions.
Besides their own security, they are putting people's lives in danger.
An informed citizen should have a way to check the running software and that the equipment is working properly. An example is X-ray equipment. In some cases, patients have been exposed to strong doses of radiation because of malfunctioning equipment for more than 10 years. Nobody checked. And then you add the risk of hacking.
> Hospital equipment is a sector where we need to push strongly for open solutions. Besides their own security, they are putting people's lives in danger.
It's a sector where there needs to be a push for software/hardware quality, period! One of my former coworkers from years ago used to write software for medical equipment. The software ran on the cheapest Windows boards the company could find. There was no standardization apart from window dressing. Attitude of management was to just get it out the door, and it would be fine.
Having worked in hospitals doing network security: They are terribly insecure. They really are a prime example of bad bureaucracy and proprietary software making everything horrible, despite the best of intentions.
This goes beyond network security. Most hospital systems, including hardware and software, are insecure. One of the main reasons for this is that hospital staff, especially doctors and nurses, tend to be atrociously bad at technology. One hospital we used to work with had removed passwords on their EMR software for all users because the chief of surgery always forgot his. Their reasoning was that inability to remember passwords slowed people down, and the EMR software was "internal anyway", so what could be the worst-case scenario of not having passwords?
Well, there are two sides to this. You can say they're bad at technology, but why hasn't technology made it possible to sign in with voice recognition or some other speedy and foolproof method? I don't want a doctor switching her attention from diagnostic and treatment questions (which, let us not forget, are rather complicated and challenging in their own right, especially in an urgent care situation) in order to comply with some absent programmer's idea of how security ought to work. Why is typing in a password considered the only acceptable method of system access, given the fact of physical hospital security and so on? Why do technologists like yourself think everyone else should adapt to your standards rather than inventing something that meets the particular needs and circumstances of the clients?
> One of the main reasons for this is that hospital staff, especially doctors and nurses, tend to be atrociously bad at technology.
I remember that med students were early adopters of ePocrates in the Palm PDA era. I think it's more that they are atrociously bad at technology, unless it's particularly useful to them.
> inability to remember passwords slowed people down
It would slow people down a lot. Someone needs to sell some sort of zero effort authentication technology for hospitals. (One where a supervising nurse could quickly auth the chief of surgery, because that sort of guy is going to forget his token/device.)
Basically every piece of hardware with a clock in my house is blinking, yet I'm fine with Linux. The problem isn't that it's too hard to set, but usually they will get unplugged at some point, and you have to set the clocks again. It gets boring very fast.
Somebody should make a simple alarm clock with wifi to sync time via NTP. I guess once you open that can of worms, most alarm clocks add other features, too.
How do you figure? If I'm targeting digital data for ransom, I'm going after the easiest targets. I don't care if it's hospital records, online obituary guestbook, daycare records, a memorial Facebook account - anything that gives me what I'm looking for. This goes doubly so for how notoriously insecure (relatively speaking) hospitals are.
Even criminals tend to have some moral standards. They are not all complete sociopaths. For instance, go to jail for murdering an adult male and you will be accepted and perhaps even respected by other prisoners. Go to jail for murdering a child and you will be despised and quite possibly abused by the other prisoners.
> Even criminals tend to have some moral standards. They are not all complete sociopaths.
I've met a lot of "techie-trash" who even outwardly portray themselves as sociopathic, as if that made them seem smart and cool. Hell, I've been meeting people like that since the 90's! (They are a very slim minority of the tech populace, but their lack of self-awareness makes them tend to be very visible.)
HIPAA does require a lot of security. Having been a HIPAA architect, in reality no one in the industry cares since few are ever even accused of anything much less convicted. It's a toothless gums law.
Well, there are plenty of provisions under the security chapter; funnily enough, now that I look at it again (been a long time), it seems both 'accountability' (tracking every media in and out) and 'protection from malicious software' are not listed as required. Duh.
The emergency mode operation plan is however listed as required, and this place was basically shut for a week.
I remembered it being more stringent than what it really is.
Yes, I'd love for HIPAA to say: if we're talking about a medical centre, you've got to be able to snapshot and reimage within X hours with data loss of less than Y hours. One can dream...
Totally agree, but in 2016 that doesn't take much: spin up two instances in different AWS datacenters and fail between them and you have Disaster Recovery. Regularly operate in each datacenter and you have Sustained Resiliency. A small business probably won't have staff to maintain such a solution but surely this is a space for a nice niche startup?
Assuming it's CryptoLocker style malware, they're probably one of the few hospitals fully satisfying the encryption requirements of HIPAA at the moment.
Exactly what happened? Most hospitals use proprietary electronic medical record systems. These are layered constructs of different networks requiring different passwords and VPNs for their different functions. Is there an actual url that one can visit to verify this? Did the internet archive capture this in a snapshot I can see? Or is this smack that a neighboring hospital is pushing to capture market share in this era of declining reimbursements and increasing regulation?
Probably locked down the physical machines at the hospital.
>Most hospitals use proprietary electronic medical record systems. These are layered constructs of different networks requiring different passwords and VPNs for their different functions.
That's idealistic. Usually they're giant pieces of shit.
So really the data is unaffected. Just the OS on the client machines is borked and throwing up a scare screen. If that is the case, they can 'just' reimage the machines from backups. I agree, the EMRs are repurposed shit, but honed to an incredibly complex and fine edge.
Most executives are either lifelong doctors, or worked their way up the corporate ladder. I don't understand why people who work hard to get to these positions are suddenly vilified as being somehow overpaid?
Take for example the CEO at Cedars-Sinai Health System in LA. The guy has held his CEO position for 17 years and worked his way up through the ranks. He also went to school and got an undergrad and a master's degree. He started in 1979 as an assistant admin and took the top job in 1994. So after 15 years of working his way up to CEO, he should somehow not be paid in accordance with what other health care CEOs are getting paid?
If you want a villain, look at the system that's broken, or the government regulations, but seriously, get off the executives' backs, for fuck's sake. They aren't "gifted" CEO spots, they had to work hard to get there, and most have done amazing things for the industry.
So instead of targeting random people in opportunistic attacks, the malware writers had a very clear target here. It's like "spearansomware". I only wonder why it took them so long to get to this idea.