Patients of a Vermont Hospital Are Left 'in the Dark' After a Cyberattack (nytimes.com)
A wave of damaging attacks on hospitals upended the lives of patients with cancer and other ailments. From a report: At lunchtime on Oct. 28, Colleen Cargill was in the cancer center at the University of Vermont Medical Center, preparing patients for their chemotherapy infusions. A new patient will sometimes be teary and frightened, but the nurses try to make it welcoming, offering trail mix and a warm blanket, a seat with a view of a garden. Then they work with extreme precision: checking platelet and white blood cell counts, measuring each dosage to a milligram per square foot of body area, before settling the person into a port and hooking them up to an IV. That day, though, Ms. Cargill did a double-take: When she tried to log in to her work station, it booted her out. Then it happened again. She turned to the system of pneumatic tubes used to transport lab work. What she saw there was a red caution symbol, a circle with a cross. She walked to the backup computer. It was down, too.
"I wasn't panicky," she said, "and then I noticed my cordless phone didn't work." That was, she said, the beginning of the worst 10 days of her career. Cyberattacks on America's health systems have become their own kind of pandemic over the past year as Russian cybercriminals have shut down clinical trials and treatment studies for the coronavirus vaccine and cut off hospitals' access to patient records, demanding multimillion-dollar ransoms for their return. Complicating the response, President Trump last week fired Christopher Krebs, the director of CISA, the cybersecurity agency responsible for defending critical systems, including hospitals and elections, against cyberattacks, after Mr. Krebs disputed Mr. Trump's baseless claims of voter fraud. The attacks have largely unfolded in private, as hospitals scramble to restore their systems -- or to quietly pay the ransom -- without releasing information that could compromise an F.B.I. investigation. [...] The latest wave of attacks, which hit about a dozen hospitals in the United States, was believed to have been conducted by a particularly powerful group of Russian-speaking hackers that deployed ransomware via TrickBot, a vast network of infected computers used for cyberattacks, according to security researchers who are tracking the attacks.
Fact: (Score:5, Interesting)
Any malicious action that shuts down a hospital should be investigated as terrorism, attempted murder, and murder if a death occurs.
But but but that's manslau-
There is no such thing as an accidental attack on a hospital, same way there's no such thing as an accident with a gun.
Re:Fact: (Score:5, Interesting)
We've had the means and the know-how to avoid this for at least 15-20 years. Instant daily/hourly diff snapshots replicated (via pulling) to remote machines. Run as much as you can on a server accessed via web browser. If Windows software is required, it should be storing data only on NASes (that do the snapshots) and the actual Windows installation should be cloned from an image daily (or on demand). I understand this is oversimplified but it is the general gist of it.
Re:Fact: (Score:5, Insightful)
Problem is there is no economic incentive to do that. It costs money and has no ROI most of the time. When a hack does happen the hospital is the victim and won't be liable because they were taking the same precautions as everyone else, industry standard practice.
Re:Fact: (Score:5, Insightful)
They never spend enough even when they appear to have an incentive.
I worked with a client who implemented the parent posters' concept using well-known enterprise data protection systems *after* they had their own cryptolocker infection. Hourly(?) incremental backups replicated off site and then stored in storage vault, which only does incremental pulls.
Since they run production from leased racks, they used their on-site data center as the offsite replication location. It was a fucking joke, two obsolete air conditioners which were both broken, a whole-room hardwired UPS, also broken, and none of it they planned to fix. It just baffled me they went 75% of the way to ensuring their uptime and then stopped because the rest was too expensive.
Re:Fact: (Score:5, Insightful)
That's how management works. Do the bare minimum to cover their arses and then stop. Anything more is waste in their minds and they don't want to have to justify it. If it goes wrong they have a scapegoat lined up.
Re: (Score:2)
Three weeks? Good God. Back in 2016 one of our remote sites got hit with ransomware and it took me all of 15 minutes to restore ~30,000 VM server files from a backup host that's mostly off-net. And this is a retail company that largely underspends on technology here...
Re: (Score:2)
And how do you restore files to a server/computer without first making sure to contain the spread of the ransomware?
It takes more than 15 minutes to re-image a single computer.
Re: Fact: (Score:2)
ROI isn't the driver for change in this instance. Hospitals will be forced to modernize as part of their license to operate pretty soon. Underinvested IT services and skillsets will be forced out of the hospital setting. I suspect much of the funding will also come from Federal Government.
Re:Fact: (Score:4, Insightful)
Consider for example resource costs on the system for your suggestion. Now add to this the complexity of security requirements on relevant data. Now add to this the training for medical personnel. Now add to this the downtime caused by added complexity.
And now consider that these places need to work 24/7/365. And you arrive at the current conundrum. The costs associated with doing what you suggest become utterly astronomical. Which is the costs that will have to be run from the same budget that is used to hire doctors and nurses, get actual medical hardware, medicines and so on. And health costs are already rapidly outpacing ability to pay in single payer systems due to combination of rapidly ageing population and medical advances that extend life during the period of extreme degradation of human body.
Re: (Score:3)
Increasing the cost of things does not, in fact, control their price.
It is, however, cute that you think you can legislate the costs of doing things, just like you probably think you can legislate the value of pi.
Re: (Score:2)
Much lower as a whole. Consider how much it costs to pay ransom for a couple of hospitals a year nationwide vs upgrading all hospitals in the nation to security standards being talked about.
There are a lot more zeroes at the end of the cost valuation of latter than the former.
Re: (Score:3)
Fat chance Putin's Poodle will authorize any significant retribution for these attacks.
Re:Fact: (Score:5, Interesting)
The problem is furthered by the fact that most such criminals reside in countries where such attack may not even be prosecutable for wide variety of reasons.
A good example here would be Russia, where after a while, Russian authorities figured out that they could use FBI's request for assistance as a recruitment tool for the state's cybersecurity apparatus. To be fair, that's what US did for a long time internally, so it's not like they're original in this regard.
Re: (Score:3)
Indeed, but using weapons of mass unaccountability means that Russia is setting themselves up for tit-for-tat. All it takes is a group less moral than them.
Re:Fact: (Score:4, Interesting)
That's one way to put it. Putin's party got voted out in the second string of towns going down the Trans-Siberian railway in favour of LDPR. That's the opposition party that campaigns on the platform of current government and president being far too soft on the West.
Russians are hard people, used to being attacked from all sides. And used to the fact that if they give an inch, they get invaded yet again. There's a reason why they're pretty much the most invaded nation on the planet. The geography is a thing of nightmares from security perspective. Remember that the origin of the word "slave" in English comes from Slavic peoples. Primarily Russians at the time, as that was the time of the Golden Horde's dominance over modern Russia.
Re:Fact: (Score:4, Insightful)
>others have embraced the nationalism and paranoia espoused by the Kremlin.
That's not what current government espouses however. It is not even what LDPR espouses. It is what much of Western propaganda apparatus likes to tell us, but if you were fluent in Russian like I am, you'd know that is as much of a nonsense as them quoting that Russian official in Crimea after the vote that he said vote participation was 120% in subtitles. All while I can hear the original numbers being actually uttered being completely different.
For example, this claim
>Western governments have done a poor job of communicating to the Russian people directly that no one wants to invade the Russian motherland.
Is utter nonsense. Geopolitically, Russia is too dangerous for the West. Strategically, from the point of view of much of Eastern Europe, every European major and US it must be partitioned if at all possible to weaken it to more manageable levels and remove security synergies created by the internal alliance within Russia between the industrialized North-West, the agricultural South-West and the resource rich Siberia and Far East. After breakup of USSR, the worst kept secret for those who actually cared to look were the massive US efforts to push the fracture further, and split Russia itself into smaller parts. For example, it was very visible in support for Chechen rebels, which were aggressively supplied by CIA through Turkey for a decade until Russian intelligence successfully bribed Chechen elements at the end of second Chechen war to see more value in remaining in Russia. And for most Russians alive today, that is a living memory. And while intellectually, most people probably don't understand, that's what cultural knowledge is about. It makes you inherently understand how to respond in a historically correct way, even if you don't know why you're driven to this response. It's why Americans constantly have to fight between the two competing impulses of maintaining world hegemony and going into the natural isolationism. The former is the intellectual impulse. The latter is a cultural one, based on the geographic realities of US being one of the safest nations on the planet. US doesn't really need the rest of the world, and investment in it is massive from US point of view.
And for Russians, they understand that they're in their usual position. Under siege from all sides. It's what Russians consider normal, something that is very hard to comprehend for most Westerners. Pretty much the only people I can think of that are on our side in this that understand this mentality are Poles. They're about as invaded of a nation as Russians, and about as geographically insecure. And that shows in their behaviour, which is just as if not more "nationalist and paranoid" than Russians. Because that's what they have to be to survive. The moment Russians and Poles start being less nationalistic and paranoid is historically the moment their civilization is conquered yet again.
It's why Russians instinctively push. They know that because of nightmare that is their geography, if they stop pushing, their neighbours, be they Europeans, Americans, Japanese, Chinese or Turks will have a new Chechnya or two ready to go. Because to their neighbours, strong Russia is an existential threat because it has to push to guarantee its security.
And considering their near terminal demographics, chances are that this time they won't be able to stop it. So they must push harder, and they must push while they still can.
And so they act like a nation pushed into a corner by enemies from all sides has to act to survive the next fifty years intact. They turtle up and create barriers from likely directions of approach to give themselves a fighting chance. Current government, unlike Western propaganda likes to paint them is mostly Western liberals in terms of policy. They're far more liberal and Western-minded than most Russians at their core, because the current government comes from the clique of people from St. Petersburg. T
Re: (Score:1)
Putin is more interested in poking around in foreign endeavors than building up the economy. Having a strong economy is another way to avoid being invaded.
Re: (Score:2)
That's more of a silly narrative. Russia cannot have a "strong economy" because of what happened in the 1990s. When it was promised massive investments by West in exchange for Yeltsin surrendering economic control. These promises were reneged on, as you can read in memoirs of people who were sent from the West to actually integrate new Russian Federation into Western European economy, resulting in massive brain and technology drain from Russia that crippled them economically for two decades. Not to mention
Re: (Score:1)
Some of your "history" appears tainted there. But anyhow, sanctions would be lifted if Putin stops screwing around. US has no desire to screw with countries who mind their own business, we have our hands full with problem nations.
Democracies tend to be tamer, but Putin undermined democracy and free press in Russia.
Re: (Score:2)
>Some of your "history" appears tainted there.
"You disagree with me, therefore I'll use scary, evil sounding words that mean nothing to accuse you of something that cannot be defined, so you cannot defend yourself". Not a good start for an argument, poisoning the well like this.
>But anyhow, sanctions would be lifted if Putin stops screwing around.
At what point in history were old Soviet sanctions lifted on the new state of Russian Federation? What did Yeltsin in his near total surrender of economy to
Re: (Score:2)
All of this overlooks one simple fact:
Nukes make these kind of major wars utterly impossible. As long as Russia has nukes, no one will invade them.
The cultural memory is irrational.
Re: (Score:2)
This shows deep lack of understanding of how MAD functions.
Go back in history a bit and remember that Sino-Soviet conflict happened. Remind yourself that ultimate outcome of that conflict was in fact Russian Federation ending up ceding the islands in question about ten years ago. Then dig a bit deeper, and realise that Chechnya happened twice. With full support from CIA channelled via Turkey.
MAD holds against full on world scale warfare. It does not hold against regionally constrained, heavily localised wa
Re: (Score:2)
igniting civil war within your enemy.
As far as I am concerned that is exactly what Russia tries to do to the US.
Re: (Score:2)
Of course. Russians can't just stand by and not go on offensive after decades of US efforts to ignite a civil war within Russia proper. That's my point. MAD doesn't stop covert efforts.
US pushed Chechnya on Russians for a decade and then some, and it's still an open wound for many Russians. It would be shocking if this wouldn't result in strong desire for revenge. Consider the US reaction after twin towers, then google "Beslan". Empires do seek vengeance over things like that. And MAD only stops the full on
Re: (Score:2)
You seem to think that Russians are the ones who started it. Whereas in reality, the original cyberattack was committed by US against Soviet gas pipeline in Russia back in 1982, when CIA successfully planted software in turbine control equipment modules that caused the pipeline to explode with what is the biggest non-nuclear man made explosion to ever occur.
Reagan wrote about this event in his memoirs.
Re: (Score:3)
As the saying goes, it's not who "starts it" but who finishes it, and continuing the behavior will just encourage others to finish it*.
*Targeting industries like healthcare would be tantamount to blowing up schools. There's just some lines that shouldn't be crossed, even in war.
Re: (Score:2)
False assumption: targeted nature of the ransomware attacks. Almost all of them are not targeted, but opportunistic.
Re: (Score:2)
Mod parent up.
Re: (Score:1)
The actual people responsible would be tax payers for refusing to elect people who would massively increase the tax burden, so such vulnerabilities could be addressed while still being able to meet the primary functions of medical system that are already stretched to the limit of their ability in places like Canada due to ageing of population.
Re: (Score:3)
yes, and the culprits should be brought to justice... so go get the hospital administrators who let their systems be vulnerable! They are the ones who didn't budget their IT department to make sure such an attack would never happen or would have minimal impact...
Limiting the impact is to do when every operating system update to at least some systems requires the whole system to go through FDA-approval again, which takes months. Government regulation is often part of the problem, ironically. The cost of compliance greatly exceeds the cost of a complete systems loss.
I'm not sure what the solution is, but ensuring that the cybercriminals are immediately captured or killed must be the first step, to send a message to anyone else who might think about committing such
Re: Fact: (Score:2)
>I'm not sure what the solution is
I am: Outlaw Cryptocurrency worldwide.
That may not completely eliminate it; but it will reduce it to a millionth of what it is now.
Re:Fact: (Score:5, Insightful)
Fact: most of the time, ransomware criminals don't even know who will end up being infected. Theirs is the ultimate scattershot approach, with opportunistic infections being the primary method of getting into the systems.
Doesn't take away from seriousness of the crime, but pretending something is different from what it is isn't going to help solving the problem. It's only going to hurt it.
Re:Fact: (Score:4, Interesting)
And that's why if you're pulling these crimes, you don't destroy the system until you know who it belongs to. Pull the data, and if you start seeing medical records, disable your attacks and walk away. No one ever has to know, and nobody has to die.
If an attacker isn't willing to do that, then as far as I'm concerned, it is no different than if that person attacked the hospital deliberately. The attacker is a terrorist attempting to commit mass murder.
Re: (Score:2)
There are few people who don't make stupid conclusions in anger. And your conclusions suggest that you're utterly furious.
Because if they actually wanted to "commit mass murder", they wouldn't want to ransom the system's encryption keys back to you. In most cases, these people literally have no idea who will be the one to install their software. It's why sums being asked are often chump change for large organisations compared to how much it would cost to do full system recovery, and why most appear to pay r
Re: (Score:2)
>There are few people who don't make stupid conclusions in anger. And your conclusions suggest that you're utterly furious.
>Because if they actually wanted to "commit mass murder", they wouldn't want to ransom the system's encryption keys back to you.
Their intent actually doesn't matter in this case. If you go into a store with a loaded gun and intend to rob the place, but in the process, somebody gets shot and dies, you will be charged with murder 2, because you showed reckless disregard for human life. So from a legal perspective, what I said is correct: If the attacker does not show even a modicum of concern for human life in their attacks, they can and should legally be treated like their intent was to commit murder. That's what the law says. I
Re: (Score:2)
>somebody gets shot and dies, you will be charged with murder 2, because you showed reckless disregard for human life
Why are you charged with murder 2 and not murder 1? Because intent matters.
Re: (Score:2)
>somebody gets shot and dies, you will be charged with murder 2, because you showed reckless disregard for human life
>Why are you charged with murder 2 and not murder 1? Because intent matters.
Second degree is the best-case scenario. In all but six states, it is murder 1. And either way, it is still murder.
Re: (Score:2)
Notice how you didn't answer my question, because to answer it would require debunking your previous assertion.
Re: (Score:2)
Yes, I concede that intent matters in six states out of fifty plus the District of Columbia.
Re: (Score:2)
In those states is it possible to get a different punishment even if accusation is under the same specific legal formulation, because even within that specific legal formulation, there is a significant range of punishment depending on factors like intent?
Re: (Score:3)
"Any malicious action that shuts down a hospital should be investigated as terrorism, attempted murder, and murder if a death occurs."
I guess you mean the administrators who refuse to replace these Windows95 and XP computers?
Re: (Score:2)
Specifically, it's Felony Murder [wikipedia.org].
Felony Murder doesn't require intent to kill, just a death that happens during a Felony.
There's a special place in hell for people who carry out ransomware attacks. It's a very special place in hell when they hit a hospital.
Re: (Score:2)
Yes, if you're committing a felony and someone dies, everyone involved in it can be charged and convicted for murder in varying degrees, including first degree + death penalty. Crimes that cross state lines or international borders are a very different beast with sharper fangs. Firing a bullet from Canada to America will get just as much heat on your ass as firing it from Tennessee to Kentucky.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Just block cryptocurrency exchanges (Score:2, Interesting)
Block cryptocurrency exchanges from electronic banking, cryptocurrency dies and ransomware dies.
Win win.
Just the facts ma'am. (Score:1)
Units? (Score:2, Funny)
They're doing it wrong.
Re: (Score:3)
Go easy on them, it can't be fun having square feet.
Corrupt Vermont (Score:5, Informative)
Re: (Score:1)
Sad reality is that you get what you vote for in nations where you get to elect your leaders. Most people don't really care about these things until they get experience like yours. But they might care about weed.
And frankly, would you want to work for such an organisation if you were an IT professional who is actually competent?
Re: (Score:2)
I don't understand the question. Kindly rephrase it?
Re: (Score:2)
It's a statement. For those that voted for something different, the blame game doesn't work, even if they had to suffer under the same consequences as those who did.
Re: (Score:3)
The entire point of democracy is that everybody who's enfranchised gets a vote. And as a result, everybody who's enfranchised accepts the result as legitimate even if it isn't one they voted for.
Re: (Score:3)
Vermont has a low population and for a northeastern state a low population density.
This makes finding IT workers difficult, which then causes them to outsource, which then makes it difficult for IT workers in or near Vermont to find work there. So any people with IT skills will go to New York, or Massachusetts.
This is more than just normal IT Grunt workers, but Experienced IT Managers, who know how to deal with vendors and consultants, and propose an actual solution to the organization vs just letting some
The hackers should be done for murder (Score:3)
... if a patient dies, but just as important the hospital management and IT staff should be charged with death by negligence or whatever it's called in the US. It's about time the complacency of operators of critical civilian computer systems were given a hard kick up the arse.
Re: (Score:1)
The military has an almost unlimited budget, and when they want more, they can just ask the feds for another handout, and they get it no questions asked.
Hospitals, not so much. Most hospitals run on a shoe-string budget, and many barely manage to continue to scrape along. (and many don't, and close)
There is no way hospitals can afford to protect their systems like the military does, unless the government gives them a budget to support it like they give the military. The trend, however, seems to be going
Re: (Score:2)
You know (or should know) that in most of the US there is no longer anything like "unlimited malpractice suits." Many if not most states have enacted liability limits for medical malpractice. In addition, most medical practices and hospitals have terms of service similar to software, banning class actions and forcing most disputes into individual arbitration. The insurance companies in the malpractice field have made sure such laws and terms are in place.
That's not to say that hospitals (especially) and med
here's a question (Score:5, Insightful)
why do these systems even need internet access ?
Re: (Score:2)
>why do these systems even need internet access ?
A lot of them don't, but they need access to some other system in the same network. Pull on the thread long enough and you'll find some place on the system that does need Internet access. That's the entry point.
Re: (Score:2)
"I wasn't panicky," she said, "and then I noticed my cordless phone didn't work."
Sounds like they were knee-deep in it if the cordless phone didn't work.
Re: (Score:2)
When you see "cordless phone" in this kind of story, you have to understand that it's usually not "cell phone." It's literally a cordless phone connected to a base station then a PBX for internal communication and through that to POTS. Most of those systems are digital. If connected to the intranet or internet, it's vulnerable and probably not as well protected as the hospital's servers.
Re: (Score:2)
Most of the tenants in
Re: (Score:2)
I use Kaiser. They've had mainframe-based patient records for decades. Windows interfaces on that have been more common in recent (maybe 10) years. And they do have fairly strict protocols; doctors never leave a screen open longer than needed to look up and/or enter data. My doctor only needs to hit one key or mouse click to blank the screen after which a new login is required, and it'll time out in only a few minutes anyway (sometimes requiring re-login during an office visit). Not sure how well they're is
Why? Really, why? (Score:4, Insightful)
Can anyone explain to me why these systems which control chemo-therapy were not isolated from the internet or random USB drives (whatever the attack vector was)? Even if the system needs to transfer data from another location, is it really that difficult to isolate them? Heck, send the patient files via serial port between an internet gateway and the internal system, using a very strict protocol, so worst case the internet gateway is corrupted and no new files can be transferred until the gateway is restored, but the internal network remains untouched. Do some basic threat modeling of the system and draw some clear trust boundaries, internal network should be separate from anything accessible from the internet, and any data transfers across that trust boundary should be scrutinized, secured and authenticated - no "oh, just send a query to the database on the internet" bullshit. How many ransomware attacks will it take for the designers of these systems to take security seriously? Stop connecting everything to the internet because it's easy.
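The "very strict protocol" across a trust boundary that the post above argues for, sketched as an added example (it is not part of the original comment or of any hospital's system): the internal receiver accepts only fixed-layout frames whose tag, sequence number and every field pass an allow-list. The frame layout, field names and demo key are assumptions made for illustration; the key is assumed to be held by the originating records system and the receiver, not by the internet-facing gateway that relays the frames.

```python
import hashlib
import hmac
import re
import struct

# Assumed frame layout (hypothetical, for illustration only):
#   magic "RX" | version | sequence number | payload length | payload | HMAC-SHA256 tag
HEADER = struct.Struct(">2sBIH")
MAGIC, VERSION, MAX_PAYLOAD, TAG_LEN = b"RX", 1, 256, 32
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Allow-list of fields and the exact shape each value must have (hypothetical names).
FIELD_RULES = {
    "patient_id": re.compile(r"[0-9]{8}"),
    "drug": re.compile(r"[A-Z]{3,16}"),
    "dose_mg": re.compile(r"[0-9]{1,4}"),
}


class Rejected(Exception):
    """Raised for any frame the internal side refuses to process."""


def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def build_frame(key, seq, fields):
    """Sender side: the records system that owns the key, not the gateway."""
    payload = ";".join(f"{name}={fields[name]}" for name in FIELD_RULES).encode("ascii")
    header = HEADER.pack(MAGIC, VERSION, seq, len(payload))
    return header + payload + _tag(key, header + payload)


def parse_payload(payload):
    """Accept exactly the allow-listed fields, each matching its pattern, once."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII payload")
    fields = {}
    for part in text.split(";"):
        name, sep, value = part.partition("=")
        if not sep or name not in FIELD_RULES or name in fields:
            raise Rejected("unexpected field")
        if not FIELD_RULES[name].fullmatch(value):
            raise Rejected(f"bad value for {name}")
        fields[name] = value
    if fields.keys() != FIELD_RULES.keys():
        raise Rejected("missing field")
    return fields


class Receiver:
    """Internal-network side of the boundary; it never sends queries outward."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            raise Rejected("short frame")
        magic, version, seq, length = HEADER.unpack_from(frame)
        if magic != MAGIC or version != VERSION:
            raise Rejected("unknown frame type")
        if length > MAX_PAYLOAD or len(frame) != HEADER.size + length + TAG_LEN:
            raise Rejected("length mismatch")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Authenticate before interpreting any payload byte.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            raise Rejected("bad authentication tag")
        if seq <= self.last_seq:
            raise Rejected("replayed or out-of-order sequence")
        fields = parse_payload(body[HEADER.size:])
        self.last_seq = seq  # only advance once the whole frame was accepted
        return fields


def try_accept(receiver, frame):
    """Return ("ok", fields) or ("rejected", reason) instead of raising."""
    try:
        return ("ok", receiver.accept(frame))
    except Rejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    rx = Receiver(DEMO_KEY)
    order = {"patient_id": "00012345", "drug": "CISPLATIN", "dose_mg": "75"}  # constructed
    frame = build_frame(DEMO_KEY, 1, order)
    print(try_accept(rx, frame))   # accepted
    print(try_accept(rx, frame))   # same frame again: rejected as a replay
```

A corrupted gateway in this arrangement can drop or delay frames but cannot forge or alter one that the receiver will accept.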
Re:Why? Really, why? (Score:4, Insightful)
I heard numbnut comments like this all the time. The answer is simple, systems are more valuable and useful when they are networked.
Limiting their ability to network detracts from their value. For instance a networked chemo-regulator can check if the dose of medicine is correct and that the patient is not allergic to the medicine and also that he's the right patient.
Schmucks who think that isolated networks add value are morons.
Re:Why? Really, why? (Score:4, Interesting)
And getting hacked does not detract from their value? Putting a lock on a home front door also detracts from usability value, but nobody will argue that locks make the home less valuable.
Your answer sounds like one of those managers who thinks they know everything and assign absolutely zero value to cybersecurity because it's something they cannot themselves see or understand (Oh look! We enforce "strong" passwords for all staff who logs in, we are unhackable!), and assume that customers don't get it either (which sadly often they don't, until a breach hits them financially).
Properly securing a network does not need to limit its functionality. All the information such networks need can be clearly identified and their transmission secured (and the information itself, such as allergy information can and should also be authenticated). Sure, it takes more effort to do this than just issue an SQL query to a database with a password which never changes (so you can hardcode it in your scripts) or no password at all (even easier, less problems getting it to work), but that is the cost of security.
Let's see how valuable those networks are after you subtract the costs of cyber attacks. Economics will show us who is right. Or, if governments of the world mandate hacking/ransom insurance, the insurance companies will calculate precisely what the cost of not securing your network is.
Re: (Score:1)
Or perhaps have been members of organizations under active, persistent attack by nation states. Isolating from the Internet, and having only low-bandwidth, passive data connections (like Kermit or CD sneakernet -- nothing USB, think about it) is inconvenient for sure, but certainly doable
Re: (Score:2)
That's just crazy talk. A nurse workstation in a chemo ward doesn't need internet access. It doesn't need to talk to other workstations. It doesn't need very many things each of which is a small security risk. All it needs is to be able to read patient records for the day's patients and access to essential patient related systems such as medication inventory management and a scheduling interface.
You can allow unlimited internet access from machines you manage, but leave healthcare alone. You would just get peo
Re: (Score:2)
Most of the software in hospitals is running in some kind of client-server setup. The application on the workstation communicates with the application server, which probably communicates with a database server, interface server, and possibly a web server. Some of those servers may be combined depending on load and how granular your virtualization is or just how the vendor licenses things. There will also be similar servers for the test system (usually more consolidated). All those servers are generally fire
Re: (Score:2)
"Server" does not mean it has to be on the live internet reachable by anyone in the world. Servers can physically reside in the hospital IT room isolated from the internet, or they can live in a datacenter somewhere; however, they should only be accessible from a private network, into which the hospital network is VPN'ed. Neither the hospital network, nor the servers, should have any internet access (only the VPN tunneling servers between the sites). Furthermore, you can design server-client to not trust t
Cut them off (Score:1)
Re: (Score:2)
A "virtual blockade" from the outside is impossible, even for countries as isolated as North Korea. They have multiple connections through friendly countries that won't cooperate with any blockade, at best (may actively participate in avoiding it). China and Russia are far more connected. So there's always a way to get in or out. Frankly, it's unlikely that the attacks happening now are actually hosted in China/Russia/NK - they're hosted elsewhere, often in well-regarded commercial systems. The cloud works
Re: (Score:2)
Too many 3rd party vendors need remote access to sy (Score:2)
Too many 3rd party vendors need remote access to systems on the local network, and in some cases you can't even install Windows updates as the FDA may need to test each update.
If we know the country these attacks come from (Score:3)
Microsoft Windows strikes again (Score:1)
Stop using Microsoft Windows to store your patient records.
Re:Russian Cybercriminals? (Score:5, Informative)
Where is the evidence that it was the Russians?
In the link(s) [nytimes.com] in the article. [nytimes.com]
Which is linked right there in the title.
Patients of a Vermont Hospital Are Left 'in the Dark' After a Cyberattack (nytimes.com)
The .com bit is the link.
Re: (Score:1)
Now I can see.
Re:Russian Cybercriminals? (Score:4, Informative)
Every time a story like this breaks there are many unknowns but the nationality of the hackers is always known with absolute certainty.
Re:Russian Cybercriminals? (Score:5, Interesting)
People who are into sports often debate why exactly a team lost. Which teams played is rarely in question.
Those who watch Fancy Bear 9-5, whose job it is to keep up with what Fancy Bear is doing today, pretty much know they are watching Fancy Bear.
Now I can understand where you're coming from. If you showed me a headline that says "Lemieux drafts Lafrenier", I wouldn't know if that's about people in Montreal or New York or where. Just like you don't know who APT29 is, why would you. But those in the hockey business know exactly who Lemieux is and where they are from. Same in my business - we pretty much know who is who.
Re: (Score:2)
The sports analogy is just wrong, sports are not played remotely by invisible parties.
I've got to admit I'm skeptical, mostly due to the perpetrators of cyber crime supposedly being from whatever country is out of favor this week. The stories about elite teams of crackers from North Korea seem most hard to believe. Where are these North Korea elite hackers now? They seemed to stop existing right when the US stopped needing a reason to show North Korea as evil.
Re: (Score:2)
It is true that countries which routinely attack the US are indeed out of favor with the US. I'm not sure why you find that surprising.
Re: (Score:2)
That's a classic example of begging the question.
Re: (Score:2)
Begging the question is when someone tries to prove something in a particular style of formal debate, but starts their argument with an assumption that is essentially the same as the conclusion they are trying to prove.
There's no conclusion being proved here, and no debate.
You said you find it odd that a country at war with the US would attack the US. I said I don't understand why you find that surprising.
Or maybe you're trying to prove something between the lines and that WAS supposed to be an argument? If
Re: (Score:2)
We have a country that is in a declared war with the US (North Korea) and others that are on politically unfriendly terms if not fighting an undeclared war (Russia, China, and possibly others). Attacks from "state-sponsored" hacking groups identified with those countries can be expected, since essentially this is an active but cold (kinetically) war. I strongly suspect that criminal groups hiding behind state-sponsored hacking profiles are not fully independent - it would be dangerous (kinetically) to do th
Letters of marque and reprisal (Score:2)
> I strongly suspect that criminal groups hiding behind state-sponsored hacking profiles are not fully independent - it would be dangerous (kinetically) to do that without at least tacit approval.
To expand on that, one of the powers that the Constitution delegates to the federal government is the power to "issue letters of marque and reprisal". A letter of marque is essentially a license to engage in piracy, against any ships from an adversarial country.
The privateer (licensed pirate) gets to take whatev
Re: (Score:2)
You know China sells goods and services worth $330 billion a year to the US? It would not be in their interest to harm a country that literally runs up national debt to send them money.
It's true the US is technically at war with North Korea. Can you explain how a country with no tech industry to talk of, with extremely limited access to computers of any kind, unreliable electricity, that's cut off from most of the world's education systems, could be reasonably accused of successfully pulling off high profil
BECAUSE they don't have aircraft carriers (Score:2)
You bring up a good question. Really, you do. I can see why it might seem surprising that a small country has a relatively strong cyber program. I'll get to the why; first let me explain the how.
> with extremely limited access to computers of any kind
A couple things on that.
Yesterday my brothers were commenting on the fact that my laptop is about ten years old, older than either of theirs - and I'm the professional hacker, while their computers are for using Google Docs. I think mine's a Core i5, mayb
Re: (Score:1)