A Quarter of Healthcare Orgs Say Ransomware Attacks Result In Patient Deaths (esecurityplanet.com) 61
Slashdot reader storagedude writes: Nearly a quarter of healthcare organizations hit by ransomware attacks experienced an increase in patient mortality, according to a new study from Ponemon Institute and Proofpoint.
The report, "Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care," surveyed 641 healthcare IT and security practitioners and found that the most common consequences of cyberattacks are delayed procedures and tests, resulting in poor patient outcomes for 57% of the healthcare providers, followed by increased complications from medical procedures. The type of attack most likely to have a negative impact on patient care is ransomware, leading to procedure or test delays in 64% of the organizations and longer patient stays for 59% of them.
The Ponemon report depends on the accuracy of self-reporting and thus doesn't have the weight of, say, an epidemiological study that looks at hospital mortality baseline data before and after an attack, but the data is similar to what Ponemon has found in the past and there have been a number of reports of patient deaths and other complications from ransomware attacks.
The new report found that 89% of the surveyed organizations have experienced an average of 43 attacks in the past year. The most common types of attacks were cloud compromise, ransomware, supply chain, and business email compromise (BEC)/spoofing/phishing.
The Internet of Medical Things (IoMT) is a top concern for survey participants. Healthcare organizations have an average of more than 26,000 network-connected devices, yet only 51% of the surveyed organizations include them in their cybersecurity strategy.
Healthcare organizations are better at cloud security, with 63% taking steps to prepare for and respond to cloud compromise attacks, and 62% have taken steps to prevent and respond to ransomware — but that still leaves nearly 40% of healthcare organizations more vulnerable than they should be.
Preparedness is even worse for supply chain attacks and BEC, with only 44% and 48% having a documented response to those attacks, respectively.
The high costs of healthcare cyberattacks — an average of $4.4 million — mean that healthcare cybersecurity tools likely have a high ROI, even though roughly half of the survey respondents say they lack sufficient staffing and in-house expertise.
The report, "Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care," surveyed 641 healthcare IT and security practitioners and found that the most common consequences of cyberattacks are delayed procedures and tests, resulting in poor patient outcomes for 57% of the healthcare providers, followed by increased complications from medical procedures. The type of attack most likely to have a negative impact on patient care is ransomware, leading to procedure or test delays in 64% of the organizations and longer patient stays for 59% of them.
The Ponemon report depends on the accuracy of self-reporting and thus doesn't have the weight of, say, an epidemiological study that looks at hospital mortality baseline data before and after an attack, but the data is similar to what Ponemon has found in the past and there have been a number of reports of patient deaths and other complications from ransomware attacks.
The new report found that 89% of the surveyed organizations have experienced an average of 43 attacks in the past year. The most common types of attacks were cloud compromise, ransomware, supply chain, and business email compromise (BEC)/spoofing/phishing.
The Internet of Medical Things (IoMT) is a top concern for survey participants. Healthcare organizations have an average of more than 26,000 network-connected devices, yet only 51% of the surveyed organizations include them in their cybersecurity strategy.
Healthcare organizations are better at cloud security, with 63% taking steps to prepare for and respond to cloud compromise attacks, and 62% have taken steps to prevent and respond to ransomware — but that still leaves nearly 40% of healthcare organizations more vulnerable than they should be.
Preparedness is even worse for supply chain attacks and BEC, with only 44% and 48% having a documented response to those attacks, respectively.
The high costs of healthcare cyberattacks — an average of $4.4 million — mean that healthcare cybersecurity tools likely have a high ROI, even though roughly half of the survey respondents say they lack sufficient staffing and in-house expertise.
40% (Score:4, Funny)
Re: (Score:2)
Re: (Score:3)
40% of all statistics are completely made up.
49% of all people are below average
Re: (Score:2, Funny)
How's life down there?
Re: (Score:2)
Re: (Score:2)
People believe odd-numbered statistics more than even, and especially avoiding multiples of 10. A made-up statistic that ends in 7 is the most "believable".
https://uxdesign.cc/odd-vs-eve... [uxdesign.cc]
57% of random survey respondents agreed with this statement.
The deaths are on the heads of the administrators (Score:4, Insightful)
Not to whitewash criminal activity, but the enabler is insecure software that might equally fail from "being held wrong" or otherwise be unavailable at a critical moment. Think botched upgrade, or just forced updates that run longer than expected on an ill-scheduled moment.
In sports, that last bit can cause a scoring board to be unavailable for over fifteen minutes after official start of the match, because its driving laptop is still stuck busy with its applying the updates and thus a default win for the visiting team, as has happened at least once already. In medicare, such a thing might even last but five minutes, and cause patient death.
Thus, while ransomware is bad, kiddies, it is the suspectibility of the software that's the real culprit, and choosing to use and keep on using that software anyway while it's become widely known that it is suspectible, is the administration's choice.
And that means, wilfully running and keeping on running that risk is on the administration's head. They are culpable for that decision. Or lack of decision to move away from known-vulnerable software.
The ransomware attackers are culpable for their deeds. The administration is culpable for their own deeds. And sticking with buckets of fail waiting to get ransomed is the administration's decision.
Re: (Score:3, Interesting)
Not to whitewash criminal activity, but the enabler is insecure software that might equally fail from "being held wrong" or otherwise be unavailable at a critical moment. Think botched upgrade, or just forced updates that run longer than expected on an ill-scheduled moment.
You are absolutely right and this sort of thing will keep happening until companies are help responsible for producing shit software.
People avoid updating software because:
The updates are buggy and break something
The updates don't just fix actual problems, they make stupid pointless changes that break something
And, if nothing else, it just takes too fucking long.
Updating software is literally nothing more than copying some files from one location to another. (An over-simplification, but not much).
Re: (Score:2)
The real mistake is making these things network accessible. Often it would be illegal to update the software. You've got to get the appropriate approvals first.
Just keep the stuff off the network, and then you can choose which updates to apply when. And you're also protected from ransomware attacks, and many other malicious attacks. (Not all, unfortunately. This won't deal with supply chain attacks, e.g.)
And when copies of info *is* put onto the network, make them read-only. So if someone *does* get t
Re: (Score:2)
The real mistake is making these things network accessible.
Being able to monitor, datalog and control multiple machines from a central location is hugely beneficial though. It is why if you are lucky they will see your vital signs declining and send help immediately instead of waiting till you hopefully push the OOB distress button clipped somewhere on your bed.
Re: (Score:3)
The more complex the system, the more chances it has to fail. This notion of needing to always update software, has led to developers pushing out products that are questionable quality because they can 'always fix it later with an update.' Back in the 90s and early 00s, released software was more rigorously tested than today. Now its just a constant stream of fixes and sometimes introducing new problems by trying to fix old ones.
If people are dying due to this 'improved system' how much of an improvement is
Re: (Score:2)
Not quite true. There are "read only interfaces" that are quite secure and, if properly implemented, unhackable. But they are *read only*.
FWIW, I've implemented such interfaces to display data that was frequently updated on one system on another system. It was a really simple approach, and you couldn't even ask for particular data, or for a more frequent update, but I believe it was unhackable.
So the comment in the GP about "vital signs" is only "sort of" correct, If you need to put that data on the in
Re: (Score:3)
this sort of thing will keep happening until companies are help responsible for producing shit software.
No. This sort of thing will keep happening until paying the ransom is prohibited by law.
Re: (Score:2)
Someday you should read up on Godel's incompleteness theorem means and what it implies about writing software that is bulletproof in a general computing scenario. (Hint: it's impossible.)
Re: (Score:1)
Hint, Goedel's proof, translated into Turing Machines and therefore equivalent, assumes an infinite tape. Last I checked, computer systems were finite. If you are going to cite mathematical results, you need a complete background lest you quote them out of context.
Re: (Score:2)
You need to understand that theorem. If you're talking about a general purpose program, you're correct, but in this situation what we're talking about is internet based malware. Godel's incompleteness theorem makes several initial conditions required. The original HTML (before Javascript) was safe against attacks. Limit the capabilities that you allow, and you can have a safe interface. (Guarding against crashes requires a bit of extra effort. You need to do things like limiting message length. I
Re: The deaths are on the heads of the administrat (Score:1)
Re: (Score:1)
As a software developer and manager for 40 years, bullshit.
No scheduled update carries the risk of an unexpected downtime coupled with complete loss of access to data that occurs with ransomware. When patients die due to ransomware, it's felony murder.
and as the other poster says, it is literally impossible to write bug free software at a reasonable cost. And for anything sophisticated there may no be enough time in the universe to test every flow and branch of the code.
All that's going to come of your p
Re: (Score:2)
Absolutely! And if the perps can't be prosecuted for that, they can always be sued for Wrongful Death, which is a civil matter, not criminal. And, if there's more than one death, it can become a class action.
Re: (Score:1)
again... bullshit.
You wouldn't do work that exposed you to unlimited risk. No one will.
So the work stops until the legal structure corrects the irrational solution.
Ponemon Institute? (Score:2)
Re: (Score:2)
Turns out the MissingNo glitch was worse than we thought.
For-profit industry is the main culprit. (Score:3)
Here's the real mind-warp: Ransomware attacks on for-profit healthcare are literally just taking their own business model to the extreme. It's the patients who pay the attackers for the "privilege" of living, not the businesses that essentially hold the patients captive. Ransomware gangs/states just cut out the middleman and the hypocrisy.
Mark my words, some day it will be discovered that a for-profit health organization staged attacks on its own patients to increase profits. And then it will happen again, and again, until the industry is indistinguishable from a protection racket.
Profits Only (Score:5, Insightful)
I quit a healthcare IT job when the CIO override the manager and refused to let us spend time or money to implement atomic two-phase commit for data about patient mediations transiting two database systems.
Our statistical model estimated eleven medication errors per year with three in the extremely serious category.
"It'll be cheaper to settle the lawsuits" still rings in my ears today. The Medical Director didn't want to "make waves."
Same attitude towards security.
Re: (Score:1)
It seems some CIOs (and CEOs) need to go to prison for criminally negligent homicide before this changes. You did the only right thing by quitting, because if there ever was a reason for this to go to court, they would have tried to blame it on the IT people for sure.
Re: (Score:2, Insightful)
You think the politicians care? As long as the bribes, I mean "campaign contriobutions" flow, they will allow any and all shoddy practices that reduce cost for the operators.
Re: (Score:3)
And when the "crime" was committed outside the US? A lot of the attacks come from India, China, and Russia. There are other sources. I suppose you could try for extradition, but I wouldn't expect any results.
Re: (Score:2)
Probably it would be cheaper for American for-profit health corporations to start bribing (say) Indian and Chinese local politicians to shut down Indian (Chinese) attackers than to implement better software security in America.
Are political bribes a tax-deductible expense for US businesses? This is clearly a
Re: (Score:2)
We are better today than we were 5 years ago at catching people
Oh that's easy. Here's what you do:
Dig a big hole, about 5 feet wide, and 8-10 feet depending on the height of the human you want to catch.
Then chop down 10 or 20 trees, depending on the size of the tree, and make a huge bonfire. Once it burns out, take all of the ashes, and fill the hole with them. Not so much that it's rounded, you want it to be relatively flat with the surrounding terrain.
Then, get a case of canned peas from the grocery st
Re: (Score:1)
If someone is dies because you were committing a crime, it's felony murder.
If someone is dies because you participated as part of a group committing a crime, it's felony murder.
I look forward to the day they catch these people. We are better today than we were 5 years ago at catching people. And in another 5 years, we'll be even better. Getting away with a crime today doesn't mean you won't be caught via A.I. or forensic accounting or someone who was arrested giving you up in the future.
Being in a different
medical system causes deaths. (Score:1)
The U.S. medical system is the largest cause of deaths in the USA.
Check the book "The Lethal Dose".
Re: (Score:2)
Ummm (Score:4, Interesting)
Why not implement proper cybersecurity, then?
Implement hardened Linux rather than some security-deprived Microsoft OS (or something of comparable security), use tamper detection/HIDS software to ensure no binaries have been corrupted, run all software with the fewest privileges possible, have a firewall (with NIDS) that prevents outsiders and at least some malicious software from getting in in the first place, and have a proper backup regimen.
None of this is hard. If a medical facility refuses to use software that is actually RATED as capable of providing the level of security needed (and Microsoft's OS' aren't) within a secure network environment then the medical facility is choosing to be vulnerable to ransomware and should be held culpable for any deaths their active choice resulted in, in just the same way that a drunk driver can be held culpable for deaths their state of inebriation caused.
If a medical facility is taking all reasonable precautions (and I'd call running hardened Linux behind a firewall one way to do this) then you can't blame them for doing their best.
This is sort-of victim blaming, sure, but I hold that the choice of OS is far closer to choosing to drive sober or drunk, as opposed to getting attacked because of a choice of clothes. I defend this on the grounds that Windows incapacitates the operator and technical staff from implementing adequate security, rather than Windows users being targeted specifically because they're running Windows. Ransomware isn't anti-Windows, it's pro-exploits. The OS doesn't matter in that sense, it's down to whether the victim is running an easily exploitable system and it just so happens that Windows has a very high defect density compared to Linux.
Re:Ummm (Score:4, Insightful)
Indeed. It _can_ be done and it is not even that expensive or difficult. But the for-profit medical system of the US values profit over everything else, including patient life.
Re: (Score:2)
That isn't acutally possible. Some systems could be switched to Linux, but many medical machines have special versions of a particular OS (usually MSWindows) that cannot be updated. Yes, the records could be switched to Linux, and I agree with you that they should be, but that doesn't guarantee security against malware. It's more important that systems be isolated from the internet. And any data that needs to be internet accessible should be a read-only copy.
Re: (Score:1)
I don't disagree with you, but in real life (I work in Health IT) I can tell you that NOT running windows would result in a massive red flag in any security audit and your managers/Board considering you a complete whack job. Not to mention the plethora of specialist medical apps that only work in a windows OS, and not always even the most recent version.
Re: (Score:2)
Apps that need to run under Windows can't be migrated, fair enough, but those machines can usually be taken off the Internet entirely.
Re: (Score:2)
Why not implement proper cybersecurity, then?
Amen!
Implement hardened Linux rather than some security-deprived Microsoft OS (or something of comparable security), use tamper detection/HIDS software to ensure no binaries have been corrupted, run all software with the fewest privileges possible, have a firewall (with NIDS) that prevents outsiders and at least some malicious software from getting in in the first place, and have a proper backup regimen.
You lost me there.
Bad linux is probably worse than bad windows. Good linux is potentially better than good windows, but I see it so rarely I've pretty much concluded it mostly lives as a concept. In the few places I have seen it, the orgs running it have made some cyber security improvements in exchange for an increase in key person risks (because the cyber optimisations are only understood by a small group of people), the maintenance costs are through the roof and the usability is through the floor.
None of this is hard. If a medical facility refuses to use software that is actually RATED as capable of providing the level of security needed (and Microsoft's OS' aren't) within a secure network environment then the medical facility is choosing to be vulnerable to ransomware and should be held culpable for any deaths their active choice resulted in, in just the same way that a drunk driver can be held culpable for deaths their state of inebriation caused.
It
Re: (Score:2)
Arguably ransomware isn't pro-exploits, it's pro install base.
Most of the interned infrastructure runs on Linux servers, yet it is Windows that is hacked most of the time.
Windows ... 95 ....Kerberos...suffer fundamentally similar problems.
Did you just say that Kerberos security is bad like Windows 95? Are you by chance an "influencer" on Microsoft payroll?
Re: (Score:1)
Windows ... 95 ....Kerberos...suffer fundamentally similar problems.
Did you just say that Kerberos security is bad like Windows 95? Are you by chance an "influencer" on Microsoft payroll?
You've drawn the wrong meaning friend. I meant some of the features that still exist in Windows networks to this day are drawn from that era i.e. 1995 (I should have been clearer sorry). For example, NTLM v1 password authentication, which enables pass-the-hash attacks (where the hash is effectively password equivalent). This was rolled out in NT3.51 (maybe NT3.5 - like that is really going back).
Re: (Score:2)
Re: (Score:1)
The issue I was driving at was trust boundaries and old authentication mechanisms. Kerberos is an old authentication mechanism. The ticket passing mechanisms are okay, but initial grant suffers from weak (normally single factor) authentication. It's susceptible to cred stuffing and brute force attacks. Don't take my word for it - the exact problems I'm talking are discussed in the fortinet article you linked.
Finally, when computers are organised into implicit trust relationships the issue of one slip exposi
Why hospitals don't have good security (Score:2)
Re: (Score:2)
Why would they need to spend more? Hardened Linux is cheaper than Windows (it's free, no licenses, and runs well on lower-end hardware, so less ewaste), disconnecting mission-critical systems from the Internet is cheaper than buying AV software for them, and network intrusion detectors are zero cost. I'm seeing a massive savings here, money that COULD be spent on saving lives rather than saving Microsoft.
Re: (Score:2)
It is still 1970s OS design sitting on top of 1960s hardware architecture that has been shrunk & sped-up >5000000 times. And now its being proliferated in just about every situation and object imaginable.
Neither Linux nor *BSD will save your ass from determined attackers because they are based on C code and monolithic kernel architecture. Look around at the IT news coming out weekly... Andrew Tanenbaum was right and Linus Torvalds and Bill Gates were wrong.
The only "OS" hardening that will make a d
Re: (Score:2)
C doesn't impact security. Anyone can write C code properly and the defect density of Linux suggests that most of the good C programmers write for it.
Yeah But It's a Butterfly Effect Kind of Thing (Score:2)
If you run over someone with your car, technically your grandmother contributed to the person's death because they gave birth to your parent, who in turn gave birth to you, etc, etc
You can make connections between most any event and outcome.
It's not a very intellectually honest stat.
Re: (Score:2)
answer (Score:2)
Re: (Score:2)
Re: (Score:2)
Simple, you go after them with a vengeance and you use human life to trump any financial issues.
Pursuing it as a homicide investigation and/or a terrorist attack will carry a lot more weight than simple fraud
Even if you don't catch them you can send a loud and clear message to the hacker world that endangering human life will not be tolerated.
It's bad enough that ransomware hackers go after banks and so on, but even in war the geneva conventions and so on forbid targeting of hospitals and so on.
Two points must be made: (Score:3, Insightful)
1. Before all our medical records were made electronic, none of this garbage was possible. In the days when all our medical records were on paper in large filing cabinets at our doctors' offices, no Russian hackers could steal copies of them, encrypt them and demand payment, etc. There was also no possibility of identity theft. Before somebody screams "luddite!", allow me to point out that for a new tech to be superior, it should genuinely BE superior. Electronic records may be more CONVENIENT, but that's not necessarily superior.
2. If these organizations are truly watching patients get killed as a side effect of their mismanagement of their IT systems, and yet they continue to do insane things like putting all our medical records onto Windows systems hooked to the internet, then THEY are every bit as liable for those deaths as anybody else, and it's time for some serious lawsuits.
Re: (Score:2)
Before all our medical records were made electronic, none of this garbage was possible.
Rather than go back to the old-time plod of paper and quill pens in medicine, slowing everything to a crawl, I would rather directly attack what fundamentally makes ransomware possible: cryptocurrency. But yes, it would certainly be better security if all the medical software wasn't written for Windows.
Re: (Score:2)
It is the same argument as for anything else that has been touched by computers. Now look around your house and think about how many of your recent devices have sprouted microphones and networking capability: TV and streaming service remote controls, bluetooth speakers and headphones, cleaning robots, etc. – even refrigerators.
While the question of healthcare security is critical, the fact is that IT proliferation has made everything precarious.
Why should hospitals get away with mur (Score:1)
1. Since computer systems security is controlled by the hospital/corporations, they should prevent this and, if it happens again, the hospitals/corporations and management should be penalized -- fines ADN imprisonment.
3. I can't imagine that a surgeon would operate with dirty scalpels or a doct