Thursday, February 18, 2016

Hostage Data

I was first alerted to the situation by my friend Stacey, who directed me to the story on the Daily Kos. I tend to avoid that site like the plague, but I had to read this story.  Fortunately, the author, "Medical Quack", has the information on his own blog, and the story has since been picked up by many other news outlets, including Fox.

Here are the facts from Medical Quack:
A Southern California hospital was a victim of a cyber attack, interfering with day-to-day operations, the hospital's president and CEO said.

Staff at Hollywood Presbyterian Medical Center began noticing "significant IT issues and declared an internal emergency" on Friday, said hospital President and CEO Allen Stefanek.

A doctor who did not want to be identified said the system was hacked and was being held for ransom.

There is no information that any patient or employee information was compromised, but the hospital called in computer forensics experts, and the FBI and the LAPD to investigate.

The hospital's emergency room has been sporadically impacted since Friday, Stefanek said.

The unnamed doctor said that departments are communicating by jammed fax lines because they have no email and that medical office staff does not have access to email.

9000 bitcoins is the price demanded to give the hospital back the “key” codes to open the system back up. 911 patients are being diverted to other hospitals.

The hospital seems to be keeping it pretty quiet and I guess really what else can they do as paper back up files come out as they always do in times when the EHR goes down.

This disruption is raising havoc with getting access to all the patient information needed at times. Radiation and Oncology has been shut down and they are not allowed to turn on their computers.

The Daily Kos quoted all this directly, but revealed the EMR vendor in the title of the piece:

Hollywood Presbyterian Medical Center McKesson EHR Hacked And Hospital Data Being Held for Ransom..

If you prefer a little less innuendo and speculation, here's the FoxNews version:
A Los Angeles hospital paid a ransom of nearly $17,000 in bitcoins to hackers who infiltrated and disabled its computer network because paying was in the best interest of the hospital and most efficient way to solve the problem, the medical center’s chief executive said Wednesday.

Hollywood Presbyterian Medical Center CEO Allen Stefanek said the hackers demanded a ransom of 40 bitcoins, currently worth $16,664. The FBI is investigating the attack, which began on Feb. 5.

Authorities said this kind of attack is called “ransomware,” where hackers encrypt a computer network’s data to hold it “hostage,” providing a digital decryption key to unlock it for a price.

"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Stefanek said. "In the best interest of restoring normal operations, we did this."

The implications of this sad situation are staggering. Some little twerps, most likely operating from outside of the United States, brought a hospital to its knees, forcing it to pay a ransom to continue operations (and surgeries too, we assume). I'll bet this has happened before, but hasn't been reported by the IT and IT Security folks affected. I'd be embarrassed too. That the little miscreant involved settled for "only" $17,000 in untraceable Bitcoins suggests that he is but a lowly amateur. And that is even more frightening. If some high-school kid in an Internet cafe can do this, what could government-backed (and you know which governments I mean) hackers accomplish? What could ISIS-owned hackers do to us?

Everything we associate with daily life is hooked into the Internet somehow. Communications, entertainment, health-care, power plants, missile launchers...pretty much everything. Now I'm a firm believer in individuals, companies, enterprises, etc., taking reasonable precautions against hackers. Cybersecurity is big business and rightly so. But the relatively minor incident in California is a HUGE wake-up call, not that we really need it. Hacking our infrastructure via the 'Net is a huge national security issue. We are in just as much danger from the hackers as we are from the crazy kid in North Korea with the bad haircut and shiny new intercontinental ballistic missiles. With a few key-strokes, a hospital was taken down (proving Dalai's First Law in the process: PACS IS the Radiology Department). With a few more, a nuclear power plant could shut down. Or melt down. That's no exaggeration.

We the People need to be protected from this sort of thing, and it is our government's job to do so. Yes, they are trying, half-heartedly, without adequate time, money, or effort, to fight against a hidden enemy. I've been told by execs from phone companies that the telemarketers hacking and spoofing their systems have better software and better technology than we do. If they can bollix our phones, if we can't defend our communications networks, we're sunk.

Our administration, in its infinite wisdom, will be turning over control of the Internet to the UN. Great. Most governments of Third World nations, not to mention quite a few Second World countries,  ISIS, and other nice folks, either ignore illegal Internet activity, or actively encourage and participate in it. And there are no consequences from us. Zero.

How to solve this? Somehow we have to let our "friends" overseas know that we won't tolerate this anymore. Do we have to sever the Internet backbones? I hope not but unless the rest of the world will police their own vermin, we will have to do it for them, or at least isolate ourselves from the infection. There need to be sanctions, fines, treaty revocations, and I don't know what else to put a stop to this.

As for home-grown United States-based hackers, we have to institute some VERY severe punishments. Up to and including capital punishment for anyone whose illicit activity leads to the death of innocents. And we have to have a moon-shot level program to boost our technology to surpass that of the criminals.

I'm mad as Hell about this. Our government has failed to protect its citizens, and that has to change.

NOW.

1 comment:

stacey said...

Excellent work. And.. I agree we have to do more...but here's the thing...
I see the whole "security" situation as a never ending, ever escalating arms race. The very same people that can "build the security systems we need" are also the same people that can hack it. If not the same "actual" people, then others who learn of their techniques. Nothing is hack proof if a human makes it. IF one human can know or do it, then any human can know or do it. I have to laugh when I see those apps that people use on their phones that "hold" their passwords. Really? I'm not wearing a tinfoil hat, but does anyone really think that an app that claims to "secure" your passwords, doesn't have a back door? What we really have lost and can never get back.. is trust. On many many levels. At the personal, and... scaled all the way up to nations. If we had trust, we wouldn't have to lock a door.