Hackers steal a hospital in Hollywood

[Read the post]

A hospital is a computer we put sick people into

… what?


I remember way back around 1990, when the first virus was propagating around our office Macs by making them say “Don’t Panic”, that eventually the innocuous hacker kids with Hitchhiker’s Guide humor would be replaced by mobsters with extortion on their minds. Looks like that has come to pass.


This is why a policy of good, regular data backups (and regular restore/DR testing) is critical, especially in healthcare IT. I have had to deal with this on a smaller scale, and generally we have data unlocked and available within a few hours at most. Mind you, there may be data missing from the last 24 hours, but with the nature of ADT (Admission, Discharge, Transfer) data interfaces (and archiving), much of that data can be played back into the affected systems.

That being said, real doctors can do their job without computers. Definitely less efficiently, but they can still get the job done…


Not to mention having secure IT systems. Let’s all hope this was caused because Bob in accounting wanted to open that unsolicited Word doc he received the other day…


Well, which is it? TINY bit of difference here…


Did this place run an HIS (health information system) on Windows?
I’ve managed HIS systems running real time OS like MUMPS (Meditech) on AIX or HSI on AS400 and as I was leaving that field I heard of some HIS systems running on Windows based servers. I thought it was a joke.
I’ve also never seen an HIS connected to the same LAN as a Windows domain or anything with a public facing IP. I suppose someone thought there would be a benefit to having your HIS and other networks connected via something other than an HL7 interface.
This looks like bad design and planning from the ground up.

edit to add: I’m guessing at some point a bean counter thought they could save money by getting rid of their expensive experienced IT team and going the MCSE route because, hey they have certifications…


Some of the issues with having your network thoroughly hacked is that the hackers can hide malicious code that will survive system wipes. This happened to Sony during their infamous hack, they had to get rid of all of their networking hardware to ensure they had expunged everything that was compromised.

If i were the hospital i wouldn’t bother paying the ransom. Get rid of everything that’s compromised, salt the earth and start over again. Which would be… unreasonably expensive but you can’t assume that even after paying the ransom you’ll be clear of the hack.


You do know that the core underlying technology that HIS systems run on is dictated by the application vendors, right? It’s not like you get to go to Cerner and demand that they hand you an application suite that runs on AIX. They would laugh you out of the room. Lots of other considerations, including federal incentives for upgrading your systems to meet certain Meaningful Use criteria, and those creaky old HIS apps that run on Tandem boxen just don’t get the job done anymore.

Not disagreeing with your central complaint, I’m just saying that the move to Windows-based systems is being driven mostly by vendors and new healthcare requirements, not by bean counters within the hospital itself. That being said, there’s no excuse for cutting corners when it comes to security personnel or equipment…


It’s part of Cory’s talk on general purpose computing, his refrain. Cars are computers we put ourselves into, so are airplanes. Hearing aids are (or will be) computers we put into our bodies. When everything is powered by information and computation, everything is a computer, with increasingly fancy and complex enclosures.


Regarding workstations and servers, unless a bug is hiding in the firmware of a hypervisor host, restores can take care of that too. Think snapshot-based backups of entire systems that run as VMs, plus dumb terminals as VDI endpoints, all of the VDIs can be blown away and restored from a known-clean gold image.

1 Like

Oh hell when the melissa virus made rounds and just replicated itself out to address books everyone at work was all up in arms. I was umm it is a network traffic pain, and this kind of thing goes back to mainframes and was look at least the payload was not destructive. Annoying and users be users.
Fast forward a few months and I am seeing really odd behavior restoring some files for a user. I go over to ask our security guy have you heard anything about something making office files zero bytes, he says no so I shrug and think maybe the backup software is being odd and go back to an earlier full. While that was running said security guy comes over to me and says what was that you were seeing and I just think oh crap. We spent an entire weekend doing restores.


I get what you are saying, but IBM still makes new iSeries systems and HMS is still one of the more popular HIS to run on it. Unix, BSD, MUMPS, heck even Linux would be better than a Windows based HIS. Just because a vendor pushes you to Windows doesn’t mean you have to do it. Medical IT needs experienced IT teams who know better than to risk patient information by putting it on a Windows based system or even a network that connects to them.


I recall my buddy wanting to play a game on the LAN at our after-school workplace. And then I remember our boss calling me to his office to ask why certain programs no longer ran on his system. AV scans would later show it to be the work of the Jerusalem virus.

Look, if you can’t play a stolen copy of Leisure Suit Larry at work, then where CAN you play it??


Oh man that one caused so much pain in the university student labs I was lead for back then. We got it cleaned up but it kept reappearing and I finally figured out one of the servers had it and every time a workstation would fire up the terminal emulation which connected to the server… that finally got it fixed.


You’d think. One of my doctors has recently gone over to using laptops during the exam instead of written notes. When a prescription recently got royally f*cked up, it was because the “written records were offsite,” so they didn’t have the exact wording (which was needed because it was a compounded prescription). Took two weeks and hours on the phone with the mail order pharmacy and doctor’s office to straighten out.

Edit: added “recently”

2nd Edit: it was the office’s fault, not the doctor’s, who is a gem.

1 Like

I deal with this bumf every day, so feel free to ask questions…

It’s assumed that most hospitals are paying the ransom and not telling anyone, but I cannot directly confirm or deny that particular allegation.

Yes, most hospitals are dependent on Microsoft Windows at this point.

@anotherone, Meditech is an end-to-end solution, not an application, at this point. The first major implementation of Meditech Cloud is in progress right now (and basically terrifying to observe) but I can’t tell you much about that yet.


It’s 9000 bitcoins, which is about $3.6M. The NBC report is wrong.

1 Like

That depends – I’ve instructed clients to pay ransoms before as it was the only way to get their data back and get them running again within a reasonable timeframe.

At a hospital, it’s probably best to rebuild - just for security reasons - but you won’t just end up rebuilding desktops and servers, but lab equipment as well and maybe even flashing MRI’s which may well be running windows by now (as noted by @Jared_Kaufman via the vendors). I don’t know if you have to go to the lengths of a PLC attack to hit the MRI itself. I left the medical sector completely when the recession hit and things have changed radically since then with the HITECH act in 09 (part of ARRA) which created a legal framework for advancing health information technology (HIT).
MRI’s generate and necessitate vast volumes of data, so it’s highly likely that vendors are going to leverage the cloud to lower the initial cost and ongoing costs as the hospital won’t have to maintain data storage in their ever tightening budgets.

Once HITECH hit, MUMPS & HL7 had a target on their backs (shout out to @anotherone for i i i being a valid conditional variable assignment in M!) - here is a brief tutorial for any programmers who think Perl can be hard to read at times, but who haven’t been subjected to M.
Finding M programmers was getting increasingly difficult by the late 90’s, so I understand from a pragmatic perspective why vendors would want to switch everything away from the idiosyncratic languages and protocols used at hospitals and standardize them with everything everyone else is using.

I do know that there are MRI raw image processors written in Java and XML.

Staff is one possibility, but not the probable culprit, the most likely culprit is that those decisions are driven by the budget – Hospitals have HIPAA regulations/standards they have to adhere to, but if all you do is strictly adhere to a standard you can quite easily make yourself less secure than if you just followed/implemented common sense techniques. Another downside of standards is that it gives the money-pinchers a reason to stop spending on InfoSec as soon as they can “tick the box” on a requirement, and ticking a box can be – and quite often is – the least work possible needed to be able to argue that X has been done.

Bottom line: HITECH introduced a LOT of insecurity and it’s going to get worse before it gets better – and what do we think will happen if the .gov gets their way with encryption?


Bitcoins are the currency of liberation and freedom from Big Government^H^H^H^H^H^H^H^H^H^H^H Rule Of Law!

Also, they are trackable. Their history shows wallet information for everyone who previously owned them, so they’re all marked bills, inherently. When the mobsters start spending them, they may be traceable back to physical addresses via mail order. Of course, if their physical address is in a country without an extradition treaty, that’s not much use.