Ransomware, Data Breaches at Hospitals Tied to Uptick in Fatal Heart Attacks (krebsonsecurity.com)
This study may be biased toward smaller/rural/poorer locales.
In big-city Canada, patients with heart attack symptoms will usually have an ECG done by paramedics before arriving.
In the US, this has quite a survival advantage.
I don’t know if it’s standard practice to do another upon arrival, but it is redundant and should probably take a back seat to activating other processes that need to happen.
It also helps send them to the most appropriate facility.
So, don't ask me how I know this...
If you are having chest pain, call 911. If you mention "chest pain" to them, you hear a beep in the background, and everything else is a machine.
In my locale, the paramedics carry a portable EKG. If they decide to take you for a ride, they have an EKG machine in the ambulance that's networked to the hospital, and a cardiologist is now on your team. When you arrive, you get wheeled into a special room where an entire heart attack team is standing there, waiting for you.
At that point they do another EKG, and as I understand it, their machine has a larger number of electrodes, so they can get more detailed information from it. The patient is never off an EKG at this point, and it's not a discrete step, but is a continuous monitor.
A blood test will confirm the presence of an enzyme that's produced if the heart muscle is stressed. This is a rapid test, the lab is ready and waiting for the sample.
So, the second EKG isn't really consuming time, since other stuff is happening concurrently, and they need the EKG running continuously to make minute by minute decisions. Regardless of what happens, you're on the EKG until you go home.
I don't know if rural or poorer locations have less sophisticated processes.
If you are having chest pain, call 911.
Wow I had no idea they were linked in remotely. Thanks for sharing.
Is it possible that increased security after breaches is actually what's slowing down medical staff?
I doubt it. Desktop PCs in hospitals are usually just thin clients. Ransomware targets the client PC and implementing security at this level is not cumbersome.
from the article...
“Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” the authors found. “Remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes.”
Without any arguments it's just data. Is a lack of spending on key infrastructure, tied to poorer outcomes something we can discuss? I'm not sure this is the best article to discuss the causes/mitigations.
There was one interesting data point, but no source of cause listed.
> for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.
Is this while they were prevented from performing care? Thankfully PBS's article goes into more details
>hospitals that experienced a data breach, the death rate among heart attack patients increased in the months and years afterward. This increased mortality doesn’t appear to be due to the perpetrators themselves — the hackers are not controlling the allocation of medications or doctors. Rather the issue may lie with how health care systems adjust their cybersecurity after an attack
Which makes a much different argument: the hospital response to a Cybersecurity incident increases mortality (thus: can we expect a similar uptick in negative outcomes amongst healthcare organizations who implement similar security polices?)
Research paper: https://onlinelibrary.wiley.com/doi/full/10.1111/1475-6773.1...
The PBS article points out that security practices applied to clinicians led to this problem.
Do we have evidence that the hacking took advantage of the EMR's security issues?
>Time from door to ECG significantly increased after a breach and the elevated time to ECG persisted at 4 years after the breach. Security typically adds inconvenience by design—making it more inconvenient for the adversary. For example, stricter authentication methods, such as passwords with two‐factor authentication, are additional steps that slow down workflow in exchange for added security. Lost passwords and account lockouts are nuisances that may disrupt workflow. The persistence in the longer time to ECG suggests a permanent increase in time requirement due to stronger security measures.
So what compromise is possible to ensure fast login? Can two factor login be limited to new login devices? (Thus limiting impact to those working in new locations?)
Login devices which aren't recognized? (i.e. external servers)
Should EMR login be separated from local PC login within a hospital/emergency department? (Cold booting a PC and logging into windows would be the slowest response time).
Can we tie logins to employee badges to skip all password entry? (Lost badges would thus warrant reporting loss.)
> Can we tie logins to employee badges to skip all password entry? (Lost badges would thus warrant reporting loss.)
You can, but typically you'd use a badge with a PIN. If you use something like this with virtual desktops (VDI) that don't terminate your session when you disconnect, you can get the "time to login" down to a few seconds, since it's the same RDP session following the user around.
Most hospital PCs allow this as an alternative, also thumbprints.
We use: https://www.imprivata.com/
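As an added illustration of the badge-plus-PIN tap-in with a session that follows the user (this is example code written for this thread, not code from the commenters or from any vendor product such as Imprivata), the toy broker below keeps a disconnected desktop session alive for a bounded idle period, reattaches it on the next successful tap-in, and denies badges that have been reported lost. The iteration count, idle limit, lockout threshold and user names are assumptions made up for the demonstration; the `now` parameter is passed in explicitly so the behaviour can be checked without real clocks.

```python
"""Toy model of badge + PIN tap-in with a roaming (persistent) desktop session.

Added example for this discussion; not from the thread or any vendor product.
All timings, thresholds and identities below are assumptions.
"""
import hashlib
import hmac
import os

PIN_ITERATIONS = 100_000      # PBKDF2 work factor (assumed value)
IDLE_LIMIT_S = 15 * 60        # disconnected sessions are reaped after 15 minutes (assumed)
MAX_PIN_FAILURES = 5          # consecutive wrong PINs lock the badge (assumed)


def _pin_hash(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the PIN store is not a plaintext lookup table."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_ITERATIONS)


class SessionBroker:
    def __init__(self):
        self.badges = {}    # badge_id -> record (user, salt, hash, fails, revoked)
        self.sessions = {}  # user -> {"last_seen": seconds}

    def enroll(self, badge_id: str, user: str, pin: str) -> None:
        salt = os.urandom(16)
        self.badges[badge_id] = {"user": user, "salt": salt,
                                 "hash": _pin_hash(pin, salt),
                                 "fails": 0, "revoked": False}

    def report_lost(self, badge_id: str) -> None:
        """A lost badge is revoked; the PIN alone is never enough to tap in."""
        self.badges[badge_id]["revoked"] = True

    def tap_in(self, badge_id: str, pin: str, now: float):
        """Returns (outcome, user). Outcome is 'denied', 'reconnected' or 'new_session'."""
        rec = self.badges.get(badge_id)
        if rec is None or rec["revoked"] or rec["fails"] >= MAX_PIN_FAILURES:
            return ("denied", None)
        if not hmac.compare_digest(rec["hash"], _pin_hash(pin, rec["salt"])):
            rec["fails"] += 1
            return ("denied", None)
        rec["fails"] = 0
        user = rec["user"]
        session = self.sessions.get(user)
        if session is not None and now - session["last_seen"] <= IDLE_LIMIT_S:
            # The existing desktop session is still running: just reattach it.
            session["last_seen"] = now
            return ("reconnected", user)
        # No live session: this is the slow path (full new login).
        self.sessions[user] = {"last_seen": now}
        return ("new_session", user)

    def tap_out(self, user: str, now: float) -> None:
        """Disconnect rather than log off; the session keeps running for IDLE_LIMIT_S."""
        if user in self.sessions:
            self.sessions[user]["last_seen"] = now


if __name__ == "__main__":
    broker = SessionBroker()
    broker.enroll("badge-0001", "clinician.a", "4921")   # constructed sample identity
    print(broker.tap_in("badge-0001", "4921", now=0))          # ('new_session', 'clinician.a')
    broker.tap_out("clinician.a", now=60)
    print(broker.tap_in("badge-0001", "4921", now=120))        # ('reconnected', 'clinician.a')
```

The point the model makes is that the expensive step (a fresh session) happens once per shift rather than once per room, while a wrong PIN or a revoked badge still fails closed, and a session that has sat disconnected past the idle limit is not silently reattached.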
The solutions you propose are pretty much the norm already. PC logins are typically LDAP or AD, however. YMMV whether your EMR login is on the same domain as your PC login. For example, on Cerner EMR they are typically separate, but this has more to do with the hosting infra than anything else.
All the EMR security in the world won't help you if a random piece of critical equipment that is compromised locks you out.
I'm not sure I buy the causal link between a small increase in door to ECG time and an increase in 30 day mortality (AFAIK, there's no other research explicitly linking those two stats). Door to reperfusion (or "door to balloon") time matters a lot, but the article doesn't mention those stats.
Possibly to get more data. Not everyone is coming in with a STEMI.
Another win for cryptocurrency! Truly, it has changed the world. We couldn't have this kind of progress without it.
Would you please not post flamebait to HN? That's against the site guidelines:
Long flamewars or long tit-for-tat arguments about a generic thing like cryptocurrency, which you unfortunately did a couple times in the last few days, are also against the site guidelines (see "generic tangents").
I reluctantly agree with you.
The main use case right now (and in the foreseeable future) for crypto is difficult-to-trace payments for illegal activities.
Cryptocurrency isn't going anywhere. It exists now, people value it. It will remain so.
We need to focus on building systems that mitigate this as a potential attack vector.
It’s a core feature.
Interesting. So you can 'invest' in cryptocurrency and then release ransomware for your chosen scrip to boost your share. Wonder what sort of pen-and-paper white collar crime this would correspond to.
Securities fraud and something under the Computer Fraud and Abuse Act I'm sure ^_^ fun thought exercise.
On the other hand, it's a world-readable ledger. It would be easy enough for the government to permanently blacklist any downstream transactions from such coins as "proceeds of terrorism", and impose strict liability prison sentences on any regulated person (or exchange) found in possession of them...
They can certainly legislate about that, and I suspect they will, but there are issues. The ledger doesn't have a concept of a specific unit of currency that changes hands. It has transactions, which have one or more inputs and outputs. Let's say Alice has 3 blacklisted bitcoins and Bob has 2 whitelisted coins. They both sign a transaction which takes all 5 of their coins as inputs, and gives 2 coins as an output to Carol and 2 coins as an output to Dan. The remaining coin is left as an implicit miner's fee. Who got Alice's 3 blacklisted coins? You can make up an arbitrary rule dictating who got which coin in a legal sense (based on order of inputs and outputs or something meaningless like that), or say that any coins output from a transaction with any blacklisted coins are themselves blacklisted, but you can't actually track individual coins. Applying such rules to Monero would make even less sense, as the coins essentially go through a mixer during each transaction.
Back to Bitcoin, it's also not clear what it means to possess a coin. We can make fairly arbitrary (though Turing incomplete) scripts for the validation of ownership; a signature is just the most common. Next-most common is probably the m-of-n signature; if I possess 1 of 2 signatures that can spend coins from an output, do I own those coins? What if I have 1 of 3 signatures, and at least 2 are needed to spend the coins? What if the coin is only spendable by solving a non-cryptographic math problem? If I know the answer to the math problem, do I own the coin? If I make a transaction with blacklisted funds that has outputs spendable by anybody who solves the script by putting in the answer to the problem 2+2, does everybody aware of that transaction now jointly own the coin?
I'm not saying you can't legislate about this, I'm just saying it gets silly. Also, I doubt there is a single legislator in your entire government who understands the properties of a Bitcoin transaction that I just described.
I bet that their first attempt at regulation will be totally ignorant of what it is that they're actually regulating, and it will be hilarious.
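The Alice/Bob/Carol/Dan transaction above can be replayed against the candidate blacklist rules the commenter mentions. The script below is an added example for this thread (not the commenter's code and not any real chain-analysis product): it models one transaction in the UTXO style, with inputs carrying a taint fraction between 0 and 1, and applies three rules that analysts actually argue about, "poison" (any tainted input taints every output), "FIFO" (inputs fill outputs in order), and proportional "haircut". The names, amounts and the 1-coin fee are the commenter's; the rule implementations are assumptions written for the demonstration.

```python
"""Toy UTXO taint propagation, added example for this discussion (not from the thread).

A transaction has ordered inputs (owner, amount, taint fraction) and ordered
outputs (owner, amount). Whatever input value the outputs do not consume is
the implicit miner's fee, as in the comment above.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Output:
    owner: str
    amount: int


@dataclass
class Transaction:
    inputs: list   # [(owner, amount, taint)], taint is a Fraction in [0, 1]
    outputs: list  # [Output]


def poison_rule(tx: Transaction) -> dict:
    """If any input is tainted at all, every output is fully tainted."""
    tainted = any(t > 0 for _, _, t in tx.inputs)
    return {o.owner: Fraction(1 if tainted else 0) for o in tx.outputs}


def fifo_rule(tx: Transaction) -> dict:
    """Assign input value to outputs in order: the first input fills the first output."""
    chunks = [(amt, t) for _, amt, t in tx.inputs]   # queue of (amount, taint)
    result = {}
    for o in tx.outputs:
        need, tainted_value = o.amount, Fraction(0)
        while need > 0:
            amt, t = chunks[0]
            take = min(amt, need)
            tainted_value += take * t
            need -= take
            if take == amt:
                chunks.pop(0)
            else:
                chunks[0] = (amt - take, t)
        result[o.owner] = tainted_value / o.amount
    return result   # leftover chunks are the fee and are dropped


def haircut_rule(tx: Transaction) -> dict:
    """Every output inherits the same taint: tainted input value over total input value."""
    total = sum(amt for _, amt, _ in tx.inputs)
    tainted = sum(amt * t for _, amt, t in tx.inputs)
    share = Fraction(tainted, total)
    return {o.owner: share for o in tx.outputs}


def comment_transaction(alice_first: bool = True) -> Transaction:
    """The example from the comment: Alice 3 blacklisted, Bob 2 clean, 2 to Carol, 2 to Dan, 1 fee."""
    alice = ("Alice", 3, Fraction(1))
    bob = ("Bob", 2, Fraction(0))
    return Transaction(inputs=[alice, bob] if alice_first else [bob, alice],
                       outputs=[Output("Carol", 2), Output("Dan", 2)])


def compare_rules() -> dict:
    """Run every rule on the comment's transaction (FIFO twice, with inputs reordered)."""
    tx = comment_transaction()
    return {
        "poison": poison_rule(tx),
        "fifo_alice_first": fifo_rule(tx),
        "fifo_bob_first": fifo_rule(comment_transaction(alice_first=False)),
        "haircut": haircut_rule(tx),
    }


if __name__ == "__main__":
    for rule, verdict in compare_rules().items():
        print(f"{rule:18s} " + "  ".join(f"{k}={v}" for k, v in verdict.items()))
```

Running it shows the disagreement the commenter describes: the poison rule blacklists both Carol and Dan outright, FIFO blames Carol fully and Dan half, merely swapping the order of the two inputs flips FIFO to blaming Dan fully and Carol not at all, and haircut assigns 3/5 to each. The ledger fixes the inputs and outputs; which "coin" went where is a choice of rule, not a fact on the chain.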
Why do you think this is the fault of cryptocurrency?
One of the useful features of cryptocurrency is regulatory arbitrage. Without this ability, ransom payments in cash, or electronic bank transfers would drastically reduce the feasibility of receiving the ransom payment without also revealing the identity of the payee.
A side effect of the anonymity is that crypto provides the opsec cover for these undesirable operations.
Ransomware relies on there being safe ways to collect the ransom.
There were a few predecessors (https://en.wikipedia.org/wiki/PGPCoder) using stuff like Liberty Reserve (long since shut down by the Feds), but Bitcoin made it pretty easy.
One tried "mail money to a PO box" back in the 80s. https://en.wikipedia.org/wiki/AIDS_(Trojan_horse) The downsides of that approach for a criminal should be fairly obvious.
Downside? Sounds like a great way to get anyone you want arrested by the FBI without them knowing who made this all happen.
Ransomware doesn't really work without it. In fact, they specifically call out WannaCry which demands ransom in BTC.
It doesn’t work without the internet or strong open source cryptography either.
Don't you see the obvious logical failure of that rebuttal?
Is the failure "I don't see cryptographers as my ideological opponents"?
Ransomware existed before Bitcoin; it used MoneyPak, Western Union and similar services as the payment vehicle.
It also doesn't work too well without Microsoft Windows.
You will be pleased to learn there are ransomware families that target macOS and Linux as well.
He's a resident cryptocurrency hater, so he never misses the opportunity even though ransomware long predates cryptocurrency.
I am :) but there's no doubt that cryptocurrency has made ransomware easier to write/execute, makes it harder to catch the people responsible, and its availability has led to a massive worldwide spike in ransomware. Seriously, what options did you have to obtain the value before? A wire transfer?
They used moneypak transfers, from what I remember.
Personally, I would rather live in the world where we have financial privacy and financial freedom even if that means dealing with ransomware. (which is mitigable with proper planning).
If a ransomware author doesn't have financial freedom or privacy then that means you don't either. Edward Snowden is being financially censored right now by US Government in a move to take away the proceeds of his book. It is no wonder then that Snowden is a fan of cryptocurrencies which have no such mechanism.
Likewise, WikiLeaks was financially censored by PayPal, VISA and Mastercard under unofficial pressure from the US Gov.
You don't even have to break any laws to be financially censored. PayPal regularly freezes people's balances for 180 days and does not even provide a reason. They sometimes do this at the behest of political activists looking to use financial pressure to censor their opponents.
So, I will accept ransomware as an unavoidable consequence of the greater good - because if all of these people are censored then so am I.
The only place it has any advantage is crime.
The problem is a social one: we need to lobby the government to ensure folks like Snowden are protected, and not allow the tyranny of the minority through spending money in a way that can't be traced or censored.
We can all agree sending money to North Korea is bad.  Funding ISIS is bad.  Ransomware is bad.  Wikileaks and Snowden? There's a debate to be had. You're actively circumventing democracy by preventing us from having that debate and by refusing to abide by democracy's decisions.
You're attacking symptoms, not problems, with tools that are just broadly worse. Social problems need social solutions, not anarchy and magic beans that live in your computer. Of course that's harder, but it is better, and there's no "number go up" to compensate you.
>The only place it has any advantage is crime.
What? Wikileaks was censored without even being charged with a crime.
The reality is people who have committed no crimes are financially censored on a regular basis.
According to the EFF:
>The actions of a small number of payment intermediaries— like payment processors, banks, and credit card companies like Visa and Mastercard—can heavily influence what kind of speech can exist online.
For example, Subscribestar was censored by political activists - they committed no crime.
Paypal censored people for selling erotic fiction. What law did they break?
The ACLU is currently suing New York state for financially censoring an organization which likewise committed no crime.
>The problem is a social one: we need to lobby the government to ensure folks like Snowden are protected, and not allow the tyranny of the minority through spending money in a way that can't be traced or censored.
The problem is nine times out of ten not the government. Here's a better idea: let's make censorship impossible in all forms.
Addendum: Not to mention the millions of people who live in censored countries (Iran, Venezuela, etc) who are totally innocent. Or the billions of people worldwide who are cut off from western monetary institutions in the name of anti-money laundering laws - people censored purely because they were born in the wrong country.
Or how about the billions of people who live under authoritarian governments which outright censor them. Are they expected to lobby their masters to achieve political change?
>Here's a better idea: let's make censorship impossible in all forms.
It seems like you're proposing government ownership or extremely heavy regulation of private businesses.
For your ACLU/NRA case, you have a good case: this appears to be action by a state government to restrict funding to an organization that is not charged with a crime.
However, for PayPal and erotic fiction authors, this isn't government censorship at all. This is a private company declining to do business with someone. One of the hallmarks of the American business and legal system is the right to free association. You can't force people to do business with other people, unless (due to specific legislation, namely the Civil Rights Act) you can show that one side was discriminating against someone in a "protected class" (race, sex, religion, etc.). "People selling erotic fiction" are not a protected class, so companies are free to do business with them, or not. Personally, I think it's pretty ridiculous, and I have no idea why PayPal would single them out when they provide services for so many others, but again, they're not a public utility, they're a private company. The authors are still free to receive money from clients through cash, checks, bank transfers, competing services like Stripe or Venmo, merchant accounts, etc. Yeah, it sucks that a really convenient payment processor for small entities is off-limits, but it's not like they can't get any money at all, even though it probably would affect their business.
Do we really want to have government in the business of forcing companies to do business with other companies or organizations? What if it's the KKK? What if it's a drug cartel's shell company? What if it's a terrorist organization, but one which the government happily looks the other way for because they're antagonizing some political foe?
And it's not just finances, it's other kinds of business. Should an advertising firm be required to do business with anyone? What if the KKK wants them to post ads? Or some religious cult? This would be a pretty horrible precedent.
>It seems like you're proposing government ownership or extremely heavy regulation of private businesses.
Not at all! I respect their right to do business as they see fit. I believe cryptocurrencies should be adopted as an alternative.
I actually feel a bit bad you wrote all that based on a big misunderstanding. I need to be more clear with my writing.
*I accidentally quoted the wrong line when I made this post, causing some confusion.
> Not at all! I respect their right to do business as they see fit. I believe cryptocurrencies should be adopted as an alternative.
B does not follow A. There's an entire universe of better options.
You failed to address literally all the things I pointed out.
> The problem is 9 times out of ten not the government. Here's a better idea: let's make censorship impossible in all forms.
PayPal and Visa only make money when they process payments. Not processing payments means they don't make money. Not processing payments for Snowden is therefore likely outside pressure from the government. Not processing "immoral" transactions is likely outside pressure from investors or advertisers, or heck, probably their risk management team.
PayPal is a private company and can choose not to process payments for anyone, for any reason. The Fed/ACH doesn't have the same issues because they are a service in the public interest. They will process payments for anything legal for 1/10th of a cent each over the span of a couple of business days. By the end of the year, instantly, via RTP.
> The ACLU is currently suing New York state for financially censoring an organization which likewise committed no crime.
Luckily, since it is a public institution, remediation exists through the courts. BTC's irreversibility makes remediation impossible. You're pointing to a big feature as though it's a bug. Just ask the victims of the ransomware.
> Addendum: Not to mention the millions of people who live in censored countries (Iran, Venezuela, etc) who are totally innocent. Or the billions of people worldwide who are cut off from western monetary institutions in the name of anti-money laundering laws - people censored purely because they were born in the wrong country.
Take it up with your government. That's how government works. You don't like it, change it, don't circumvent it. It's like setting up your own parallel government because you don't like who's in power: that's not how it works. Do I agree with sanctions policy? Lord no. However, I can always lobby to change it. I think you'll find the majority do agree with sanctions policy and that you're undermining democracy.
> Or how about the billions of people who live under authoritarian governments which outright censor them. Are they expected to lobby their masters to achieve political change?
No, they're expected to overturn the government. Freedom isn't free, and all that. The censorship of their transactions is literally the least of their problems. Social problems require social solutions. Or phrased glibly: bitcoin won't help you as you mine minerals in the gulag. It won't help you avoid the gulag and it sure won't do anything to help you once you get there.
In fact, I'd be more worried about transacting on the indelible public (pseudonymous) blockchain than transacting in say, cash, if I didn't want the government to know what I was doing. You don't think the PRC would build automatic deanonymization tooling?
>PayPal is a private company and can choose not to process payments for anyone, for any reason. The Fed/ACH doesn't have the same issues because they are a service in the public interest. They will process payments for anything legal for 1/10th of a cent each over the span of a couple of business days. By the end of the year, instantly, via RTP.
Sure, PayPal is a private company and can do what they want. That doesn't mean they don't censor individuals. You said nobody ever got censored except for illegal deeds so I pointed out how that is wrong.
Also, can an ordinary guy open a bank account at the Federal Reserve? I don't believe so, so your point is moot.
> Luckily, since it is a public institution, remediation exists through the courts.
How about why the hell should we allow this kind of behavior in the first place? You shouldn't need millions in legal fees to participate freely in the economy. Most people couldn't even pay that.
>Take it up with your government. That's how government works. You don't like it, change it, don't circumvent it.
Why? If the policy is not moral there is no good reason to follow it. Civil disobedience. Besides, you see this changing any time soon?
>No, they're expected to overturn the government. Freedom isn't free, and all that.
Oh great. Who will pay for that?
>In fact, I'd be more worried about transacting on the indelible public (pseudonymous) blockchain than transacting in say, cash, if I didn't want the government to know what I was doing. You don't think the PRC would build automatic deanonymization tooling?
Luckily there is Monero which provides actual privacy.
> Oh great. Who will pay for that?
Are you kidding me?
How will a revolution against an authoritarian government be funded if the money system is surveilled and censored?
We will never forget that Parliament burned the tally sticks.
We will never forget that FDR banned private ownership of gold.
We will never forget that Kennedy killed the silver certificate.
We will never forget that Nixon killed Bretton-Woods.
We will never forget that bankers and financiers repeatedly take advantage of moral hazard, producing bubble economy crashes, such as the 2001 dot-com bomb and the 2007 subprime mortgage bust. Remember tulip mania? That was in the 1630s. Cleverfolk have been running market-wide financial scams for 400 years of recorded history, from a position of leverage near the controllers of money.
The problem is that governments everywhere have always been taking away control of money from the public, and transferring it to parties that either operated with complete impunity already, or became effectively unchecked once they controlled the money.
The function of money in civilization is too important to allow any one party to put a fence around it, to start collecting tolls whenever it so much as twitches.
While current cryptocurrencies don't yet do it well, it is theoretically possible that everyone in civilization could issue their own scrip, circulate it in trade via a trust web, and later redeem it for the goods and services that they provide, without anyone ever physically printing onto forgery-resistant notes. The credit function of trade would no longer belong to banks and their credit scores, but whether the people who know the people you know believe that you can honor your commitments. The futures, trading, and securities function of markets would no longer belong to financial firms.
We don't need to lobby anybody. We just need to use money that destroys itself if too few of the participating entities can collectively control too much of the system. If anybody tries too hard to be Visa or Mastercard, they end up with x% of nothing instead of x% of everything.
...So cryptocurrencies definitely have an advantage as fertilizer for bullshit libertarian pipe dreams, if nothing else.
Are you quoting me? Cryptocurrencies appeal to more than just libertarians. Richard Stallman, who is a downright socialist, recognizes the anti-censorship properties of cryptocurrencies as important.
You clearly don't remember when they used to ask for MoneyPak transfers.
It's easier to tie them to the real-world identity of the criminal distributing the ransomware.
It's not impossible to do it with BTC, but at the moment, law enforcement isn't doing much about BTC, unless it involves drugs or CP.
No, you'd tie them to the real-world identity of some unwitting mule.
Unless you have better OpSec than the KGB, or a cartel-like reputation for inflicting incredibly disproportionate amounts of violence unto the friends, family, household pets, and lawyers of snitches, pressure on that mule works wonders.
As far as I know, no, MoneyPak transfers cannot be traced.
They cannot be reverted once spent, but they can absolutely be traced. Police can subpoena records from MoneyPak, which is more than happy to comply. You also actually have to go out to a physical location, and swipe your MoneyPak card, to buy something. That physical location will keep records, may have security footage, etc.
If you're doing MoneyPak fraud, and live in any country with a functional rule of law, it's just a matter of time until you either find yourself booked for processing, or, alternatively, ziptied, and with a brown bag over your head, put on a flight to the US.
The Wikipedia article seems to suggest otherwise.
Select quote: "In August 2012, the FBI also issued a warning that scammers were taking advantage of MoneyPak's untraceability to coerce unwitting victims into paying a "ransom" to unlock their computers infected with malware."
Yes, it's pushed companies to have real backups and security. Great! Before, data would just be covertly stolen and sold.
This, along with its absurd energy consumption "pushing people into renewable energy" is fascinating. Why don't we set fire to buildings downtown to motivate investment in fire departments? Why don't we steal things and smash things to motivate investment in police departments? How about dumping toxic chemicals into lakes to invest in the EPA and bolster environmentalism?
Why don't we in general actively engage in the behavior we want to stop in an attempt to motivate different people to stop us?
I think this is the main idea behind "The Purge," and if "The Purge: Survival" is any indication, it's unlikely to work ;)
Your analogy makes no sense. Are there building fires we aren't aware of? Are there smash and grabs happening without police being notified?
The last one actually does happen and it would be great to have a better way to know when and where by who.
Why on earth would you cheer on a company dumping toxic chemicals into the lake just because they raised awareness?! It's caused material harm. That's madness. You punish them for that, and anyone who enabled them.
If buildings catching fires easily was a real problem, then yes one major event would be a wake-up call to everyone else to provide a real solution to the problem.
But you wouldn't reward the arsonist would you?! Or the negligent builder? Or the planning department who failed to stop this insanity when it could have? You wouldn't lobby for systems that fail catastrophically just to point out shortcomings.
Cryptocurrency is a tool used by bad actors long after they have compromised the system.
YOU PIECES OF SHIT JUST HAD TO SPIKE, MONKEY WRENCH AND POISON PEER-TO-PEER FILE SHARING, AND I HAVE NO FUCKING SYMPATHY FOR ANY OF THE SUBSEQUENT DESTRUCTION, HOWEVER RAMPANT THIS MAY BE.
AND FUCK MICROSOFT WINDOWS, ESPECIALLY FOR ITS PERPETUAL VULNERABILITY/EXPLOIT/PATCH/UPDATE HAMSTER WHEEL. WHAT A FUCKING JOKE. KILL YOURSELF IMMEDIATELY, BEFORE RANSOMWARE FILLS YOUR HARD DRIVE WITH ENCRYPTED CHILD PORNOGRAPHY NEXT TIME, INSTEAD OF JUST LOCKING YOUR FILES.
NO LAW ENFORCEMENT ORGANIZATION OR GOVERNMENT AGENCY WILL REFRAIN FROM SACRIFICING YOU TO AN INMATE INFLICTED CHOMO DEATH SENTENCE, THE DAY YOUR IDIOTIC OPERATING SYSTEM IS USED TO FRAME YOU FOR A CRIME YOU DIDN'T COMMIT, ALL FOR THE GLORY OF A GEEK SQUAD'S $500 FBI INFORMANT MERIT BADGE.
THIS IS THE FUTURE YOU DESERVE FOR LINING STEVE BALLMER'S POCKETS.
The actual moral is fuck the Ransomware.
It's just a fancy name for a broken computer.
How many people does a broken computer kill? How many people does a slow computer kill?