1. 39
  1.  

    1. [Comment removed by author]

      1. 8

        I hope this is a wake-up call for hospitals to get their stuff together with regards to updating and securing their computer systems. Decade-old software running on Windows XP because ‘it still works’ is not acceptable.

        1. -1

          This is one of the reasons I can’t get behind government standardization and control of the medical system. Just as genetic diversity offers statistical protection against biological disease, diversity in organizational “genetics” offers statistical protection against organizational attacks. Hospitals in countries with robust private medical systems use a mish-mash of different digitization systems, which introduces overhead, but also means that all hospitals won’t simultaneously shut down due to an electronic attack.

          1. 23

            This doesn’t seem to have anything to do with the standardization of the hospital-specific IT systems themselves, just with the standardization on Windows. I believe in the U.S. there is approximately the same level of diversity in medical IT operating systems (i.e. almost none, everyone runs Windows). Note that this same wave of attacks also hit FedEx, using the same malware.

            1. 4

              Note that this same wave of attacks also hit FedEx, using the same malware.

              I told their head of INFOSEC, risk management, or whatever title that would happen years ago when I ran into him in a Barnes & Noble. I said, “Really, man, that pile of Windows books tells me you’re going to be in trouble with finances or security.” He agreed but said it was a Microsoft shop. No way around it. Legacy system effect from CIO down combined with proprietary lock-in from quasi-malicious vendor = big trouble down the road.

              1. 2

                Then why isn’t this ransomware taking down a similarly alarming percentage of hospitals in the US?

                medical IT operating systems

                There is obviously more to security than operating systems. In particular, the homogeneity of NHS IT systems allowed attackers to take down many hospitals at the same time, whereas in the US this almost certainly would not happen. There’s too much variance to automate an attack. It’s easy to hit any hospital, sure, but hard to hit all of them.

                Note that this same wave of attacks also hit FedEx, using the same malware.

                Further demonstrating my point. FedEx has a homogenous, standardized IT system, which allowed the entire organization to be attacked at once.

                1. 7

                  You’re imagining the variance. EPIC is dominating the market in the USA for hospital EHR systems. They’re all vulnerable to the same attack vectors.

                  edit: over 50% of the US population has their medical records in EPIC. Over 100,000 medical practices/hospitals. The next one is under half that.

                  1. 2

                    Then why isn’t this ransomware taking down a similarly alarming percentage of hospitals in the US?

                    Happenstance?

                    Canada was also unaffected, which would tend to run counter to your idea that single-payer healthcare was the primary vulnerability here.

                2. 14

                  There are no such countries.

                  1. 3

                    You mean no such countries with robust private medical systems? That’s false. I have been to some of them. If that’s what you mean, I’m concerned that a bunch of people here apparently agree with you; it indicates an unfortunate lack of exposure on this subject. I hope most people aren’t under the impression that good private medical care doesn’t exist; it does, just not in countries that software developers typically come from. Maybe I have inflated expectations as to people’s awareness of foreign societies/economies.

                    (In particular, the private care in both Mexico and India is excellent. Truly remarkable. Previously, I didn’t think “good customer experience” and “medicine” were in any way compatible concepts.)

                    1. 7

                      I’m pretty sure the health tourist/wealthy-people medical system in the UK survived too. India has a really anemic health care system if you are out of the 1% ( https://en.wikipedia.org/wiki/Healthcare_in_India ). Calling that a “robust private medical system” is laughable. NHS almost certainly was vulnerable because the Conservative government has starved it of funds for 10 years - hence Windows 98 ( https://www.theregister.co.uk/2016/12/08/windows_xp_nhs_still/ ) . US hospital/medical software is enormously concentrated but a massive investment in such systems since 2010 when Obamacare passed has upgraded a lot of them to their current (crappy) state. Libertarian dogma is a poor base for any kind of analysis.

                  2. 6

                    Why would you think this? The horrible state of computer security is not confined to government regulated industries.

                    ETA: what market pressure is exerted in any industry for security best practices? I don’t see how the market would make this situation any better short of a fundamental change in liability, which sort of solves the problem in the large, anyway.

                    1. 1

                      Why aren’t we seeing an article “Hospitals across US shutting down”?

                      I never said US hospitals have good security; however, they aren’t standardized, which provides exactly the (limited) protection I described.

                      1. 7

                        Why aren’t we seeing an article “Hospitals across US shutting down”?

                        Because someone managed to stop the worldwide spread first: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

                        There’s no reason to believe the US (or Canada, or Chile, or Bolivia) would have fared any better if it reached us.

                        1. 1

                          thanks for the link. What a story!

                3. 5

                  This is what happens when people don’t update Windows!

                  1. 1

                    How can you determine that? Are you joking?

                    1. [Comment removed by author]

                      1. 3

                        It was specifically this patch, released just under 2 months ago.

                        1. 0

                          So, if I don’t update, I will get this virus?

                          1. [Comment removed by author]

                            1. 1

                              Do you have a source for that? The trackers seem to still be counting up for infections. I don’t see anything in a quick scan of the news about a kill switch?

                              1. [Comment removed by author]

                                1. 2

                                  Thanks! Wouldn’t it be relatively easy for someone to repackage this without that vulnerability though?

                                  1. 2

                                    Incredibly. It’ll be a long weekend for ops folks everywhere.

                                    1. 1

                                      Yup, absolutely.

                      2. 3

                        US health records business is also very interesting - and kind of obscure. This article is a good glimpse into some of the business/tech issues. https://www.forbes.com/sites/zinamoukheiber/2013/03/04/behind-epic-systems-a-low-key-health-it-company-called-intersystems

                        The NHS problem seems to involve the UK government deciding to neither migrate out of Win98 nor keep paying MSoft for patches https://www.theregister.co.uk/2016/12/08/windows_xp_nhs_still/

                        1. 2

                          It should be noted that even though Caché supports other languages and has an SQL layer, it’s still all using the MUMPS data structures underneath, and those abstractions start leaking pretty quickly. The newspaper I worked for replaced the Rails CMS I built with a “newspaper-specific” one based on Caché, and I could not get out of there fast enough after the transition period.

                          Fun fact: mentioning “I’ve worked with MUMPS” at a tech meetup and watching who twitches involuntarily is a great way to see if someone’s worked for Epic in Wisconsin.

                        2. 4

                          Is there any way to help situations like these? I feel I have better technology choices that I could deploy but I’m not sure anyone wants them, even if they are safer.

                          1. 1

                            For some reasons, “internet of surgeons” doesn’t sound like that good an idea now…