Legal question: If these motherfuckers are caught, and if it could be proven that their little stunt directly contributed to the death of a patient, could they be charged with murder/manslaughter? Seems to me that they could, but then again I’m not a lawyer.
Great googly-moogly.… :smack: I mean World War I.
Perhaps it is because it is getting so blurry with time that historians are beginning to see WWI and WWII as the same conflict with a 20-year pause; of course, that would make Italians look very silly for changing sides 4 times during the global war of the 20th century.
Sure, you could. Except there’s no way this is actually going to happen because these guys don’t live in the US or the UK or Europe.
My hospital is part of a fairly large regional system. Up until two years ago, you could only access a large part of the electronically-stored medical records if you rolled back your computer’s version of Java to the version from when the software was installed–back in 2007.
They finally fixed that, at least, but we did get hit with a system-wide ransomware attack last fall. It was a nightmare–everything took twice as long, lab and radiology results were handwritten scrawls if they came back at all, and a lot of what happened during that time is simply lost. And we don’t even have a full-fledged electronic medical record. They let it go on for three weeks while they looked for a recourse, but eventually they just paid the ransom. No one will tell me how much it was, and from what they tell me they genuinely don’t know who it was.
No, just that the Italians figured out … which way the wind was blowing.
Reuters is reporting a possible North Korean link.
Yes, I’ve heard that hospitals are a favorite target of these scum. They often don’t have the most up to date systems and their data is life and death critical. So they often pay up fast.
OTOH, the last I heard these losers hadn’t cracked $70k in ransom.
Sure, you could have some legacy software, a perfectly valid reason to run XP.
But that machine should be air gapped, or at least on a separate subnet.
There is no excuse for it being in contact with an SMB share or an email server; it is amazing they got away with that shit for so long. It is the stuff you learn BEFORE security 101.
I know this looks like victim blaming, but this isn’t “she shouldn’t have worn that dress”, it is “she shouldn’t have gone bicycling in camo, with no helmet, without lights, at night, on the freeway”.
Those people handle sensitive medical records, they really should be more secure than my granny. Hospitals should be a hard target, not the softest.
Just want to reinforce this because some people are criticizing the NHS over this (or implying “Look how cheap things are under UHC!”)
In the medical industry, “If it ain’t broke, don’t fix it” is the sacred law of IT systems.
It’s not that they can’t afford, or are too lazy, to upgrade, it’s that the worst case scenario is a glitch affecting the treatment of a patient in some way, and harming the patient.
So the cost / benefit of upgrading is very different to a home user, or an office. Even if an upgrade causes no harm, the cost of just formally retesting the system is high.
There are isolated systems used just for a handful of workflows where there’s no reason not to treat a Windows XP computer as an appliance, with no reason to update the software (though eventually you’ll be forced to upgrade the hardware).
Agreed.
How much have they netted so far? As of 5pm Monday they had $72,000 US. Which they probably dasn’t touch. snerk