Submitted by CrankyBear t3_zsuzg3 in technology
Comments
Ein_Death t1_j1bd22h wrote
This doesn’t sound true (the part about GE). Can you elaborate and show a source?
HanaBothWays t1_j1be3ic wrote
Which part about GE? They do make medical devices. And I just used them as an example, any company that makes medical devices behaves the same way.
If you look up anything about cyberattacks on medical devices or medical device vulnerabilities there is a reason that the VA is the only American hospital system that’s vocal about it (and they have a program to address it) while all others are rather conspicuously quiet.
Ein_Death t1_j1dm5wm wrote
The part about GE being able to sue people for saying they’re insecure.
cuisinedossier t1_j1bflkg wrote
>but if you are a hospital system and say something like “our IT system got locked with ransomware because of an insecure GE device,” GE will sue you into bankruptcy, so nobody dares to say anything and the problem does not get fixed.
this sort of thing is probably everything
HanaBothWays t1_j1bg96n wrote
It’s kind of unique to medical devices. You can talk about Windows or Oracle databases having bad vulnerabilities and how you traced a hack of your company to that and they won’t come down on you like a ton of bricks, but it’s different if you say it was unnecessarily open ports (that you couldn’t close) in X company’s heart monitor.
This has gotten better in the past decade or so. There are better standards for manufacturers to secure medical devices and more established practices for hospitals to patch them and such (because you don’t want a ventilator to go through a patching cycle while a patient is using it, ya know?), but it’s still bad out there for this and other reasons.
AnhedonicSmurf t1_j1a38u3 wrote
This happened to a major hospital in Iowa a few months ago. Took like over a month to get things fully running again.
CrankyBear OP t1_j1a1xb1 wrote
Now, this is downright scary!
HanaBothWays t1_j1bihht wrote
It happens a lot. Hospitals or entire hospital systems (including the NHS) have been getting knocked out like this at least every couple of months for the last several years. Ransomware gangs love hospitals. And school systems.
HanaBothWays t1_j1a4gc8 wrote
A lot of hospitals have piss-poor cybersecurity. This is not just a problem with hospitals, but it is a particularly big problem in the healthcare sector.
One issue is that medical device manufacturers don’t do anything to secure their devices which are on hospital networks and they provide an easy way to get in and attack the networks, but if you are a hospital system and say something like “our IT system got locked with ransomware because of an insecure GE device,” GE will sue you into bankruptcy, so nobody dares to say anything and the problem does not get fixed.
The only hospital system that can (and does) push for medical device security is the VA hospital system because they can’t get sued out of existence.
ETA: Applies in America, not necessarily elsewhere. Under-resourcing of cybersecurity for healthcare systems seems to apply worldwide though.