back to article If someone could stop hackers pwning medical systems right now, that would be cool, say Red Cross and friends

Following the surge of cyber attacks on medical facilities, the head of the International Committee of the Red Cross (ICRC) and more than 40 other international leaders asked the governments of the world to do more to safeguard critical medical organizations amid the coronavirus pandemic. In an open letter published on Tuesday …

  1. Dwarf

    Whilst their logic may be good, I wonder if anyone has explained to them that the attacker doesn't know what the endpoint is, nor do they generally care.

    Its easy to see why the compromised will happen since people click links with interesting titles and pandemics definitely tick the box for that.

    The only way to really fix this issue is to ensure that the tools that you need to do your job are properly protected, a bit like how you lock the the other things in the hospitals and vehicles. Its time for organisations world-wide to realise that IT security budgets are really important and that its not wasted money. On the other hand, paying a scammer is.

    1. Anonymous Coward
      Anonymous Coward

      We make medical devices and saw a big uptick in malware deliveries after they added a COVID statement to the corporate web site. I expect that in today's world the malware is delivered by bots, not people who only get involved once the malware executes.

    2. veti Silver badge

      That's true for the regular spammed attacks, but there's a whole lot of spear phishing and other highly aimed hacking that's being directed at the medical industry right now.

      If I had to speculate, I'd guess it's happening because unaccustomed amounts of public funds are being poured very quickly into medical care and research. Anytime that sort of money is sloshing about in places that aren't fully accustomed to it, there will be opportunities for scumbags to siphon some of it off.

    3. sad_loser
      FAIL

      Haven't they heard of the Streisand effect?

      I work in medical informatics and the sad fact is that most of the kit is abysmally bad, and is held together with the IT equivalent of duct tape, and completely deserves to be hacked.

      The root cause for this is that there is still a mindset in healthcare that good data / information is a 'nice to have' rather than being part of the core.

      To its credit, this is something that HMG have been actively trying to remedy and this increased post Wannacry.

      There are good standards in healthcare IT e.g. 27001 / 13485 / OWASP but they are not properly enforced, and we have got a load of cowboy wannabe healthcare IT clowns who have been allowed to deliver kit that is not up to scratch.

      1. fnusnu

        Re: Haven't they heard of the Streisand effect?

        You've also got a load of cowboy wannabe healthcare IT clowns who have allowed kit to delivered that is not up to scratch.

      2. Danny 2

        Re: Haven't they heard of the Streisand effect?

        @sad-loser

        "The root cause for this is that there is still a mindset in healthcare that good data / information is a 'nice to have'"

        Kind of, but I disagree slightly. My take is there has been a bias against security in the healthcare industry because there is a bias, an assumption, that people are basically good and rational and so would never attack healthcare.

        It's arguable and perhaps provable that most people are basically good and rational, but it's easily provable that some people are the opposite.

  2. jake Silver badge

    Obvious answer is obvious.

    "The Register asked the ICRC what it hopes to accomplish by demanding governments do more"

    Because they want to get into more column-inches, silly!

  3. Blackjack Silver badge

    Hacking hospitals costs lives

    No matter how you may feel about certain medical institutions, messing up with their computers systems can has has ended with the loss of life.

    1. Rich 11 Silver badge

      Re: Hacking hospitals costs lives

      Some people just don't care. They'll see it as the medical institutions' fault for not having better security. Even if it was their mum who died as a result, they'd find some way to justify blaming anyone but themselves. It's like the bully or abusive spouse/parent who exclaims, "Now see what you've made me do!"

  4. Anonymous Coward
    Anonymous Coward

    "ICRC argues that the world has agreed to spare healthcare facilities from attack during wartime"

    Well that's going well then. It appears that it has become standard practice to bomb all hospitals and schools as "first class" targets - at least in certain parts of the world.

    And, as a programmer. I am paid to split hairs, so I will: it isn't wartime in most of the world and therefore that agreement clearly isn't relevant - however the fourth estate wants to style the pandemic and our efforts to contain it.

    And, don't forget, there countries out there that would love to sow discord and confusion in "The West" so are unlikely to do anything about all that clearly targeted BOT action any time soon.

    1. Peter2 Silver badge

      ICRC argues that the world has agreed to spare healthcare facilities from attack

      I think that people are expecting that an awful lot of "rouge" hackers are in fact under defacto government control, which truthfully is probably not too far off of the truth given that it's reasonably well established that both China & Russia do this.

      Applying the geneva conventions to these people is perfectly reasonable, as if you've been trained equipped and armed people to form a militia then your responsible for ensuring that they follow the laws of civilsed warfare. Asking states to exert similar influence they have over people they may well have trained equipped and armed with digital tools instead of firearms is not too much of an ask. I doubt it'll work, but asking doesn't hurt or cost anything.

    2. Anonymous Coward
      Anonymous Coward

      Well that's going well then. It appears that it has become standard practice to bomb all hospitals and schools as "first class" targets - at least in certain parts of the world.

      In "certain parts" of the world people are using the school buildings and hospitals as ammunition dumps and command centres, which is a violation of the geneva conventions of civilised warfare and which use forfeits their protected status and makes them legitimate targets, especially when your looking at schools re-purposed as ammo dumps that don't have any kids at them.

      The big question is why this happens. Glad nobody asked that, but the answer is that the sort of people who will use a school as an ammo dump aren't below putting on a really good show for the media with dragging kids bodies out of the rubble afterwards, even if the kids are alive and have to be buried just before the shots. One particularly egregious example was done in the middle east where careful analysis showed that the same kid had been buried and dug out of three different buildings for the media.

      As a quid quo quid for the brilliant footage the media won't point out it's staged or why the buildings were targeted as they might lose out on juicy, first class pure propaganda in the future that might win a presenter a journalism award for doing a voiceover.

  5. Frumious Bandersnatch

    While, um, ...

    stories that have apparently been going around are worrying, I would be more worried if the appropriate paperwork wasn't filed in, um, a reasonable timescale. So, uh, if you could all file these TPS reports by tomorrow morning, that would be, um, great.

    (what's the worst that could happen, right?)

    1. jake Silver badge

      Re: While, um, ...

      Can't get you the TPS reports until we have the results of the Perk Test.

      ( When I worked for Bigger Blue, back before the days of VisiCalc and Word Star, if middle management wanted to know how long it'd be before any given project would be finished, the stock answer from us techies was "We're still waiting on the results of the Perk Test" ... the manager would mindlessly nod his head, usually slack jawed, and wander off. Many of them actually had open-ended bars on their hand-drawn Gantt charts labeled "Perk Test" ... the mind boggles.

      Computing's a hurry-up-and-wait kinda career. Sometimes we need coffee ... but actually, I coined the phrase after a soils engineer came out to my property to evaluate the location I had chosen for my new leach field. Do with that what you will.)

      1. Bronek Kozicki

        Re: While, um, ...

        As usual, can't say if you are making this up or not, but it's a cool story anyway so have an upvote.

      2. Woza
        Joke

        Re: While, um, ...

        A new leech field? You are Dr. Hoffmann of Stuttgart and I claim my $5.

        1. Teiwaz

          Re: While, um, ...

          @Woza

          Nice Blackadder ref.

  6. Anonymous Coward
    Anonymous Coward

    The obvious solution to the obvious problem

    Don't want to be hacked? remove that exterior internet cable.

    There is little reason for majority of the medical devices to be on the world wide web.

    1. jake Silver badge

      Re: The obvious solution to the obvious problem

      "There is little reason for majority of the medical devices to be on the world wide web."

      Then I'm absolutely certain you'll be overjoyed to hear that very, very few medical devices are connected to the world wide web.

      Unfortunately, however, many such devices are connected to The Internet, which turns out to be a bit of a problem.

    2. Anonymous Coward Silver badge
      Facepalm

      Re: The obvious solution to the obvious problem

      Medical devices, like their remote access server? You know, that think that facilitates working from home for a significant proportion of the staff; those doing admin things such as ordering meds, PPE, etc or completing other 'paper'work.

      Yeah, I can see how they shouldn't have any form of internet connection for that.

  7. Loud Speaker

    Windows

    Surely here is proof that Windows should never be used in medical (or other life threatening) situations (Or Xboxes).

    1. Glen 1

      Re: Windows

      Why?

      What difference does it make if there isn't anyone shepherding the machines with updates etc?

      Or are you naive enough to think there aren't machines out there that are still vulnerable to (or haven't already been compromised by) <flips chart> heartbleed? <flips chart> Meltdown?

  8. Roger Kynaston

    Securing/Ask People(scumbags) To Play Nice

    it is easy to scoff at what the ICRC and others are trying to achieve here. Others, more conversant with the specifics of both security and medical IT have pointed out that the former is woefully inadeqate in the latter. I am sure that many in the medical world still see IT in general and security in particular as a cost centre to be minimised rather than a core part of the business. After all, good security is a pain as it stops you doing things. We can also observe that many players do not respect the international law that attacking medical facilities is not allowed. No one is immune from this. There are more egregious examples and less so but it happens all the time.

    On the other hand, by making it a crime, it at least forces the bad players to try to hide it and gives a chance after the atrocity to take the neer do wells to the Hague. Everyone knows that they shouldn't do it even if they do. It is just that it is acknowledged as a bad thing which may give some people some pause before firing a rocket into a hospital or launching a bot attack on their IT systems. However useless the framework of international law may be, it is still there which is better than it was in the past.

    Maybe the state players encouraging the phishing, spearphishing and outright attacks on medical bodies at the moment will, at least once in a while, think twice.

    1. Anonymous Coward
      Anonymous Coward

      Re: Securing/Ask People(scumbags) To Play Nice

      "by making it a crime, it at least forces the bad players to try to hide it and gives a chance after the atrocity to take the neer do wells to the Hague."

      Not necessarily. Rules, like taxes, are for the little people. Those in charge don't have to worry about irrelevancies like justice and the law of the land. Most of the time they don't even need to think about the Court of Public Opinion.

      E.g Blair, Cummings, and many many more.

  9. TeeCee Gold badge
    Facepalm

    Slight snag.

    I'm pretty sure that those doing this are already breaking quite a few rules and adding more for them to break won't slow them down.

  10. Pascal Monett Silver badge

    I hope it will amount to something

    Maybe governments will make an effort to increase blocking of bot traffic or somesuch, I really haven't a clue what they can do though. Spam and phishing is only malware when it reaches the endpoint, when it's on its way there's next to no way to tell.

    Yesterday, I received the laptop from my friend the postman. It was sent by a customer so that I can work on a project on their servers in a secure VM configured by them. Coincidentally, I also received a mail telling me that my package was waiting for me and there was a €2 transport charge to pay. With a friendly link, of course.

    Out of sheer habit I checked the URL of the link, which immediately made me suspicious because of the strange name that had nothing to do with the company that the mail alleged to represent. Then logic kicked in and I realized that, even if there is a transport charge to pay, it's my customer that should pay it, not me. Finally I trashed the mail and thought nothing more of it.

    But I am certain that such a mail would make many a person click on the link and just follow instructions blindly. Especially these days where Amazon is becoming king of the hill. Now transport that kind of attack to a hospital environment, with a nurse that has a thousand other things to do and just wants this mail out of the way. It's easy to hack hospitals, they are trying to save people, not computer hardware. They already have their minds full of medical knowledge, cramming security procedures on top is a nuisance they don't have time for.

    I don't know what the solution is. Maybe a filter machine that all email is sent to by default before a human checks that it is legit and lets it continue to its intended recipient ? Put a fancy statistical analysis machine with oh-so-vaunted "machine learning" and maybe something automated could be tuned to be useful.

    1. Anonymous Coward
      Anonymous Coward

      Re: I hope it will amount to something

      Ban email for internal use and sanitize all external email through a gateway that may or may not include human gatekeepers, preferably in both directions. Assign or generate a unique externally facing email address per recipient, or better, per topic. Archive all traffic and have it searchable and by all means tagged into whatever internal messaging systems are in use. Email was never meant to be instant so users shouldn't expect it to be.

      Having the digital equivalent of the envelope-steaming secret policeman on the case ought to go quite a long way to knocking this sort of thing on the head.

  11. crayon

    "and gives a chance after the atrocity to take the neer do wells to the Hague"

    We know how well that doesn't work out. The biggest perpetrators of illegal wars will not let their citizens stand trial in any international court and would threaten any organisation and their personnel if they dare to prosecute.

  12. genghis_uk

    Chinese Stealing Research

    The FBI say that there is an increased number of attacks on pharma companies originating from China with an intent to steal their research.

    Of course you could say that in a time of a global pandemic it would be nice if the same pharma companies shared their research rather than keeping it secret so they can monetise it and surround everything with patents. Profits and dividends first!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like