Woman dies after hospital is unable to treat her during crippling ransomware infection, cops launch probe

A woman in Germany died after a ransomware infection prevented her hospital from giving her emergency treatment. The unnamed patient died en route to a hospital in another city after she was unable to get treatment in Düsseldorf due to the malware affecting computer systems. A manslaughter investigation is now underway against …

  1. JakeMS
    Mushroom

    Why?

    Why is a computer/device that is necessary for ensuring you can serve emergency cases connected to the internet?

    Surely, something so critical should be Offline (Installed/Configured, just works, no need for the internet)?

    If it's the case of needing to transfer patient data, say for blood type, couldn't a doctor just call another hospital (by phone) for the patient's emergency records and perform the operation?

    1. big_D Silver badge

      Re: Why?

      If it's the case of needing to transfer patient data, say for blood type, couldn't a doctor just call another hospital (by phone) for the patient's emergency records and perform the operation?

      It isn't just blood type, it is the full medical history.

      One of the problems is manufacturer support... They do remote support these days and access the devices and applications over the Internet. No Internet, no support when something doesn't work.

      I know the admin at a manufacturing facility, they have an old cutting machine that is bound to software running under XP - it won't install or run on Windows Vista, 7, 8 or 10. To upgrade the software to Windows 10, they'd need a new machine. The old one works fine, reliably and does what is needed of it, so why throw it away and replace it with a new machine costing 7 figures, when it is just the software that doesn't work on newer versions of Windows?

      They have isolated it and they do force the manufacturer to do remote support. The first question is the TeamViewer ID, the support are told the device is offline. They say to put it online. They are told, provide software for Windows 10 and we'll put it online. Until that happens, you will remote-control the machine operator with verbal instructions.

      That might work for a single manufacturing machine, but a whole hospital full of "machines that go bing" is another matter, unfortunately.

      Then there is patient data transfer. The Krankenkassen (health insurance companies) hold the patient data and they collect the billing information from the hospital systems. This should be over a secure Telematik system, but that is still running over the Internet, albeit in a secure tunnel.

      That individual monitors, and whole operation rooms are online is a different matter, they should certainly be isolated, whether standalone or an internal isolated network. And there should be disaster recovery scenarios to allow them to keep working if the systems go down. But re-directing patients that are en-route to other hospitals, if there are problems, is SOP - and according to local news, the woman was en-route to the hospital and her ambulance diverted, because the ER was offline and couldn't accept new patients, she wasn't transferred.

      1. Doctor Syntax Silver badge

        Re: Why?

        The germ of the solution is in your cutting machine story. The owners were able to force an admittedly not very satisfactory solution. For medical equipment there is, in principle, an easier way to do this and do it better. A couple of decades or more back it wasn't unusual for servers to have remote support via dial in lines which could be unplugged when not required. Medical equipment has to be certified. A certification requirement of remote support via a disconnectable channel would cut out one weakness. The politics of getting such a requirement in place, however ....

        1. big_D Silver badge

          Re: Why?

          Part of the problem is that the equipment still has to be certified and that includes the patch level of the PCs running it. You can't apply security patches until they have been tested and certified by the manufacturer...

          1. seven of five Silver badge

            Re: Why?

            Which also is rather sensible, given Micros~1 track record of update b0rkage...

            Some days you're the dog, some days you're the tree.

          2. Doctor Syntax Silver badge

            Re: Why?

            "You can't apply security patches until they have been tested and certified by the manufacturer..."

            And there needs to be an obligation on the manufacturer to do it promptly.

            A certification process which results in the equipment becoming unsafe is not fit for purpose.

        2. Boris the Cockroach Silver badge

          Re: Why?

          For us here in the machining/widget bashing game, the thought of 'patching' and 'upgrading' fills us with terror.

          why?

          well apart from notices in the maintenance manuals saying 'if pc is patched/upgraded, then the machine tool manufacturers will not be liable for any borkage'

          The thought of having an upgrade applied which causes different motion(s) to be applied to the robots can result in parts being ejected from the machining cells.

          We had a case of that 2 years ago where a fixture broke and 0.5kg of aluminium plate was spun up to about 4000-6000 rpm before being fired out of the machine and hitting the wall 40 feet away, safety screens notwithstanding.

          Now you imagine that happening because of an 'upgrade' and the legal borkage that would result if anyone got injured....

          But just get another PC..... ok... manufacturer has to certify that then attach it... then charge 1000's for the service

          But back to the subject in hand, the hackers who crashed the hospital systems in the first place... their punishment should be a go in the radiation treatment unit.... will they get off with a trivial dose or a screwed up lethal one... let's see how fast you can debug the control.....

          1. VicMortimer

            Re: Why?

            That's great and all, but if your systems can't be patched they need to be airgapped.

            And if it can't be airgapped, any manufacturer putting a notice like that in the manual needs to take full liability for any hacking incident that occurs, including being charged with manslaughter for situations like this where a system not being patched caused a death.

      2. Blackjack Silver badge

        Re: Why?

        Windows 7 Pro and the even more expensive one get Virtual XP for free.

        https://www.microsoft.com/en-us/download/details.aspx?id=8002

        I use it, it is not perfect but anything that cannot run on Windows 7 64 bits because it needs an older 32 bit Windows works on it so far, even Windows 3.1 stuff.

        Granted there is the small detail of having to buy extended support for Windows 7....

        1. big_D Silver badge

          Re: Why?

          Virtual XP doesn't usually help. I had a telephone system at home (still being sold by Siemens in 2014) that only worked with XP. I tried the virtual XP environment in Windows 7 Pro at the time and a full virtual machine. No dice. It needed low-level hardware access and could only run on bare metal.

          In the end, I repurposed an old laptop just for managing the telephone system, and that device was never attached to the network. I then looked at replacing the system with a more modern alternative that doesn't need dedicated management software.

      3. Mike Pellatt

        Re: Why?

        Windows XP, how modern :-)

        I sorted out a CNC machine tool controlled by a W98 machine a few years back. Might even have been 95, memory fades. Managed to track down a spare mobo and disk drive that were compatible for spares before they became (even more) like hen's teeth.

        It also had one of those multi-serial-port cards so beloved of green screens connected to *nix back in those days, used to talk to the various components.

        1. Blackjack Silver badge

          Re: Why?

          I am amazed the hard disk still works. That probably means it must have been replaced once or twice.

        2. HellDeskJockey

          Re: Why?

          That is the problem. The physical equipment lasts a lot longer than the OS. I still have to be familiar with W95 on some systems also Windows NT and Windows 2k. You just don't connect any of it to the internet.

          As an example the helldesk today is supporting a computer problem on a 1982 CNC machine. Sadly there is no easy way to upgrade the computer.

          As for warnings we routinely warn against everything. Otherwise you get sued for failure to warn. "You didn't tell me pouring gasoline (petrol for our British friends) on a fire is dangerous."

        3. big_D Silver badge

          Re: Why?

          We also have a sign printing system (signs printed on metal and perspex). It is DOS only. We have a spare machine and "collect" old PCs, for when the controller PC dies. The spare printer cost only a couple of grand (25 years old), a modern replacement costs high 5 figures, so there is no hurry to replace a working system.

      4. overunder Silver badge

        Re: Why?

        "...because the ER was offline"

        I'm not trying to excuse ransomware, but has anyone thought that if an ER can go offline, that ER isn't an ER? You can get caught up in a fish bowl pretty quickly thinking about software, but at the end of the day 99.9% of emergency services is actually non-software related. Remember, emergency isn't LONG-TERM care. So while software related devices are always helpful, in an emergency you can't ever factor it in.

        Man falls down having a heart attack, which software is needed to save him?

        Woman starts choking...?

        Entering a diabetic coma...?

        Bleeding out...?

        ... Are the ransomware sharks the only party that should be investigated?

        1. Stuart Castle Silver badge

          Re: Why?

          Personally, I am surprised that the ER was unable to function on at least a basic level, it's worth remembering that, for instance, patient records in a lot of hospitals are entirely stored digitally. That might not sound that important, but bear in mind your patient record will include your health records, and, if you have any known allergies, will contain details of them. Important if your allergy is to certain drugs because if you are allergic to the drug they prescribe for you, it will likely kill you.

          1. Paul Hovnanian Silver badge

            Re: Why?

            An ER should be able to provide some level of treatment for a patient without having medical records or even an identity. If they have severe allergies, one hopes that they might have something like a Medic Alert bracelet listing them. Assuming that allergies to drugs they may never have taken before would even be on record anyway.

          2. big_D Silver badge

            Re: Why?

            They could operate, they could take care of their existing patients. The problem is the emergency procedures.

            If the systems fail, SOP is to divert all incoming patients to another hospital that is fully functional. In a catastrophe, where multiple hospitals have all lost key systems, they run manually. But the insurance says, if there is another hospital that is fully functioning, the patient has to go there. It is risk minimisation, but that doesn't take all things into account - like whether the patient can live through the extended journey time.

            Airports are the same. If their systems fail, they land the aircraft already on final manually, everything else with enough fuel gets diverted to its alternative.

        2. jason_derp Bronze badge

          Re: Why?

          "...has anyone thought that if an ER can go offline, that ER isn't an ER?"

          Yeah I'm not willing to let the hospital off so easy either. Seems a lot like passing all the blame off onto some equally guilty party.

          1. big_D Silver badge

            Re: Why?

            Again, the hospital carried on operating in emergency mode. Existing patients were still cared for. Non-essential operations were postponed, but critical care continued.

            Then the emergency plan was put in place, which says that all incoming patients get diverted to a fully functioning hospital. The problem is, the emergency plans don't always take into account the travel time, just that the affected hospital isn't running at 100%, so patients are diverted to a hospital that is at 100% effectiveness. In this case, the patient didn't survive the extended journey. There is, unfortunately, no evidence that she would have survived if she had been taken to the affected hospital running in emergency mode either.

        3. CrackedNoggin

          Re: Why?

          Exactly - what happens when the next Carrington event occurs?

      5. Anonymous Coward

        Re: Why?

        The simple fact is that these hacks are nothing more than for financial gain via anonymous payments with crypto currency. If that was outlawed, then the financial incentive will be taken away as their anonymity would be gone.

        1. cbars Silver badge

          Re: Why?

          It would go away if paying the ransom was outlawed or crypto currency?

          Are you suggesting that this would go away without Bitcoin et al... are you sure...?

          1. Anonymous Coward

            Re: Why?

            No, it wouldn’t stop hackers looking for holes and it wouldn’t make it go away, but if you take away the anonymous and untraceable pay system, they won’t be able to collect their ransom or at least make it extremely difficult for them to get the cash, and makes it a less attractive and profitable proposition.

            1. EnviableOne Silver badge

              Re: Why?

              Bitcoin has a big issue, as the ledger is distributed, everyone can read it, and it's easy to trace proceeds of the crime through the ledger, people are starting to realise that the moment you try to turn it into hard cash, it is a known endpoint and Law Enforcement pounce...

  2. Sampler

    Pretty sure hospitals were treating patients before they had computers, if the diversion is an hour away emergency patients should be seen and paperwork can be sorted out down the line.

    As much as the ransomware folk are culpable, so is the hospital's IS team, companies like mine can be a little lax, we do market research, it's not life or death, these should be isolated in groups, physically as much as possible, yes route out to the internet if you have to (such as support mentioned elsewhere can be something enabled/disabled as required) but even internet access doesn't mean they should be able to access the next machine to prevent a cascading failure.

    Yes it's complicated, but, that's why hospitals pay so much in IT. You can't take the pay-cheque that comes with responsibility and then shirk it when you fuck up.

    1. Anonymous Coward

      "Pretty sure hospitals were treating patients before they had computers"

      We don’t know the details of the situation, but my guess is that the IT reliance was for something more than “paperwork”.

      Maybe she was an RTA casualty, and needed a CT to diagnose internal injuries. You can’t use “pen and paper” to transmit the results of something like that if the network is in bits because of a ransomware incident.

      I’m pretty sure that the mortality rate for that kind of stuff “before they had computers” was not good.

      But I expect the IT staff at that hospital would take comfort from the fact that some a-hole in a marketing company thinks that it’s as much their fault as the ransomware perpetrators. Well done.

      1. Doctor Syntax Silver badge

        I've done work for a company where production, handling lots of PII was kept well separate from the office system and its vulnerabilities. It was, in fact, a condition of some of their contracts. It might be inconvenient in some ways but it would have been a lot more inconvenient to admit to their clients that they'd been breached or to have production stopped for days because some toe-rag had encrypted their systems.

    2. Doctor Syntax Silver badge

      "if the diversion is an hour away emergency patients should be seen and paperwork can be sorted out down the line."

      Wouldn't it be great if there was a technology that would let you scan in paper-work, transmit it over an ordinary telephone line and print it out at the other end. Might not have helped in this case but as a fall-back it would be worth having.

      1. hoola Bronze badge

        How do you get electronic images out of a borked system?

        With so much of the diagnosis now the output of the raw information is electronic. In the old days you had an Xray that was a bit of film. Now you have a CT scan that requires a computer to look at the images. Even a digital Xray still needs a computer to view the image. They are completely incomprehensible any other way, you cannot just screen print something as the people doing the scans are experts at working the machines, not diagnosis. They may have some ideas but that is for the radiologist to sort out.

        I requested a copy of a CT scan I had on CD and it requires a viewer (provided) to be able to do anything. The data is just a series of binary blob files. Talking to my radiologist friend what I had on the CD is what comes out of the CT scanner.

        1. VicMortimer

          Patch it or airgap it.

          Virtually no ransomware in the wild will work on a patched-up system. It can't get to a properly airgapped system to f it up.

          That CD you had may well be the result of things right, if burning a CD is the only way to get the data off the CT scan system, malware is going to have a hard time getting on.

          1. big_D Silver badge

            The Iranian government would beg to differ. Their nuclear research labs were affected, despite being air-gapped. As long as there are humans in the chain, nothing is 100% secure.

            And being fully patched isn't a 100% guarantee either. There are still hundreds or thousands of unknown attack vectors that can be exploited once found until the manufacturer can get around to patching them.

            All you can do is minimise risk as best you can.

            We get calls from our users every day about, "is this genuine or a fake email?" I'd rather have to deal with 10 cases a day of a user being unsure than one case of a user not bothering to ask and infecting the whole network!

        2. Doctor Syntax Silver badge

          "How do you get electronic images out of a borked system?"

          You start by looking at how to avoid getting the system from which the images come from being borked. Start off by considering the system to be standalone. If it isn't terribly useful what is the minimum set of remote access facilities needed to make it useful? You want somebody to view the images remotely? Just sticking it on the hospital LAN is not minimal. Minimal might be a connection running through a firewall that only allows X-11 protocol. Even if you run the X server* on a Windows PC that gets borked X-11 is not going to be the sort of protocol to tell the CT system to go bork itself.

          It's like the old saying puts it - if you don't design a system to be secure it's hard to add on security afterwards.

          * The server is the bit that supplies display services, the one with a screen attached, not the one that provides the images.

          1. big_D Silver badge

            The problem is, that information collected by the disparate machines has to be collected centrally and put under tight access controls, so that only the relevant doctor can see the patient's information, and that from the bedside, in his office, in an operating theatre etc.

            And that central patient information also needs to pull in the external medical record from the insurance company...

    3. overunder Silver badge

      "You can't take the pay-cheque that comes with responsibility and then shirk it when you fuck up."

      This is absolutely correct. Even a complete black out of all power isn't an excuse.

      However in this case, we have witnessed that when insurance company Y will up your rates and investment firm Z might stop payments along with the risk of a "Jones" lawsuit... then it's better to let people die.

  3. macjules Silver badge
    Thumb Down

    Some ransomware slingers have promised not to hit hospitals

    That’s awfully nice of them. What about doctors’ surgeries, emergency services etc?

    1. big_D Silver badge

      Re: Some ransomware slingers have promised not to hit hospitals

      In this case, they had assumed they were attacking the medical university, not the medical university clinic (hospital).

      The local reports say, that as soon as they realised what they had done, they stopped the attack and handed over the keys.

      Good of them, in the circumstances, but it would have been better if they never attacked anyone...

      1. Nunyabiznes Silver badge

        Re: Some ransomware slingers have promised not to hit hospitals

        Over here the "I only meant to rob them, not kill them" defense doesn't go very far.

  4. EricM

    patch everything as soon as you can?

    As a general rule: Sure.

    But you also must consider that patching can break things, too.

    Additionally and ironically in security-relevant areas like hospitals, patching is additionally slowed down by the necessary certifications a patch has to retrieve, before it can be rolled out.

    Factual security and on-paper security might differ substantially in especially those areas that need it most...

    1. Anonymous Coward

      Re: patch everything as soon as you can?

      We have over 120 clinical systems, when MS release a patch BY LAW I have 14 days to patch under NIS.

      How the hell am I meant to get 120 systems tested? In truth I can't - I either patch and cross my damn fingers or delay and allow developers a chance to catch up, which in truth they never will as many of the contracts don't even require them to keep on the latest versions of third party cr@p like Java.

      It's an impossible situation which lands on low banded tech staff / infosec day in, day out.

  5. MJI Silver badge

    Time to hit ransomware criminals

    If they got splatted by various special forces they would soon stop.

    1. veti Silver badge

      Re: Time to hit ransomware criminals

      We've seen where that kind of thinking leads. Google "Andrew Finch" if you've forgotten the name.

      1. Anonymous Coward

        Re: Time to hit ransomware criminals

        I don't think he was suggesting getting target lists from random gamers.

        1. MJI Silver badge

          Re: Time to hit ransomware criminals

          Correct, I was thinking of proper tracing and stamping on.

          Ransomware criminals are terrorists.

          Also think I am thinking of competent people (eg from Hereford area) not gun happy yanks.

          1. Hollerithevo Silver badge

            Re: Time to hit ransomware criminals

            No, they are not terrorists. We can't label any particular nasty strain of criminal as 'terrorist', as then what do we call those groups who use crime and violence for political reasons? These guys are just criminals: extortionists, much like the goons who come to your shop to extract protection money from damage threatened by them. If the goon is using the money to finance a political group, then yep, terrorist.

            1. MJI Silver badge

              Re: Time to hit ransomware criminals

              Causing terror in hospitals, people dying - terrorists in my book.

              1. seven of five Silver badge

                Re: Time to hit ransomware criminals

                To be fair, this could be most countries' government.

      2. MJI Silver badge

        Re: Time to hit ransomware criminals

        Funny but I did not think about gun happy US law "enforcement" but proper digging by the specialist spy organisations such as GCHQ and enforcement by competents like SAS.

        1. VicMortimer
          Mushroom

          Re: Time to hit ransomware criminals

          And when the attacker is sitting in Iran or China or Russia or North Korea? What then, go to war? The last three have nukes, you know.

          You can't solve computer security problems with guns, not unless you want the whole world to burn.

  6. _LC_ Silver badge
    Facepalm

    Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

    Take away his shoes, everyone!

    Experts (the real ones) have been complaining for decades that running Windows machines in hospitals, connected to the Internet, is a recipe for disaster. We kept saying that people are going to die due to this STUPIDITY. We got brushed off.

    Then, when it happens, they just reassign the blame; (sponsored) media helps them in doing so and thereby keeping this turd afloat.

    1. LDS Silver badge

      Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

      The problem is that looking at medical images in ASCII art on a Linux terminal is pretty useless... There's a reason why the "year of the Linux desktop" is still far ahead in the future.

      1. _LC_ Silver badge

        Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

        Oh boy. The turds keep on coming...

        1. Doctor Syntax Silver badge

          Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

          At a guess it's people like this, working in hospital IT or hospital IT procurement, that mandated Windows over earlier, better options and brought this situation about.

      2. anonymous boring coward Silver badge

        Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

        Linux terminal?

        WTF? Did you retire in 1991?

      3. illiad

        Re: ASCII art??

        well, it looks like you are as clueless as the exec... a good linux can make many people think they are still running Windows..

        1. Doctor Syntax Silver badge

          Re: ASCII art??

          A good Linux can make people regret they're still running Windows.

        2. hoola Bronze badge

          Re: ASCII art??

          Nowhere does it state in the article that Windows was the culprit "one of the software suites they use".

          Now that could be Office on Windows or more likely some specialised software that needed to access data that was scrambled. It could easily be a Windows machine that was the entry point but equally malware is not just targeted at Windows. Windows is only more vulnerable because there is more of it. If Linux had become as ubiquitous as Windows it would be the main target. At least with Windows the OS is managed by a single supplier, updates are released to a schedule and can be easily installed. Whether people install them is another matter that affects every OS and piece of software. This "Linux is more secure than windows" is a panacea because most of the people who use it understand it.

          There is plenty of Linux out there running stuff, it is either hidden or only used by specialists. Most people particularly in the workplace use Windows because of all the infrastructure that goes with it. However you look at it Linux is still trying to play catch up and unless you have a single commercial vendor that is able to compete, it will not change.

          1. Santa from Exeter

            Re: ASCII art??

            Claiming that Linux is 'playing catchup' to Windows is kind of like saying that a bulk shipping carrier is trying to play catchup with Maserati.

            One looks fancy, everyone knows the name, but it needs a lot of nursing.

            The other one just gets the job done for the whole world.

            Guess which is which.

          2. Doctor Syntax Silver badge

            Re: ASCII art??

            "updates are released to a schedule and can be easily installed"

            My experience with Windows is that updates are a complete and utter pain to install. They're slow to download, hang up the entire machine for as long as they want, they fail, they reboot the machine. Linux upgrades download and install quickly unless you're doing a complete OS version upgrade. They only need a reboot - at your convenience - if they're kernel upgrades (and there are ways of patching running kernels) although if a service is upgraded it will need a restart. In my experience upgrades of services ask before restarting.

            It's worth remembering that most people who run other OSes have also suffered Windows and are in a position to make comparisons. If you only run Windows you don't know any better.

            1. hoola Bronze badge

              Re: ASCII art??

              I understand where you are coming from but in the corporate world where businesses need commercial support and consistency Linux still has issues. I am not saying there is no place for Linux there is, however it is not the "everything is perfect and rosy, Windows sucks" that many pertain to.

              It has to be patched and there can be just as many issues as with Windows. We probably have more Linux servers (1000s) than Windows but in order to maintain them there is just as much infrastructure as Windows. The testing and due-diligence is the same.

              The biggest downfall for Linux is the people who believe passionately that it is the only OS that matters and Windows is rubbish. One has to embrace both and understand where they fit.

              If Novell and eDirectory had been a bit earlier then the story just might have been different however it did not happen. Windows was already entrenched on the desktop and combined with NT Server/Exchange they became unstoppable. We ran Novell for years but in the end it went, it does not matter how much better it may have been, it simply was not viable and the costs became untenable. GEM Desktop was arguably better than Windows 1.x/2.x but Microsoft managed to convince suppliers that PCs should be distributed with MSDos & Windows. Was there a viable Linux alternative with a GUI that worked as well and could be operated by the growing number of computer users?

              One has to remember that Windows gained because it hid lots of things under the GUI and in general it worked well enough for the average user. You could install software and it worked, casual users did not want to be struggling with a terminal console trying to fix a broken repo or distribution. It is only the minority of techies that understand these things that care.

      4. sitta_europea

        Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

        "The problem is that looking at medical images in ASCII art on a Linux terminal is pretty useless..."

        Yesterday my wife bought "The Island" (Ewan McGregor, Scarlett Johansson) on DVD.

        When she got home she ripped it (on her Raspberry Pi4B) to an MKV file:

        $ ls -l the_island.mkv

        -rw-r--r-- 1 movies movies 1466848852 Sep 17 19:13 the_island.mkv

        Then we watched it, sitting on the sofa with the dogs. We played it on a Raspberry Pi2.

        The 'dollars' symbol is what those of us who know anything about computers call a 'prompt'.

        1. LDS Silver badge
          Facepalm

          Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

          Sure, using a CLI is what physicians are well versed in... when people like you start to understand how the real world works, outside your cubicle with Linux, you'll start to understand why people keep on using Windows, and Linux keeps on with a tiny percentage on desktops - and if you remove IT professionals from it, that percentage becomes infinitesimal...

        2. TimMaher Bronze badge
          Pint

          Re: Dollar prompt

          There again you might be a C sheller armed with a # or a sudo/rooty boy and you might have modded your favourite prompt to show your pwd and your user id .. the list goes on... korn, zsh etc.

          Great fun. And doing colour changes for ls and grep.

      5. Doctor Syntax Silver badge

        Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

        Unix windowing goes back at least to 1984 with X. The X protocol reached the current version, 11, in 1987. I'm not sure W95 was even a gleam in Bill Gates' eye in 1987. It was also possible to view X with a dedicated X-terminal although I'm not sure if anyone still makes those. I'd hazard a guess that all early development of CT systems was done on Unix graphics.

        If you really think Linux and other Unix and Unix-like systems are restricted to characters you really need to get out more.

        1. LDS Silver badge

          "Unix windowing goes back at least to 1984 with X."

          Yes, the problem is it's still there. Not surprisingly a large number of Linux UI applications are written in Java to shield them from the utterly fragmented windowing environment under it - and the lack of tools to make development faster.

          The sooner Penguinistas understand it, the sooner Linux will have far greater chances to become a desktop UI. As long as the status quo is defended because "Linux is never wrong", Windows will rule...

          1. Anonymous Coward

            Re: "Unix windowing goes back at least to 1984 with X."

            Shhh, nobody tell this guy what OS a Chromebook is running.

          2. Doctor Syntax Silver badge

            Re: "Unix windowing goes back at least to 1984 with X."

            "a large number of Linux UI applications are written in Java"

            ROFLMAO

        2. David 132 Silver badge
          Pint

          Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

          Don't rise to the bait, don't feed the troll. It thrives on it.

          Have a pint instead, it's Friday. -->

    2. illiad

      Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

      microsoft is good, they are worth ££££ , says clueless exec... loonix??? unsupported stuff... win 7?? no support!!...

      I have experienced M$ 'support'.. I have 30 years experience IT support with a big company, and they thought I was a hacker until I got my manager to shout at them!!

      That was years ago, before they went onto office365 support.. BUT some home workers are using it OK on apple, so there may still be hope... :)

      The only GOOD support out there is hundreds of users in internet forums, and many companies still support win7 and linux!!

      a quick goggle even found an ancient site, saying update win 8 to win8.1 :O - and I bet it will take the poor user straight to win 10, unwanted..

    3. Anonymous South African Coward Silver badge
      Mushroom

      Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

      and thereby keeping this turd afloat.

      As long as it floats, is shiny, and is a turd, it will be marketed to others.

      "Hey, it makes money, so what's wrong with it?" <--- the root of the problem

      Oh, and another thing. Sure, they promised not to target hospitals. Yeah, sure. Pulle the other onne, it has belles onne.

      Until you get the maverick who has absolutely no qualms and will cryptolock hospitals (and other healthcare facilities) and demand payment... and it will happen.

      Remember, ne'er-do-wells will think outside the box, and they hold themselves to other standards, not ours.

      icon - everything will go up in flames sooner or later -->

    4. big_D Silver badge

      Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

      Linux isn't a magic pill (pardon the pun). It has bugs itself and can be poorly configured, just like Windows.

      There have been problems with ssh and other key services in the recent past that would have allowed hackers to capture a Linux box, especially if it hadn't been kept up to date and patched straight away... Something that is very common in such institutions - the hardware and software suppliers only guarantee and support their kit and software if certain patch levels are used. If you patch a critical flaw without their permission, you are on your own if there are any problems...

      I've worked at places where the PLC manufacturer have caused months or years of backlogs on Windows updates, because they don't keep their software current and test it in a timely manner against the critical patches coming out of Redmond. The same would be true if the PCs were running Linux, no updates without prior authorization. Medical equipment is also certified, which means it can't get OS patches until they have been certified by the equipment manufacturer, which can take an age.

      The only real option is isolating the networks, but there still has to be some automation with the outside world, to exchange patient information and billing information.

      Having a Linux admin who doesn't know how to batten down a Linux box doesn't bring you any advantage over a Windows admin who doesn't know how to batten down a Windows box. Then you have the weakest link, the users...

      I love Linux and I have used it extensively and administered it. But keeping it up to date and safe is not any easier than keeping Windows up to date and safe. And the more services you are running on the computer, the more complex the issues of keeping that Linux box secure.

      1. Doctor Syntax Silver badge

        Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

        "Medical equipment is also certified, which means it can't get OS patches until they have been certified by the equipment manufacturer, which can take an age."

        Let's deal with that one straight away. No commitment to prompt certification of OS patches, no certification for your potentially lucrative piece of medical kit. And all source code must be documented and escrowed - perhaps along with a dowry to enable someone to take it over if you decide to duck out.

        1. big_D Silver badge

          Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

          The problem is, this is medical equipment, so any changes to the device need to be re-certified, before they can be issued. That costs the company money to go through the external re-certification process and it also takes time (limited federal testing capacity etc.).

    5. sitta_europea

      Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

      "Experts (the real ones) have been complaining for decades that running Windows machines in hospitals, connected to the Internet, is a recipe for disaster. ..."

      Yeah, it even used to say it on the inside front cover of the Windows documentation.

      In the old days.

      When there was any documentation.

    6. Anonymous Coward

      Just saying ...

      VxWorks is used on a lot of the low-level medical equipment, and on the very rare occasion a problem is found then they always work with the medical equipment manufacturers to sort it out quickly.

      The same goes for trains, planes, automobiles, nuclear, military and all the other sectors where the application is critical.

    7. Anonymous Coward

      Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

      This was a targeted attack by a criminal organization (ignoring the fact that they hit the wrong target) not a malware infection caused by someone downloading an application from a dodgy site. The attackers would almost certainly have found a vulnerability to exploit in an old unpatched Linux or Unix system just as easily as in Windows. In fact my understanding of this event from other reports is that the initially exploited vulnerability was not in Windows but in VPN concentrators.

      Victim blaming in IT attacks is just as unattractive as it is in real life assaults.

  7. Anonymous Coward

    I don't understand how the hospital has ended up being so dependent on IT that they can't treat patients without it. Surely a hospital of all places has a backup strategy that considers what should happen if the computers aren't available so that they can continue to treat patients?

    1. Anonymous South African Coward Silver badge

      CAT scan etc requires specialized equipment to process the data. Hence the IT part.

      1. _LC_ Silver badge
        Thumb Down

        CAT scan has no business being connected to the Internet. You can have a WELL-DEFINED READ-ONLY mount to that machine, but no more. Updates can be performed by dropping SUFFICIENTLY SIGNED packages to a folder, to which the machine has only a well-defined read-only mount...

        1. Anonymous Coward

          The data needs to go somewhere, not like they can have clinicians lining up to request to view images done on it.

        2. Anonymous Coward

          (DI) COM again?

          That is not the architecture of a modern medical imaging department.

          The scanners push to a central archive (PACS), the diagnostic workstations access that directly and sit on the same network. There is a webviewer for PCs on the hospital LAN.

          The department sits on a private VLAN with controlled bridges to the main LAN.

          The volume of data from a CT scanner is non-trivial and producing CD (DVD) would slow things to a halt.

          CT scanners don't have CD burners - we have a robot that does that.

          The days of printing to laser film are long gone.

          We rely on internet connectivity to do our jobs - looking up current research and best practice, as well as to access the multiple other systems in the hospital to check patient information or receive requests etc.

          When the network goes down we can't work.

          You would divert emergencies as the care possible would be extremely compromised.

          Yes there are business continuity plans but you would not take on new work.

          Core software on our scanners and digital rooms is upgraded locally by the engineers. There is no role for hospital IT to manage these machines - they are under regulatory control as you would expect for machines designed to use ionising radiation. Some still boot into XP, 7Pro - back to the machine thing - our kit is usually significant 6 figure sums.

          ps there are a variety of DICOM viewing software on Linux including 3D reformatting.

    2. illiad

      RE hospital IT

      have you ever been to a gp before covid, and been in the waiting room?? and you see the gp, and see they have a computer system that has your details?? they have to document *everything*.. when I went for a hosp check, he gave me a printout, to make sure that my details got there properly!!

      1. _LC_ Silver badge

        Re: RE hospital IT

        … and they need those systems connected to the Internet, so they can watch porn on them?

        1. Hollerithevo Silver badge

          Re: RE hospital IT

          Because they often need to contact hospitals, or the patient at home later, etc. And because they also do research online, because not every GP can remember every single thing about every single illness or problem that walks through their doors.

          1. _LC_ Silver badge

            Re: RE hospital IT

            Then you switch. There are hardware switches for that. You got your "Internet system" and the internal net. If you want to move stuff from one to the other, there needs to be a defined path, otherwise you'll end up with the above problem again.

        2. swm Silver badge

          Re: RE hospital IT

          I was in the surgery department of a local hospital and the nurses were shopping on the emergency department computers!

      2. Danny 2 Silver badge

        Re: RE hospital IT

        " they have a computer system that has your details"

        You can ask for a printout of that under DP laws. I did. They posted them to my neighbour.

    3. tin 2

      Speed. Any business that considers IT a cost-centre only, I recommend they try to run their business on paper and pen for a month.

      I've been in a few businesses, ones that can completely run on pen and paper, and ones that refuse to even put a procedure in place. But even the prepared ones work markedly slower when they're doing everything without a computer.

      1. Hollerithevo Silver badge

        Why should hospitals be 19th century?

        The problem is keeping hospital systems secure. No organisation can run on moated-fort technology or even on none. Ships abandoned masts and sails at long last, even though they were then dependent on coal and then oil, because finally you have to use the better technologies.

        1. tin 2

          Re: Why should hospitals be 19th century?

          You definitely can create proper air-gaps though with only-secure strictly-necessary comms between several systems that understand what both ends want and expect, and then don't blindly execute whatever's been sent across. It's very doable.

          Problem is implementing that properly over x-hundred systems is expensive, time consuming and in most delivery cases pretty much impossible without buckets more time, energy and $ going to the people implementing. In hospitals in my very limited experience, the barest minimum of time, energy and $ aren't even on offer, never mind copious amounts of them.

    4. dkjd

      The IT is there to make things more efficient and quick. Without the IT there was a delay. If the IT doesn't make things more effective or quicker then it shouldn't be there.

      It's the same as oxygen lines, they can treat people without them, but not as well, and some people will die.

  8. Rainer

    It's money, as usual

    IT-department probably asked for anything that was recommended in the comments above (separation, IDP, whatever) but management told them "No budget, make it work".

    A while ago I was at an event (yeah, it was a while ago, because it was still physical and there was food served afterwards) that was primarily some talks about DNS and DNSSEC and also hosted a panel with politicians and engineers where the audience could fling questions at the panel.

    There was one guy from a rather large and well-known hospital, begging the politicians on the podium for stricter laws so he could get the manager at his hospital to give him more money to fight the incoming threats. If it wasn't so sad, it would have been comical.

    Hospitals in Germany mostly belong to large chains that are profit driven. If they can shave a Euro from the budget by buying cheaper mice, they will.

    But if a security-measure costs money to implement and isn't obviously required by law, they'll just skip it "because we've been good so far, right?".

    1. Doctor Syntax Silver badge

      Re: It's money, as usual

      Hospitals in Germany mostly belong to large chains that are profit driven. If they can shave a Euro from the budget by buying cheaper mice, they will.

      But if a security-measure costs money to implement and isn't obviously required by law, they'll just skip it "because we've been good so far, right?".

      I assume they have insurance. The insurers should look at what they're on the hook for with badly protected systems and make sure protecting the systems is cheaper than paying the premium. If people will only do things right if it costs them less up-front then make it more expensive up-front to not do things right.

      1. Hollerithevo Silver badge

        Re: It's money, as usual

        I work for an insurance company and this is exactly what they do. We are clear that risk-prevention is both required, and will get them lots of discounts and expert help if they have done all the right things and some unknown unknown has appeared (exactly the thing insurance is there for).

        Do all companies understand their policies or avail themselves of risk prevention measures (that we help with) or do anything but whistle in the dark? }}sound of whistling wind{{

        1. Doctor Syntax Silver badge

          Re: It's money, as usual

          Then in the medical area make it a regulatory requirement.

  9. Bonzo_red

    Citrix VPN

    According to a report in the Süddeutsche Zeitung, the crims exploited a known vulnerability in a Citrix VPN product.

    1. Alister Silver badge

      Re: Citrix VPN

      a known vulnerability in a Citrix VPN product

      And suddenly, all the "Shouldn't be using Windows, it's their own fault" types are looking a bit foolish.

      1. _LC_ Silver badge

        Re: Citrix VPN

        *Errm, no*. Your "reasoning" (is there any) seems to be, though.

        Citrix is a known "back-door vendor". The idea of being able to “lock out all the bad stuff from the Internet and only let the good stuff through” is heinous. Putting another patch on top of it is not going to solve the problem. It has always failed. It will keep failing.

        1. Rainer

          Re: Citrix VPN

          The vulnerability was apparently mass-exploited before patches were widely installed. Backdoors were installed and the networks where they are still accessible are now subsequently "milked".

      2. Doctor Syntax Silver badge

        Re: Citrix VPN

        And suddenly, all the "Shouldn't be using Windows, it's their own fault" types are looking a bit foolish.

        Citrix VPN might have been the entry point. It was Windows systems that got encrypted. Who's looking a bit foolish?

  10. Danny 2 Silver badge

    Failure is not an option

    I worked in an organisation whose mantra was "Failure is not an option". Of course it's not because nobody would choose it, it's just the likely outcome if you don't anticipate every possibility of it.

    1. Hollerithevo Silver badge

      Re: Failure is not an option

      But as we know, the one thing you can't anticipate can often happen. It's hard to get 'wild card' thinking from people who are process-oriented. I have seen this in projects, where we brought in a consultant that we were recommended, but dubious about, and he started throwing really crazy things at us, and we saw immediately that we had simply assumed users would do A, B or C when they were just as likely to do Q, W and G, because we were so used to our systems that we forgot that people out there are animals.

  11. Anonymous Coward

    Isn't the primary role of state security services

    to keep its citizens safe?

    1. Hollerithevo Silver badge

      Re: Isn't the primary role of state security services

      You sweet summer child.

  12. Binraider

    If I am not mistaken, the MS-DOS and Windows licenses since Chernobyl have had clauses put in them quite explicitly to say the software should not be used in provision of critical services; which, your average piece of hospital equipment certainly is.

    I'm aware of industrial metering and control anywhere and everywhere dependent on all marks of Windows back to 3.1 still in service. Proper PLCs and the tech support behind them are available; at a price. People use Windows because it's cheap and (relatively) well understood. Price is (often) a deciding factor on tenders. God forbid your tender for hospital gizmo x should score the tender on basis of applicability of licenses to the application intended.

    I'm quite fond of older, simpler software architectures; they are easier to audit for sure. The morass of stuff that's out there now it's just such a mess the idea of cleaning it up; it'll be easier to nuke it from orbit and start over than get it under control.

    1. Anonymous Coward

      Someone should have told the military.

  13. Anonymous Coward

    So a machine got compromised. Why is anything taking incoming connections from that machine?

  14. grumpyoldeyore

    Shades of the Spanair disaster?

    When Spanair flight number JK 5022 crashed in 2008 one of the "holes in the cheese" that lined up was that the maintenance database (or the computer systems attached thereto) had been infected with malware, which meant that it wasn't flagged that the plane in question had suffered multiple problems over several days and so should have been taken out of service on the first failed take off.

    Subsequently the crew made a configuration error and the configuration warning did not sound, so the second take off attempt was made with fatal consequences.

    https://www.theregister.com/2010/08/20/spanair_malware/

    http://avherald.com/h?article=40b73189/0024&opt=0

  15. SmartAlec

    So what are we blaming?

    The rain for falling through a hole in the roof?
