
When in Rome...
...Send those that don't act like Romans to become gladiators. It's good for them.
A ransomware attack against blood-donation nonprofit OneBlood, which services more than 250 American hospitals, has "significantly reduced" the org's ability to take, test, and distribute blood. In a notice today, OneBlood revealed the intrusion disrupted a "software system," and had forced the organization to use manual …
I'm not sure eating keyboards is good for lions, but I'm willing to learn.
As for the rest, I'd say slow exsanguination may be more suited to the crime.
Kind regards from a former* frequent blood donor.
* Now live in a country that cannot cope with the CJD risk (former UK resident), whereas in another place I was even a registered donor (could be called up in case of an emergency).
but I'm thinking sausage factory..
Speaking as the owner of two sausages (one 8 months, one 6 months) I would sincerely like to *not* be a sausage factory. Need to get the boy done before the little girl comes into season..
(Not that we'd find it difficult to find good homes for the puppies - we've had a few people we know well say "if your dogs have pups, please let us know")
When I read items like this, it always gives me shivers imagining what their computer setup is like ... some Excel sheets on a PC (not backed up recently), a shared folder with write access granted to the entire org, maybe an old PC under a desk running IIS (not recently patched) ...
I don't like increasing bureaucracy, but perhaps what we need is a legal requirement for at least one data steward in any company, government unit, or NGO which receives, generates, processes, maintains, and/or transmits records of personal information (as defined in the GDPR). The data stewards would be licensed; they would have to attend classes on practical systems security, reliability, etc. and pass tests on the material, which would include manual systems, etc.
Help me flesh this out ... I know it has holes. I don't want to turn it into a "security as legislated" thing, nor make it onerous for small businesses, nor effectively force small businesses/orgs to use commercial data processing services ...
I just now checked: so far, the population of our local tax district is less than the maximum number of rows in an Excel sheet, but we're more than 3/4ths of the way there.
A monoculture - of any sort - is extremely vulnerable. At present we have something approaching that. Leaving aside any questions as to whether any other given OS might or might not be more secure than Windows, the fact that it is so ubiquitous makes it a profitable target for those seeking vulnerabilities. Even if all the clients are on Windows it would be far safer for the underlying database to be run on a dedicated server running on any other OS, be it commercial Unix, Linux or a BSD, and offering no other connections other than the SQL service itself. No, not even an SSH for remote admin - trading convenience for security is where the problems start.
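One way to verify the "nothing but the SQL service" stance described above on the database host is to audit its listening TCP sockets against an explicit allowlist. The script below is an added example, not code from the original thread; it assumes PostgreSQL on port 5432 as the only sanctioned service, and the `ss` output it parses is a constructed sample standing in for a live host.

```shell
#!/bin/sh
# Audit a database host's listening TCP ports against an allowlist.
# Assumption (constructed for this example): the only sanctioned
# service is PostgreSQL on 5432. Anything else, SSH included, is a finding.
ALLOWED_PORTS="5432"

# Constructed sample of `ss -Hltn` output (no header, listening, TCP, numeric).
# On a real host you would pipe the live command through the same functions.
SAMPLE_SS='LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 244 [::]:5432 [::]:*'

# Read `ss -Hltn` lines on stdin and print the unique listening ports.
# The local address is column 4; the port is whatever follows the last ':'
# (this also handles bracketed IPv6 addresses such as [::]:5432).
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print every listening port that is not in ALLOWED_PORTS.
# $1 is the captured `ss -Hltn` output. Empty output means the host is clean.
unexpected_ports() {
    printf '%s\n' "$1" | listening_ports | while read -r port; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;          # sanctioned service, ignore
            *) echo "$port" ;;       # anything else is a finding
        esac
    done
}

# Usage on a live host: unexpected_ports "$(ss -Hltn)"
# With the constructed sample this reports 22 (SSH) and 631 (CUPS), i.e. two
# services that a SQL-only database server should not be offering.
```

Run it from a configuration-management check or a cron job and treat any non-empty output as a drift alert; the point is that the allowlist is the policy, and the host is measured against it rather than the other way round.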
> ...data steward [for] personal information (as defined in the GDPR)
Well, the UK GDPR (essentially the EU GDPR as modified for the UK leaving the EU) has at least made a start. If you're processing personal data, you have to nominate (as in name one or more individuals) to be the Data Controller(s), whose duties are set out in Article 24. In summary, those duties are to assess risks, and be in a position to demonstrate that policies and procedures are compliant with the Regulations.
>The data stewards would be licensed
Ah, well, AFAIK there are no UK professional standards, but there are many training opportunities, and I'd hate to be nominated as a DC without having acquired the necessary knowledge and skills to do the job.
Further reading: Guide to accountability and governance [Information Commissioner's Office]
'Holes' is understating it. You want it to be a 'legal requirement' (presumably with penalties if they don't comply satisfactorily, otherwise why bother), and for the data steward to be highly educated and responsible for all the systems without making it onerous for small businesses or forcing them to use third party SaaS.
These are all incompatible requirements.
Basically this exists already, it's called the ICO in the UK. How well do they enforce breaches, as that's the most important question: https://ico.org.uk/action-weve-taken/enforcement/
Not very well is the answer. Inconsistent. Inadequate. With a reprimand in most cases. Oh no! I've been told I'm naughty, and might possibly be issued an insufficiently proportionate fine at an undefined point in the future if I get caught again. Quaking in my boots mate.
It could be implemented properly, with personal liability and jail time for CEOs. No-one is going to do that, and nobody but an idiot would sign up for a job with serious personal consequences for breaches without a substantial salary. So if it happens it'll be tenth arsed (won't even approach half or quarter arsed as a solution).
Doing it 'properly' would involve shifting small firms to use SaaS even more than they already do, and have a human and financial cost when companies go out of business from implementation and breach costs. That might be the correct course of action, but you need to deal with the consequences.
Yes, the malware-slingers are low-down, dirty pond scum, etc., but for an org in such critical position to not have sufficiently-effective alternative processing methods is scandalous.
Earthquakes, explosions, fires, floods, blizzards, terrorist attacks, volcanic eruptions, labor strikes, train derailments, falling trees, a driver in a HGV falls asleep at the wheel and plows into an electrical substation, ... there are MANY potential external causes of computer failure/denial-of-service, and by rights, they ought to be well-prepared to deal effectively with that.
Operating in degraded mode != dealing effectively.
From their description, they are using a fallback plan. We don't know how effective that is, but there is a reason why blood suppliers from other places are sending their backup blood to this organization, not directly to hospitals. Clearly, they still have some ability to get the blood where it needs to go, just a degraded capacity.
Also, many of your alternative methods would have very different effects on their operations. An earthquake near their main computers would likely leave those in other locations (four US states covered) undamaged. A blizzard might interrupt power, but backup power would still work fine, but driving might be the problem. They would need different contingency plans for many of those scenarios, and only they know whether they have them and how good they are.
Anyone able to explain to me why there should be a highly commercialised US healthcare sector?
Because not wanting to make a profit out of other peoples' misery is pure Marxist Communist Socialist [1] evil and cannot be tolerated!
[1] Yes - I know those are 3 quite different [2] things but I suspect that most left-pondians don't realise that..
[2] After all, theistic communism was practiced by the 1st Century church. Not that US "Christianity" will take any notice of anything in the Bible other than the stuff that they think gives them license to oppress or exclude other people who don't have the approved labels attached to them..
There are a lot of nonprofits in the industry. They can still sell services at an expensive price so long as they reinvest the profits into their organization or pay it to the employees rather than having shareholders to return it to. When doing blood donations, they likely think that the potential for profit is low and people may be more willing to donate to a nonprofit. Even many hospitals are nonprofits as well, though by no means all of them. There are many for-profit parts, including insurance, independent labs and clinics, a lot of individual practices, and who knows how many middlemen, but that doesn't mean that every part is.
> explain to me what a not-for-profit is doing in a key point in the supply chain to the highly commercialised US healthcare sector?
Life-saving blood is customarily not worked for profit. Aside from the stain on your soul, there is some mistrust of people who would $ell their bodily fluids. Much blood is collected by LOCAL volunteers for the Red Cross, which in the US is nominally non-profit.
This case seems to be about a *different* non-profit blood service. I never heard of it but I know people who prefer not to deal with Red Cross, which at the top looks like a greedy bigoted bureaucracy.
Obviously a non-profit can only go so far in capitalistic society, and there are for-Profit actors too. Skid-rows and college towns have blood-buying shops. Transporting and processing blood is good business.
Patients are nominally not charged for *blood*, but pay plenty for "services".
“OneBlood, Inc. and the American Red Cross have reached a definitive agreement to form ARC-One Solutions, LLC, a regulated software company that brings increased flexibility to managing their blood supplies.”
“ARC-One Solutions is creating a next-generation Blood Establishment Computer Software (BECS) platform”
Per their jobs website, they're looking for a principal security engineer and a data architect. Per the data architect description, they've already decided that this software will be a "cloud-native, microservices-based SAAS system".
There's a buzzword-bingo-soup list of "essential functions", prefixed with a warning that the list does not necessarily include all of the "essential functions."
Oh, and they're doing "Agile".
Don't forget that the job descriptions are usually written by recruitment specialists who get their brief from HR who only pretend to understand what IT is telling them.
That's the blind leading the blind in buzzword bingo and irrelevant and/or impossible demands for their precious checklists, like 10 years experience in AI..
Doctor Syntax: “A central service needs to be available across all the places where it needs to be available. Private networks will be far more expensive - maybe prohibitively so - than using the internet.”
So is losing your customer and commercial records to the cyber blackmailers. Setting up a company wide VPN isn't that difficult. The problem would be integrating it with the $industry $standard.
If you follow the actual threading you will realise that I was using the "Reply" button to answer the question of why such a system would be put on the internet and the word "available" was used in that context.. Are you not familiar with manglements putting budget before everything else?
And before you start going on about the budgetary effects of being hit by ransomware, let me remind you that there may not be budget to do things right but there's always budget to fix things when they go wrong.
If a law was passed the CEO of a company was CRIMINALLY liable if a company fell below reasonable data protection standards...suddenly every company with sensitive data would "find the funds" to update their systems and processes.
But as it currently stands in the US, UK and EU, the CEO and IT managers can throw an intern under the bus and escape scot free with a performance bonus for saving the company money on hardware and software.