Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Government Privacy Databases Medicine Security United States News IT Technology

Congressman Wants Ransomware Attacks To Trigger Breach Notifications (onthewire.io) 73

Trailrunner7 quotes a report from On the Wire: A powerful California congressman is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients. The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department's plan to issue guidance to health care organizations about ransomware attacks. The Office for Civil Rights section of HHS, which has responsibility for health information privacy, will provide guidance on how to handle ransomware attacks, and Lieu is eager to ensure that the guidance specifically addresses how ransomware attacks relate to data breach regulations. "I welcome the news of HHS providing guidance to health providers on a matter that threatens so many hospital IT systems. However, we need to make clear that ransomware is not the same as conventional breaches. The threat to patients from ransomware is typically due to the denial of access to their medical records and medical services. Not only could this be a threat to privacy, but it could result in medical complications and deaths if hospitals can't access patient information," Lieu said in a statement. He sent a letter to the deputy director for health information privacy in the Office of Civil Rights at HHS, Deven McGraw, asking him to instruct health organizations and providers to notify patients of an attack if it results in a denial of access to a medical record or a loss of functionality thats necessary to provide patient care. In the past, Lieu has called for a full congressional investigation into the aforementioned widespread flaw in global phone networks that allows hackers to track anyone's location and spy on their phone calls and text messages. He was also one of the first lawmakers to publicly express his pro-encryption view after a federal judge ordered Apple to help the FBI break into the San Bernardino shooter's iPhone, saying it effectively "forces private-sector companies like Apple to be used as an arm of law enforcement."
This discussion has been archived. No new comments can be posted.

Congressman Wants Ransomware Attacks To Trigger Breach Notifications

Comments Filter:
  • Recipe for disaster (Score:3, Interesting)

    by Andreas . ( 2995185 ) on Thursday June 30, 2016 @05:10AM (#52418143)
    This will only lead to even less reports of data breaches as the hospitals try to save face. Also, if something starts with "a powerful congressman", it is typically a bad, not thought through idea, that would've been better kept unmentioned.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      It has nothing to do with hospitals, they are provided systems by external mega-corps. They're the ones that will be shamed, and rightly so.

      • by Anonymous Coward

        It has nothing to do with hospitals, they are provided systems by external mega-corps. They're the ones that will be shamed, and rightly so.

        This isn't true. If a breach occurs it is almost always because of an incompetent IT person and/or a person with authority over the IT person who demanded something be bypassed for convenience (such as password limits or expirations.) A properly configured network is typically able to block malware and ransomware before it every makes it to the point of being able to compromise a faulty node within a system. There are some rare exceptions but they are extraordinarily rare and come to light regardless of

    • by mysidia ( 191772 ) on Thursday June 30, 2016 @06:44AM (#52418293)

      All ransomware compromises ARE malware compromises, Therefore, any files accessed on that computer during infection, Or data accessible to the operating system and programs running on a compromised computer need to be considered breached data.....

      The same with any malware compromise where exfiltration could possibly have occured.

      The standard of "We have no evidence proving that data was breached" needs to be specifically disallowed as a reason to not send a breach notification.

      • by DarkOx ( 621550 ) on Thursday June 30, 2016 @07:19AM (#52418403) Journal

        I agree. You can only assume the ransom ware is not doing anything other than for cash shake down to get the encryption keys.

        The reality is someone had code execution on your stuff and access to files. Its a breach, I think this is pretty strait forward.

        To suggest otherwise rates right up their with "kinetic military action"

        • by Anonymous Coward
          There is no reason to assume. All malware can be decompiled and analyzed to see what it does. If it simply encrypts data and prompts users to pay to get a key, great - no data was accessed and no HIPPA violation occurred. If it ex-filtrates data - well that is a different story and should trigger reporting (and already does). Just because some malware encrypted or deleted files you don't need to assume it did anything else. Find out what it did.
          • Re: (Score:3, Insightful)

            by DarkOx ( 621550 )

            There is no reason to assume.

            There is every reason to assume.

            You don't know the ransomeware was the only payload, there could be something still there you don't know about.

            You don't know that after the exfil job was completed the software did not self delete those parts of it.

            You don't necessarily know how it got there, and if something else could be delivered the same way in the future.

          • The trouble is that one of the things malware can do is clean up after itself: exfiltration is much harder to hide from network logs(if the target actually has any); but unless you are hoping to remain undiscovered indefinitely, why wouldn't your exfiltration agent delete itself after its job is done?
          • By your logic, if someone broke into my bank, but decided for whatever reason not to take anything in my deposit box (even though they could), my bank wouldn't have to tell me. Something doesn't have to be a HIPAA violation to be a data breach, or to trigger those rules.
          • by mysidia ( 191772 )

            There is no reason to assume. All malware can be decompiled and analyzed to see what it does.

            No assuming it probably did is the correct action; to do otherwise is to take a biased position irrationally dismissing the real likelihood of many different things having occurred besides what you found.

            Most of the reasons to think "everything that happened has been found" for a real-world system post breach; is along these lines, either:
            (2) You were responsible for that system, or liability or reputation i

        • Well, awesome!
          Let us ignore for the moment that you can not spell and take your argument to its logical conclusion.

          Since we are not going to examine the system and just assume that they now have access to the files and report based on the assumption.
          I propose that if a system is in any way connected to the outside world, that system should also be assumed to have been breached. Everyday. Now we no longer have to examine things or have evidence or anything.

          BREACH! BREACH! BREACH!

          The realit
          • by Anonymous Coward

            Yes, it's inconceivable that a program could encrypt many critical files on a system AND connect to port 80 on a random external server AND send a POST request.

            Your IT experience may be nonzero, but it's apparently complex, because it looks from here like the imaginary component is much larger than the real component.

            • You think that these systems do not have any security in place.
              You think that these systems are set up so that any random software can initiate connections to servers outside of the corporate network?
              You truly believe that these systems are set up this way. That these rogue chunks of code are allowed to make whatever connections they want?

              In a system like you describe, then you would have to assume that such a system is in fact compromised every sing day.
              Again.
              You have no knowledge of
              • by mysidia ( 191772 )

                Your arrogance belies your true ignorance in security principles.....
                It doesn't matter what external security systems you think are in place.

                After you have found a breach so deep into your network, then obviously those systems all failed, otherwise you would not have had an intrusion incident on your hands.

                then you would have to assume that such a system is in fact compromised every sing day.

                When you have a network, no.... You don't initiate a breach response or treat it as an incident, as long a

    • A data breach is bad. But trying to cover it up is a serious crime, I really doubt hospitals would take that chance.
    • Are you suggesting that hospitals would not follow the law, if this change was made? If that's the case then literally no laws are ever going to be feasible, because there's nothing that forces people to obey them. Rape, murder, theft, and pedophilia laws are all uselss then, correct?
  • by Anonymous Coward on Thursday June 30, 2016 @05:15AM (#52418157)

    Ransomware isn't the only thing dropped onto a system in most attacks. And we can't bank on ransomware not ex-filtrating a couple of encrypted documents along the way.

    If the ransomware hit, what other breaches occurred that they weren't aware of?

  • by SeattleLawGuy ( 4561077 ) on Thursday June 30, 2016 @05:17AM (#52418159)

    These people are basically terrorists--they are threatening the lives and well-being of millions of innocent American Civilians. Let's make them a national security priority.

    We have fought wars over less.

    • by Lumpy ( 12016 )

      I completely agree. Senators and Hospital administrators are a threat to america.

    • by Jiro ( 131519 )

      Terrorism is doing those things for political purposes. If their motive is money, it isn't terrorism.

      Holding someone hostage during a bank robbery poses the threat of their death, but we don't call it terrorism.

      • Terrorism is doing those things for political purposes. If their motive is money, it isn't terrorism.

        Holding someone hostage during a bank robbery poses the threat of their death, but we don't call it terrorism.

        There has been a lot of debate about the meaning of terrorism over the years; you are right that the lack of a clear political motive suggests this does not fit into most of those definitions. However, I would submit that an asymmetric attack made by people out of uniform deliberately threatening the lives of a large number of civilians should be considered a terrorist attack and should be treated like one.

  • They aren't already? (Score:5, Interesting)

    by Richard_at_work ( 517087 ) on Thursday June 30, 2016 @05:32AM (#52418193)

    I thought a "breach" was "someone gained unauthorised access to data, typically a persons private data"?

    Or has it magically been watered down to "its only a breach if the data has been proven to have made its way off the premises"?

    If the data has been accessed by unauthorised persons, there is no way to be 100% certain that it hasn't made it off premise, so yes, ransomware should be classed as a breach and notifications should be issued! It certainly indicates that the data was not truly secure in the first place, at the very least!

    • by Anonymous Coward

      In the past companies hid breaches to prevent them from becoming public, it was a PR issue so most people assumed breaches were rare. Nowadays it probably makes more sense to flip things around and assume every datastore has been compromised. Especially the ones that were built on top of Microsoft Windows infrastructure because of the number of attack vectors available towards that particular OS. Given its proprietary nature it's impossible to build a secure system on top of Microsoft's offerings.

      Second

    • by cdrudge ( 68377 )

      It certainly indicates that the data was not truly secure in the first place, at the very least!

      Not necessarily. PHI data may have been encrypted when stored on disk. Ransomware infection re-encrypts data making it unusable for it's intended purpose, but PHI data, even if it managed to leak out, is still protected.

      Another scenario which is probably much more likely is PHI is kept on a secured server. Client computer becomes infected. PHI was never compromised. Does that still trigger a notification?

      • by Fencepost ( 107992 ) on Thursday June 30, 2016 @09:51AM (#52419091) Journal

        Another scenario which is probably much more likely is PHI is kept on a secured server. Client computer becomes infected. PHI was never compromised. Does that still trigger a notification?

        Precisely this. I'll use 3 examples from current clients.

        • First client uses a vendor-hosted EMR system that they access via RDP connection to the vendor servers. There's literally almost nothing on their local network anymore except their timeclock software and web browsers. Even document scans go directly from the scanner to the remote using TSScan or the like. If someone infects a machine on their local network, does it trigger a breach notification?
        • Second client (actually several) uses a mixture of local desktops and terminal services, but everything patient-related is done within the EMR client software, which cleans up after itself when closed. The only patient data that might be on desktops is anything cached locally by the EMR package during that session. The items most likely to be troublesome would be EOB PDFs received from insurance companies, which are accessible from billing user logins. Does a desktop ransomware infection trigger a breach notification?
        • Third client migrated to a fully-hosted browser-based EMR package and again saves very little locally - everything's "in the cloud" for them except incidental office documents. Does a local PC infection trigger a breach?

        We've been fairly fortunate in what customers ended up infected with and have actually arranged things so there's very little impact if customer end-users end up infecting a local desktop via streaming a radio station or the like, but if customers have to report breaches for infections even on systems that don't have patient data stored or accessible that's going to turn into a real headache.

        • by tlhIngan ( 30335 )

          First client uses a vendor-hosted EMR system that they access via RDP connection to the vendor servers. There's literally almost nothing on their local network anymore except their timeclock software and web browsers. Even document scans go directly from the scanner to the remote using TSScan or the like. If someone infects a machine on their local network, does it trigger a breach notification?

          No, because no patient data ever hit the local PC.

          Second client (actually several) uses a mixture of local desktop

    • by mysidia ( 191772 )

      I thought a "breach" was "someone gained unauthorised access to data, typically a persons private data"?

      After a breach, they will use some bullshit excuse like: "We have not found evidence that any customers' data has been downloaded by the intruder."

      And if they did find evidence, the breach notification goes out only to the customers they found specific evidence of the attacker downloading.

    • If the data has been accessed by unauthorised persons, there is no way to be 100% certain that it hasn't made it off premise (..)

      There is: if the system(s) in question are air-gapped, or on a LAN that has no external network connections. Malware (ransomware included) could still make its way onto such systems. Let's say through an infected USB stick.

      For real-world scenarios that's mostly a hypothetical case I suspect. While in theory that USB stick could compromise an air-gapped system, retrieve sensitive data, and then upload that data when it (later) gets plugged into another machine that does have internet access, that's more a

  • Ransomware or NSL?
  • by Anonymous Coward

    That would put a stop to it.

  • Then let's cover the fact that IT should have more power and Say than administration or the doctors. If John in IT says no you cant have your ipad on the network then its FUCKING NO!

    What is needed is HIPPA regs appended so that the guys in charge of the hospital making the most money are PERSONALLY RESPONSIBLE for any data breaches or attacks. If this is done suddenly IT will be allowed to do their job and isolate critical systems from easy attack vectors.

    • by Anonymous Coward

      That's not the sum of IT's job. If the system is unusable they are not doing their job. Face it, IT sucks most of the time: "Just use this unwieldy password, we can't be arsed to implement security that is both more secure as well as easier and fast to use." That's the reality of IT, not some bullshit about not being allowed to lock all computers in a safe.

    • by jon3k ( 691256 )

      If John in IT says no you cant have your ipad on the network then its FUCKING NO!

      No iPads but plenty of Microsoft Windows workstations? In a post about ransomware? That's the worst example in history. I wish I could replace every single Windows PC with an iPad. We'd never have another malware infection again.

      What is needed is HIPPA regs appended so that the guys in charge of the hospital making the most money are PERSONALLY RESPONSIBLE for any data breaches or attacks. If this is done suddenly IT will be allowed to do their job and isolate critical systems from easy attack vectors.

      Won't stop a nurse from giving her password to someone else. What you do is hold the clinician accountable, which is exactly what HITECH [hhs.gov] does.

  • And, we will start to get such notices from these thousand-computer hospitals so often, that we won't even pay attention to them anymore, especially since there's nothing we can do about it.

    How come I smell the price of an aspirin going up? Thanks again, congress.
  • by Anonymous Coward

    Shouldn't all congressmen (and congresswomen?) all have the same power?

  • by Ihlosi ( 895663 ) on Thursday June 30, 2016 @09:19AM (#52418949)
    .. 'involuntary backup'.

Be sociable. Speak to the person next to you in the unemployment line tomorrow.

Working...