
Navajo Nation Hospital Targeted By Large-Scale Ransomware Hack (nbcnews.com) 34

An anonymous reader shares a report: When Rehoboth McKinley Christian Health Care Services in Gallup, New Mexico, was hit with a cyberattack earlier this year, the hospital's staff had to revert to pen and paper to keep things running. Publicly available details about the hack are scarce, and the hospital has declined to comment beyond confirming that the security breach briefly forced its staff off its computers. But sensitive employee files posted online by a hacker group known for ransomware attacks and seen by NBC News indicated just how deep an attack the hospital had suffered: files on everything from job applications and background checks to staff injury reports.

Ransomware attacks, in which hackers gain access to a private system to hold it hostage for payment, have been a problem for businesses for more than three years. Some hospitals have poor cybersecurity, and unscrupulous gangs see them as potentially flush with cash and easily coerced with the threat of leaked patient data. Last year, at least 560 health care facilities were infected with ransomware, according to a survey from the cybersecurity company Emsisoft. In October, amid a particularly brutal wave of attacks, several federal agencies issued warnings of "an increased and imminent cybercrime threat" to hospitals. An advisory from the American Hospital Association laid out how the Covid-19 pandemic had encouraged cybercriminals "to exploit, victimize and profit" from ransomware attacks.

  • by Major_Disorder ( 5019363 ) on Wednesday March 03, 2021 @05:38PM (#61120874)
    Crypto a bank, or large business and I will just shrug, and figure they probably had it coming. But a hospital... I have a problem with that. I hope someone finds these scumbags and causes them to need the very hospital they attacked. At some point these vermin will be directly responsible for someone dying. I sincerely hope they are caught and charged with premeditated murder. As they deserve.
    • only go after hospital billing and wipe the DB or better wipe out the 3rd party middle man only

    • Because a hospital isn't a large business.
    • A dude is fed up with having birds shit on his car. So he dumps a huge pile of bread in a nearby parking lot. The birds get lured to the parking lot. They shit all over other cars and also have many, many babies. Some of the cars are so covered in shit that they get into wrecks.

      The moral of the story is you should punch the guy who gave a bunch of bread to shitbags instead of simply covering his goddamn car properly.

    • At some point these vermin will be directly responsible for someone dying. I sincerely hope they are caught and charged with premeditated murder.

      There is no information indicating that they knew they were targeting a hospital. Also, murder in the first degree would be a huuuge stretch. Realistically, you would be lucky to get the charge of involuntary manslaughter to stick.

      • by jodido ( 1052890 )
        Undertake a serious prosecution for murder, or attempted murder. Even if you allow the sociopath to plead to a lesser charge, this will undoubtedly cause some of this human scum to seek other ways to enrich themselves.
    • At some point these vermin will be directly responsible for someone dying. I sincerely hope they are caught and charged with premeditated murder. As they deserve.

      Yes, that's the nerve they are approaching.

      Financial crimes across the globe are a dime a dozen. People have identities and bank accounts stolen every day. Insurance systems are set up for it. While some nations will have extradition, investigators won't do much work until losses are in the billions.

      But start mucking around with hospitals, especially if someone dies, and you're getting into things people care about. Not only do they have strong emotional pull for investigators, but with the population an

    • Yeah, it's getting ridiculous. I know "muh 20 VPN tunnels" but I refuse to believe with the resources the US and Europe have they can't track these fuckers down. Then either predator drone strike them or drop some polonium in their drinks, the fucking scum.
    • Crypto a bank, or large business and I will just shrug, and figure they probably had it coming.

      Says the person who doesn't have an account with that bank, or do business with that company. Why do people who always start a sentence with "not my problem" always find out it eventually gets around to being their problem? At what point do people realize ransomware isn't going to stop at those things they don't like or are apathetic to, and move on to those things they do care about?

  • Incremental backup and restore, at the hardware level so nobody can mess with it. How hard can it be? Rhetorical question of course. It can be hard, and the market has to demand it. For now we've got vulnerable software solutions for this problem, and any backup is only as good as a restore test--which is the really hard part of knowing you have a good backup in place.

    • by hey! ( 33014 )

      Even better, a copy on write filesystem. The old version of everything is still there so you don't even have to wait to find and restore a backup. You just revert to the last good snapshot.

    • They're already required to have it as part of HIPAA, so I don't know how this can happen. Apparently hospitals and doctors' offices can just get away with not adhering to requirements for protecting our data. Hell, every time I go to my own doctor's office and they take me back to the exam rooms, I see an open door at the end of the hallway with an unsecured server rack just sitting there looking back at me. And they're part of one of the State's biggest provider networks.

      I've mentioned this to them, w

  • I am a physician. As a med student, I rotated there (a number of years ago). The Navajo live under great socioeconomic depression. Akin to a 3rd world country, for many of them. I witnessed people living in conditions without electricity and running water, only 20 minutes outside Gallup, on the reservation. (Interestingly, just two weeks later, I was in rural Kenya, where the issues were not dissimilar. Truly: think of third world country living situations, in the US.) The reasons are complex, beyond the sc
  • Ransomware attacks should be considered terrorism and acts of war. In war it's legitimate for the state to kill enemy civilian personnel (in WWII the British, for example, bombed more than one Gestapo HQ) and it should be legitimate to kill computer terrorists without warning.

    Law should not be a suicide pact and it should be understood law is not a panacea (which is why we have wars when law fails). Computer terrorism is an act of war. Start killing and get good at it or the problem will only escalate even

    • I share your sentiment, but terrorism is the use of extraordinary violence to terrify a civilian population into political compliance. Extorting money from a hospital doesn't count. That's just simple extortion. Hacking hospitals so you could randomly kill patients until your political demands are met might be terrorism though.
  • Since medical providers are under some pretty heavy data security regulations, I don't understand how they get away with such blatant non-compliance. They have both HIPAA and PCI requirements to deal with, and if they were compliant with both this wouldn't happen.

    There is an easy fix. Hospitals have to be accredited by the State. The States can thus require hospitals (and large provider organizations) to follow CIS hardening guidelines and be fully HIPAA and PCI compliant if they want to see patients,

  • Every time a ransomware group demands money, that money should be paid--into a hit contract on the ransomware group.
    Why pay millions to a ransomware group with an iffy history of actually fixing your stuff, when you can pay 3 million to some psychopath to bring you the information you need AND their head?
