Ransomware Attack Hampers Prescription Drug Sales at 90% of US Pharmacies (msn.com)
"A ransomware gang once thought to have been crippled by law enforcement has snarled prescription processing for millions of Americans over the past week..." reports the Washington Post.
"The hackers stole data about patients, encrypted company files and demanded money to unlock them, prompting the company to shut down most of its network as it worked to recover." Insurance giant UnitedHealthcare Group said the hackers struck its Change Health business unit, which routes prescription claims from pharmacies to companies that determine whether patients are covered by insurance and what they should pay... Change Health and a rival, CoverMyMeds, are the two biggest players in the so-called switch business, charging pharmacies a small fee for funneling claims to insurers. "When one of them goes down, obviously it's a major problem," said Patrick Berryman, a senior vice president at the National Community Pharmacists Association...
UnitedHealth estimated that more than 90 percent of the nation's 70,000-plus pharmacies have had to alter how they process electronic claims as a result of the Change Health outage. But it said only a small number of patients have been unable to get their prescriptions at some price. At CVS, which operates one of the largest pharmacy networks in the nation, a spokesperson said there are "a small number of cases in which our pharmacies are not able to process insurance claims" as a result of the outage. It said workarounds were allowing it to fill prescriptions, however...
For pharmacies that were not able to quickly route claims to a different company, the Change Health outage left pharmacists to try to manually calculate a patient's co-pay or offer them the cash price. Compounding the impact, thousands of organizations cut off Change Health from their systems to ensure the hackers did not infect their networks as well... The attack on Change Health has left many pharmacies in a cash-flow bind, as they face bills from the companies that deliver the medication without knowing when they will be reimbursed by insurers. Some pharmacies are requiring customers to pay full price for their prescriptions when they cannot tell if they are covered by insurance. In some cases, that means people are paying more than $1,000 out of pocket, according to social media posts.
The situation has been "extremely disruptive," said Erin Fox, associate chief pharmacy officer at University of Utah Health. "At our system, our retail pharmacies were providing three-day gratis emergency supplies for patients who could not afford to pay the cash price," Fox said by email. "In some cases, like for inhalers, we had to send product out at risk, not knowing if we will ever get paid, but we need to take care of the patients." Axis Pharmacy Northwest near Seattle is "going out on a limb and dispensing product with absolutely no inkling if we'll get paid or not," said Richard Molitor, the pharmacist in charge.
UPDATE: CNN reports Change Healthcare has now announced "plans for a temporary loan program to get money flowing to health care providers affected by the outage." It's a stop-gap measure meant to give some financial relief to health care providers, which analysts say are losing millions of dollars per day because of the outage. Some US officials and health care executives told CNN it may be weeks before Change Healthcare returns to normal operations.
"Once standard payment operations resume, the funds will simply need to be repaid," the company said in a statement. Change Healthcare has been under pressure from senior US officials to get their systems back online. Officials from the White House and multiple federal agencies, including the department of Health and Human Services, have been concerned by the broad financial and health impact of the hack and have been pressing for ways to get Change Healthcare back online, sources told CNN...
In a message on its website Friday afternoon, Change Healthcare also said that it was launching a new version of its online prescribing service following the cyberattack.
Thanks to Slashdot reader CaptainDork for sharing the news.
Despicable (Score:3)
Re:Despicable (Score:5, Insightful)
The Ransomware group or the Insurance companies?
Re:Despicable (Score:4, Informative)
As the meme goes, por que no los dos?
Re: (Score:2)
The Ransomware group
It isn't a "group" or a "gang". It's one guy working out of his basement.
Re: (Score:2)
all I see is a ransomware group showing that running the healthcare system in this way is a stupid idea...
Not even wrong. (Score:3)
Only a particularly vile life form would stoop to putting innocent bystanders in harm’s way like this for the sake of a few bucks.
You may not want to admit it but that's almost everybody. I say this because despite the fact that climate change will kill hundreds of millions of people by 2100 (and if it gets really bad then almost everyone by 2200), just about everyone keeps driving around in their cars like it's no big deal because "EVs cost more money" (despite having a lower Total Cost of Ownership). It's easy to do this because they are people you will never see, never meet, and they will never have the ability to shame you. The gr
Re: (Score:2)
I'm not excusing anyone, I'm saying it's a prevalent human failing to be OK with hurting people that you cannot see and it really is despicable.
That's pretty much the meat industry too, if people saw how animals are treated and slaughtered, most would stop eating meat entirely.
Re: (Score:2)
Only a particularly vile life form would stoop to putting innocent bystanders in harm’s way like this for the sake of a few bucks.
I can no longer get my glaucoma refills because of this. Please, intelligence agencies, put the supercomputers to work and break the cryptocurrencies that ransomware operators use. That's the ONLY way to put them out of business.
Re: (Score:2)
put the supercomputers to work and break the cryptocurrencies
You are way overestimating the capability of supercomputers.
That's the ONLY way to put them out of business.
Or the insurance companies could fix the security holes on their servers.
Re: (Score:2)
put the supercomputers to work and break the cryptocurrencies
You are way overestimating the capability of supercomputers.
That's the ONLY way to put them out of business.
Or the insurance companies could fix the security holes on their servers.
You are right, but how satisfying is it to blame the victim. I mean, that woman dressed provocatively, so she deserved it, amirite?
Re: (Score:1)
Indeed. Hence life-sentences for those responsible for obviously extremely shoddy security in the systems affected for the sake of a few bucks. And, bonus, it is easy to find out who these cretins are! Glad we are on the same page!
Re: (Score:2)
Please think of the shareholders.
Explain to me again (Score:5, Insightful)
Why vendors should not be held legally liable for vulnerabilities in their software that enable such attacks?
And, of course, the US medical system once again shows the implicit problems with the complexity of the network of middlemen that "manage" health care by adding overhead to the system to line their own pockets.
Re: (Score:2)
You think other places are immune?
UK
https://www.theguardian.com/te... [theguardian.com]
Barcelona
https://apnews.com/article/bar... [apnews.com]
Germany
https://www.scmagazine.com/bri... [scmagazine.com]
France
https://www.bleepingcomputer.c... [bleepingcomputer.com]
Re:Explain to me again (Score:5, Insightful)
You think other places are immune?
No. I think the US system has MANY MORE POINTS OF FAILURE.
Re: (Score:2)
Was it the common vector active directory and SMB?
I've not seen ransomware work on unix/linux, not saying it doesn't exist, just doesn't work as well.
Every time this happens to a large corp people look to blame third parties, but really, just stop using AD.
Re: (Score:2)
Why vendors should not be held legally liable for vulnerabilities in their software that enable such attacks?
bEcAuSe ThE FrEe mArKeT!!!
And, of course, the US medical system once again shows the implicit problems with the complexity of the network of middlemen that "manage" health care by adding overhead to the system to line their own pockets.
The implicit problem is that ensuring security/correctness (which requires time/money) runs counter to their profit motive. In commercial software there is an eternal fight between profit and security, so it's no wonder nothing ever changes.
Re:Explain to me again (Score:4, Insightful)
I'll ask a much easier question: Why don't we have single payer healthcare?!
This is a perfect example of why our system costs so much. You have so many levels of companies trying to make a buck in the chain of healthcare that it creates an unsustainable model.
But back to the vulnerabilities, the vendors are linked in as middlemen to a business process. That situation will always be complex and fragile, especially when they seek to be middlemen for the broader market. Securing the mess is practically impossible. (Hence my original question.)
Re: (Score:3)
I'll ask a much easier question: Why don't we have single payer healthcare?!
This is a perfect example of why our system costs so much. You have so many levels of companies trying to make a buck in the chain of healthcare that it creates an unsustainable model.
Ding!
You have asked the right question ...and answered it. We have too many companies making too much profit for too many people to allow an efficient and effective healthcare system. The economy would lose billions! Millions would be unemployed! Profits would fall! Retirement investments would be harmed!
That is not sarcasm...just hyperbole. There would be widespread negative consequences if we fixed our healthcare system. Many very profitable corporations would be eliminated, their stocks worthless,
Re: (Score:2)
Yet somehow MS putting people out of work is ok.
Re: Explain to me again (Score:1)
Re: (Score:2)
First you need to reduce the cost of medical school. I know at least one HMO decided to open their own. Doctors are trained with the specific end-goal of working in their hospitals.
Re: (Score:2)
Why vendors should not be held legally liable for vulnerabilities in their software that enable such attacks?
If you hold vendors legally liable for vulnerabilities in their software, no one will be willing to make software.
Why risk jail or financial ruin if something goes wrong?
Re: (Score:2)
If you hold vendors legally liable for vulnerabilities in their software, no one will be willing to make software.
Why risk jail or financial ruin if something goes wrong?
That hasn't stopped people from making cars, airplanes, medical devices, prescription or non-prescription drugs, to name Just A Few industries... And to pick on Boeing, do you think it's A Good Thing that Boeing NOT be held liable for the safety problems in their aircraft? The MCAS problem was in large part a software problem.
Re: (Score:2)
That hasn't stopped people from making cars, airplanes, medical devices, prescription or non-prescription drugs, to name Just A Few industries... And to pick on Boeing, do you think it's A Good Thing that Boeing NOT be held liable for the safety problems in their aircraft? The MCAS problem was in large part a software problem.
To pick on your Boeing example... that is not an example of a vulnerability to an attack from an outside source. If a Boeing jet was shot out of the sky with a surface-to-air-missile and Boeing was to be held liable for not preventing it... that would be comparable to what you proposed.
Re: (Score:2)
In this case, they are going to be facing questions from HHS (department of Health and Human Services) and if HHS doesn't like the answers they receive they can refer them to the Justice Department for prosecution under HIPAA for negligence with a maximum jail term of 10 years.
Their defense will be "We followed HITRUST and are certified as HITRUST compliant". Never mind that HITRUST is a severely flawed security standard that has many requirements that weaken security.
It is the worst thing about working in
Given (Score:4, Insightful)
Given that they are interfering with life giving drugs, and Given that innocent people could die.
When found, they should be terminated with extreme prejudice.
Re: (Score:2)
When they are found, it will be possible to stop them without committing murder.
If your concern is that they might have killed people, it is especially hypocritical of you to insist upon their death when they can be stopped without it.
Re: (Score:2)
There's no hypocrisy there. Not all killing is equal. You act as if stopping them were the only goal. What about punishment?
Punishing people is hypocritical - they are harming people, so harming a person that harms people is hypocritical.
Drinkypoo, probably.
Re:Given (Score:4, Insightful)
It's not quite that simple though.
There's the practical argument for the death penalty, either that it deters crime and drives down rates, or it reduces rate of re-offending or that it saves money over long imprisonment. At least from what I have seen capital punishment has no, to very little effect on any of those crime metrics and generally costs quite a bit of money to do, more than imprisonment. I think with that in mind the argument to be made in favor is what you are describing, that we should accept it is pure retributivism.
https://public.tableau.com/app... [tableau.com]
Then there is the philosophical concept of should The State with its monopoly on violence and representative of the citizenry should not effectively murdering its own citizens under its custody, that removal from society is the ultimate form of punishment The State should be allowed to enact, it is a step too far to give them the authority to murder (and it definitely is murder as the criminals in question by nature of being incarcerated is not currently a threat).
There's a reason it is a very contentious issue, there are decent arguments on both sides about which is good for society, it is emotional as we all feel victims deserve due compensation, but fact is most countries are able to manage crime without capital punishment so again, I think the practical argument is weak.
I have seen some ideas that capital punishment should be a "two trial" process, that the capital punishment should be its own trial after the first rather than appeals to the sentence itself.
Also if we are going to decide to do it as society we need to stop trying to sanitize it, that fact in itself shows a sort of half assed approach to it, we want to kill people but we want it to feel disconnected so we don't "really" feel it but that ends up with practically barbaric methods as opposed to what is actually merciful like just a straight up firing squad or guillotine.
Alabama out here just freewheeling things and torturing people:
https://www.theguardian.com/us... [theguardian.com]
Re: (Score:2)
It's not quite that simple though.
There's the practical argument for the death penalty, either that it deters crime and drives down rates, or it reduces rate of re-offending or that it saves money over long imprisonment.
This is a different argument. Given who these hacking groups are, I and many others consider it an act of war designed to kill Americans.
So I look at their early demise in the same manner I do not believe that the Imperial Japanese Army and Navy were immune from Americans retaliating after they had their little thing in Pearl Harbor in 1941.
Maybe I'm wrong. Well, I'm a 'murrican, and on Slashdot, that means Yes, wrong.
Re: (Score:2)
Maybe I'm wrong.
Maybe you are, maybe you aren't.
Having or not having the death penalty as part of our society is primarily a question of who we are as people.
Let me note for the record, I am against the death penalty for crimes. There are some crimes that require incarceration for the lifespan of the criminal. Two reasons for that. One is the likelihood of the person to kill more. Another is that at least as far as I'm concerned, I find lifelong incarceration a better punishment than death.
Do we trust ourselves and our system to be infallible, so that we never, ever execute someone who will later be found to be not guilty? Or do we accept the fact that we will sometimes find ourselves to have murdered the innocent?
Personally, since the system is (demonstrably) not infallible, I am inclined to say that murdering someone who may later be found to be innocent is not an acceptable risk to take, all other factors included. Many agree. Many disagree. The discussion is not settled, I would say, and needs to continue.
This is the bugs in the flour problem. Sounds strange, but hear me out..
How many bugs should be in a pound of flour. The obvious answer is "none". But that isn't even possib
Re: (Score:2)
If someone kills a person they can, at least in some countries, be sentenced to death themselves - even though they have stopped killing the person (on account of the person being dead and all).
This is no different. These ransomware guys have gone from hackers to terrorists literally endangering (and possibly ending) the lives of others. I am generally not in favor of capital punishment, but these guys - the actual guys, not just who we would like to think did it - deserve it.
Re: (Score:2)
If someone kills a person they can, at least in some countries, be sentenced to death themselves - even though they have stopped killing the person (on account of the person being dead and all).
This is no different. These ransomware guys have gone from hackers to terrorists literally endangering (and possibly ending) the lives of others. I am generally not in favor of capital punishment, but these guys - the actual guys, not just who we would like to think did it - deserve it.
It is a war situation, no different than, say, the attack by the Empire of Japan on Pearl Harbor, or any of the other attacks that kill people.
I'm not a death penalty advocate either. But utter cowards attempting to create havoc and death need removed ASAP. So I am okay with terminating them with extreme prejudice.
Re: (Score:2)
Re: (Score:2)
When they are found, it will be possible to stop them without committing murder.
If your concern is that they might have killed people, it is especially hypocritical of you to insist upon their death when they can be stopped without it.
I see, you would have been a blast to be around in WW2 - "Don't fight back against the Empire of Japan, or Germany, and Italy. I mean sure, they're killing our people, but to kill any of them would be hypocritical."
Anyhow, I take it you won't defend yourself either.
Re: (Score:2)
When they are found, it will be possible to stop them without committing murder.
If your concern is that they might have killed people, it is especially hypocritical of you to insist upon their death when they can be stopped without it.
Heads on pikes will convince others never to go into this line of business.
Re: (Score:2)
Heads on pikes will convince others never to go into this line of business.
Indeed when a whole bunch of these people suddenly turn up mysteriously dead, word will spread in the places on the dark web that they like to gather. They need a bit more risk to balance out the rewards.
And the trial? (Score:2)
Given that these are the lowest form of life, and
Given that they are interfering with life giving drugs, and
Given that innocent people could die.
When found, they should be terminated with extreme prejudice.
Apropos of nothing, would this be before or after the trial?
Re: (Score:2)
Given that these are the lowest form of life, and
Given that they are interfering with life giving drugs, and Given that innocent people could die.
When found, they should be terminated with extreme prejudice.
Apropos of nothing, would this be before or after the trial?
How many do you want to die while the others continue.
To me, another person in another part of the world that is actively trying to extort and kill completely innocent people who already have some big problems needs stopped.
The question might also be asked should Americans have put every Japanese Soldier on trial before terminating them? I suppose it all depends on whether you think that purposely killing innocent people in another nation is an act of war or not. If you think it is just computer fun
Re: (Score:2)
Apropos of nothing, would this be before or after the trial?
Ask ISIS how that works.
Re: (Score:2)
Per Khyber
The Ransomware group or the Insurance companies?
Re: (Score:1)
Half of the ones responsible are known: The fuckups that have "laughable" level security on critical systems. I think we should start with lining them against a wall, which they richly deserve. Glad you agree!
Re: (Score:2)
Half of the ones responsible are known: The fuckups that have "laughable" level security on critical systems. I think we should start with lining them against a wall, which they richly deserve. Glad you agree!
Did ya ever wonder how much of this lack of security on the user end was because the security people were hamstrung?
You identify half of the problem, but blame the victim. You know, like those pretty women that dress provocatively, you know, to turn men on, so the women are responsible if a man molests them.
Y'all trying to claim hypocrisy, when I have made my point clear - I and many others consider it an act of war, and as such the soldiers for the other side can't demand we not fight back - of cour
Re: (Score:2)
I am well aware that often "management" will be among the fuckups. I do expect security experts to quit their jobs though when they are prevented from securing critical systems properly. And obviously, there are quite a few incompetent security people as well. So no victim blaming at all. Being incompetent while holding a critical position makes you a _perpetrator_.
Re: (Score:2)
Given that these are the lowest form of life, and
Given that they are interfering with life giving drugs, and Given that innocent people could die.
When found, they should be terminated with extreme prejudice.
We already know where the Health Insurance C suite executives live.
Re: (Score:2)
When found, they should be terminated with extreme prejudice.
If I could trust you to positively identify them rather than merely dragging out some poor souls who got caught in your dragnet, I would allow you to do so. Satisfy your rage some other way bro.
Re: (Score:2)
When found, they should be terminated with extreme prejudice.
If I could trust you to positively identify them rather than merely dragging out some poor souls who got caught in your dragnet, I would allow you to do so. Satisfy your rage some other way bro.
It is not possible to be 100 percent sure of anything. So we just let them carry on, and if they cause any problems, the victims are the real guilty party.
Appears to be the overwhelming consensus in here.
Re: (Score:2)
It is not possible to be 100 percent sure of anything. So we just let them carry on, and if they cause any problems, the victims are the real guilty party.
I am glad you are not the one responsible for thinking of solutions. You have scorched earth and doing absolutely nothing as your only options presented.
Instead of punching you, I will empathize with you. You obviously have no power in your individual life, same as myself. I know this because your answers are so extreme. You want something, anything, to fucking change for the better and no matter what you do, it keeps getting worse. So you are down to two choices. I get it.
But, you are still wrong. There ar
Re: (Score:2)
It is not possible to be 100 percent sure of anything. So we just let them carry on, and if they cause any problems, the victims are the real guilty party.
I am glad you are not the one responsible for thinking of solutions. You have scorched earth and doing absolutely nothing as your only options presented.
Instead of punching you, I will empathize with you.
Wow, you do have a temper don't you? A simple discussion, and I present something you don't like, and you are near violence. You should work on that homie.
You obviously have no power in your individual life, same as myself. I know this because your answers are so extreme.
First off, you are incorrect about any power I possess. In my present position, you are in the facility at my pleasure. I can shut what you are doing down, and if you do not leave immediately, the police will escort you out. Your interactions with them will determine whether you are released or arrested, or at my discretion, you will be arrested first.
I
When will they learn??? (Score:1)
If I wasn't so old, I'd go back to school to specialize in cybersecurity consulting.
Re: (Score:3)
When will corporations, Governments, and courts realize that high security and strong encryption are critical to prevent these attacks from happening???
* Corporations: When it stops being profitable to allow these attacks to happen.
* Governments: When politicians stop being bought off.
* Courts: When it stops being legal to allow these attacks to happen.
The real question you need to be asking is, "What is causing society to behave so badly as to allow this and how can it be rectified?"
The answer lies in changing the propaganda that society is being exposed to on a daily basis.
Re: (Score:2)
When they get the greed and stupidity of their executives under control, i.e. "never".
Re: (Score:3)
When will corporations, Governments, and courts realize that high security and strong encryption are critical to prevent these attacks from happening??? If I wasn't so old, I'd go back to school to specialize in cybersecurity consulting.
I can give you about a 99.9% confident answer that everything was encrypted in transit and at rest.
There is a huge HITRUST framework that insurance companies try and get their vendors to follow. It is about 70% good ideas, 29% meaningless, and 1% bad ideas that will undermine security. HITRUST makes the mistake of thinking that human beings are reliable if they are not malicious and it is very fond of error prone manual processes over reliable automated processes.
There is a law, and there is a detailed spec
what a nasty web (Score:3)
I have so far received 4 hack notices from 4 different places related to health care providers, all due to the same hack of a third party processor.
The problem here is that there has evolved a huge interconnected web of 3rd party processors where certain ones are essentially monopolies, providing a weak link to access everyone's data. These outfits are generally not visible to the public and probably completely unregulated.
Do you use billpay at your bank? That is processed by a near monopoly. Do you know their name?
Re: (Score:2)
The problem is that it is an industry ruled by certifications and checklists more than knowledge and ability.
There are people working at fixing the individual flaws in HITRUST but not in the flaw of think
Re: (Score:2)
You do realize this is all structured to eliminate liability. You got fucked (as did I) and there is not a single thing either of us can do. But wait, there is more, there is not a single fucking thing ANYONE will do except send some police dudes to maybe find the people and put them in a prison.
No one in a position of power to change anything will ask them any hard questions just like nobody ever asked UTSW any hard question or asked the OPM any hard questions. It is all, "it's Microsoft's fault" while ope
They still had time (Score:2)
Re: (Score:3)
I heard of at least one case where the patient's doctor demanded the insurance company doctor's prescriber number "to make sure the right party gets the malpractice suit". The denial was reversed.
And people wonder why US health care costs so much (Score:3)
Companies like this are leeches sucking US citizens dry. They inflate costs and contribute nothing but paperwork. Every time I see a story like this, I give thanks that I live in a civilized country, where health care is a right.
It's bad (Score:1)
Legacy CHC employee here, and all I can say is that yes, it's bad.
Most of us have been down or idle for 10 days, unable to login or do any real work since a lot of our tools are also down or inaccessible (jira, clarity, servicenow, etc etc).
Keep a happy thought that this shit will get straightened out soon.
Re: (Score:2)
Legacy CHC employee here, and all I can say is that yes, it's bad.
Most of us have been down or idle for 10 days, unable to login or do any real work since a lot of our tools are also down or inaccessible (jira, clarity, servicenow, etc etc).
Keep a happy thought that this shit will get straightened out soon.
Or it is all lost and DHHS finds that it was negligence of the C suite that allowed the breach to happen and people go to jail and someone has to rebuild it with security and not HITRUST in mind.
Why commercial software security will always suck (Score:2)
Commercial software has three competing groups of profit-seekers: the vendor, the corporate user, and hackers.
Re: (Score:2)
Commercial software has three competing groups of profit-seekers: the vendor, the corporate user, and hackers.
The result is businesses will continue using a bad commercial software so long as it is perceived as just good enough. Before most commercial software was deeply tied to relying on remote servers, old versions of software remained just good enough, so long as no unsolvable problems were encountered. Remote servers are now used to function as an instant unsolvable problem and thus forcing a version upgrade which has added new vulnerabilities.
Final note: Commercial software will ALWAYS fail when pitted against nation-state actors because the cost to a nation-state is largely irrelevant as the primary motive is using the information gained from the breach. As such, the only way to resist nation-state actors is to use software and hardware that is designed expressly to be secure. That said, doing this merely shifts the focus/burden to the system/people that surrounds your software/hardware.
For something like a major insurance company, they should be assuming that they will be hit by nation-state actors and that they need to have a plan B, plan C, and probably a plan D for when it fails. It doesn't seem like they were prepared.
Re: (Score:2)
they should be assuming that they will be hit by nation-state actors...
They absolutely are assuming they will be hit by nation-state actors. That said, there is literally no penalty for a breach, so spending money on security that isn't mandatory is laughable to a profit-driven entity.
Indictments for "criminally negligent homicide" (Score:1)
I hope nobody dies as a result of not getting their medications. But if anyone does, charge those responsible for homicide. If the homicide victim's jurisdiction has a "felony murder" charge that fits, use it.
Unfortunately, most of the people involved in the ransomware gang will probably never be identified, and most of those who are will never face trial. But for those who are indicted in the US, they can forget about vacationing to any country where they would face extradition.
Re: (Score:2)
Law enforcement is useless (Score:2)
Now, if these people were pushing drugs or, worse, they were black people, then law enforcement would gladly do something about them! But as it is, they do not care.
Why don't big companies backup anymore? (Score:2)
It used to be a thing, hard drives were unreliable and we had to back up everything. Not only that, additional backups were made so that it could be taken off site in case of fire or theft. Ransomware is much like a drive failure, data is corrupted. Just reformat the drives and restore backups.