
Healthcare Organizations Under Siege From Cyberattacks, Study Says

Soulskill posted about 7 months ago | from the it's-hip-to-ignore-hippa dept.

Security 61

BigVig209 sends this report from the Chicago Tribune: "A new study set to be officially released Wednesday found that networks and Internet-connected devices in places such as hospitals, insurance companies and pharmaceutical companies are under siege and in many cases have been infiltrated without their knowledge. ... In the report, the groups found from September 2012 to October 2013 that 375 healthcare organizations in the U.S. had been compromised, and in many cases are still compromised because they have not yet detected the attacks. ... 'What's concerning to us is the sheer lack of basic blocking and tackling within these organizations,' said Sam Glines, chief executive of Norse. 'Firewalls were on default settings. They used very simple passwords for devices. In some cases, an organization used the same password for everything.'"


61 comments


So much for HIPAA... (2)

Buck Feta (3531099) | about 7 months ago | (#46284339)

Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.

Re:So much for HIPAA... (0)

Anonymous Coward | about 7 months ago | (#46284407)

What scale of organizations are we talking about here? I don't know of any small private healthcare organization that doesn't consider the owners'/partners' time-efficiency and working preferences to infinitely outweigh the importance of procedures to ensure accountability regarding access to confidential data.

(Posting AC deliberately because I see this foolishness firsthand as a consultant!)

Re:So much for HIPAA... (0)

Anonymous Coward | about 7 months ago | (#46285549)

We run into this all the time. One radiologist group in town does both hospitals and their own clinic. They always complain about having to change their passwords at our facility, as well as other security settings that we implement. 90% of them use the same password on their own systems.

Re:So much for HIPAA... (0)

Anonymous Coward | about 7 months ago | (#46284473)

Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information.

No threat of punishment == no compliance.

Well, then perhaps this is where HIPAA needs to take a fucking page from the financial lessons-learned playbook and start handing out actual punishments and fines, starting with some form of Federal-level ban on the kinds of insurance claims they can accept.

Put pressure to cut out the moneymaker that is Medicare/Medicaid support on any hospital and see how quickly they comply. Old, obese people are worth a LOT of money.

Re:So much for HIPAA... (4, Insightful)

Opportunist (166417) | about 7 months ago | (#46284557)

The problem is, comply with WHAT? Have you ever read the various "standard compliance requirements"? They're usually worded in a way that leaves holes big enough to move planets through. You'll find a lot of talk about "reasonable" and "adequate" security without any kind of definition whatsoever of what these words would mean.

You will NEVER EVER find something that they could be pinned with, like "leave no default passwords" or "no guest accounts" or even "stateful firewall with [[list of features]]". Never. No chance.

Of course it's a consultant's dream because no matter what you sell, you're complying. And it's of course no problem for the customer in question to be compliant to rules like that.

Re:So much for HIPAA... (1)

jythie (914043) | about 7 months ago | (#46284929)

This is where having a department doing auditing and certification would do the trick. I know people bristle at the idea of centralized bureaucracies, but this is a time where having some group (like CERT) in charge of training auditors and performing the certifications would do the trick.

Years ago when I worked in a lab that needed to be HIPAA certified, our upstream contractor (a hospital) had people who`s job it was to make sure our setup met the needs, otherwise we would not get the data, and yep, we met them. I could see this basic pattern scaling up.

Re:So much for HIPAA... (0)

Anonymous Coward | about 7 months ago | (#46286329)

had people who`s job

People who is job? You mean that old guy in the bible?

Or are you simply semiliterate and meant "whose"? If so, what grade did you drop out of, sixth? Read a few books, dumbass, and you won't make stupid mistakes like that. Honestly, if I couldn't read well enough to know who's from whose and there from they're and their and lose from loose, I'd be embarrased to make a logged-in comment.

Oh, and your job at the lab, what did you do there, wash glassware? Clean toilets?

Please go back to reddit, this is a nerd site. Nerds are literate, not aliterate or illiterate as you seem to be.

Re:So much for HIPAA... (1)

hawkinspeter (831501) | about 7 months ago | (#46286793)

If you're going to be so uppity about someone's mistake, then at least spell "embarrased" correctly (and put a hyphen in "semi-literate"). I appreciate the attempt to improve people's writing skills, but you're doing it in a way that makes you look like an arse.

MOD PARENT BULLSHITE (0)

Anonymous Coward | about 7 months ago | (#46285857)

The problem is, comply with WHAT? Have you ever read the various "standard compliance requirements"?

Yes I have. I've read the entire HIPAA and HITECH acts, including the data transfer standards. It takes weeks just to get through the non-standards documents. Luckily I'm paid to do it.

They're usually worded in a way that leaves holes big enough to move planets through. You'll find a lot of talk about "reasonable" and "adequate" security without any kind of definition whatsoever of what these words would mean.

That's not entirely false. There are many references to clarifications that will be provided by the Secretary of HHS (who tends to pass the buck to NIST these days) and also implicit references to industry best practices and explicitly to the "reasonable man" legal standard (which seems to be what you're referring to).

You will NEVER EVER find something that they could be pinned with, like "leave no default passwords" or "no guest accounts" or even "stateful firewall with [[list of features]]". Never. No chance.

Wrong. The only people who can't be "pinned" are the government regulators themselves - the compliance standards, as officially and legally clarified by the Secretary, explicitly reference things like FIPS 140-2 [hhs.gov] which have exact requirements. Failure to comply with those is punishable. The weasel-wording you've pointed out serves to protect and empower the regulators who are outside of the congressional legislative process, it does nothing to protect non-compliant hospitals [eweek.com] , for example.

Of course it's a consultant's dream because no matter what you sell, you're complying. And it's of course no problem for the customer in question to be compliant to rules like that.

It's a consultant's dream alright, for two reasons - one, it's a gold mine because the rules constantly change as the Secretary makes "statements", and two, because people like you are spreading inaccurate information about liability. I can't tell you how many times I've heard fools say that "nobody will prosecute us for this... [nyu.edu] " setting themselves up for a board-mandated takeover of the IT department by consultants.

Re:So much for HIPAA... (4, Informative)

rhsanborn (773855) | about 7 months ago | (#46285089)

Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.

That's not the case at all. HIPAA makes a distinction between covered entities (usually hospitals, doctors, insurance companies), business associates (people providing services for covered entities such as medical coding, transcription, IT services, etc.) that require access to protected health information, and everyone else who isn't allowed to access protected health information. If a covered entity loses or discloses protected health information, or is breached, that entity is responsible for fines under HIPAA, which are being levied regularly. e.g. http://www.healthcareitnews.co... [healthcareitnews.com]

Re:So much for HIPAA... (1)

jbmartin6 (1232050) | about 7 months ago | (#46286125)

"Regularly" is vague. HIPAA was passed in what, 1996? The first fines weren't levied until after 2010. So I think the parent's point is still valid, the act was pretty toothless as far as consequences for quite some time. The ratio of incidents to fines is still very heavily in favor of the careless. If you had a choice between paying $2 million in security or a remote chance of a $1 million fine, which would you take?

Re:So much for HIPAA... (0)

Anonymous Coward | about 7 months ago | (#46286257)

And to think, all of this HIPAA nonsense would be practically nonexistent if we had real first world healthcare. (Single payer socialized healthcare, you limp wristed conservative toadies) The point of these regulations is to protect you from health insurance companies that can and do everything in their power to deny you coverage when you get sick.

Re:So much for HIPAA... (0)

Anonymous Coward | about 7 months ago | (#46295509)

Oh god, you mean I'll have to pay a $5,000 fine or hire several 100k-per-year employees that still cannot guarantee security?

Re:So much for HIPAA... (2)

Medievalist (16032) | about 7 months ago | (#46286191)

No threat of punishment == no compliance.

Don't worry, there's no lack of authoritarian punishment [hhs.gov] built into the system.

But you know, if merely punishing people stopped them from complying with rules we'd be living in paradise. Our punishment-oriented culture serves to gratify the sadism of our rulers, and doesn't really do much to prevent crime. In real life the most effective way to prevent crime is to ensure the availability of rewarding work... and hospital paperwork, I have to tell you, is the opposite of rewarding labor.

Sorry about the busted grammar (1)

Medievalist (16032) | about 7 months ago | (#46286289)

sed 's/complying with/breaking/' <previous post >coherent post

That'll teach me to use preview mode... oh well, at least the link worked.

Bad news (0)

Anonymous Coward | about 7 months ago | (#46284353)

We're sorry to tell you that your child passed away from a ping timeout...

Re:Bad news (4, Funny)

Opportunist (166417) | about 7 months ago | (#46284575)

BSOD just got a very new meaning.

Re:Bad news (2)

Chris Mattern (191822) | about 7 months ago | (#46285523)

Well, that gives a whole new meaning to Time To Live...

I bet this is the Muzzies (-1)

Anonymous Coward | about 7 months ago | (#46284411)

I bet this is the Muzzies. They have it in for anything that would improve health [cnn.com] , as their abominable religion thrives where there is pain, suffering, and misery.

Re:I bet this is the Muzzies (0)

Anonymous Coward | about 7 months ago | (#46284447)

... their abominable religion thrives where there is pain, suffering, and misery.

So do Christianity, news organizations and weapons manufacturers to name a few ... what's your point?

Re:I bet this is the Muzzies (-1, Troll)

Chrisq (894406) | about 7 months ago | (#46284469)

I bet this is the Muzzies. They have it in for anything that would improve health [cnn.com] , as their abominable religion thrives where there is pain, suffering, and misery.

I don't think it is. Whereas you are 100% correct about islam, I would expect physical attacks rather than DDOS attacks from them.

One password. (1)

Savage-Rabbit (308260) | about 7 months ago | (#46284435)

In some cases, an organization used the same password for everything.'"

That's not negligence, it's just the Navy keeping up with the times and implementing Single-Sign-On.

Re:One password. (1)

oodaloop (1229816) | about 7 months ago | (#46284601)

Glad to see you're keeping up with the times, being that this article is about healthcare and not the Navy.

Re:One password. (1)

cold fjord (826450) | about 7 months ago | (#46284831)

The Slashdot editors exploited their superior agility and got inside his posting decision cycle. His defeat is now assured.

Re:One password. (1)

oodaloop (1229816) | about 7 months ago | (#46284925)

and got inside his posting decision cycle

You mean his OODALOOP [wikipedia.org] ?????

Ha Ha Ha Ha!!

Where's me beta? (-1)

Anonymous Coward | about 7 months ago | (#46284449)

I've had a taste. Give me my beta! This old site feels ancient now!

Re:Where's me beta? (1)

Cenan (1892902) | about 7 months ago | (#46284585)

Stop posting AC timothy

Why is C# .Net used for medical devices? (2)

IgnorantMotherFucker (3394481) | about 7 months ago | (#46284463)

Recall that at least the original license agreement for Sun Java specified that it must not be used to operate nuclear power plants. That got a lot of ridicule but was arguably a good idea.

From time to time I see posts for medical device coding jobs on craigslist and the like. Quite commonly they require one to have experience with C# .Net.

That doesn't make a whole lot of sense to me. Heart disease runs in my family. If I get a pacemaker, is it going to be running Microsoft Windows?

Re:Why is C# .Net used for medical devices? (1)

gl4ss (559668) | about 7 months ago | (#46284475)

no but the ui is going to be written in c#.

(...so that it'll be deprecated in a few years)

Re:Why is C# .Net used for medical devices? (3)

Chewbacon (797801) | about 7 months ago | (#46284523)

Rapid application development perhaps. Hospitals are trying to get these systems up and running for the sake of cash deposits and reimbursement from Uncle Sam and every company who can write software, good or bad, wants a piece of it. And yeah, it may run on windows. One of the fluoroscopes in my lab runs Win2K.

Re:Why is C# .Net used for medical devices? (0)

Anonymous Coward | about 7 months ago | (#46285607)

I see you have a modern fluoro room then. We have a room that is still running NT4. Our biomed guy just had to rebuild a CR reader system that was running Win2K. They are on segregated vlans though.

Re:Why is C# .Net used for medical devices? (1)

melikamp (631205) | about 7 months ago | (#46284849)

From time to time I see posts for medical device coding jobs on craigslist and the like. Quite commonly they require one to have experience with C# .Net. That doesn't make a whole lot of sense to me. Heart disease runs in my family. If I get a pacemaker, is it going to be running Microsoft Windows?

This is yet another symptom of a very common disease: enter computers, and all of a sudden medical professionals simply ignore patient privacy and security. Maybe it's for the lack of understanding on the part of individual doctors, but then where are their governing bodies looking? They are selling us out. They must be corrupt three times over.

Last time I went to a doctor for a regular checkup, I almost asked her: are my responses private? [Yes, I assume] Then why the bloody hell are you typing them into a Windoze? You are sharing them with Microsoft and its affiliates as you are typing them in front of me, so where do they go when I am not looking? I didn't confront her, though, opting instead to be very discrete about my medical condition.

Re:Why is C# .Net used for medical devices? (1)

Anonymous Coward | about 7 months ago | (#46285871)

You are sharing them with Microsoft and its affiliates as you are typing them

This is called "paranoia". It's a medical condition.

opting instead to be very discrete about my medical condition

So you won't tell your doctor about your paranoia, but you'll tell a random group of people on Slashdot?

Face it, you're squarely in "wingnut" territory. Microsoft does not keep copies of your data unless you send it to one of their services. They don't care that you're paranoid because it doesn't make them any money. They also don't care about anything else you do or don't do. Nobody is paying attention to you or "spying" on you. You're not that important. Nothing about you is valuable to them. At a certain point, continued paranoid behavior crosses into the realm of narcissism. At that point, everyone laughs at you, not just near you.

Re:Why is C# .Net used for medical devices? (2)

jythie (914043) | about 7 months ago | (#46284953)

"Medical devices" covers a lot of area. I suspect things like pace makers are developed using some RTOS while desktop apps designed to connect to devices are written in some commonly used language like C# or Java.

Though there is probably a lot of pressure due to what kinds of programmers they can find. One thing that pushed LISP out of certain industries, even when it worked really well for individual companies, was difficulty finding experienced programmers.

Medical devices should probably be programmed using something like Ada, but finding developers for it is getting harder and harder.

Re:Why is C# .Net used for medical devices? (1)

flyingfsck (986395) | about 7 months ago | (#46287859)

Hell, an RTOS in a pacemaker makes me shudder. The first pacemaker used a single transistor.

Re:Why is C# .Net used for medical devices? (1)

jellomizer (103300) | about 7 months ago | (#46285439)

Why use C#? Well, it is actually rather simple. In many areas it is easier to find developers for it than for Java or C.

Microsoft products don't suck as much as Slashdot makes them out to. Windows 2000 onward has been very stable, and for the past decade I have seen more Linux kernel crashes than Blue Screens of Death. Making your product in C# vs Java isn't that big of a deal; the real issue that I find is that you are stuck on Windows, and that sucks because you may want to be flexible with your next upgrade, and at least be able to stick it to Microsoft the next time you renegotiate your licences. (Well, all our key apps are Java; if you don't lower your license rate by 20% then we figure it will be cheaper to migrate it all to Linux.)

Healthcare has this other problem: it has been 10 years behind the rest of the technology. You go to events pushing state-of-the-art healthcare technology and you see it is stuff that other industries have been using for years. Right now their big push is adding Business Intelligence to their software.

Re:Why is C# .Net used for medical devices? (1)

maple_shaft (1046302) | about 7 months ago | (#46285757)

Right now their big push is adding Business Intelligence to their software.

If you ask any IT upper manager or executive in a US health system what Business Intelligence is then if they can give you any answer at all it is some recited drivel fed them by the plethora of vendors selling snake oil at the last HIMS conference.

Having nearly a decade of experience working as a software engineer for healthcare ISVs and healthcare systems, I have earned a bit of a perspective on why healthcare IT struggles behind nearly every other industry. To understand why things are dysfunctional and why such organizations are teeming with incompetence you need a bit of history into how many of these healthcare systems came to be.

These large non-profit organizations didn't spring up overnight; they usually started as a loose agreement between a university medical school in need of bright medical professionals for research and teaching, and a number of different hospitals that always have a need for top medical talent. These resulted in a loose confederation of hospitals. When healthcare became big business, the ranks of many of these health systems started to be run by MBAs and other executives with more of a business background. At this point things began to be more centralized and federated by consolidating all of the IT resources in the different facilities into one place. Many of these people though used to be nurses or were self-educated kids who really knew nothing about IT outside of installing software on a doctor's workstation in a small community hospital. Through tenure many of these people rose through the ranks and became the very managers and executives that run many of these health systems today.

So now we have a world today where non-profit health systems reaping MASSIVE profits and having MASSIVE budgets need reasons and excuses to spend so much of their money or else they risk losing their non-profit status. Incompetent management that is in over their head, highly political system of rank and advancement, duct-taped together legacy systems from a number of different hospitals with medical records, money-hungry vendors cashing in on easy sales for "Business Intelligence" and "Analytics" software packages that either don't work or aren't needed, and grueling death march projects that at times seem like a government jobs program with no other reason to exist than to spend money because the board of trustees in these health systems can only take so much of the profits.

This is all really a massive bubble propped up by massive amounts of money that must be spent, run by people who don't know what they are doing.

Re:Why is C# .Net used for medical devices? (1)

ljw1004 (764174) | about 7 months ago | (#46287617)

C# is an ISO standard that runs (great) on iOS, Android, desktop Linux, Netduino, as well as Windows

of things beyond repair, not worth fixing.... (0)

Anonymous Coward | about 7 months ago | (#46284721)

we start anew... free the innocent stem cells... see you there

audubon soc. building replica byrd drones? (0)

Anonymous Coward | about 7 months ago | (#46284763)

so our patrons can still have something to watch... they say. right away the WMD on credit cabalists are hacking the repli-byrds causing them to viciously attack the innocent (until now) byrd watchers, & their keepers. uncomplicate remains the keynote...

Firewall it. (2)

Karmashock (2415832) | about 7 months ago | (#46284815)

By which I do not mean putting some off the shelf software or hardware between your network and the federal ACA system. Rather, have an isolated system distinct from the rest of your network which interacts with the ACA. Give that system no access to the rest of your network or vice versa except through very tightly controlled protocols. Effectively, assume that machine is compromised or at least in extreme danger of being compromised.

Then carry on. Worst case, that isolated system will be infiltrated. But since the Federal ACA system is compromised that's nothing special. Your internal network will remain safe from that vector and you can continue to comply with this federal boondoggle.

Government... we only take them seriously because they threaten to shoot us. No really. Absent threats of violence who would be complying with the ACA at this point? No one. That's all that keeps this bullshit going.

Simple solution (2, Insightful)

Anonymous Coward | about 7 months ago | (#46284837)

We need a law (or laws) that place very painful penalties on any business or organization that suffers a data breach through their own negligence.

The right wingers who run a lot of these businesses just love to talk about the magical results we can get by relying on the free market. Well, let's see them put their money where their mouth is. Currently, they can be sloppy with their IT practices and pay virtually no price even when something goes wrong that causes considerable pain to their customers/users and society at large. It's a classic externalized cost. Internalize it via triple-damages penalties or something similar, and I guarantee that their IT practices will improve dramatically in a matter of weeks.

Re:Simple solution (1)

jythie (914043) | about 7 months ago | (#46284971)

The problem is, within that philosophical system (I cannot call it economic; that set of economic theories was debunked decades ago) the customers would be the ones to punish the company by going somewhere else, and there are no "external costs": the only thing that matters is what is on their side of the interface, and everything outside that the market magically fixes.

Re:Simple solution (1)

maple_shaft (1046302) | about 7 months ago | (#46286311)

That doesn't work in many areas where many of these healthcare systems have a practical monopoly in their respective regions. There is often no other choice for customers (Let it be known I find that term offensive, they are really patients). They really aren't broken up because they are also "non-profit" which is lately becoming an ethically dubious term for many health systems.

Re:Simple solution (1)

jythie (914043) | about 7 months ago | (#46286635)

*nods* and even when there are choices in a particular region, often one's health coverage makes the choice for them, and forgoing one's employer provided health care and going to the individual market is often a bad economic choice for individuals or families. So the barrier to voting with one's dollars becomes very high.

Re:Simple solution (1)

rhsanborn (773855) | about 7 months ago | (#46285043)

There is a law, it's called HIPAA. Healthcare organizations are very cognizant of HIPAA and do work to avoid breaches of healthcare data. The Department of Health and Human Services does hand out significant fines for breaches. http://www.hhs.gov/ocr/privacy... [hhs.gov] Additionally, for large breaches, healthcare organizations are required to notify prominent news media, which arguably has a larger financial impact than the fines themselves.

mod 0p (-1)

Anonymous Coward | about 7 months ago | (#46284963)

ove8 the same trouYbled OS. Now

Summarize (0)

sociocapitalist (2471722) | about 7 months ago | (#46284997)

Let me summarize the situation so we can avoid having an article for every industry.

Any business worth any substantial amount of money is, and has been for years, under constant 'cyberattack'.

Cost of IT (0)

Anonymous Coward | about 7 months ago | (#46285053)

I have been working in health care IT strictly for 6 years now and the problem is not the lack of security at all from my standpoint. It is however the lack of spine in the industry. We have no one that will stand up in this time of change (read up on meaningful use in health care) and say no..... I will not continue to put the customer at risk just to get this project running. Why not? Because it will cost them their job.... why? Because the people leading us into things like the government website fiasco don't get what it is they are asking their IT to do - thus causing IT to continuously lay down project after project that is just barely stood up, let alone implemented correctly or maintained properly. I can speak from experience in the small to midsized markets - the give-a-hoot is broken in favor of timelines and making someone's project a success for their resumes. It will not change until someone has the spine to stand up and explain in layman's terms the how/why these projects cannot continue to be pounded out at neck-breaking speed. As an IT person in health care I can honestly say no one listens to us until something is way past broken and it costs them dearly, which causes me to just want to put my head down in defeat and only do what I am told. Why not..... Everyone else can, right? Feel free to email tyroniuz (the at sign) Gmail dot com if you care to get any more feedback from the downward spiraling trenches of IT

Not surprising (1)

jbmartin6 (1232050) | about 7 months ago | (#46285061)

I've been there. The organizations just don't care, it is more important to keep doctors happy. There is very little appreciation for IT and its value. And since there are limited consequences for breaches, there is no motivation to change.

We are constantly under attack (1)

hsmith (818216) | about 7 months ago | (#46285215)

We are a healthcare startup and we get the usual metasploit attacks, but more important we are phished like crazy.

The information is valuable and because it is, healthcare firm staff will be easy pickings for being targets.

They simply don't know what they are doing (for instance, there is a 90% chance your doctor is using SMS/MMS to communicate about patients)

I'm guessing its insurance companies. (1)

mark_reh (2015546) | about 7 months ago | (#46285243)

Who else would benefit from knowing your health info? Drug companies could spam you with ads, I suppose, but insurance companies have the most to gain by denying coverage to the "accident prone, chronically ill, and those who might inherit propensities for certain health problems. For health insurers, this has supposedly been fixed under Obamacare, but like taxes, there are many lawyers looking for loopholes and they will certainly find them. And what about life insurance? Those guys would love to have all your medical records...

Re:I'm guessing its insurance companies. (1)

CrimsonAvenger (580665) | about 7 months ago | (#46286461)

but insurance companies have the most to gain by denying coverage to the "accident prone, chronically ill, and those who might inherit propensities for certain health problems.

Which is illegal under the ACA, hence irrelevant.

Re:I'm guessing its insurance companies. (1)

mark_reh (2015546) | about 7 months ago | (#46286779)

Right. And rich people pay income taxes like the rest of us, too.

Nothing to see here! (1)

erroneus (253617) | about 7 months ago | (#46285599)

This story doesn't indicate that this is largely the NSA collecting information in support of further executive adjustments to the Afraudable Care Act. This is just how they operate. "It's better to beg for forgiveness than to get permission or follow legislation. It's even better to deny that you did it than to beg for forgiveness." --Eric Holder

Low-level DDOS (3, Interesting)

ahs_boy (125818) | about 7 months ago | (#46285651)

One of my clients is an umbrella organization for a few local community health centers, and there has been a steady stream of empty POST submissions to their website -- at the rate of about 2/second -- for about 4 straight months now. Virtually every hit is from a unique IP address, so the spoofing is either great, or the botnet is enormous. This is normally a VERY low-traffic site, so the attack constitutes about 99% of their traffic at this point.

I'm assuming that the timing of the start of the attacks -- just as the Affordable Health Care Act came into effect -- is not a coincidence. It's a brain-dead attack, and easy to mitigate, but I'm a bit dumbfounded that it continues to this day, despite having no effect on the accessibility of their site at all.

Re:Low-level DDOS (0)

Anonymous Coward | about 7 months ago | (#46287947)

Don't the health centers have their own IP ranges? Can't they filter their traffic?

Also, POST requests *cannot* happen with spoofed IPs. That's a ridiculous idea. The TCP handshake does not complete for spoofed IPs, hence no POST requests.

spoofed SYN -> server ACK -> ???? oops
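The distributed empty-POST pattern ahs_boy describes, and the reply's point that a logged POST implies a completed TCP handshake, as an added example that is not code from either poster: a Python script that runs over constructed access-log lines and flags a sustained flood of empty POSTs from many distinct addresses. It assumes an Apache-style custom LogFormat that also records the request's Content-Length header (that format, the thresholds and the sample addresses are all assumptions).

```python
"""Detect a steady, distributed flood of empty POST requests in a web access log.

Assumption (constructed for this example): the server logs with an Apache-style
custom LogFormat that also records the request's Content-Length header:

    LogFormat "%h %t \"%r\" %>s %b \"%{Content-Length}i\"" postlog

All sample lines below are constructed, not captured traffic.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<clen>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class Request(NamedTuple):
    ip: str
    ts: datetime
    method: str
    path: str
    status: int
    content_length: int  # 0 when the header was absent ("-") or zero


def parse_line(line: str) -> Optional[Request]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    clen = m.group("clen")
    return Request(
        ip=m.group("ip"),
        ts=datetime.strptime(m.group("ts"), TS_FMT),
        method=m.group("method"),
        path=m.group("path"),
        status=int(m.group("status")),
        content_length=int(clen) if clen.isdigit() else 0,
    )


def analyse(lines: List[str], min_rate_per_sec: float = 1.0,
            min_unique_ratio: float = 0.9, min_share: float = 0.5) -> Dict:
    """Summarise empty POSTs and flag a distributed low-rate flood.

    Three signals together separate the pattern from a burst of legitimate form
    submissions: a sustained rate, almost every request coming from a different
    address, and the empty POSTs making up most of the site's traffic. Every
    address here completed a TCP handshake before its POST was logged, so these
    are real peers (a botnet), not spoofed source addresses.
    """
    reqs = [r for r in map(parse_line, lines) if r is not None]
    empty = [r for r in reqs if r.method == "POST" and r.content_length == 0]
    if not empty:
        return {"flagged": False, "empty_posts": 0, "total_requests": len(reqs)}
    span = (max(r.ts for r in empty) - min(r.ts for r in empty)).total_seconds()
    rate = len(empty) / max(span, 1.0)  # a single hit spans 0 s; avoid dividing by zero
    unique_ips = len({r.ip for r in empty})
    unique_ratio = unique_ips / len(empty)
    share = len(empty) / len(reqs)
    return {
        "flagged": rate >= min_rate_per_sec and unique_ratio >= min_unique_ratio
                   and share >= min_share,
        "empty_posts": len(empty),
        "total_requests": len(reqs),
        "rate_per_sec": rate,
        "unique_ips": unique_ips,
        "unique_ratio": unique_ratio,
        "share": share,
        "top_paths": Counter(r.path for r in empty).most_common(3),
    }


def constructed_log() -> List[str]:
    """Constructed sample: two empty POSTs per second from 20 distinct addresses
    over 10 seconds, plus a little legitimate traffic. Not real data."""
    base = datetime(2014, 2, 20, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(20):
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        lines.append(f'198.51.100.{i + 1} [{ts}] "POST /contact HTTP/1.1" 200 512 "0"')
    ts = (base + timedelta(seconds=3)).strftime(TS_FMT)
    lines.append(f'203.0.113.7 [{ts}] "GET /index.html HTTP/1.1" 200 4821 "-"')
    lines.append(f'203.0.113.7 [{ts}] "POST /contact HTTP/1.1" 302 - "143"')
    return lines


if __name__ == "__main__":
    result = analyse(constructed_log())
    print("flagged:", result["flagged"])
    print(f"{result['empty_posts']} empty POSTs from {result['unique_ips']} addresses, "
          f"{result['rate_per_sec']:.2f}/s, {result['share']:.0%} of traffic")
```

The flagged addresses are candidates for a block list or rate limit at the edge; because they completed the handshake, blocking them affects the real peers rather than innocent spoofed addresses.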

NSA (1)

Lawrence_Bird (67278) | about 7 months ago | (#46285797)

just wants to know which terrorists are going to the hospital and for what treatment. ordinary citizens have nothing to fear, it is only collecting meta-data about your bloodwork, x-rays, mri's......

How Rude (0)

Anonymous Coward | about 7 months ago | (#46285817)

"...and in many cases have been infiltrated without their knowledge."

That's just a lack of basic courtesy. Whatever happened to the common decency of letting someone know you're about to sneak into their house?

Interesting, but I wonder..... (1)

sgt_doom (655561) | about 7 months ago | (#46289363)

An acquaintance of mine, several years back, worked at a medical coding company called Meddata (based out of Ohio, I believe, and owned by a private equity/leveraged buyout firm) which kept having computer problems, which their inept and incompetent IT sleazoids were unable to prevent. She monitored their systems in-house, and ascertained that they were being hacked at mercilessly, within the USA region. It didn't take her long to figure it out: the executives there, from a previous company but now in top levels at Meddata, had screwed over numerous people at their previous company (there was, and may still be, a dedicated web site to the lawsuits against that outfit), and people were attempting revenge. Sometimes, it really is that simple.

JCAHO to the rescue! (0)

Anonymous Coward | about 7 months ago | (#46291503)

The Joint Commission (the new name for the organization which used to be known as JCAHO) has recently started to cover the IT side of laboratory systems. Failing this leads to the lab losing their license.
