Comments
dclxvi616 t1_jc9x00h wrote
What benefit? Millions of dollars in potential ransom money. They are essentially Russians. It’s not so much that they’re protected by the law, it’s that the options to pursue them under any semblance of jurisdiction are going to look like military intervention or hoping they come visit the US, assuming we even know their identities.
ThinkySushi t1_jca0ww9 wrote
Ooh they are Russian...
Is, is this the modern version of being a privateer?
dclxvi616 t1_jca1dg5 wrote
I’m not sure if this particular group is state-sanctioned but many are, likely with plausible deniability. Ransomware attacks have been hitting hard and heavy over the past few years.
ronreadingpa t1_jca3m87 wrote
There also needs to be penalties for organizations that lose data. They need to be held liable too beyond providing useless "free" credit monitoring.
As of now, companies basically get a free pass. If they were on the hook too, many would improve their security while also seeking ways to collect less data to begin with. Not all of it is necessary and it should be treated as a liability, not an asset, as it often is now.
For those patients affected, they should pursue legal action. If the hospital chooses to fight, likely won't get much, if any, money, but chance they settle and pay out something and/or agree to make meaningful changes to their security practices and data collection.
ItsjustJim621 t1_jcaibw8 wrote
This this this.
As someone studying cybersecurity, I’m wondering what safeguards did LVHN have in place to even protect against something like this?
Security usually starts with endpoints... training to look for phishing emails. From there, we can bolster that with strong passwords, VPNs, creating a zero-trust network, etc., honeypots, black holes... Their IT team needs some serious training and/or network upgrades.
Then again, I get not paying the ransom because who’s to say they’d give the data back? But at that point, they’re really taking a gamble as to making a determination that the information compromised isn’t important compared to financial or business data.
Zenith2017 t1_jd3jchm wrote
Just FWIW, phishing training generally has a really poor return on investment. It's improving with products like knowbe4 but largely you can expect that around 8% of trainees will change their behavior in the short term
292ll t1_jcarr8g wrote
How can a private, relatively small organization have the appropriate protections in place to compete with quasi-state-funded hackers? I don’t know that we can ever get there, and if 80% of companies do, they’ll find the other 20%.
IamSauerKraut t1_jcb3cid wrote
There are basic protections that many orgs are not putting into place because 1) not enough IT folks specialize in it, and 2) orgs are unwilling to pay the cost of installation/upgrades.
MartianActual t1_jcc4mp2 wrote
This. It would make you scream to see how inadequate cybersecurity is at a lot of major corporations, or the lack of funding for it because it's a cost, not a revenue generator.
ItsjustJim621 t1_jcas94b wrote
It’s always going to be a cat and mouse game.
My company got hacked a year or so ago before I came on board. And since then, there’s been a concentrated effort to batten down the hatches so to speak.
292ll t1_jcasnb8 wrote
It’s tough, I think an appropriate level is are you protected from 90% of these clowns, but most businesses don’t have the $ or resources to be fully protected.
IamSauerKraut t1_jcb3hfj wrote
No health system should go without protection. Time for them to belly up.
Zenith2017 t1_jd3jo50 wrote
Nobody can be fully protected, but I think it might shock you to see the reality out here. I have Fortune 50 customers whose security programs are woeful. Seriously, that bad. Cringeworthy, nail biters. Hell, my mom worked for a top 3 insurance company for years and from day 1 she was an admin on her laptop, handling HIPAA compliant data locally. It is often that bad, and a lot of companies are hardly trying.
BluCurry8 t1_jcbw88g wrote
That is a really ridiculous statement. LHV is not small and they are just as responsible for their data security as any other company holding PII data. Patient data should be secured from enterprise business applications.
delcodick t1_jccq147 wrote
Perhaps an organization that is unable to comply with its legal obligations shouldn’t be in business then 🤷♂️ I wouldn’t say that an Operating income: $78.4 million is particularly small 🤔
Zenith2017 t1_jd3j6xb wrote
Cyber guy here. I totally agree that protections and consequences need to be heavier, and I'd like to see that extend to organizations that get breached due to negligence and poor practices. The patients are the victims here 100%, but this medical org also has potential culpability based on what they did or didn't do to prevent and contain a breach.
_Mr_Jay_ t1_jc8ufst wrote
Wow, that's sad.
FlipAround42 t1_jc8qkin wrote
They're complete losers and wastes of human beings to do something so despicable. What goes around will definitely come around for them.
tinymonesters t1_jcaqpf9 wrote
I'd prefer my photos leaked than have my hospital pay these scumbags.
alternatingflan t1_jc9nh5n wrote
Whatever the maximum penalty is, it should at least be double for these jerks.
dream_bean_94 t1_jcaiygm wrote
This happens more often than you’d think, unfortunately. Healthcare industry is a big target for this stuff.
MartianActual t1_jcc4c3g wrote
People that ransomware a fucking hospital and display information about the patients deserve to be hung in the public square.
Zenith2017 t1_jd3kai5 wrote
I have respect for hackers who stick it to giant behemoth companies, who pursue an agenda of conscientious hacking and target shitheads and bad guys, and who do it for fun more than harm.
But people who hack a hospital? Straight to the boiler room of hell. What level of shit head do you really have to be? And I know these are just schmucks employed by a state actor but God damn have some spine to you
WinterWontStopComing t1_jcaixf6 wrote
That’s fucked up. Hopefully someone in their own community goes after them for the exceptionally tasteless practice
IamSauerKraut t1_jcb34gu wrote
The patient has filed suit...
angeloistrash t1_jcaicoj wrote
My jaw dropped. You have to be a real sicko to do this.
PerformanceRadiant t1_jc8x1o6 wrote
There needs to be severe consequences for people that do this stuff. This is malicious. What benefit does it have to do that sort of thing? I think in general cyber crimes need to be prosecuted heavily. My brother just got his entire checking account stolen. The bank is refunding, but what is stopping these people from stealing? The answer is nothing... they are protected by the law and it’s disgusting.