The Worst Hack In Healthcare History 

When you don't see the direct impact on people it's easier to have no morals. Also People look at it in a similar way to stealing from a big chain store like walmart. "oh these big companies have plenty of money they won't notice five bucks". It's sad but its the world we live in.

These hacks are usually performed by Kremlin, North Korea, etc.

Most of the time these are automated attacks that exploit security problems that have been known, and fixed, for years. If such an attack works against you, you have been grossly negligent with your software security. For something as critical as a hospital, *all* used software requires frequent, periodic security audits and any available update needs to be live on the system within 12 hours of the release of the update at the absolute latest. They don't want to pay for that. That, and ONLY that, is the issue. Every possible security problem in software development is theoretically solved. It's just not practically applied due to cost.

@@AnpanatorYeah, I've experienced the other end of that firsthand as a now-official CEH. You send your resume to a business in the medical field looking for a position as a penetration tester or SOC engineer, and they respond by ghosting you. Then they finally learn the hard way in examples like this why that was a bad move.

Hi 👋🏼 Dr.Mike watching your videos had helped me be more conscious of my living and how I treat my body so thank you

Yeah... As someone that used to MSP for medical offices, the problem is entirely with penny pinchers refusing to upgrade software and hardware with the times and pay for basic security features. A lot of fun also comes from hos doctors can have hissy fits like toddlers and get exceptions to security policies as well. I was supporting Win XP until a few years back on frontline internet connected machines because offices *refused* to spend to buy new computers. As in, patient checkin computers where your money was handled and not some fancy medical equipment controller. Straight up the average carpenters office was better on security and buying new computers to keep things up to date than the average medical client I had!

@@sparky8251 Hit the nail on the head. Especially as an MSP, admin just thinks they're being upsold on services that are actually vital. And yes, some doctors definitely have too much pull and are too used to being catered to. We have started rolling out 2fa and talk about backlash...even some threats to just not come back to the hospital and work.

@@pkjacobg I truly loathe doctors. They think they are so smart they also know computers when they really *really* dont. its even worse when they are also the admin/owner. Had one demand we do an OS upgrade of a single server in a way that didn't disrupt his business, but also refused to give us even an hour to do it in because he swore he worked 24/7/365... Took us legitimately months to get that done as a result when it shouldve really just been me spending 2-3 hours on a weekend at midnight. But noooo....

As someone who works in the cybersecurity industry, I can confidently say that business leaders across all industries often times will skimp out on IT resources, then when an incident happens they suddenly "didn't know / are disappointed to learn their security measures were so inadequete" while they actively refused allocating resources that were in-budget for IT projects that could have mitigated most of their serious risks of facing an incident. Recently the FDA tightened the screws and mandated that medical devices are audited before they're launched on the market, which is a step in the right direction, but once they are approved, they are no longer subject to recurring mandated security testing. Many vulnerabilities that will lead to incidents such as the insertion of ransomware are routinely being identified in tech used by these manufacturers in IoT medical equipement, which means their device may now be vulnerable to new threats that weren't known or used when they launched on the market, leaving them at risk now. It's always a money problem ultimately. They'd rather risk millions in non-compliance fines than spend a few thousand bucks to improve their cybersecurity. It's really madness. The skilled cybersecurity professionals are out there, the expertise exists and there are countless providers out there that can help. It's just hard to convince boomers that barely understand how a printer works that risks are real and tangible.

And now, when the infrastructure is strengthened, the staff needs to have a robust and regular cybersecurity training. Even audits, if necessary, to catch them unprepared and see how strong the system really is within the organisation. Social engineering is a thing.

Yeah, Tay! Tell em. But tbh, even if the infrastructure can be setup, the way they'd handle costs would make it completely inaccessible to a very large majority.

Yes! I worked for SAAS healthcare company for 15 years as a developer and my honest opinion, a properly configured on premise server and off-site/offline backup are much safer for a medical practice. Hospitals are different but for medical practices SAAS was awesome as a trend as the internet evolved and more software became web based but it's honestly a novelty and liability. The convenience of practice owners or office staff not having to deal with IT companies and know whether they are good or not is the reason SAAS is still successful.

@@FirestormX9 Thank you for your thoughts. Part of the reason for the high cost is the hardware and software design incentive towards proprietary APIs and infrastructure used to horizontally integrate product lines and build oligopoly- rather than modular, open-source APIs and design specs that invite robust competition for replacement or substitution at each stage. Every business faces great pressure on the design level to maximize future dependency on themselves- which should not happen but is sadly the norm.

What language is everyone speaking here

You’re the chocolate rain guy aren’t you

Best part of this video? Send this out as awareness education and document it. Wooohooo! A palatable source of awareness.

Totally agree ! Keep teaching good security practices !

Yep. I can say that, too. Of course, it was the company I work for that saved Change Healthcares' asses.

Our 60 provider Plastics and Derm practice has as well.

My parents both work for one of our largest local healthcare companies (leaving anonymous), this happened to their company last year, and I think they're still working to recover from it (though I don't know the specifics).

@@sarahspindler2914 Starts with a C, doesn't it?

Shucks thats unfortunate maybe all the money you get from milking the population dry for a visit should be spent on buying some norton garbage :D

And when their insurance premiums skyrocket due to inadequate controls.

That's the issue still... companies (not just healthcare) are not getting the concept of what is "worse", the price of an MDR service/solution or them getting hit by a ransomware from someone buying the toolkit online and pitting it in just to see if it works. The responsibility is theirs ofcourse, but they should be presented with a real-life example (of which, I'm positive, every cybersec tool vendor or MDR provider has at least a handful) with every presentation/POC/demo.

This is just one reason why it's ridiculous to allow insurance companies to dictate healthcare.

If you're talking about Ascension (yep, I'll just name drop them because they deserve it) yep. They are a private equity fund posing as a hospital system so of course there's no incentive to maintain those systems when they can skim those profits instead.

@@MiniiCitrus My local system was just sold from Ascension to another system and those poor buyers are running around like chickens with their heads cut off trying to clean up this mess. CERNER is garbage and now it's causing a huge mess.

Great to know that they care about revenue but not about those paying the bills.

Don't read my name

Security by obscurity is an open door.

Another thing is that a lot of vendors of medical equipment have major issues in delivering systems that are halfway current in terms of software, often with no plan to keep them updated, etc. so this leads to many systems that are very easy to exploit. In a hospital setting it will always be that availability of a system is more important than securing it. I work in a different field, but where the same behaviour from vendors has cost many companies a lot of money.

as someone who just graduated high school and wants to go into the healthcare field; that's scary!!!

Because for most ppl that worked in that field, they have no more brain space left to memorize unique password for each different step.

@@calyco2381 Luckily for all of us, that is not needed when things are done right. A world where that is a requirement is usually a good indication of someone in power not understanding security.

Don't read my name

This is why cybersecurity awareness is something that needs to be carried out not just for us students In IT, but rather for every industry and its staff. Its really frustrating that even in our country, the only people being educated on cybersecurity are the ones who are already aware, educated and even funding courses on it at universities. There needs to be some sort of awareness and understanding of the risks of cybersecurity coming from major organisations that deal with this towards susceptible industries.

Oh god even name changes, what the he/| Good that it was found, but for goodness's sake why is it so hard for these places to at least use 2fa 🤦💀

How are you surprised.... hospitals generally have lots of money or tied to it, and they have horribly outdated systems and have tons of private info that is perfect for blackmail or stealing identities. Thats a hackers dream

That shouldn't be a surprise. Anybody who has hosted a public server on the internet knows that your pretty much attacked by everybody and their grandmother. Just setup a honeypot server and install CrowdSec on it, and just watch and see how many alerts are generated on a server that has no purpose.

I'm in Canada and we've had several

To quote Al Capone when asked why he was robbing banks: "That is where the money is". There's a lot of different reasons why those that hack hospitals don't care/don't know if the target is a hospital. People that make a living from this line of work already have made some moral choices and that means empathy for the hospital likely is in short supply.

Don't read my name

I had many days I cried in the bathroom at work during this hack. It was ridiculously stressful.

So health insurance companies? Oh wait hackers Oh wait... both

Hackers are going to hack. You are blaming the incompetence of the executives in the wrong people. Are hackers evil? Yes. But executives who take bonuses instead of investing in Cybersecurity are the real villains of this story. If a bank lets anyone inside their coffers, are you going to blame a bandit if your money goes missing or the bank?

Not really. Executives of food, pharmaceutical, and tobacco companies do it daily.

​@@HariSeldon913They're still cowardly bastards

I feel like it should be illegal to prioritize making money over morals.

My hospital won’t even let us access those websites, including social media-why would someone use a work device for shopping? I’m remote but I would use my personal devices for that.

Woooooow, hacked through christmas shopping... Idk if it actually helps much, but I'm going to print out my medical records. That way if they get hacked they at least have my history+current meds. I'll print out any additions such as meds changing when they happen, to keep it up to date. It's ridiculous that we have to think about this to begin with, but I advice you do something to keep those records yourself- on paper or on a usb maybe. Also best of luck to you and your family with the treatment🍀

@@undefinederror40404that should be done anyway. Even if cybersecurity wasn’t an issue outside of the hospital, they could have a disgruntled ex-employee get into the system and do nefarious things with that info.

@@undefinederror40404 have no fear she is almost two and in remission ! odd fact kids with DS are more likely to get the deadliest version of leukemia, (myeloid) but have much higher survival rates than kids with 46 chromosomes. so shout out to my girls extra chromosome because it most likely saved her life ! she is running around and the happiest toddler ever :)

Thats just incompetence. I work for OSF and most things like that are blocked from access on workstations. But yes you're never going to have a company/IT department admit they had a data breach as it happens for various reasons. We don't even tell our own workers its been breached.

It's ridiculous that we have come to rely on computers to that extent.

I am happy to hear your Dad did well after his surgery. When Ascension hospitals had to ‘turn off their computers’ during the cyber attack, every department had to go back to paper. Orders, chart notes, prescriptions, exam results, lab results, everything had to be written like it was in the 1980’s era on carbonless forms. This generation of healthcare professionals was not trained with that technology and it was a nightmare for everyone. In my area, patients started avoiding the Ascension hospital for another hospital in the area which caused longer wait times in that ER. Now that the incident is over, all those paper notes still have to be transcribed into the patients’ medical records.

@@randomllama7362 And when proposed to show them to new nurses everyone is all "oh no it won't happen again" making the issue worse.

@@silverscalederg8632for Ascension, they were bringing in a new set of nurses and they did show them paper charting because the system was down so they couldn’t even train on the system used. And of course the newer nurses that were working on the unit used paper because that was the only thing available.

Be careful about burn out brother, I see it far to often; keep a good home/work life separation in effect.

I mean i think there will be much job opportunity in that field! If i could get an education and work a normal job i would 100% choose cyber security! In Denmark, the military is now hiring people for a new cyber force to combat this new rapidly growing thread :)

One thing that cybersecurity can involve (and I'm speaking from experience here) is reverse-engineering malware.

Ikr W

@@YTGamerboyPG3Dthank you for your support

Ya yr right

Ya

Do yu kno da way?

Walgreens has been using the same software since 1987 😁

@@elongatedpocket1310 yes, tons in retail too! Blows my mind how many companies think they’ll skate by like that 😂

That attitude needs to change.

@@christygruber2283 what’s really shameful is most government entities operate the same way. It’s like the most sensitive entities are always the furthest behind in advancements

Okay, I agree. So I wish they would look at the VA! Largest healthcare provider in the US, has to meet the standards for any government agency / department (aka NSA) and has in implemented security solution based off NIST and such. Source: ex ISO at a VA. We spent years getting this going, making sure it was working. Look to us, dang it! :wry:

I mean, they can but it's pretty much working blind.

Pardon my lack of knowledge, but were there no generics available or why couldn't they switch to those right away? Switching from brand-name to a generic sounds like a no-brainer especially if one's life is on the line, so there is probably something I don't know about the US system at play here.

@@justanotheryoutubeaccount2270 Drug patents in the US last for 20 years. Any drug released in the last 20 years won't have a generic available yet. This is so the original patent holder can recoup their investments in R&D and make a profit before other companies are able to get in on it. Thus, they can charge however much they want until the generics are out. So if a patient needs a specific drug, there isn't always a viable alternative. By default, all prescriptions are dispensed with generics whenever available unless otherwise requested by the patient, prescriber, or insurance provider.

​@justanotheryoutubeaccount2270 guessing they're either not available or, not sure if this applies in the US, you'd need to get your doctor to switch your prescription to generic

@@justanotheryoutubeaccount2270 Generic meds are still ridiculously expensive in the US. Most people who are getting their meds with insurance can't afford any meds otherwise. In Canada, even a pharmacist can switch you to a generic brand.

as someone working a drs office i am sick of them faxing us garbage and calling pretending to say that the patient said they want xyz BS thing they are selling. its the worst. some of them even pretend to be real pharmacies like walgreens or CVS

These aren't even companies. This is just bog standard phishing attempts.

@@vectorwolf No, ya think?

Don't read my name

@@onemercilessming1342You called them “unknown health companies”.

Don't worry, it's not matter of private industry. I live in country with public health care. Here hospitals cyber security is almost non existent on the same level in every hospital, not in only some of them.

They don't get to charge absurd amounts of money and then complain that Cybersecurity is too expansive. No sympathy. I am only sorry for the patients. The hospitals deserve to lose money and should also be fined and lose even more.

Are you a bot too?? Profile made today with spam links and thirst traps?

bruh another bot

Bot

@@hanners4895 it was country wide. Something like 80 million Americans were affected

I feel like this was an issue for a while before it was announced. When I would log into Livewell. I couldn't link to Ascension like normal. This was going on for a while before Ascension got locked out of their system.

Look into fenbendazole...it works

At least they bought out those small practices. Years ago, BCBS forced small mental healthcare practices to close because BCBS decided to issue massive charge backs with zero warning because they realized they had been overpaying people for years.

That's totally bullshit. As a cybersecurity enthusiast, I can confirm that this hack absolutely happened and was definitely not started by United. They may have taken advantage of the situation. That I don't know. However, they certainly didn't cause it.

As someone who worked for CHC and now for UHG, that is definitely NOT what happened. There is no overarching conspiracy. This was extremely detrimental to the business/industry and it's insane to suggest it's being used as an advantage. UHG has paid out more than $3.3b to providers affected by the attack and they had been acquiring practices/busineses long before this attack (CHC being one of those acqusitions, which the DOJ tried to block). This is all public information. The OCR is also investigating UHG & CHC due to the attack and the DOJ is conducting an antitrust investigation into UHG, so fines may be in order. Dr. Mike has done an excellent job of summarizing the very public FACTS of this attack. Try sticking to those instead of theorizing.

Tell them to open up a SOC and start hiring CEH-certified penetration testers. That's how these kinds of attacks are prevented.

This isn't true these days. People will hack anything they can that will make them money....Unfortunately healthcare is very behind as far as cybersecurity goes in spite of being subject to more stringent data protection laws (HIPAA).

Some rasomware groups had informally agreed to not hack critical infrastructure or healthcare but that wasn't all of them and it's not some honourable code they abide by, it was to stop them from getting so much heat.

cosmologist is so cool

how u know that 🤨

@@akr4s1a It's not being honorable, it's about not pulling to much heat in. You mess with big capital, they'll usually pay you off and won't even admit it happened because it is a BAD look for your clients. You hack a water treatment plant, power distribution station, or hospital? You put people's lives at risk, you make the news, the FBI takes a keen interest. Smart hackers pick their targets carefully. I work in IT and while we certainly have some fools trying to go after our medical clients it's mostly factories, logestics, and big capital; companies that REALLY don't want to admit it happened to them. I have it on good authority S&S Tire/S&S Bridgestone has been hacked more then twice in a single year but because it's privately owned they never once told anyone that didn't work there. A buddy of mine worked there and he spent weeks getting them back online. They didn't have proper backups for most servers, the head of IT credentials were used in the hack indicating he shared his password with other websites and they got stolen, or something similar. My buddy was stressed the entire time and once things got taken care of they let him go without reason. The problem was their VPN wasn't secured with 2Fa like industry standard dictates and that allowed someone with just a password into the entire network and since they went after the head admin they had access to EVERYTHING. My buddy about two months prior to the hack made a big stink about how unsafe not having 2Fa was; then they fired him after he helped fix the issue. To me it looks like management was embarrassed and didn't want THEIR bosses finding out they had been warned in advanced and just failed to take reasonable action.

It was all over the news...CEO was also grilled by Congress, which was also all over the news...

Sounds good. But how many of the hackers are even located in the United States. I'd bet many of them are in other countries.

@@debbieholoquist2059 As with most hackers, but with tech involved you potentially can find the country of origin and put pressure on that government. Not saying start a war but this isn't about money anymore, playing with American lives should call for some more severe measures.

Your comment has been noticed ! Subbed to your channel. Always happy to support a growing channel especially ones sharing interesting information!

Unfortunately, if you've ever had a letter come in from a healthcare company, someone stole your data. It happens often.

The hacking Dr Mike is referring to in this video doesn't get into a person's medical files in order to target them specifically. Could they though? Absolutely! But this is geared towards holding a facility ransom, locking up their entire system.

@@LadyOakkbtw that’s a bot brother

@@TheChristianArab Thanks I wasn't paying attention baha

Hello 👋 can I ask you a question

Source of this story? Sounds hard to believe. Not because it couldn’t happen, but because I feel like it should’ve made viral headlines to raise awareness if it happened

That was an episode of FBI TV show.

For every good antiviral program, there are about 900(at least) hackers that can dismiss them.

Punny

I'd actually be concerned if the only measure was an antivirus. EDR/XDR or application whitelisting are a bare minimum nower days, there is WAY more to cybersecurity than you think.

@@jacksoncremean1664 Yeah, I think it was actually a pun comment, not to be taken seriously.

As someone in cyber security it's not even the antivirus it's employees clicking random links

It’s truly amazing

How much my life has changed 😅

Probably

That’s right, Dr. Mike is on it!!

I agree