Russian ransomware strikes Queensland doctor

A medical practice in the Australian state of Queensland, the Miami Family Medical Centre, has been hit by ransomware said to originate in Russia. ABC News reports staff arrived at the practice last week, turned on computers and found messages proclaiming that patients' records had been encrypted. Seven years' worth of …

COMMENTS

This topic is closed for new posts.
  1. corestore

    Offsite backups!

    Offsite backups!

    Offline backups!

    Offsite backups of the archives.

    And did I mention offsite backups?

    Sometimes only the burned hand will teach.

    1. Anonymous Coward

      Re: Offsite backups!

      A lot of small business owners have no IT knowledge, and can't afford full time IT support. I'm not sure how you get around this problem of not performing regular backups, other than education. Given the potential impact on the community of data loss, data theft and stolen identities, perhaps the government should foot the bill for basic education and advice to small business owners. Perhaps a carrot and stick approach might be in order.

      1. Thorne
        FAIL

        Re: Offsite backups!

        It's not a small business, it's a medical practice. It has to keep patients' medical records. There are already laws concerning the protection of medical records. At least the medical records software I've installed has all had automatic backup systems.

        If they haven't done backups, then they need to be bitchslapped back to the Stone Age. This isn't their data, it's someone else's. No excuse.

    2. Steven Roper
      Thumb Up

      The burned hand does indeed teach

      I call this "the 15,000 dollar lesson", because back in the 90s I failed to back up vital customer and invoice records, as well as essential work files, for a souvenir business I was a partner in. A hard drive failure one day obliterated the lot. Hundreds of postcard images (used in things like keyrings, fridge magnets etc.) were lost, as well as our transaction, client and invoice records. Total costs resulting from the loss: 15 grand.

      That was definitely a hand-burning experience. Backing up is not optional. I've never let it happen again since. I have the feeling neither will this doctor.

    3. Oddb0d
      Facepalm

      Re: Offsite backups!

      Source article clearly states: "The server with encrypted information is being held offline and an IT contractor is working with the practice to restore a backup of patient records."

  2. Mayday
    Facepalm

    Pretty Uncool

    ... that their "confidential" and otherwise critical data is somehow accessible from the internet. What is OK is that they are not giving in and paying up. That would only set a precedent.

    Having said that, I'm sure that paying someone to fix it would cost more than the $4k too.

    I recall a time when I was working in a medical imaging company (they were a client of my employer) many years ago and they required an Ethereal (now known as Wireshark) trace run on their network to check a performance issue. I performed the tests, and to my horror I could see confidential patient data appearing on my screen in the dump. This data was not part of the application which required the performance test, but was still being presented in cleartext anyway. One would think this sort of thing should be encrypted by default, even on a LAN, and even a "trusted" person such as myself should NOT be able to read it, even accidentally as I did. This whole thing where the crooks can get to it from the internet just takes it to a whole new level, and I am sure they are not alone in being this vulnerable.

  3. mathew42
    Pirate

    Ideally you want two separate networks: one for patient data and one for internet access. This is what the military use. More realistically you need a partitioned system, with strong authentication (either tokens, certificates on a USB key, mobile phone authentication (Bluetooth) or a combination).

    It will be interesting to read the trade magazines this weekend to see what coverage it gets.

  4. Big-nosed Pengie
    FAIL

    Windows

    Anyone using it for anything more important than Angry Birds should be prosecuted.

  5. Wombling_Free

    How it happened... my guess anyway....

    "Hi I'm from Symantec, and we've logged a problem with your server, we need to log into it, ok?"

    You can have the strongest password, the best OS (you can secure Windows, you know, and *x are all vulnerable too) in the world, and still fail if someone smooth can phone you.

    I've had two of these calls in the past week alone, from people claiming to be from Symantec and Microsoft, claiming that they need to log in to my server.

    Training your staff properly is probably the best security. I feel sorry for them, they are just a bunch of medicos trying to do the right thing.

    1. corestore

      Re: How it happened... my guess anyway....

      Hah.

      I had a couple of those.

      "Oh, you want to log in to my *server*?"

      "Sure... OK, I'll talk you through it. First, fire up your tn3270 client..."

      (Where's the dinosaur icon when you really need it?!)

    2. silent_count

      Re: How it happened... my guess anyway....

      You know, Wombling_Free, I'm with you up to a point. Sure, it's possible to make Windows nigh bulletproof with a bit of knowledge and effort, but "doing the right thing" does involve taking your responsibilities seriously.

      If you're going to have sensitive data, it's very much *your* responsibility to take care of it. That does involve hardening the system it's stored on or, if you lack the expertise in-house, getting someone else to. That does involve doing backups. And, as you point out, it does involve training the people who are using the system.

      The fact that they're "oh bugger, we're screwed over by one bit of malware" rather than "no worries, the data was encrypted so it's useless to the malware authors and we'll just have to restore our system from one of our backups" is a pretty clear indication that they haven't been "doing the right thing".

    3. Steven Roper

      Training your staff properly

      "Mum, Dad - If ANYONE rings you up asking about your computer, wanting to access your computer, or saying there's something wrong, don't listen to them, just immediately hang up. No matter who they say they are, Microsoft, your bank, the government, the police - doesn't matter. If it's about your computer, it's a scam. Just hang up. Same if you get any emails saying the same thing. Just delete them, even if they look official, even if they claim to be from your bank or the police."

      That's all the training needed to solve that problem. It works as well for staff as for retired parents.

      Incidentally, the other lesson I imparted to my parents was, "Mum, Dad - don't click on any links or open any attachments in emails, even ones from your friends. If you don't know who sent the email, just delete it. If you know who sent the email, ring them up first and ask if they sent you an email with such and such on it. If they say yes they did, then and only then can you click it or open the attachment. If they say no they didn't, phone me immediately and keep the email aside until I can look at it."

      I've caught out several malware infections of my parents' friends with this method. It works out well for me too; while I don't charge my parents or their friends for the IT services I provide for them, it does ensure a good supply of nice single-malt Scotches for me come Christmas!

      1. sniperpaddy

        Mum, Dad - If ANYONE rings you up

        EXACTLY.

        My 82-year-old parents now know the difference between phishing and phreaking and have already hung up on one of these chancers.

  6. Terrance Brennan

    Typical

    I have worked at a hospital system, among other diverse industries, and the root cause for problems like this is the bottom line. Most would like to do the right thing, as long as it was free. The IT infrastructure and the data on it have become critical to most businesses, but most businesses still look at IT, and especially security, as a cost to be contained. Horror stories like this are either not read by the decision makers, or they just decide it couldn't happen to them. I currently work at a defense contractor and it is no different. Government rules and regulations are helpful, but every business works to simply be able to check the boxes without really trying to accomplish the purported end goals.
