TM Forums

Ransomware for District Health Board

#Post
51
tony9 wrote:

They would attack that sort of organisation because they are soft targets, known for sloppy practices, nothing to do with morals.

However those same organisations have a moral responsibility to look after patient data as if it were health critical - as it is.

Imagine if they changed consultant's instructions to ward specialists, changed dosing pumps etc. etc. All possible from a network these days.

Nothing to do with morals?

Everything has a moral component. That is my point.

These hackers are despicable cowards, and I look forward to their shame being made public.

oh_hunnihunni - 2021-05-29 09:33:00
52

Be interesting to see how it goes when they no longer have region dhbs.

There is such a range of applications across dhbs. The Auckland (and northland) based ones have over 2000 clinical and business applications alone.

Some of these are quite complex apps, and a lot of these aren’t used nationally and are specific to only one dhb. Even those in Auckland are different.

Hospitals are like little towns of their own in a way, they have a wide variety of departments. Schooling, medical, finance, engineering, plumbing and other services in-house, kitchen and food, chaplains etc. it’s not just medical although that alone is complex when you’re looking at patient systems, radiology, theatre, cardiology, eye, dental etc.

christin - 2021-05-29 10:04:00
53
oh_hunnihunni wrote:

These hackers are despicable cowards, and I look forward to their shame being made public.

Yes they are. But the chances of them being caught are around ZERO.

nice_lady - 2021-05-29 10:07:00
54

Pity.

Just a thought, but terrorists have more morals than these guys. At least they take responsibility for their carnage.

Edited by oh_hunnihunni at 10:38 am, Sat 29 May

oh_hunnihunni - 2021-05-29 10:37:00
55

Well yes that is true, because terrorists generally may believe that they are fighting for a certain cause or ideology perhaps, however the hackers in this case are most likely just criminals.

I am not defending terrorism in any way and think that mostly they are doing the wrong thing, but I am just talking philosophically here.

tygertung - 2021-05-29 12:22:00
56

In the current setup there was an opportunity for patients to be treated at another DHB, the separation allowing for some level of availability for critical patients.

If they all ran on the same system then they would have all been knocked out with a similar breach.

The reality is that systems are all shiny and well set up on day 1 by well funded project people, then as the months and years pass the 'cracks' form with the lesser skilled and funded operational team having to deal with changes and exceptions.

Did the hackers actually target the DHB or was it a case of a random recipient doing the wrong thing?

soundsgood - 2021-05-29 14:36:00
57
soundsgood wrote:

Did the hackers actually target the DHB or was it a case of a random recipient doing the wrong thing?

Or was it an inside job by someone that knew the vulnerabilities and system architecture?

Also seems a bit odd to me that (a) there are 700 servers on site and (b) every one of the 700 servers was 'locked'. I've been involved in the business for 30+ years and even in the big London hospitals, there would be a max of 10 servers (each with their own remote mirror image on failover duty).

Edited by tegretol at 2:59 pm, Sat 29 May

tegretol - 2021-05-29 14:59:00
58
tegretol wrote:

Or was it an inside job by someone that knew the vulnerabilities and system architecture?

Also seems a bit odd to me that (a) there are 700 servers on site and (b) every one of the 700 servers was 'locked'. I've been involved in the business for 30+ years and even in the big London hospitals, there would be a max of 10 servers (each with their own remote mirror image on failover duty).

The desktops are generally Windows whereas the servers are Unix-based.

It would be interesting to know what sort of virus it is and whether it has disabled the windows-based systems, through which staff generally access the main applications, or whether it has actually somehow disabled the main applications like PMS and Clinicals.

soundsgood - 2021-05-29 15:36:00
59
soundsgood wrote:

The desktops are generally Windows whereas the servers are Unix-based.

It would be interesting to know what sort of virus it is and whether it has disabled the windows-based systems, through which staff generally access the main applications, or whether it has actually somehow disabled the main applications like PMS and Clinicals.

Agree, it'd be v interesting. You are obviously in the same business!

tegretol - 2021-05-29 15:52:00
60
nice_lady wrote:

They say they have backups but that's only part of the issue. I think the attack locked their computers. And they have thousands of them. It's a huge issue to fix.

I've never seen ransomware do this. Typically it just encrypts any files it can in the documents folders and network drives.

All because some stupid idiot clicks on a link on a random email expecting you to pay for delivery of a NZ Post parcel!

Many questions to be asked, if they do have backups, especially if it's in the cloud, a rollback should be fairly easy.

What about their antivirus? They were probably using some crappy system such as Norton or something.

Still don't understand why patients can't be treated at their hospital and need to be taken elsewhere for treatment?
Supposedly they didn't have access to their medical records, so why would it be any different at another hospital?

Makes me think there is much more to the story than they are letting on, perhaps it was a targeted attack and the infection not only encrypted data but corrupted Windows installations too?

nzoomed - 2021-06-02 11:43:00
61

Having used Linux for 10 years, I don't understand how the Health Board's OS allows code to be executed when that code is not approved and installed properly. Maybe they should use a decent OS.

trade4us2 - 2021-06-02 11:54:00
62
trade4us2 wrote:

Having used Linux for 10 years, I don't understand how the Health Board's OS allows code to be executed when that code is not approved and installed properly. Maybe they should use a decent OS.

Every time I see ransomware it is the user that has opened an attachment they shouldn't have or other equally problematic scenarios, it's called social engineering...
No OS is immune to users giving permission to run code when they probably shouldn't.

king1 - 2021-06-02 12:41:00
63

Linux doesn't generally use executable files very much, and when it does, they are a bit tricky to get them to execute, like you really need to know what you are doing. With Windows for example you just double click and say "Yes" when it asks you if you want to run it.

tygertung - 2021-06-02 12:52:00
64

the point I was delicately trying to make was that no OS can prevent users doing dumb stuff. Having said that in a situation like a hospital/corporate, one would think that the workstations would be strictly locked down.

There were definitely failures but I personally think it's a bit disingenuous to try and turn this into a 'my OS is better than yours' situation, without all the facts...

king1 - 2021-06-02 13:07:00
65
nzoomed wrote:

Many questions to be asked, if they do have backups, especially if it's in the cloud, a rollback should be fairly easy.


from here - last paragraph
https://www.stuff.co.nz/business/125180968/ministry-of-health-abandoned-cybersecurity-system-for-waikato-and-other-dhbs-due-to-budget-issues

“They said they hadn’t backed up in the past year, across the whole domain.”

Edited by king1 at 1:27 pm, Wed 2 Jun

king1 - 2021-06-02 13:26:00
66
king1 wrote:

the point I was delicately trying to make was that no OS can prevent users doing dumb stuff. Having said that in a situation like a hospital/corporate, one would think that the workstations would be strictly locked down.

There were definitely failures but I personally think it's a bit disingenuous to try and turn this into a 'my OS is better than yours' situation, without all the facts...

Maybe, but it is a lot harder in Linux:

https://sites.google.com/site/tipsandtricksforubuntu/executable-files

tygertung - 2021-06-02 13:34:00
67

The member deleted this message.

kittycatkin - 2021-06-02 14:24:00
68
gyrogearloose wrote:

A common trend is to use virtual servers, and make backups by taking snapshot images of the entire virtual space - the operating system, application and data.

Malicious software can lie dormant for weeks, and make copies on other connected servers, workstations and embedded controllers like MRI machines. So all of your backups going back for some time could be riddled with it - and that's a good word, it's a riddle to figure out which of your servers, workstations, embedded controllers and backups are safe to use.

There's a suggestion that this DHB has been in turmoil for years, cast your mind back to the Canadian CEO Nigel Murray.

And I recall a senior DHB executive (can't remember which one) in the last few years losing their job because of issues around the contract regarding that DHB's IT security.

brouser3 - 2021-06-02 14:27:00
69
kittycatkin wrote:

I have; in several languages and from several centuries.

It is despicable enough to do it to a business, but this could have cost lives. I must say that if I am ever in hospital, I will want a printed copy of any documents.

They MUST NOT pay the ransom. 'Once you have paid him the Danegeld/ You never get rid of the Dane.'

Israel has a policy of never paying ransoms, so there's no point in kidnapping an Israeli and expecting a ransom. With any luck, this will send the same message as well as making the Board tighten up its security. No one, though, could have imagined anyone being so disgusting as to do this to hospitals.

I have to say this is nowhere near the first time hospitals have been hit.

nice_lady - 2021-06-02 14:37:00
70

I know a small organisation here in Wellington in the health field that was hit earlier in the year and had their email traffic 'stolen', as in copied. Now all of their customers occasionally receive emails which appear as replies to messages that they had actually sent. Those new emails contain ZIP files.

There will always be some recipients who just see the incoming email address, assume it is valid, and click without thinking further.

soundsgood - 2021-06-02 15:37:00
71

This message was deleted.

kittycatkin - 2021-06-02 15:41:00
72

This message was deleted.

kittycatkin - 2021-06-02 15:43:00
73

This message was deleted.

kittycatkin - 2021-06-02 15:45:00
74
tygertung wrote:

Maybe, but it is a lot harder in Linux:

https://sites.google.com/site/tipsandtricksforubuntu/executable-files

maybe that's why no one uses linux

king1 - 2021-06-02 15:53:00
75
kittycatkin wrote:

One company was mystified that an invoice/receipt was being sent out to all and sundry; John Smith had ordered this, that and the other. It was someone's actual purchase and there seemed little point to this. I had one and looked up the company to see if it was real, then contacted them to tell them about it.

Usually invoice scams are about intercepting the invoice and changing the bank account or payment options. Maybe they couldn't identify the actual client in the client list and just decided to send it to all of them... it would look 'normal' to the correct client

Edited by king1 at 3:59 pm, Wed 2 Jun

king1 - 2021-06-02 15:58:00
76
king1 wrote:

maybe that's why no one uses linux

Yes, I think you are right. No one does use Linux. It is a system with zero users worldwide.

tygertung - 2021-06-02 17:47:00
77
nzoomed wrote:

I've never seen ransomware do this. Typically it just encrypts any files it can in the documents folders and network drives.

All because some stupid idiot clicks on a link on a random email expecting you to pay for delivery of a NZ Post parcel!

Many questions to be asked, if they do have backups, especially if it's in the cloud, a rollback should be fairly easy.

What about their antivirus? They were probably using some crappy system such as Norton or something.

Still don't understand why patients can't be treated at their hospital and need to be taken elsewhere for treatment?
Supposedly they didn't have access to their medical records, so why would it be any different at another hospital?

Makes me think there is much more to the story than they are letting on, perhaps it was a targeted attack and the infection not only encrypted data but corrupted Windows installations too?

No doubt EVERYTHING is driven through the system - eg timetabling, material supply, staffing, vital sign recording, medication administration etc etc. Not just a case of putting a patient's name on a clip board.

brouser3 - 2021-06-02 18:57:00
78

Probably correct. Total reliance on the system - an insecure system

Ooopppss.

nice_lady - 2021-06-02 19:16:00
79
king1 wrote:


from here - last paragraph
https://www.stuff.co.nz/business/125180968/ministry-of-health-abandoned-cybersecurity-system-for-waikato-and-other-dhbs-due-to-budget-issues

“They said they hadn’t backed up in the past year, across the whole domain.”

Huh, I hadn't read down to the end of the article. Thank you for pointing it out. However I *had* gone to the publicly available Health Select Committee submission put in by Waikato DHB, to read through their answers for the CyberSecurity section. Waikato's full answer was:

"Full recoveries were performed of database restores, virtual machine restores, file and folder restores and exchange mailbox restores. We have not tested a restore of our entire domain, individual file servers or entire application systems in the last financial year."

Comparing Waikato's answers to Canterbury's, and Auckland's submissions, even I, a non-techie person, can see that Waikato were recognising alarmingly low levels of cyberattacks to their firewalls etc.

Far too much info available publicly in my opinion.

sumstyle - 2021-06-02 19:31:00
80
kittycatkin wrote:

I have had odd ones in the past telling me that I have a parcel from FedEx or someone like that. They are stupid enough to make this visible so that the email can be deleted unread.

Usually they come as an email with a link you click on, then it asks to download a .zip archive with the ransomware.
So many steps and hoops to get through and these same people often have trouble trying to follow instructions to download and run TeamViewer over the phone, yet they manage this!
Still don't know how so much of this stuff gets through most antivirus software.

king1 wrote:


from here - last paragraph
https://www.stuff.co.nz/business/125180968/ministry-of-health-abandoned-cybersecurity-system-for-waikato-and-other-dhbs-due-to-budget-issues

“They said they hadn’t backed up in the past year, across the whole domain.”

WTF!

nzoomed - 2021-06-02 19:32:00
81
nzoomed wrote:

WTF!

Yeah but sometimes the activation is hidden in a .doc or .xls or .pdf file. The MS Office files can have autorun macros and if that function isn't locked down on the target system then BOOM. (I'm not quite sure how a PDF can harbour ransomware or viruses but they can apparently).

Many office staff wouldn't even know that a macro could be dangerous and even IF the system is locked down to ask permission to run macros they might just say YES.

Edited by nice_lady at 7:37 pm, Wed 2 Jun

nice_lady - 2021-06-02 19:36:00
82
nice_lady wrote:

Yeah but sometimes the activation is hidden in a .doc or .xls or .pdf file. The MS Office files can have autorun macros and if that function isn't locked down on the target system then BOOM. (I'm not quite sure how a PDF can harbour ransomware or viruses but they can apparently).

Many office staff wouldn't even know that a macro could be dangerous and even IF the system is locked down to ask permission to run macros they might just say YES.

PDF can simply have a link to a payload. When they get the right person who just follows instructions, they do all manner of stupid like opening the links regardless of warnings it might be malicious. Even seen people disable security software simply because they were told to (in the email/link/attachment) in order to open the 'document'.

Edited by king1 at 8:38 pm, Wed 2 Jun

king1 - 2021-06-02 20:38:00
83

Ah. Yes. Ouch.

nice_lady - 2021-06-02 20:58:00
84

end of the day the biggest problem with computers is the organic interface

sirrab - 2021-06-02 21:07:00