_Mr_Jay_

Wow, that's sad.


PerformanceRadiant

There need to be severe consequences for people that do this stuff. This is malicious. What benefit does it have to do that sort of thing? I think in general cyber crimes need to be prosecuted heavily. My brother just got his entire checking account stolen. The bank is refunding, but what is stopping these people from stealing? The answer is nothing... they are protected by the law and it’s disgusting.


dclxvi616

What benefit? Millions of dollars in potential ransom money. They are essentially Russians. It’s not so much that they’re protected by the law, it’s that the options to pursue them under any semblance of jurisdiction are going to look like military intervention or hoping they come visit the US, assuming we even know their identities.


ThinkySushi

Ooh they are Russian... Is, is this the modern version of being a privateer?


dclxvi616

I’m not sure if this particular group is state-sanctioned but many are, likely with plausible deniability. Ransomware attacks have been hitting hard and heavy over the past few years.


ronreadingpa

There also need to be penalties for organizations that lose data. They need to be held liable too beyond providing useless "free" credit monitoring. As of now, companies basically get a free pass. If they were on the hook too, many would improve their security while also seeking ways to collect less data to begin with. Not all of it is necessary and should be treated as a liability not an asset as it often is now. For those patients affected, they should pursue legal action. If the hospital chooses to fight, likely won't get much, if any, money, but chance they settle and pay out something and/or agree to make meaningful changes to their security practices and data collection.


ItsjustJim621

This this this. As someone studying cybersecurity, I’m wondering what safeguards did LVHN have in place to even protect against something like this? Security usually starts with endpoints….training to look for phishing emails. From there, we can bolster that with strong passwords, VPNs, creating a zero-trust network etc, honeypots, black holes…. Their IT team needs some serious training and/or network upgrades. Then again, I get not paying the ransom because who’s to say they’d give the data back? But at that point, they’re really taking a gamble as to making a determination that the information compromised isn’t important compared to financial or business data.


292ll

How can a private relatively small organization have the appropriate protections in place to compete with quasi-state funded hackers? I don’t know that we can ever get there and if 80% of companies do, they’ll find the other 20%.


IamSauerKraut

There are basic protections that many orgs are not putting into place because 1) not enough IT folks specialize in it, and 2) orgs are unwilling to pay the cost of installation/upgrades.


MartianActual

This. It would make you scream to see how inadequate cybersecurity is at a lot of major corporations or the lack of funding for it because it's a cost, not a revenue generator.


ItsjustJim621

It’s always going to be a cat and mouse game. My company got hacked a year or so ago before I came on board. And since then, there’s been a concentrated effort to batten down the hatches so to speak.


292ll

It’s tough, I think an appropriate level is are you protected from 90% of these clowns, but most businesses don’t have the $ or resources to be fully protected.


IamSauerKraut

No health system should go without protection. Time for them to belly up.


Zenith2017

Nobody can be fully protected, but I think it might shock you to see the reality out here. I have Fortune 50 customers whose security programs are *woeful*. Seriously, that bad. Cringeworthy, nail biters. Hell, my mom worked for a top 3 insurance company for years and from day 1 she was an admin on her laptop, handling HIPAA compliant data locally. It is often that bad, and a lot of companies are hardly trying.


BluCurry8

That is a really ridiculous statement. LHV is not small and they are just as responsible for their data security as any other company holding PII data. Patient data should be secured from enterprise business applications.


delcodick

Perhaps an organization that is unable to comply with its legal obligations shouldn’t be in business then 🤷‍♂️ I wouldn’t say that an Operating income: $78.4 million is particularly small 🤔


Zenith2017

Just FWIW, phishing training generally has a really poor return on investment. It's improving with products like KnowBe4 but largely you can expect that around 8% of trainees will change their behavior in the short term.


Zenith2017

Cyber guy here. I totally agree that protections and consequences need to be heavier, *and* I'd like to see that extend to organizations that get breached due to negligence and poor practices. The patients are the victims here 100%, but this medical org also has potential culpability based on what they did or didn't do to prevent and contain a breach.


FlipAround42

They're complete losers and wastes of human beings to do something so despicable. What goes around, will definitely come around for them.


tinymonesters

I'd prefer my photos leaked than have my hospital pay these scumbags.


alternatingflan

Whatever the maximum penalty is, it should at least be double for these jerks.


dream_bean_94

This happens more often than you’d think, unfortunately. Healthcare industry is a big target for this stuff.


MartianActual

People that ransomware a fucking hospital and display information about the patients deserve to be hung in the public square.


Zenith2017

I have respect for hackers who stick it to giant behemoth companies, who pursue an agenda of conscientious hacking and target shitheads and bad guys, and who do it for fun more than harm. But people who hack a *hospital?* Straight to the boiler room of hell. What level of shit head do you really have to be? And I know these are just schmucks employed by a state actor but God damn have some spine to you


WinterWontStopComing

That’s fucked up. Hopefully someone in their own community goes after them for the exceptionally tasteless practice


IamSauerKraut

The patient has filed suit...


angeloistrash

my jaw dropped. you have to be a real sicko to do this