the fact that someone would hack a hospital knowing they could be the indirect cause for so many deaths is disgusting, and they get whatever they want quickly because the hospital needs to take care of their patients.
When you don't see the direct impact on people it's easier to have no morals. Also, people look at it in a similar way to stealing from a big chain store like Walmart. "oh these big companies have plenty of money they won't notice five bucks". It's sad but it's the world we live in.
Most of the time these are automated attacks that exploit security problems that have been known, and fixed, for years. If such an attack works against you, you have been grossly negligent with your software security. For something as critical as a hospital, *all* used software requires frequent, periodic security audits and any available update needs to be live on the system within 12 hours of the release of the update at the absolute latest. They don't want to pay for that. That, and ONLY that, is the issue. Every possible security problem in software development is theoretically solved. It's just not practically applied due to cost.
@@Anpanator Yeah, I've experienced the other end of that firsthand as a now-official CEH. You send your resume to a business in the medical field looking for a position as a penetration tester or SOC engineer, and they respond by ghosting you. Then they finally learn the hard way in examples like this why that was a bad move.
I'm an IT tech at a small critical access hospital. We were hacked and had a data breach. Luckily, it didn't really shut us down and we were still able to take care of patients. We pushed our administration to invest in better cybersecurity, but they didn't think it was an issue until it happened to them. Then they basically gave us a blank check. Administration has to realize that they have to invest in security infrastructure NOW. It's not a matter of if it happens...it's a matter of when.
Yeah... As someone that used to MSP for medical offices, the problem is entirely with penny pinchers refusing to upgrade software and hardware with the times and pay for basic security features. A lot of fun also comes from how doctors can have hissy fits like toddlers and get exceptions to security policies as well. I was supporting Win XP until a few years back on frontline internet connected machines because offices *refused* to spend to buy new computers. As in, patient checkin computers where your money was handled and not some fancy medical equipment controller. Straight up the average carpenter's office was better on security and buying new computers to keep things up to date than the average medical client I had!
@@sparky8251 Hit the nail on the head. Especially as an MSP, admin just thinks they're being upsold on services that are actually vital. And yes, some doctors definitely have too much pull and are too used to being catered to. We have started rolling out 2fa and talk about backlash...even some threats to just not come back to the hospital and work.
@@pkjacobg I truly loathe doctors. They think they are so smart they also know computers when they really *really* don't. It's even worse when they are also the admin/owner. Had one demand we do an OS upgrade of a single server in a way that didn't disrupt his business, but also refused to give us even an hour to do it in because he swore he worked 24/7/365... Took us legitimately months to get that done as a result when it should've really just been me spending 2-3 hours on a weekend at midnight. But noooo....
As someone who works in the cybersecurity industry, I can confidently say that business leaders across all industries often times will skimp out on IT resources, then when an incident happens they suddenly "didn't know / are disappointed to learn their security measures were so inadequate" while they actively refused allocating resources that were in-budget for IT projects that could have mitigated most of their serious risks of facing an incident. Recently the FDA tightened the screws and mandated that medical devices are audited before they're launched on the market, which is a step in the right direction, but once they are approved, they are no longer subject to recurring mandated security testing. Many vulnerabilities that will lead to incidents such as the insertion of ransomware are routinely being identified in tech used by these manufacturers in IoT medical equipment, which means their device may now be vulnerable to new threats that weren't known or used when they launched on the market, leaving them at risk now. It's always a money problem ultimately. They'd rather risk millions in non-compliance fines than spend a few thousand bucks to improve their cybersecurity. It's really madness. The skilled cybersecurity professionals are out there, the expertise exists and there are countless providers out there that can help. It's just hard to convince boomers that barely understand how a printer works that risks are real and tangible.
And now, when the infrastructure is strengthened, the staff needs to have a robust and regular cybersecurity training. Even audits, if necessary, to catch them unprepared and see how strong the system really is within the organisation. Social engineering is a thing.
This cyber attack has affected healthcare tremendously. I work for a large healthcare company & we have been working HARD for months to try & recover from how this has affected us.
My parents both work for one of our largest local healthcare companies (leaving anonymous), this happened to their company last year, and I think they're still working to recover from it (though I don't know the specifics).
“Literally killing people” is 100% true. As a nurse, I lived it last month and it was a nightmare. In my hospital on the first day, a patient coded because nurses were not able to access life-saving medications. This will never be acknowledged publicly by the hospital, but it is the truth. The hospital administrators wanted to present the picture that they could still safely take care of patients even though truthfully they could not.
Yet no one hears about it when an insurance company (BCBS) does an internal audit and decides they overpaid claims for years and the chargebacks they issued forced a lot of smaller mental health practices to close their doors. We need more mental healthcare, not less!
I bet if chargebacks by insurance companies were made illegal, suddenly the insurance companies would magically come up with a better system that substantially reduces mistakes… 🤔
As a Cyber security professional, awareness is half the battle so the fact this is being covered well by someone outside the field with such a wide viewer base is awesome to see.
Why don’t hospitals have an intranet with an air gap for medical records? I don’t know a ton about cybersecurity, but I’ve always found that very odd that that isn’t standard practice
I did IT for a hospital that is dealing with a Cyberattack at this very moment (probably the one you're talking about)… And it's their own fault. As someone that talked and worked directly with their Cyberteam, the hospital company wouldn't listen to them about updating OSs and fixing CVEs for their own servers and systems. They also had plenty of money to make the needed changes, as their corporate team was still getting fat checks and bonuses.
If you're talking about Ascension (yep, I'll just name drop them because they deserve it) yep. They are a private equity fund posing as a hospital system so of course there's no incentive to maintain those systems when they can skim those profits instead.
@@MiniiCitrus My local system was just sold from Ascension to another system and those poor buyers are running around like chickens with their heads cut off trying to clean up this mess. CERNER is garbage and now it's causing a huge mess.
From a competing Healthcare netadmin, you have my condolences for your sanity. For other HC admins, seriously, stress test your backup systems and downtime procedures. The middle of falling back to paper charting is THE LEAST best time to find that backups didn't work.
My brother was recently featured in a Forbes article for finding a huge hole in "sealed" court records. He found many counties that have court records accidentally left wide open for the public to access. Everything from psychiatric exams, other medical records, and even name changes of children to protect them from abusive parents. It seems this type of problem is all over. Those who have sensitive info on people really need to have it secured properly. Courts, hospitals, etc..
This is why cybersecurity awareness is something that needs to be carried out not just for us students in IT, but rather for every industry and its staff. It's really frustrating that even in our country, the only people being educated on cybersecurity are the ones who are already aware, educated and even funding courses on it at universities. There needs to be some sort of awareness and understanding of the risks of cybersecurity coming from major organisations that deal with this towards susceptible industries.
My hospital here in Canada was cyber attacked last October for ransom money (which wasn't paid, so tens of thousands of people's information was published), we went 3-4 months with zero systems, so incredibly dangerous and stressful. We got our documentation system back but most of everything else is still down and will be until November. If you haven't experienced it you can't fathom how dangerous it is or just how much is affected, you would truly have no idea. I would take peak covid days any day over our cyber attack, what a nightmare.
I thought this was the hack he was going to talk about. It lasted months. Think it was part of the reasons I had complications after having my baby due to things not being noted properly
The hospital I work at just recovered from a huge nation wide hack. We were 100% paper charting for over a month, and it was pure chaos at first. Labs were getting lost, orders missed, medications had to be manually entered by nurses and the risk of error was so great. I caught many medication errors written incorrectly on patient’s MAR. As nurses our daily load and mental stress increased soo much. It was truly awful 😭
I used to work for a tech support firm that supported various hospitals across the USA. Hospital cyber security barely exists. When we did phishing tests to see how many people would give us their passwords if we just asked, almost everyone did. Most passwords were also from the top 10 most common passwords list. Honestly your average high schooler could probably crack the most secure American hospital
Another thing is that a lot of vendors of medical equipment have major issues in delivering systems that are halfway current in terms of software, often with no plan to keep them updated, etc. so this leads to many systems that are very easy to exploit. In a hospital setting it will always be that availability of a system is more important than securing it. I work in a different field, but where the same behaviour from vendors has cost many companies a lot of money.
@@calyco2381 Luckily for all of us, that is not needed when things are done right. A world where that is a requirement is usually a good indication of someone in power not understanding security.
I’ve had coworkers fall for the phish or will message us and ask. If it’s from an outside person we absolutely should be reporting it. It’s messy. I work in the coding department and we have to do two step logins from our phones now to get on the VPN due to all the hospitals getting hacked.
I work in the cyber security industry selling these solutions to hospitals and other businesses. The BIGGEST Hurdle to getting a properly secure set up is not budget, it's 100% the bureaucracy. A dozen people or more updating or changing requirements every other week ends up stalling these projects for literally years. Ironically, the most success we've experienced in getting these solutions implemented in a reasonable time frame has come when the customer's own insurance companies come to them and say their rates are about to go through the roof because they know how expensive recovering from these attacks are and they know there are several realistic options to defend against them. These boards suddenly get a lot more cooperative when the hypothetical expense of inaction quickly becomes a real expense.
That's the issue still... companies (not just healthcare) are not getting the concept of what is "worse", the price of an MDR service/solution or them getting hit by a ransomware from someone buying the toolkit online and putting it in just to see if it works. The responsibility is theirs of course, but they should be presented with a real-life example (of which, I'm positive, every cybersec tool vendor or MDR provider has at least a handful) with every presentation/POC/demo.
Healthcare is a cyber security nightmare. A lot of medical companies are stuck in the year 1999 where they didn't really worry about cyber security. Some companies producing medical devices and their software still use "admin" and "password" as default.
My daughter’s hospital St. John’s Illinois was hacked from one of the employees doing her Christmas shopping on a work computer. They lied to all the patients and said they had a system error and were using paperwork instead of computers for weeks before finally admitting they got hacked. It was catastrophic and made me lose trust in them. My daughter has Down’s syndrome and cancer and I have no other choice in the area for her specialized care. Hospitals are suspicious at best right now.
My hospital won’t even let us access those websites, including social media-why would someone use a work device for shopping? I’m remote but I would use my personal devices for that.
Woooooow, hacked through Christmas shopping... Idk if it actually helps much, but I'm going to print out my medical records. That way if they get hacked they at least have my history+current meds. I'll print out any additions such as meds changing when they happen, to keep it up to date. It's ridiculous that we have to think about this to begin with, but I advise you do something to keep those records yourself- on paper or on a USB maybe. Also best of luck to you and your family with the treatment🍀
@@undefinederror40404 that should be done anyway. Even if cybersecurity wasn’t an issue outside of the hospital, they could have a disgruntled ex-employee get into the system and do nefarious things with that info.
@@undefinederror40404 have no fear she is almost two and in remission! odd fact kids with DS are more likely to get the deadliest version of leukemia, (myeloid) but have much higher survival rates than kids with 46 chromosomes. so shout out to my girl's extra chromosome because it most likely saved her life! she is running around and the happiest toddler ever :)
That's just incompetence. I work for OSF and most things like that are blocked from access on workstations. But yes you're never going to have a company/IT department admit they had a data breach as it happens for various reasons. We don't even tell our own workers it's been breached.
I was a NOC SOC Analyst once, and I was always surprised at the amount of cyber attacks attempted to Hospitals from ALL Over the world... And I mean ALL OVER.
How are you surprised.... hospitals generally have lots of money or tied to it, and they have horribly outdated systems and have tons of private info that is perfect for blackmail or stealing identities. That's a hacker's dream
That shouldn't be a surprise. Anybody who has hosted a public server on the internet knows that you're pretty much attacked by everybody and their grandmother. Just set up a honeypot server and install CrowdSec on it, and just watch and see how many alerts are generated on a server that has no purpose.
To quote Al Capone when asked why he was robbing banks: "That is where the money is". There's a lot of different reasons why those that hack hospitals don't care/don't know if the target is a hospital. People that make a living from this line of work already have made some moral choices and that means empathy for the hospital likely is in short supply.
@@ahooogerhuis It's because most of these attacks are funded by hostile governments, and until the US government gets down in the mud and sends more destructive attacks back this will keep happening. Purely defensive measures will always be circumvented by offensive ones.
My father ended up going through withdrawals because of a cyber attack. They weren't able to refill his pain management meds he's been taking for YEARS. He got so sick. Thankfully he's okay but it is ridiculous that people are doing this.
As someone who has worked in IT before, it's very common for businesses to put IT security concerns on the back burner because they don't want to pay for updates or change policies.
When IT is doing its job correctly, nobody knows they are there, and they start questioning why they have an IT budget. When I worked for a medical MSP, I literally would sit at a remote PC most of the week just keeping an eye on things via a dashboard connected to 50 servers and a thousand computers. My boss got in the habit of sending a tech out for a "drop in" visit once a month just to check in with the front desk or the non-owner doctors had complaints that hadn't been passed along to us - it was amazing how much good will you could build up just by replacing someone's old keyboard with a broken key or taking care of the weird error message they were getting from some software that wasn't even used any more, just by asking around. These days I work in software as a business analyst, but it's the same deal. Whenever I visit a client that I know uses our software, I'll just gently poke and ask if they've seen anything weird or something that bugs them, because I HAVE THE POWER TO FIX IT IF THEY JUST TELL ME. The look of surprise, then relief when someone hears that I've got magic burger powers for their schedule screen is always a blessing. If they stop paying for the IT staff or MSP and let it run on its own for a few months, they quickly find out why they had an IT budget.
I work in cybersecurity and this is so frustrating. Healthcare was, for awhile, considered off-limits to hacks/ransomware attacks but that changed and now health care is definitely being heavily targeted. The bad actors are seeing money and clout from these hacks (which is super gross). Cybersecurity professionals are definitely needed in healthcare.
As someone who works in billing for a very small nonprofit, this attack was CATASTROPHIC. The insurance companies did everything in their power to make it work, but the amount of damage it did is absolutely insane. Thankfully, every website that I personally use has switched to requiring more authentication for login, but this is still an incredibly dangerous scenario for anyone even remotely involved.
Do you have a proper business continuity plan, disaster recovery plan, and incident response plan? When was the last time you attempted a restore of your backups?
This is why Software-As-A-Service subscriptions should be regulated to require operational, local, and cloud-disconnected backups with offline license codes retained by the distributor ✊
Yeah, Tay! Tell em. But tbh, even if the infrastructure can be set up, the way they'd handle costs would make it completely inaccessible to a very large majority.
Yes! I worked for SAAS healthcare company for 15 years as a developer and my honest opinion, a properly configured on premise server and off-site/offline backup are much safer for a medical practice. Hospitals are different but for medical practices SAAS was awesome as a trend as the internet evolved and more software became web based but it's honestly a novelty and liability. The convenience of practice owners or office staff not having to deal with IT companies and know whether they are good or not is the reason SAAS is still successful.
@@FirestormX9 Thank you for your thoughts. Part of the reason for the high cost is the hardware and software design incentive towards proprietary APIs and infrastructure used to horizontally integrate product lines and build oligopoly- rather than modular, open-source APIs and design specs that invite robust competition for replacement or substitution at each stage. Every business faces great pressure on the design level to maximize future dependency on themselves- which should not happen but is sadly the norm.
Hackers are going to hack. You are blaming the incompetence of the executives in the wrong people. Are hackers evil? Yes. But executives who take bonuses instead of investing in Cybersecurity are the real villains of this story. If a bank lets anyone inside their coffers, are you going to blame a bandit if your money goes missing or the bank?
My community organization got hacked and asked an exorbitant amount of money. We're an NGO and it really fucked us up for a while. Never understood why targeting an organization that has no money and helps homeless people and drug users.
This is happening in the UK too. The hackers attacked Synnovis- a private company that processed blood tests, both routine and urgent, for a number of London-based NHS and private hospitals (among other things). Urgent procedures, including cancer surgeries, were postponed because the hospitals couldn't process blood tests efficiently. We won't know how much patient information was stolen for some time. And yes, due to the cancelled surgeries and vastly extended A&E waits, it's likely some people will die/died due to the hack. Makes me so angry to think about. I'm so sorry this is happening elsewhere too.
I mean I think there will be much job opportunity in that field! If I could get an education and work a normal job I would 100% choose cyber security! In Denmark, the military is now hiring people for a new cyber force to combat this new rapidly growing threat :)
The other thing we need is people in management who actually BELIEVE THE THREAT IS REAL. The penny pinchers view IT and security as a cost center, not an investment or a form of insurance, and do everything they can to avoid upgrades. Your hospital or software company can have the best cybersecurity team in the world but that doesn't mean anything if the CEOs don't believe them when they tell them they need to change security practices top to bottom. Change is hard.
My Dad had to have an emergency surgery to have a pace maker put in when Ascension Health Care had a cyber attack. He was able to have the surgery and has made a full recovery, thank God. However, my Mom overheard how frustrated the nurses were because they couldn't chart properly, order meals for patients, schedule procedures and other surgeries, etc. It's truly scary how much patient information is online and isn't secure.
I am happy to hear your Dad did well after his surgery. When Ascension hospitals had to ‘turn off their computers’ during the cyber attack, every department had to go back to paper. Orders, chart notes, prescriptions, exam results, lab results, everything had to be written like it was in the 1980’s era on carbonless forms. This generation of healthcare professionals was not trained with that technology and it was a nightmare for everyone. In my area, patients started avoiding the Ascension hospital for another hospital in the area which caused longer wait times in that ER. Now that the incident is over, all those paper notes still have to be transcribed into the patients’ medical records.
@@silverscalederg8632 for Ascension, they were bringing in a new set of nurses and they did show them paper charting because the system was down so they couldn’t even train on the system used. And of course the newer nurses that were working on the unit used paper because that was the only thing available.
I bet if medical executives suddenly become liable for lack of security with prison terms attached, the level of cyber security in this industry goes through the roof.
I work in a pharmacy and it was HELL for an entire month because of this cyber attack. No insurance would adjudicate and everyone was upset and couldn’t afford their meds!
We're still dealing with the Change HealthCare hack. I reported it on my 2nd channel months ago when it happened bc there were massive issues with pharmacies and we still can't post electronic payments from major companies like Aetna, BCBS, Cigna, etc. It's been a headache.
I've been in IT for 20 years. Dr. Mike did a good job of presenting this. This topic goes so much deeper than this. You could honestly probably do hours' worth of videos covering different aspects of this topic. As far as IOT devices. While I understand the convenience of a device being able to talk directly to a company's server on the internet. Great for an emergency alert like a heart monitor. Not so great if it grants control of a device. I've never been a fan of IOT devices. It's a bit like parking a nice car, unlocked, in a bad neighborhood and hoping nothing bad will happen. Local Network control will always be safest. That also means you would need infrastructure locally to support it. Not great for patients sent home with devices. Fine for large hospitals with the infrastructure and cash to support it.
As a cybersecurity major this absolutely terrifies me, this is why training and consistent check ups are important! I can't believe the rate of success for a hack is 90 PERCENT
My hospital got hacked huge and it shut down for a day and a half. It's so scary that they had been locked out of everything, and especially weird that there's no way to just do the hospital stuff without the computers...I don't know
@@justguy-4630 they need to have physical ways to get everything, though, or just ways they can work around it. People died because the computers went out? Like...how did we do this before computers?
I don't know what it was like in the hospitals, but I work in a pharmacy and during this hack every single manufacturer savings card stopped working. Most of our patients who were on brand-name drugs had to start paying hundreds of dollars more for their prescriptions or, as I saw many times, just not take their medication. It's no surprise to me that this kind of thing can cause people to lose their lives.
Pardon my lack of knowledge, but were there no generics available or why couldn't they switch to those right away? Switching from brand-name to a generic sounds like a no-brainer especially if one's life is on the line, so there is probably something I don't know about the US system at play here.
@@justanotheryoutubeaccount2270 Drug patents in the US last for 20 years. Any drug released in the last 20 years won't have a generic available yet. This is so the original patent holder can recoup their investments in R&D and make a profit before other companies are able to get in on it. Thus, they can charge however much they want until the generics are out. So if a patient needs a specific drug, there isn't always a viable alternative. By default, all prescriptions are dispensed with generics whenever available unless otherwise requested by the patient, prescriber, or insurance provider.
@justanotheryoutubeaccount2270 guessing they're either not available or, not sure if this applies in the US, you'd need to get your doctor to switch your prescription to generic
@@justanotheryoutubeaccount2270 Generic meds are still ridiculously expensive in the US. Most people who are getting their meds with insurance can't afford any meds otherwise. In Canada, even a pharmacist can switch you to a generic brand.
This isn't true these days. People will hack anything they can that will make them money....Unfortunately healthcare is very behind as far as cybersecurity goes in spite of being subject to more stringent data protection laws (HIPAA).
Some ransomware groups had informally agreed to not hack critical infrastructure or healthcare but that wasn't all of them and it's not some honourable code they abide by, it was to stop them from getting so much heat.
@@akr4s1a It's not being honorable, it's about not pulling too much heat in. You mess with big capital, they'll usually pay you off and won't even admit it happened because it is a BAD look for your clients. You hack a water treatment plant, power distribution station, or hospital? You put people's lives at risk, you make the news, the FBI takes a keen interest. Smart hackers pick their targets carefully. I work in IT and while we certainly have some fools trying to go after our medical clients it's mostly factories, logistics, and big capital; companies that REALLY don't want to admit it happened to them. I have it on good authority S&S Tire/S&S Bridgestone has been hacked more than twice in a single year but because it's privately owned they never once told anyone that didn't work there. A buddy of mine worked there and he spent weeks getting them back online. They didn't have proper backups for most servers, the head of IT credentials were used in the hack indicating he shared his password with other websites and they got stolen, or something similar. My buddy was stressed the entire time and once things got taken care of they let him go without reason. The problem was their VPN wasn't secured with 2Fa like industry standard dictates and that allowed someone with just a password into the entire network and since they went after the head admin they had access to EVERYTHING. My buddy about two months prior to the hack made a big stink about how unsafe not having 2Fa was; then they fired him after he helped fix the issue. To me it looks like management was embarrassed and didn't want THEIR bosses finding out they had been warned in advance and just failed to take reasonable action.
I love that you took time to review this. I work in Health insurance and this breach impacted claims and our ability to determine their level of Medicaid eligibility. I even suggested to my peers to check this video out so they could get a more rounded understanding of how impactful this was
My husband is a cybersec specialist for a big hospital network and after he started they haven’t had a single incident. Because he spends all day tracking down technology and updating and cleaning it. Too many ppl neglect updates and that’s a big part of vulnerability.
Most healthcare companies don’t like to be the first to try new technologies. This results in them being decades behind other industries in basic tech infrastructure
@@christygruber2283 what’s really shameful is most government entities operate the same way. It’s like the most sensitive entities are always the furthest behind in advancements
Okay, I agree. So I wish they would look at the VA! Largest healthcare provider in the US, has to meet the standards for any government agency / department (aka NSA) and has implemented security solution based off NIST and such. Source: ex ISO at a VA. We spent years getting this going, making sure it was working. Look to us, dang it! :wry:
My dad works IT for a hospital, and another part of why tech is so out of date is because updating stuff may cause temporary outages in some scenarios. If you mess up, you could take something important down.
Mental Healthcare provider biller here. This caused a HUGE mess. So many claims were piled up. Had to go to old format (drop claims to paper). Patients were extremely upset as their claims weren't billed in the usual time frame. Pt billing was delayed. Thankfully, caught this early enough and stayed on top of those claims to keep things moving.
Hey Mike, glad you’re tackling this subject. I’m finishing my degree in Cybersecurity and my final paper of the degree was on the Cyber vulnerabilities of telehealth in the start of the pandemic.
I work in an outpatient pharmacy, we were using Change as our sole switch and this kept us from using insurance on people's meds for several weeks. We couldn't even use the hospital discount card we have. The only reason we came back up so quickly is because we got a contract to work with a different switch instead. Even then, we only got back the ability to look up insurance eligibility ourselves a week or two ago, before that we've been relying on hospitals scans of cards or patients having them on hand.
Thank you so much for covering this! We are a small behavioral healthcare practice and we’re so impacted by this, and yet it was not on the news anywhere. It was so frustrating to watch something so huge get ignored, despite the obvious impact, and it is so nice to have people at least acknowledge what is happening!
It happened in Ireland a number of years ago where patients' records were hacked from what we call the Health Board. I got a letter in the post sometime later informing me my records were one of the ones accessed.
I work in a billing office, and this was a nightmare. Insurance is a nightmare. It's a scam, but we just keep letting ourselves be scammed because... what can we do?
As someone in the infosec industry, people and companies have been ignoring warnings for attacks like this for years and continue to do very little to prevent and protect themselves.
Nice to see a video crossing-over with my field. It's a hugely important problem that a vast majority are woefully uninformed about. Pro tip: If it's easy for you to login, then it's even easier for hackers to break in.
I thought this was about the recent attack in the UK. It's so sad to see so many countries saying this is a problem in their hospitals too. People targeting Healthcare locations and holding medical records and treatments hostage are disgusting.
I remember when this happened, it impacted the pharmacies in our areas. I had to pay cash for a prescription at the time. I'm always suspicious when someone says the system is down for an unspecified amount of time. Thanks for covering such an important topic!!
The most eloquent way to describe a clearinghouse that I've ever seen. Working in the healthcare industry, we still see providers and facilities struggling from the long shut down of CHC.
I want to start this off by saying that I love Dr. Mike, he’s an amazing person to go to if you have any questions. There is only a small bit of information on this topic that I wish he would have covered, that being how society sees and views the cyber attacks and how this could scare a lot of people into not trusting hospitals and doctors. Your video was very informational about all the doctor stuff as per usual but I do wish you would have touched on this as to reassure anyone who worries about being safe in a hospital. ALSO I LOVE YOU AND BEAR!!!!❤
Another massive issue is that facilities will use old equipment that doesn't have the security needed today. It's not that they don't want to upgrade, it's the cost of the equipment that makes it difficult for them to do so. If a small hospital has to rely on old tech, they can definitely affect a larger hospital that has upgraded with the shared data. This is another problem with the private industry and every hospital, clinic, and office on its own for affording and building out a secure and updated network of shared data. But without the shared data, care is compromised, too.
Don't worry, it's not a matter of private industry. I live in a country with public health care. Here hospitals' cyber security is almost non-existent on the same level in every hospital, not in only some of them.
They don't get to charge absurd amounts of money and then complain that Cybersecurity is too expensive. No sympathy. I am only sorry for the patients. The hospitals deserve to lose money and should also be fined and lose even more.
This happened at Ascension in Wisconsin. My mom thought she had appendicitis. She went to the ER, found a tumor and they sent her home. She couldn’t get an appointment with her urologist because of this cyber hack. Thankfully she found a urologist at Aurora Hospital. She then finds out that it’s a massive tumor, and then later after the biopsy it’s cancer. We’re hoping she’s going to be ok. The doctor says she’s got a good chance. But this definitely delayed her care.
I feel like this was an issue for a while before it was announced. When I would log into Livewell. I couldn't link to Ascension like normal. This was going on for a while before Ascension got locked out of their system.
Yeah, well, I'm sick of unknown health companies calling me, trying to get information about my health care by pretending I'm already a patient of theirs.
As someone working a dr's office I am sick of them faxing us garbage and calling pretending to say that the patient said they want xyz BS thing they are selling. It's the worst. Some of them even pretend to be real pharmacies like Walgreens or CVS
I work at Oracle Cerner as a full stack engineer building medical software for hospitals. I'm not sure how companies can work with medical data / processes without being up to standards with security? Seems like there is more to this story. Also goes to show - don't put all your eggs in one basket with a company. It's why it's a good idea to not monopolize a software industry in case of hackers shutting it down.
It makes me happy that you talk about this since it's an important topic and also very very relevant considering the different situations going on throughout the world. I work as a cyber security analyst in Sweden and we read a lot about attacks and groups targeting healthcare systems. The attacks will keep coming and get even worse
As a HC admin, United should definitely pay fines for this. They literally didn’t do anything about this for the longest time. They also ended up buying out the small practices that went bankrupt and had to close due to the problem a company they own created. I think this was just a way for United to conduct a mass buyout of all the small practices and to get them out in the open so that they could eventually buy them out. Food for thought🤷🏽♂️
At least they bought out those small practices. Years ago, BCBS forced small mental healthcare practices to close because BCBS decided to issue massive charge backs with zero warning because they realized they had been overpaying people for years.
That's totally bullshit. As a cybersecurity enthusiast, I can confirm that this hack absolutely happened and was definitely not started by United. They may have taken advantage of the situation. That I don't know. However, they certainly didn't cause it.
As someone who worked for CHC and now for UHG, that is definitely NOT what happened. There is no overarching conspiracy. This was extremely detrimental to the business/industry and it's insane to suggest it's being used as an advantage. UHG has paid out more than $3.3b to providers affected by the attack and they had been acquiring practices/businesses long before this attack (CHC being one of those acquisitions, which the DOJ tried to block). This is all public information. The OCR is also investigating UHG & CHC due to the attack and the DOJ is conducting an antitrust investigation into UHG, so fines may be in order. Dr. Mike has done an excellent job of summarizing the very public FACTS of this attack. Try sticking to those instead of theorizing.
One more reason for universal healthcare. No insurance companies that need to be contacted, you will get the care needed, and the government pays the bill. I cannot understand why a country such as the USA doesn't have this. Luckily, I live in Sweden, that has this. My country takes care of its citizens. Sure, there is potential for improvement, but the basics are that the government pays.
I was WAITING for someone to make a video about this. I'm in the medical field and one of our systems was affected by this. Thank you for talking about it! I was so curious
I work in the pharmacy, the amount of patients that had no idea what was happening was staggering. Having to tell patients their options for pricing was terrible
This might be a contributor to why over the past year I've struggled so much with getting my medications covered and actually filled. If the pharmacy can't get paid they can't pay to get the medication shipped.
Yeah, work in medical coding in South Carolina, I'm still waiting on payments for services done in Jan/Feb/Mar and turn around time is typically 30-45 days. It's been a headache!
As a security researcher, most of these hackers are *kinda bad* at what they do. Most of the time, you can decrypt it by reverse engineering the ransomware, but these hospitals are in so much of a hurry they just pay these people. It's just the world we live in, greed overtakes people's conscience and causes them to not care about others' *lives*. These hackers would rather hack places that *save lives* than use their skills for good. I am a security researcher, and I could easily do one of these attacks, but do I? No, I don't. I decide to use my skills to *help* people rather than do insane things like these hackers. It is insane how these people hack *hospitals* and don't have any feeling of regret. EDIT: I know that Change was hacked, but this was an attack that was done semi-sophisticatedly. I am talking about the other hackers that hack hospitals themselves.
My dad runs a prosthetic business and he got an attack like this, they had to redo all the records by hand (they keep both physical and digital records) it took my dad weeks, he now does back ups just in case (weirdly the hackers never even asked for money, they just peaced out)
This is crazy and I can’t believe how quiet it’s been. Prior to this video the only thing I had heard about it was from a rite aid that hasn’t been able to get diabetic test strips since the attack. But only that, they’ve been able to fill other medications. And the pharmacy didn’t elaborate on the seriousness or the extent of the issue. Just that there was a “computer issue in February and we haven’t been able to get those strips in yet”
My mom is a therapist and hasn’t received an actual “paycheck” since before the recent attack. Somehow the 0-120$ sporadic checks have kept us afloat. But I wish the government or someone got involved. Others in her field have had to take out loans or mortgage their house just to stay afloat
I work in Medicare sales and it’s been a complete nightmare. Not being able to find someone’s Medicaid ID to assist them with getting medical coverage has been a huge issue. And it’s still not fixed!
Life without parole, can't be soft on these fellows. Got to make the stakes high, playing with peoples lives en masse should not be taken lightly whatsoever.
@@debbieholoquist2059 As with most hackers, but with tech involved you potentially can find the country of origin and put pressure on that government. Not saying start a war but this isn't about money anymore, playing with American lives should call for some more severe measures.
This is the main reason why I'm so upset when some healthcare professionals disregard what I tell them about what "NOT" to record down on their notes especially when it's not even relevant to the treatment. I don't care if you think it's just for you to see. I understand and know how this technology works.
Let's talk about the risky near monopolies we have in healthcare and massive interconnectivity that allows these kinds of nationwide onslaughts to be possible.
This happened in Canada too, in the last few years across several hospital networks. (Probably still happening, I just haven’t heard about it.) It wreaked absolute havoc on already strained communities, particularly in rural areas.
Thank you for bringing attention to this!!! It's criminal that it is so underreported in the media. It really shows how dysfunctional and fragile our Healthcare system is. Uggghhh!!
I can’t tell you how much but Dr. Mike has changed my life. I was filled with anxiety thinking about my aspiration but now I have decided and locked in. I’m currently studying medicine at Harvard after how much you have inspired me and I’m truly dedicating every ounce and hour of my life to it. I hope the best for you and wish you well for your boxing career. The best role model ❤
This disproportionately impacts elderly people without young(er) people helping to navigate the online world in general, and healthcare records etc., specifically. My Mom and my Aunt are perfect examples. Not only are MFA, hackable PWs, etc., incomprehensible to them, they both laugh it off and think we’re making a mountain out of a molehill. And they are the lucky ones, because our family has forcibly stepped in and taken over on medical and financial risk. The elderly who do not have anybody to stand for them are sitting in huge backups at hospitals, not getting care.
As a CFE, this is a constant conversation of security but also the potential for fraud with such sensitive information. It is such a hard conversation solely because it becomes an administrative issue and is frustrating to watch
It's unfortunate because there are people who don't understand IT infrastructure making decisions not to patch or make upgrades that would prevent or mitigate hacks because it's "too inconvenient". Would you rather have regular maintenance and planned downtime for a few hours or be at a complete standstill for weeks on end? Which one is more inconvenient?
It's just sad that people cyberhack, there is a hospital meant for babies, and a baby who was going for surgery actually died because people were hacking into the hospital system and disabled the power which led to other babies' deaths.
Source of this story? Sounds hard to believe. Not because it couldn’t happen, but because I feel like it should’ve made viral headlines to raise awareness if it happened
Hey doctor mike. Would love to see a video about strangulation/choking. Signs a kid has been choked. Who you should tell if someone puts their hands on you. A trusted adult OUTSIDE the family because family can go through denial about it. Symptoms and side effects and long term effects of strangulation. And maybe something about strangulation survivors and their life span. And about how if you are a strangulation survivor the number one person to murder you is the person who strangled you or at least like percentages of like the chances of them killing you after already being strangled. Thank you.
I'd actually be concerned if the only measure was an antivirus. EDR/XDR or application whitelisting are a bare minimum nowadays, there is WAY more to cybersecurity than you think.
Hey Dr Mike, big fan of your type of educational but fun content. I would love to see a video on the Black Death, and hygiene in the 1300s vs hygiene nowadays, with an explanation on what the Black Death did/does to people infected with it. I know it's old news, but it is/was an interesting bacterium that killed half of Europe. (Also plague doctor "costumes" look silly)
As a recently graduated student with a B.S. in Computer Information Systems, I must say you, Doctor Mike, have done your research and impressed me with your understanding of cybersecurity concepts. Honestly, I've really enjoyed your extensive knowledge of healthcare, but I must say this only makes me trust it even more since this is amazing content for you to be posting to bring awareness of cybersecurity to everyone, especially healthcare professionals who deal with sensitive life saving data.
I'm an insurance analyst for a major insurance company and we got hit hard by the hack you're mentioning, Dr. Mike. I'm glad you covered it! My company has direct partnership with United and we're still picking up the pieces.
the fact that someone would hack a hospital knowing they could be the indirect cause for so many deaths is disgusting, and they get whatever they want quickly because the hospital needs to take care of their patients.
When you don't see the direct impact on people it's easier to have no morals. Also people look at it in a similar way to stealing from a big chain store like Walmart. "Oh these big companies have plenty of money they won't notice five bucks".
It's sad but it's the world we live in.
These hacks are usually performed by Kremlin, North Korea, etc.
Most of the time these are automated attacks that exploit security problems that have been known, and fixed, for years. If such an attack works against you, you have been grossly negligent with your software security. For something as critical as a hospital, *all* used software requires frequent, periodic security audits and any available update needs to be live on the system within 12 hours of the release of the update at the absolute latest.
They don't want to pay for that. That, and ONLY that, is the issue. Every possible security problem in software development is theoretically solved. It's just not practically applied due to cost.
@@Anpanator Yeah, I've experienced the other end of that firsthand as a now-official CEH. You send your resume to a business in the medical field looking for a position as a penetration tester or SOC engineer, and they respond by ghosting you. Then they finally learn the hard way in examples like this why that was a bad move.
Hi 👋🏼 Dr. Mike, watching your videos has helped me be more conscious of my living and how I treat my body so thank you
I'm an IT tech at a small critical access hospital. We were hacked and had a data breach. Luckily, it didn't really shut us down and we were still able to take care of patients. We pushed our administration to invest in better cybersecurity, but they didn't think it was an issue until it happened to them. Then they basically gave us a blank check. Administration has to realize that they have to invest in security infrastructure NOW. It's not a matter of if it happens...it's a matter of when.
Yeah... As someone that used to MSP for medical offices, the problem is entirely with penny pinchers refusing to upgrade software and hardware with the times and pay for basic security features. A lot of fun also comes from how doctors can have hissy fits like toddlers and get exceptions to security policies as well. I was supporting Win XP until a few years back on frontline internet connected machines because offices *refused* to spend to buy new computers. As in, patient check-in computers where your money was handled and not some fancy medical equipment controller.
Straight up the average carpenter's office was better on security and buying new computers to keep things up to date than the average medical client I had!
@@sparky8251 Hit the nail on the head. Especially as an MSP, admin just thinks they're being upsold on services that are actually vital. And yes, some doctors definitely have too much pull and are too used to being catered to. We have started rolling out 2fa and talk about backlash...even some threats to just not come back to the hospital and work.
@@pkjacobg I truly loathe doctors. They think they are so smart they also know computers when they really *really* don't. It's even worse when they are also the admin/owner. Had one demand we do an OS upgrade of a single server in a way that didn't disrupt his business, but also refused to give us even an hour to do it in because he swore he worked 24/7/365... Took us legitimately months to get that done as a result when it should've really just been me spending 2-3 hours on a weekend at midnight. But noooo....
As someone who works in the cybersecurity industry, I can confidently say that business leaders across all industries oftentimes will skimp out on IT resources, then when an incident happens they suddenly "didn't know / are disappointed to learn their security measures were so inadequate" while they actively refused allocating resources that were in-budget for IT projects that could have mitigated most of their serious risks of facing an incident.
Recently the FDA tightened the screws and mandated that medical devices are audited before they're launched on the market, which is a step in the right direction, but once they are approved, they are no longer subject to recurring mandated security testing. Many vulnerabilities that will lead to incidents such as the insertion of ransomware are routinely being identified in tech used by these manufacturers in IoT medical equipment, which means their device may now be vulnerable to new threats that weren't known or used when they launched on the market, leaving them at risk now.
It's always a money problem ultimately. They'd rather risk millions in non-compliance fines than spend a few thousand bucks to improve their cybersecurity. It's really madness. The skilled cybersecurity professionals are out there, the expertise exists and there are countless providers out there that can help. It's just hard to convince boomers that barely understand how a printer works that risks are real and tangible.
And now, when the infrastructure is strengthened, the staff needs to have a robust and regular cybersecurity training. Even audits, if necessary, to catch them unprepared and see how strong the system really is within the organisation. Social engineering is a thing.
This cyber attack has affected healthcare tremendously. I work for a large healthcare company & we have been working HARD for months to try & recover from how this has affected us.
Yep. I can say that, too. Of course, it was the company I work for that saved Change Healthcare's asses.
Our 60 provider Plastics and Derm practice has as well.
My parents both work for one of our largest local healthcare companies (leaving anonymous), this happened to their company last year, and I think they're still working to recover from it (though I don't know the specifics).
@@sarahspindler2914 Starts with a C, doesn't it?
Shucks that's unfortunate, maybe all the money you get from milking the population dry for a visit should be spent on buying some norton garbage :D
“Literally killing people” is 100% true. As a nurse, I lived it last month and it was a nightmare. In my hospital on the first day, a patient coded because nurses were not able to access life-saving medications. This will never be acknowledged publicly by the hospital, but it is the truth. The hospital administrators wanted to present the picture that they could still safely take care of patients even though truthfully they could not.
omg, that's a nightmare! I'm so sorry, that had to be misery for you and families
Isn’t that like a coverup??
@@allisoncastle coverup is legal if it's done in the service of shareholder profits
Yet no one hears about it when an insurance company (BCBS) does an internal audit and decides they overpaid claims for years and the chargebacks they issued forced a lot of smaller mental health practices to close their doors.
We need more mental healthcare, not less!
This is just one reason why it's ridiculous to allow insurance companies to dictate healthcare.
Same w independent pharmacies. We’re dying over here! 😅
@@MorganCampbell-qs9vr I didn't know they did chargebacks on pharmacies too, but I'm not surprised. Insurance companies have far too much power.
I bet if chargebacks by insurance companies were made illegal, suddenly the insurance companies would magically come up with a better system that substantially reduces mistakes… 🤔
As a Cyber security professional, awareness is half the battle so the fact this is being covered well by someone outside the field with such a wide viewer base is awesome to see.
Best part of this video? Send this out as awareness education and document it.
Wooohooo! A palatable source of awareness.
Totally agree ! Keep teaching good security practices !
Why don’t hospitals have an intranet with an air gap for medical records? I don’t know a ton about cybersecurity, but I’ve always found that very odd that that isn’t standard practice
True 0:12
I did IT for a hospital that is dealing with a Cyberattack at this very moment (probably the one you're talking about)… And it's their own fault. As someone that talked and worked directly with their Cyberteam, the hospital company wouldn't listen to them about updating OSs and fixing CVEs for their own servers and systems.
They also had plenty of money to make the needed changes, as their corporate team was still getting fat checks and bonuses.
If you're talking about Ascension (yep, I'll just name drop them because they deserve it) yep. They are a private equity fund posing as a hospital system so of course there's no incentive to maintain those systems when they can skim those profits instead.
@@MiniiCitrus My local system was just sold from Ascension to another system and those poor buyers are running around like chickens with their heads cut off trying to clean up this mess. CERNER is garbage and now it's causing a huge mess.
Great to know that they care about revenue but not about those paying the bills.
Security by obscurity is an open door.
From a competing Healthcare netadmin, you have my condolences for your sanity. For other HC admins, seriously, stress test your backup systems and downtime procedures. The middle of falling back to paper charting is THE LEAST best time to find that backups didn't work.
My brother was recently featured in a Forbes article for finding a huge hole in "sealed" court records. He found many counties that have court records accidentally left wide open for the public to access. Everything from psychiatric exams, other medical records, and even name changes of children to protect them from abusive parents.
It seems this type of problem is all over. Those who have sensitive info on people really need to have it secured properly. Courts, hospitals, etc..
This is why cybersecurity awareness is something that needs to be carried out not just for us students in IT, but rather for every industry and its staff. It's really frustrating that even in our country, the only people being educated on cybersecurity are the ones who are already aware, educated and even funding courses on it at universities. There needs to be some sort of awareness and understanding of the risks of cybersecurity coming from major organisations that deal with this towards susceptible industries.
Oh god even name changes, what the he/|
Good that it was found, but for goodness's sake why is it so hard for these places to at least use 2fa 🤦💀
My hospital here in Canada was cyber attacked last October for ransom money (which wasn't paid, so tens of thousands of people's information was published), we went 3-4 months with zero systems, so incredibly dangerous and stressful. We got our documentation system back but most of everything else is still down and will be until November. If you haven't experienced it you can't fathom how dangerous it is or just how much is affected, you would truly have no idea. I would take peak covid days any day over our cyber attack, what a nightmare.
I had many days I cried in the bathroom at work during this hack. It was ridiculously stressful.
I thought this was the hack he was going to talk about. It lasted months. Think it was part of the reasons I had complications after having my baby due to things not being noted properly
The hospital I work at just recovered from a huge nation wide hack. We were 100% paper charting for over a month, and it was pure chaos at first. Labs were getting lost, orders missed, medications had to be manually entered by nurses and the risk of error was so great. I caught many medication errors written incorrectly on patient’s MAR. As nurses our daily load and mental stress increased soo much. It was truly awful 😭
Tell them to open up a SOC and start hiring CEH-certified penetration testers. That's how these kinds of attacks are prevented.
Welcome to the way it was in the 1980’s before computers replaced all manual, paper systems!
@@wearethelarosas6395 If only we had 1980s levels of system complexity, as well. Or even just the number of patients.
I used to work for a tech support firm that supported various hospitals across the USA.
Hospital cyber security barely exists. When we did phishing tests to see how many people would give us their passwords if we just asked, almost everyone did. Most passwords were also from the top 10 most common passwords list.
Honestly your average high schooler could probably crack the most secure American hospital
Another thing is that a lot of vendors of medical equipment have major issues in delivering systems that are halfway current in terms of software, often with no plan to keep them updated, etc. so this leads to many systems that are very easy to exploit. In a hospital setting it will always be that availability of a system is more important than securing it.
I work in a different field, but where the same behaviour from vendors has cost many companies a lot of money.
as someone who just graduated high school and wants to go into the healthcare field; that's scary!!!
Because for most ppl that worked in that field, they have no more brain space left to memorize unique password for each different step.
@@calyco2381 Luckily for all of us, that is not needed when things are done right. A world where that is a requirement is usually a good indication of someone in power not understanding security.
I’ve had coworkers fall for the phish or will message us and ask. If it’s from an outside person we absolutely should be reporting it. It’s messy. I work in the coding department and we have to do two step logins from our phones now to get on the VPN due to all the hospitals getting hacked.
I work in the cyber security industry selling these solutions to hospitals and other businesses. The BIGGEST hurdle to getting a properly secure set up is not budget, it's 100% the bureaucracy. A dozen people or more updating or changing requirements every other week ends up stalling these projects for literally years. Ironically, the most success we've experienced in getting these solutions implemented in a reasonable time frame has come when the customer's own insurance companies come to them and say their rates are about to go through the roof because they know how expensive recovering from these attacks is and they know there are several realistic options to defend against them.
These boards suddenly get a lot more cooperative when the hypothetical expense of inaction quickly becomes a real expense.
And when their insurance premiums skyrocket due to inadequate controls.
That's the issue still... companies (not just healthcare) are not getting the concept of what is "worse", the price of an MDR service/solution or them getting hit by a ransomware from someone buying the toolkit online and pitting it in just to see if it works.
The responsibility is theirs of course, but they should be presented with a real-life example (of which, I'm positive, every cybersec tool vendor or MDR provider has at least a handful) with every presentation/POC/demo.
Healthcare is a cyber security nightmare. A lot of medical companies are stuck in the year 1999 where they didn't really worry about cyber security. Some companies producing medical devices and their software still use "admin" and "password" as default.
I work in corporate insurance and I can't tell you just how many claims i had to open because of this. It was insane.
Same
My daughter’s hospital, St. John’s Illinois, was hacked from one of the employees doing her Christmas shopping on a work computer. They lied to all the patients and said they had a system error and were using paperwork instead of computers for weeks before finally admitting they got hacked. It was catastrophic and made me lose trust in them. My daughter has Down’s syndrome and cancer and I have no other choice in the area for her specialized care. Hospitals are suspicious at best right now.
My hospital won’t even let us access those websites, including social media-why would someone use a work device for shopping? I’m remote but I would use my personal devices for that.
Woooooow, hacked through christmas shopping... Idk if it actually helps much, but I'm going to print out my medical records. That way if they get hacked they at least have my history+current meds. I'll print out any additions such as meds changing when they happen, to keep it up to date.
It's ridiculous that we have to think about this to begin with, but I advise you do something to keep those records yourself- on paper or on a usb maybe.
Also best of luck to you and your family with the treatment🍀
@@undefinederror40404 that should be done anyway. Even if cybersecurity wasn’t an issue outside of the hospital, they could have a disgruntled ex-employee get into the system and do nefarious things with that info.
@@undefinederror40404 have no fear she is almost two and in remission ! odd fact kids with DS are more likely to get the deadliest version of leukemia, (myeloid) but have much higher survival rates than kids with 46 chromosomes. so shout out to my girls extra chromosome because it most likely saved her life ! she is running around and the happiest toddler ever :)
That's just incompetence. I work for OSF and most things like that are blocked from access on workstations. But yes you're never going to have a company/IT department admit they had a data breach as it happens for various reasons. We don't even tell our own workers it's been breached.
I was a NOC SOC Analyst once, and I was always surprised at the amount of cyber attacks attempted to Hospitals from ALL Over the world... And I mean ALL OVER.
How are you surprised.... hospitals generally have lots of money or tied to it, and they have horribly outdated systems and have tons of private info that is perfect for blackmail or stealing identities. That's a hacker's dream
That shouldn't be a surprise. Anybody who has hosted a public server on the internet knows that you're pretty much attacked by everybody and their grandmother. Just set up a honeypot server and install CrowdSec on it, and just watch and see how many alerts are generated on a server that has no purpose.
I'm in Canada and we've had several
To quote Al Capone when asked why he was robbing banks: "That is where the money is".
There's a lot of different reasons why those that hack hospitals don't care/don't know if the target is a hospital. People that make a living from this line of work already have made some moral choices and that means empathy for the hospital likely is in short supply.
@@ahooogerhuis it's because most of these attacks are funded by hostile governments, and until the US government gets down in the mud and sends more destructive attacks back this will keep happening. Purely defensive measures will always be circumvented by offensive ones.
My father ended up going through withdrawals because of a cyber attack. They weren't able to refill his pain management meds he's been taking for YEARS. He got so sick. Thankfully he's okay but it is ridiculous that people are doing this.
It's ridiculous that we have come to rely on computers to that extent.
As someone who has worked in IT before, it's very common for businesses to put IT security concerns on the back burner because they don't want to pay for updates or change policies.
When IT is doing its job correctly, nobody knows they are there, and they start questioning why they have an IT budget. When I worked for a medical MSP, I literally would sit at a remote PC most of the week just keeping an eye on things via a dashboard connected to 50 servers and a thousand computers. My boss got in the habit of sending a tech out for a "drop in" visit once a month just to check in with the front desk or the non-owner doctors had complaints that hadn't been passed along to us - it was amazing how much good will you could build up just by replacing someone's old keyboard with a broken key or taking care of the weird error message they were getting from some software that wasn't even used any more, just by asking around.
These days I work in software as a business analyst, but it's the same deal. Whenever I visit a client that I know uses our software, I'll just gently poke and ask if they've seen anything weird or something that bugs them, because I HAVE THE POWER TO FIX IT IF THEY JUST TELL ME. The look of surprise, then relief when someone hears that I've got magic burger powers for their schedule screen is always a blessing.
If they stop paying for the IT staff or MSP and let it run on its own for a few months, they quickly find out why they had an IT budget.
I work in cybersecurity and this is so frustrating. Healthcare was, for a while, considered off-limits to hacks/ransomware attacks but that changed and now health care is definitely being heavily targeted. The bad actors are seeing money and clout from these hacks (which is super gross). Cybersecurity professionals are definitely needed in healthcare.
As someone who works in billing for a very small nonprofit, this attack was CATASTROPHIC. The insurance companies did everything in their power to make it work, but the amount of damage it did is absolutely insane. Thankfully, every website that I personally use has switched to requiring more authentication for login, but this is still an incredibly dangerous scenario for anyone even remotely involved.
I work at my local hospital and we had a cyber incident last year. It is still wreaking havoc. We will never be 100% again.
Exploiting the sick is despicable.
Cyber hackers think what they did was funny to them
Thanks for the likes, but I didn't mean the hackers.
Do you have a proper business continuity plan, disaster recovery plan, and incident response plan? When was the last time you attempted a restore of your backups?
This is why Software-As-A-Service subscriptions should be regulated to require operational, local, and cloud-disconnected backups with offline license codes retained by the distributor ✊
Yeah, Tay! Tell em. But tbh, even if the infrastructure can be setup, the way they'd handle costs would make it completely inaccessible to a very large majority.
Yes! I worked for SAAS healthcare company for 15 years as a developer and my honest opinion, a properly configured on premise server and off-site/offline backup are much safer for a medical practice. Hospitals are different but for medical practices SAAS was awesome as a trend as the internet evolved and more software became web based but it's honestly a novelty and liability. The convenience of practice owners or office staff not having to deal with IT companies and know whether they are good or not is the reason SAAS is still successful.
@@FirestormX9 Thank you for your thoughts. Part of the reason for the high cost is the hardware and software design incentive towards proprietary APIs and infrastructure used to horizontally integrate product lines and build oligopoly- rather than modular, open-source APIs and design specs that invite robust competition for replacement or substitution at each stage. Every business faces great pressure on the design level to maximize future dependency on themselves- which should not happen but is sadly the norm.
What language is everyone speaking here
You’re the chocolate rain guy aren’t you
It takes a different type of heartless coward to risk the lives of others for money
So health insurance companies?
Oh wait hackers
Oh wait... both
Hackers are going to hack. You are blaming the incompetence of the executives in the wrong people. Are hackers evil? Yes. But executives who take bonuses instead of investing in Cybersecurity are the real villains of this story. If a bank lets anyone inside their coffers, are you going to blame a bandit if your money goes missing or the bank?
Not really. Executives of food, pharmaceutical, and tobacco companies do it daily.
@@HariSeldon913 They're still cowardly bastards
I feel like it should be illegal to prioritize making money over morals.
For something so serious, this problem totally flies under the radar. The lack of accountability for this is astounding.
My community organization got hacked and asked an exorbitant amount of money. We're an NGO and it really fucked us up for a while. Never understood why targeting an organization that has no money and helps homeless people and drug users.
This is happening in the UK too. The hackers attacked Synnovis- a private company that processed blood tests, both routine and urgent, for a number of London-based NHS and private hospitals (among other things). Urgent procedures, including cancer surgeries, were postponed because the hospitals couldn't process blood tests efficiently. We won't know how much patient information was stolen for some time. And yes, due to the cancelled surgeries and vastly extended A&E waits, it's likely some people will die/died due to the hack. Makes me so angry to think about. I'm so sorry this is happening elsewhere too.
You live in capitalism where a human life has a very low value.
these events are what keep me pushing towards my cyber security career, because it's a rapidly growing problem that is only getting worse
Be careful about burn out brother, I see it far too often; keep a good home/work life separation in effect.
I mean I think there will be much job opportunity in that field! If I could get an education and work a normal job I would 100% choose cyber security!
In Denmark, the military is now hiring people for a new cyber force to combat this new rapidly growing threat :)
One thing that cybersecurity can involve (and I'm speaking from experience here) is reverse-engineering malware.
The other thing we need is people in management who actually BELIEVE THE THREAT IS REAL. The penny pinchers view IT and security as a cost center, not an investment or a form of insurance, and do everything they can to avoid upgrades.
Your hospital or software company can have the best cybersecurity team in the world but that doesn't mean anything if the CEOs don't believe them when they tell them they need to change security practices top to bottom. Change is hard.
My Dad had to have an emergency surgery to have a pacemaker put in when Ascension Health Care had a cyber attack. He was able to have the surgery and has made a full recovery, thank God. However, my Mom overheard how frustrated the nurses were because they couldn't chart properly, order meals for patients, schedule procedures and other surgeries, etc. It's truly scary how much patient information is online and isn't secure.
I am happy to hear your Dad did well after his surgery.
When Ascension hospitals had to ‘turn off their computers’ during the cyber attack, every department had to go back to paper. Orders, chart notes, prescriptions, exam results, lab results, everything had to be written like it was in the 1980’s era on carbonless forms. This generation of healthcare professionals was not trained with that technology and it was a nightmare for everyone. In my area, patients started avoiding the Ascension hospital for another hospital in the area which caused longer wait times in that ER. Now that the incident is over, all those paper notes still have to be transcribed into the patients’ medical records.
@@randomllama7362 And when proposed to show them to new nurses everyone is all "oh no it won't happen again" making the issue worse.
@@silverscalederg8632 for Ascension, they were bringing in a new set of nurses and they did show them paper charting because the system was down so they couldn’t even train on the system used. And of course the newer nurses that were working on the unit used paper because that was the only thing available.
I bet if medical executives suddenly become liable for lack of security with prison terms attached, the level of cyber security in this industry goes through the roof.
I work in a pharmacy and it was HELL for an entire month because of this cyber attack. No insurance would adjudicate and everyone was upset and couldn’t afford their meds!
This is completely true. I work in a hospital in Uganda and our system got hacked. This was really huge as everyone’s personal information got leaked
Ikr W
@@YTGamerboyPG3D thank you for your support
Ya yr right
Ya
Do yu kno da way?
As someone who has directly dealt with the fallout of this, it’s horrific. It almost broke our hospital and we weren’t even hacked
We're still dealing with the Change HealthCare hack. I reported it on my 2nd channel months ago when it happened bc there were massive issues with pharmacies and we still can't post electronic payments from major companies like Aetna, BCBS, Cigna, etc. It's been a headache.
I've been in IT for 20 years. Dr. Mike did a good job of presenting this. This topic goes so much deeper than this. You could honestly probably do hours' worth of videos covering different aspects of this topic. As far as IoT devices. While I understand the convenience of a device being able to talk directly to a company's server on the internet. Great for an emergency alert like a heart monitor. Not so great if it grants control of a device. I've never been a fan of IoT devices. It's a bit like parking a nice car, unlocked, in a bad neighborhood and hoping nothing bad will happen.
Local Network control will always be safest. That also means you would need infrastructure locally to support it. Not great for patients sent home with devices. Fine for large hospitals with the infrastructure and cash to support it.
As a cybersecurity major this absolutely terrifies me, this is why training and consistent check ups are important! I can't believe the rate of success for a hack is 90 PERCENT
My hospital got hacked huge and it shut down for a day and a half. It's so scary that they had been locked out of everything, and especially weird that there's no way to just do the hospital stuff without the computers...I don't know
I mean, they can but it's pretty much working blind.
@@justguy-4630 they need to have physical ways to get everything, though, or just ways they can work around it. People died because the computers went out? Like...how did we do this before computers?
I don't know what it was like in the hospitals, but I work in a pharmacy and during this hack every single manufacturer savings card stopped working. Most of our patients who were on brand-name drugs had to start paying hundreds of dollars more for their prescriptions or, as I saw many times, just not take their medication. It's no surprise to me that this kind of thing can cause people to lose their lives.
Pardon my lack of knowledge, but were there no generics available or why couldn't they switch to those right away? Switching from brand-name to a generic sounds like a no-brainer especially if one's life is on the line, so there is probably something I don't know about the US system at play here.
@@justanotheryoutubeaccount2270 Drug patents in the US last for 20 years. Any drug released in the last 20 years won't have a generic available yet. This is so the original patent holder can recoup their investments in R&D and make a profit before other companies are able to get in on it. Thus, they can charge however much they want until the generics are out. So if a patient needs a specific drug, there isn't always a viable alternative.
By default, all prescriptions are dispensed with generics whenever available unless otherwise requested by the patient, prescriber, or insurance provider.
@justanotheryoutubeaccount2270 guessing they're either not available or, not sure if this applies in the US, you'd need to get your doctor to switch your prescription to generic
@@justanotheryoutubeaccount2270 Generic meds are still ridiculously expensive in the US. Most people who are getting their meds with insurance can't afford any meds otherwise. In Canada, even a pharmacist can switch you to a generic brand.
Amongst hackers there is an unspoken rule to NEVER EVER hack hospitals or healthcare.
Sadly some people don’t keep to those standards
This isn't true these days. People will hack anything they can that will make them money....Unfortunately healthcare is very behind as far as cybersecurity goes in spite of being subject to more stringent data protection laws (HIPAA).
Some ransomware groups had informally agreed to not hack critical infrastructure or healthcare but that wasn't all of them and it's not some honourable code they abide by, it was to stop them from getting so much heat.
cosmologist is so cool
how u know that 🤨
@@akr4s1a It's not being honorable, it's about not pulling too much heat in. You mess with big capital, they'll usually pay you off and won't even admit it happened because it is a BAD look for your clients. You hack a water treatment plant, power distribution station, or hospital? You put people's lives at risk, you make the news, the FBI takes a keen interest.
Smart hackers pick their targets carefully. I work in IT and while we certainly have some fools trying to go after our medical clients it's mostly factories, logistics, and big capital; companies that REALLY don't want to admit it happened to them.
I have it on good authority S&S Tire/S&S Bridgestone has been hacked more than twice in a single year but because it's privately owned they never once told anyone that didn't work there. A buddy of mine worked there and he spent weeks getting them back online. They didn't have proper backups for most servers, the head of IT's credentials were used in the hack indicating he shared his password with other websites and they got stolen, or something similar. My buddy was stressed the entire time and once things got taken care of they let him go without reason. The problem was their VPN wasn't secured with 2FA like industry standard dictates and that allowed someone with just a password into the entire network and since they went after the head admin they had access to EVERYTHING. My buddy about two months prior to the hack made a big stink about how unsafe not having 2FA was; then they fired him after he helped fix the issue. To me it looks like management was embarrassed and didn't want THEIR bosses finding out they had been warned in advance and just failed to take reasonable action.
I love that you took time to review this. I work in Health insurance and this breach impacted claims and our ability to determine their level of Medicaid eligibility. I even suggested to my peers to check this video out so they could get a more rounded understanding of how impactful this was
My husband is a cybersec specialist for a big hospital network and after he started they haven’t had a single incident. Because he spends all day tracking down technology and updating and cleaning it. Too many ppl neglect updates and that’s a big part of vulnerability.
Most healthcare companies don’t like to be the first to try new technologies. This results in them being decades behind other industries in basic tech infrastructure
Walgreens has been using the same software since 1987 😁
@@elongatedpocket1310 yes, tons in retail too! Blows my mind how many companies think they’ll skate by like that 😂
@@christygruber2283 what’s really shameful is most government entities operate the same way. It’s like the most sensitive entities are always the furthest behind in advancements
Okay, I agree. So I wish they would look at the VA! Largest healthcare provider in the US, has to meet the standards for any government agency / department (aka NSA) and has implemented a security solution based off NIST and such. Source: ex ISO at a VA. We spent years getting this going, making sure it was working. Look to us, dang it! :wry:
My dad works IT for a hospital, and another part of why tech is so out of date is because updating stuff may cause temporary outages in some scenarios. If you mess up, you could take something important down.
Mental Healthcare provider biller here. This caused a HUGE mess. So many claims were piled up. Had to go to old format (drop claims to paper). Patients were extremely upset as their claims weren't billed in the usual time frame. Pt billing were delayed. Thankfully, caught this early enough and stayed on top of those claims to keep things moving.
Hey Mike, glad you’re tackling this subject. I’m finishing my degree in Cybersecurity and my final paper of the degree was on the Cyber vulnerabilities of telehealth in the start of the pandemic.
I work in an outpatient pharmacy, we were using Change as our sole switch and this kept us from using insurance on people's meds for several weeks. We couldn't even use the hospital discount card we have. The only reason we came back up so quickly is because we got a contract to work with a different switch instead. Even then, we only got back the ability to look up insurance eligibility ourselves a week or two ago, before that we've been relying on hospitals scans of cards or patients having them on hand.
Thank you so much for covering this! We are a small behavioral healthcare practice and were so impacted by this, and yet it was not on the news anywhere. It was so frustrating to watch something so huge get ignored, despite the obvious impact, and it is so nice to have people at least acknowledge what is happening!
It happened in Ireland a number of years ago where patients' records were hacked from what we call the Health Board. I got a letter in the post sometime later informing me my records were one of the ones accessed.
Dr Mike and his team create the type of content I pay my internet bills for.
I work in a billing office, and this was a nightmare. Insurance is a nightmare. It's a scam, but we just keep letting ourselves be scammed because... what can we do?
Thank you for using your platform to make people aware of this Dr Mike! And not just that but telling us what WE can do about it!
As someone in the infosec industry, people and companies have been ignoring warnings for attacks like this for years and continue to do very little to prevent and protect themselves.
Nice to see a video crossing-over with my field. It's a hugely important problem that a vast majority are woefully uninformed about.
Pro tip: If it's easy for you to login, then it's even easier for hackers to break in.
I thought this was about the recent attack in the UK. It's so sad to see so many countries saying this is a problem in their hospitals too. People targeting Healthcare locations and holding medical records and treatments hostage are disgusting.
I remember when this happened, it impacted the pharmacies in our areas. I had to pay cash for a prescription at the time. I'm always suspicious when someone says the system is down for an unspecified amount of time. Thanks for covering such an important topic!!
The most eloquent way to describe a clearinghouse that I've ever seen. Working in the healthcare industry, we still see providers and facilities struggling from the long shut down of CHC.
Yeah some are still having issues with EOB
I want to start this off by saying that I love Dr. Mike, he’s an amazing person to go to if you have any questions. There is only a small bit of information on this topic that I wish he would have covered, that being how society sees and views the cyber attacks and how this could scare a lot of people into not trusting hospitals and doctors. Your video was very informational about all the doctor stuff as per usual but I do wish you would have touched on this as to reassure anyone who worries about being safe in a hospital. ALSO I LOVE YOU AND BEAR!!!!❤
Another massive issue is that facilities will use old equipment that doesn't have the security needed today. It's not that they don't want to upgrade, it's the cost of the equipment that makes it difficult for them to do so. If a small hospital has to rely on old tech, they can definitely affect a larger hospital that has upgraded with the shared data. This is another problem with the private industry and every hospital, clinic, and office on its own for affording and building out a secure and updated network of shared data. But without the shared data, care is compromised, too.
Don't worry, it's not a matter of private industry. I live in a country with public health care. Here hospitals' cyber security is almost non existent on the same level in every hospital, not in only some of them.
They don't get to charge absurd amounts of money and then complain that Cybersecurity is too expensive. No sympathy. I am only sorry for the patients. The hospitals deserve to lose money and should also be fined and lose even more.
This happened at Ascension in Wisconsin. My mom thought she had appendicitis. She went to the ER, found a tumor and they sent her home. She couldn’t get an appointment with her urologist because of this cyber hack. Thankfully she found a urologist at Aurora Hospital. She then finds out that it’s a massive tumor, and then later after the biopsy it’s cancer. We’re hoping she’s going to be ok. The doctor says she’s got a good chance. But this definitely delayed her care.
@@hanners4895 it was country wide. Something like 80 million Americans were affected
I feel like this was an issue for a while before it was announced. When I would log into Livewell. I couldn't link to Ascension like normal. This was going on for a while before Ascension got locked out of their system.
Look into fenbendazole...it works
Yeah, well, I'm sick of unknown health companies calling me, trying to get information about my health care by pretending I'm already a patient of theirs.
as someone working at a dr's office I am sick of them faxing us garbage and calling pretending to say that the patient said they want xyz BS thing they are selling. it's the worst. some of them even pretend to be real pharmacies like Walgreens or CVS
These aren't even companies. This is just bog standard phishing attempts.
@@vectorwolf No, ya think?
@@onemercilessming1342 You called them “unknown health companies”.
@@onemercilessming1342 your comment reads like you believe they're legit healthcare companies
You know, i think American hospitals needing the approval of healthcare companies before giving treatment is the real problem here
I work at Oracle Cerner as a full stack engineer building medical software for hospitals. I'm not sure how companies can work with medical data / processes without being up to standards with security? Seems like there is more to this story.
Also goes to show - don't put all your eggs in one basket with a company. It's why it's a good idea to not monopolize a software industry in case of hackers shutting it down.
It makes me happy that you talk about this since it's an important topic and also very very relevant considering the different situations going on throughout the world. I work as a cyber security analyst in Sweden and we read a lot about attacks and groups targeting healthcare systems. The attacks will keep coming and get even worse
As a HC admin, United should definitely pay fines for this. They literally didn’t do anything about this for the longest time. They also ended up buying out the small practices that went bankrupt and had to close due to the problem a company they own created. I think this was just a way for United to conduct a mass buyout of all the small practices and to get them out in the open so that they could eventually buy them out. Food for thought🤷🏽♂️
At least they bought out those small practices. Years ago, BCBS forced small mental healthcare practices to close because BCBS decided to issue massive charge backs with zero warning because they realized they had been overpaying people for years.
That's totally bullshit. As a cybersecurity enthusiast, I can confirm that this hack absolutely happened and was definitely not started by United. They may have taken advantage of the situation. That I don't know. However, they certainly didn't cause it.
As someone who worked for CHC and now for UHG, that is definitely NOT what happened. There is no overarching conspiracy. This was extremely detrimental to the business/industry and it's insane to suggest it's being used as an advantage. UHG has paid out more than $3.3b to providers affected by the attack and they had been acquiring practices/businesses long before this attack (CHC being one of those acquisitions, which the DOJ tried to block). This is all public information. The OCR is also investigating UHG & CHC due to the attack and the DOJ is conducting an antitrust investigation into UHG, so fines may be in order.
Dr. Mike has done an excellent job of summarizing the very public FACTS of this attack. Try sticking to those instead of theorizing.
@@Hokie5Libra82 k
OMG I am in medical billing and this Change Healthcare issue has been a nightmare. We are still dealing with it to this day.
One more reason for universal healthcare. No insurance companies that need to be contacted, you will get the care needed, and the government pays the bill. I cannot understand why a country such as the USA doesn't have this. Luckily, I live in Sweden, which has this. My country takes care of its citizens. Sure, there is potential for improvement, but the basics are that the government pays.
I was WAITING for someone to make a video about this. I'm in the medical field and one of our systems was affected by this. Thank you for talking about it! I was so curious
I work in the pharmacy, the amount of patients that had no idea what was happening was staggering. Having to tell patients their options for pricing was terrible
This might be a contributor to why over the past year I've struggled so much with getting my medications covered and actually filled. If the pharmacy can't get paid they can't pay to get the medication shipped.
When this happened earlier this year, I was surprised it didn't get more news coverage. It was a nightmare at the pharmacy.
Yeah, work in medical coding in South Carolina, I'm still waiting on payments for services done in Jan/Feb/Mar and turn around time is typically 30-45 days. It's been a headache!
It sucks but there is a reason we don’t negotiate with terrorists / pay ransoms. It does more damage in the short run but helps in the long run
The hospital I work in missed out a big cyber attack a few years ago because our IT team are so careful
As a security researcher, most of these hackers are *kinda bad* at what they do. Most of the times, you can decrypt it by reverse engineering the ransomware, but these hospitals are in so much of a hurry they just pay these people. It's just the world we live in, greed overtakes people's conscience and causes them to not care about others *lives* . These hackers will rather hack places that *save lives* rather than use their skills for good.
I am a security researcher, and I could easily do one of these attacks, but do I?
No, I don't. I decide to use my skills to *help* people rather than do insane things like these hackers.
It is insane how these people hack *hospitals* and don't have any feeling of regret.
EDIT: I know that Change was hacked, but this was an attack that was done semi-sophisticatedly. I am talking about the other hackers that hack hospitals themselves.
Dr Mike, thank you for teaching so many interesting facts and encouraging small channels like us to keep up and improve.
Your comment has been noticed! Subbed to your channel. Always happy to support a growing channel, especially ones sharing interesting information!
I had to pay full price for a $1200 prescription because of this hack and am still waiting for my reimbursement
My dad runs a prosthetic business and he got an attack like this. They had to redo all the records by hand (they keep both physical and digital records). It took my dad weeks. He now does backups just in case (weirdly the hackers never even asked for money, they just peaced out).
This is crazy and I can’t believe how quiet it’s been. Prior to this video the only thing I had heard about it was from a Rite Aid that hasn’t been able to get diabetic test strips since the attack. But only that, they’ve been able to fill other medications. And the pharmacy didn’t elaborate on the seriousness or the extent of the issue. Just that there was a “computer issue in February and we haven’t been able to get those strips in yet”.
It was all over the news...CEO was also grilled by Congress, which was also all over the news...
Just got my wisdom teeth out yesterday, this video finally made my hours of refreshing YouTube worth it!
Our practice in Jersey is still suffering the consequences of this attack. Unreal.
My mom is a therapist and hasn’t received an actual “paycheck” since before the recent attack. Somehow the $0-120 sporadic checks have kept us afloat. But I wish the government or someone got involved. Others in her field have had to take out loans or mortgage their house just to stay afloat.
I work in Medicare sales and it’s been a complete nightmare. Not being able to find someone’s Medicaid ID to assist them with getting medical coverage has been a huge issue. And it’s still not fixed!
Life without parole, can't be soft on these fellows. Got to make the stakes high, playing with people's lives en masse should not be taken lightly whatsoever.
Sounds good. But how many of the hackers are even located in the United States? I'd bet many of them are in other countries.
@debbieholoquist2059 As with most hackers, but with tech involved you potentially can find the country of origin and put pressure on that government. Not saying start a war but this isn't about money anymore, playing with American lives should call for some more severe measures.
This is the main reason why I'm so upset when some healthcare professionals disregard what I tell them about what "NOT" to record down on their notes, especially when it's not even relevant to the treatment. I don't care if you think it's just for you to see. I understand and know how this technology works.
Let's talk about the risky near monopolies we have in healthcare and massive interconnectivity that allows these kinds of nationwide onslaughts to be possible.
This happened in Canada too, in the last few years across several hospital networks. (Probably still happening, I just haven’t heard about it.) It wreaked absolute havoc on already strained communities, particularly in rural areas.
Thank you for bringing attention to this!!! It's criminal that it is so underreported in the media. It really shows how dysfunctional and fragile our healthcare system is. Uggghhh!!
I can’t tell you how much, but Dr Mike has changed my life. I was filled with anxiety thinking about my aspiration but now I have decided and locked in. I’m currently studying medicine at Harvard after how much you have inspired me and I’m truly dedicating every ounce and hour of my life to it. I hope the best for you and wish you well for your boxing career. The best role model ❤
It’s truly amazing
How much my life has changed 😅
Why would anyone just hack into a hospital, endangering people’s lives? It’s absolutely disgusting. What has society come to?
Getting patients' identifying info, honestly. Then they can ransom the data or sell it or use it for identity theft.
Who’s here from the ad?
Yo
Me
Me
Me
Me
This disproportionately impacts elderly people without young(er) people helping to navigate the online world in general, and healthcare records etc., specifically. My Mom and my Aunt are perfect examples. Not only are MFA, hackable PWs, etc., incomprehensible to them, they both laugh it off and think we’re making a mountain out of a molehill. And they are the lucky ones, because our family has forcibly stepped in and taken over on medical and financial risk.
The elderly who do not have anybody to stand for them are sitting in huge backups at hospitals, not getting care.
As a CFE, this is a constant conversation of security but also the potential for fraud with such sensitive information. It is such a hard conversation solely because it becomes an administrative issue and is frustrating to watch
It's unfortunate because there are people who don't understand IT infrastructure making decisions not to patch or make upgrades that would prevent or mitigate hacks because it's "too inconvenient". Would you rather have regular maintenance and planned downtime for a few hours or be at a complete standstill for weeks on end? Which one is more inconvenient?
I was recently included in a class action lawsuit by Kroll done against the ambulance systems for HIPAA violations breach while I was in the hospital.
It's just sad that people cyberhack. There is a hospital meant for babies, and a baby who was going for surgery actually died because people were hacking into the hospital system and disabled the power, which led to other babies' deaths.
Source of this story? Sounds hard to believe. Not because it couldn’t happen, but because I feel like it should’ve made viral headlines to raise awareness if it happened
That was an episode of FBI TV show.
The screen at 9:15 saying "what is your dog's middle name?" is adorable lmao
Hey Doctor Mike. Would love to see a video about strangulation/choking. Signs a kid has been choked. Who you should tell if someone puts their hands on you. A trusted adult OUTSIDE the family because family can go through denial about it. Symptoms and side effects and long term effects of strangulation. And maybe something about strangulation survivors and their life span. And about how if you are a strangulation survivor the number one person to murder you is the person who strangled you or at least like percentages of like the chances of them killing you after already being strangled.
Thank you.
Now I'm a little scared to go to the hospital until they find a good antivirus
For every good antiviral program, there are about 900 (at least) hackers that can dismiss them.
Punny
I'd actually be concerned if the only measure was an antivirus. EDR/XDR or application whitelisting are a bare minimum nowadays, there is WAY more to cybersecurity than you think.
@jacksoncremean1664 Yeah, I think it was actually a pun comment, not to be taken seriously.
As someone in cyber security, it's not even the antivirus, it's employees clicking random links.
Hey Dr Mike, big fan of your type of educational but fun content.
I would love to see a video on the Black Death, and hygiene in the 1300s vs hygiene nowadays, with an explanation on what the Black Death did/does to people infected with it. I know it's old news, but it is/was an interesting bacterium that killed half of Europe. (Also plague doctor "costumes" look silly)
OMG I'd be mortified if someone gets access to my medical records! I have a lot of health issues and some of them are embarrassing.
As a recently graduated student with a B.S. in Computer Information Systems, I must say you, Doctor Mike, have done your research and impressed me with your understanding of cybersecurity concepts. Honestly, I've really enjoyed your extensive knowledge of healthcare, but I must say this only makes me trust it even more since this is amazing content for you to be posting to bring awareness of cybersecurity to everyone, especially healthcare professionals who deal with sensitive life saving data.
I'm an insurance analyst for a major insurance company and we got hit hard by the hack you're mentioning, Dr. Mike. I'm glad you covered it! My company has a direct partnership with United and we're still picking up the pieces.