[HN Gopher] Hackers disrupt payroll for thousands of employers, including hospitals
Author : thunderbong
Score : 118 points
Date : 2022-01-16 14:06 UTC (8 hours ago)
Link : www.npr.org

bluedino wrote:
How is Kronos still in business? How do they not have their stuff back up and running?

https://finance.yahoo.com/quote/KRO/

Their stock looks fine. You'd never know their business is inoperable.

I know customers of theirs that just said 'screw it' and wrote their own payroll/timeclock systems. They don't have a 100% replacement yet (not a small project) but at least they can use cards to clock in and track hours.

I'm surprised every employee who uses the system hasn't had their personal information posted to the dark web yet.

[deleted]

blamazon wrote:
I truly do not understand the stock price. People who know more about the market than me: What are the reasons not to short this?

financetechbro wrote:
For one, Kronos is not a publicly traded company.

j-bos wrote:
Could it be because large investors in Kronos are also large investors in the companies that use Kronos, thereby having a vested interest in keeping the money flowing? Sincere question.

lotsofpulp wrote:
Shorting something means betting the price will go down within a certain timespan. If you do not know that timespan, then you will still lose.

jimt1234 wrote:
Management pays Kronos because they feel like there's no options, even though their product is terrible and can be easily duplicated. I know this because I attempted to do it years ago. I was tasked with working with a consultant from Kronos to implement their "time management" system. I was surprised/not-surprised when I saw how lame it was.
But I couldn't keep quiet after I heard we were paying Kronos something like $250K (early 2000s; can't remember exact $$$ amount, but it was a lot). I told my bosses I could make the same system over a weekend, and support it myself. Management resisted at first (Kronos has certifications!), but then they told Kronos we're thinking about rolling our own, thinking Kronos would drop the price by a few bucks. Nope. Kronos threatened to sue, saying we were attempting to steal IP.

mgkimsal wrote:
> I told my bosses I could make the same system over a weekend, and support it myself... Kronos threatened to sue, saying we were attempting to steal IP.

If you were going to steal IP, stealing from Kronos would probably be pretty low on your list, because you're trying to build something that works, right?

niccl wrote:
I gather there's a strong tie-in with SAP payroll stuff (at least in sunny NZ): several of the organisations I've worked with who moved to SAP payroll/employee management have also taken Kronos for timesheeting. And since you can't get fired for choosing SAP, Kronos keeps getting customers.

tarellel wrote:
Their timeclock application is terrible.

The org I work for transitioned their Kronos from onsite to their multi-tenant cloud system. And it's been an absolute nightmare. Both software suites are a mess but transitioning to their cloud suite is like downgrading at least 10 years of upgrades.

portman wrote:
Wrong stock. That is the share price of an unrelated chemicals company.

UKG is privately held.

bluedino wrote:
Explains it then, did not even see that.

cebert wrote:
Why don't all critical applications at the very least have immutable backups to a different account? This is easy to do in AWS. Ideally, these apps would also have better security posture, but doing this alone would go a long way.
On my product, backup lambdas only have write access to our other account for backups. We're backing up DynamoDB and S3 continuously.

mistrial9 wrote:
.. because in money handling, there is always someone that benefits when the money is not transferred?

blamazon wrote:
Search "Kronos" on reddit to find testimonials of end-users affected by this. It's a broad set of large hourly employers.

https://old.reddit.com/search?q=Kronos

TedDoesntTalk wrote:
> Ultimate Kronos Group

The very name of the company sounds like a scam. Why would you entrust your payroll to people who chose a name like this?

judge2020 wrote:
Anything can be a company if enough is said about them. A 2B market cap also helps.

https://finance.yahoo.com/quote/KRO/

windowsworkstoo wrote:
That's a pigment company...

irfwashere wrote:
It would be nice if there was a Linux alternative to whatever hospital infrastructure is still running Windows XP. I mean it would be lucrative, secure, and even help to pay for things like salaries for programmers' wages, support foundations, and so on. And it'd be kept up to date unlike Windows XP. Just a thought.

unilynx wrote:
Controllers for medical equipment. If they were Linux based, it would probably have been stuck on CentOS 5 and not getting updates either way.

xayfs wrote:

throwaway453325 wrote:
Crazy but true anecdote. I interviewed with this company for a DevOps-type position. My would-be manager spent his time with me talking about "the birds and the bees", and quipping that prisoners smuggle cell phones in their butt. The only question of his that I specifically remember is what video games do I play. I held it in, went home, and declined their offer. The recruiter told me that I was too sensitive, and ignored me about travel expense reimbursement for months, until I contacted their head of HR (guessing the address).
I just checked and that would-be boss is now a senior manager of security engineering there. Not blaming him, but I do feel like Trinity dodging ten agents right now.

nefitty wrote:
Managers are literally the ones that are supposed to take the blame.

duxup wrote:
Agreed, if he is head of it... it's his thing.

Reminds me of the Panera executive who got upset (seemed to be confused) when a security researcher wanted to exchange keys.... dude thought it was a scam / sales tactic.

https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-s...

rnvannatta wrote:
There was a flagged comment here that thought this manager's interviewing strategy was a good idea.

In this world, bosses end up holding power over their underlings. A boss who uses this power capriciously is tyrannical. A leader should use their power to achieve the shared mission of him and his followers, not arbitrarily.

There's a time and a place for ribaldry, and an interview isn't one. Generally those are optional situations that people can avoid if they don't want to hear it. This, and other sorts of 'tests' that some bosses use in interviews to test for 'thick-skinnedness', is equivalent to seeing if an underling will tolerate arbitrary abuses of power. It's equivalent to a test for absolute loyalty and servility, to see if the underling will be a yes man.

If a leader crosses a line for no good reason, perhaps by cracking a too risque joke, he or she should apologize and tone it down. It's about using your power responsibly and respecting your employees as you will have them respect you.

anonnyj wrote:

trs8080 wrote:
... filtering out "gross woke types"... by showing that you're incompetent and don't know how to do your job?

[deleted]

mtoddsmith wrote:
Maybe we need certifications for systems along with audits that would allow us to rate companies like this.
I know for our company to do work with DOD we had to meet a bunch of criteria and make changes to our systems to comply. But it wasn't a standardized process at all.

grammarnazzzi wrote:
TLDR: For anybody wondering why "hospitals" appears in the subject line, it's purely click-bait. Hospital services were not targeted or particularly affected more than any other industry.

The only statistic in the article that gives a clue how many hospitals were affected appears in the statement:

"In Montana, more than 250 nurses at Missoula's Community Medical Center have missed out on pay due to the hospital's decision to pay employees by duplicating an early December paycheck"

So in this particular company, some nurses were forced to accept their expected regular+OT pay and will have to wait a couple more weeks for any extra overtime they might be entitled to.

How many healthcare workers were affected? No more than any other industry. I couldn't find any news on the internet actually revealing how many workers in general were affected other than "up to thousands". So how many might be health care workers? Up to hundreds? So maybe 0.005% of healthcare workers have been inconvenienced?

So my question is, why has NPR specifically addressed the impact to "hospitals"? Why is the impact to healthcare workers more important and news-worthy than the impact to everybody else?

> "The outage is an unneeded administrative nightmare timed precisely as the omicron surge is hitting hospitals, Riggi said."

Ah! The outage was "timed"!!!!

The evil hackers intentionally timed the attack to threaten COVID victims!!!! My god! They're MONSTERS! attacking and murdering the weakest of us! It's outrageous!

What should be done? Is it time to fire up the gas chambers for these inhuman hacker terrorists? Or maybe it's just time to click on NPR's clickbait title?
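cebert's comment upthread describes immutable backups written into a separate AWS account by Lambdas that have write-only access there. The following is an added illustration of that setup, not code from cebert or from any product or company mentioned in this thread. It spells out the two policies such a design rests on (the backup role's identity policy in the production account and the bucket policy on an Object Lock bucket in the backup account) and includes a small evaluator so the write-only property can be checked offline. The account IDs, role name, bucket name and object key are constructed placeholders; the evaluator implements only the explicit-deny-wins subset of IAM and ignores conditions, SCPs and resource policies.

```python
"""
Write-only, cross-account immutable backups: the policies behind them.

Added example (not from the thread). Account IDs, role and bucket names
are constructed placeholders.
"""
from fnmatch import fnmatch

PROD_ACCOUNT = "111111111111"               # placeholder
BACKUP_ACCOUNT = "222222222222"             # placeholder
BACKUP_BUCKET = "example-payroll-backups"   # placeholder, lives in BACKUP_ACCOUNT
BACKUP_ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/backup-lambda-role"

# Identity policy for the backup Lambda's execution role in the production
# account. It may write objects and set their retention, but an explicit
# Deny blocks reading, listing, deleting and weakening the lock, and that
# Deny still wins if a broader Allow is attached to the role later.
BACKUP_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WriteOnly", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:PutObjectRetention"],
         "Resource": f"arn:aws:s3:::{BACKUP_BUCKET}/*"},
        {"Sid": "NeverReadDeleteOrUnlock", "Effect": "Deny",
         "Action": ["s3:GetObject*", "s3:ListBucket", "s3:DeleteObject*",
                    "s3:BypassGovernanceRetention",
                    "s3:PutBucketObjectLockConfiguration"],
         "Resource": [f"arn:aws:s3:::{BACKUP_BUCKET}",
                      f"arn:aws:s3:::{BACKUP_BUCKET}/*"]},
    ],
}

# Bucket policy in the backup account. The production role is only granted
# writes, and only of objects locked in COMPLIANCE mode, which nobody in
# either account (root included) can shorten or delete before the retention
# period ends. A compromised production account therefore cannot destroy
# its own backups.
BACKUP_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowProdWriteLockedOnly", "Effect": "Allow",
         "Principal": {"AWS": BACKUP_ROLE_ARN},
         "Action": ["s3:PutObject", "s3:PutObjectRetention"],
         "Resource": f"arn:aws:s3:::{BACKUP_BUCKET}/*",
         "Condition": {"StringEquals": {"s3:object-lock-mode": "COMPLIANCE"}}},
    ],
}


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal IAM-style evaluation of one identity policy: any matching
    explicit Deny wins; otherwise some Allow must match. Wildcards in
    Action and Resource are matched with fnmatch."""
    def matches(stmt: dict) -> bool:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        return (any(fnmatch(action, a) for a in actions)
                and any(fnmatch(resource, r) for r in resources))

    matched = [s for s in policy["Statement"] if matches(s)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


def backup_role_capabilities() -> dict:
    """What the backup role can and cannot do against the backup bucket;
    a write-only role must come back True only for write and set_retention."""
    obj = f"arn:aws:s3:::{BACKUP_BUCKET}/dynamodb/2022-01-16.json"  # constructed key
    bucket = f"arn:aws:s3:::{BACKUP_BUCKET}"
    return {
        "write": is_allowed(BACKUP_ROLE_POLICY, "s3:PutObject", obj),
        "set_retention": is_allowed(BACKUP_ROLE_POLICY, "s3:PutObjectRetention", obj),
        "read": is_allowed(BACKUP_ROLE_POLICY, "s3:GetObject", obj),
        "delete": is_allowed(BACKUP_ROLE_POLICY, "s3:DeleteObject", obj),
        "delete_version": is_allowed(BACKUP_ROLE_POLICY, "s3:DeleteObjectVersion", obj),
        "list": is_allowed(BACKUP_ROLE_POLICY, "s3:ListBucket", bucket),
        "bypass_lock": is_allowed(BACKUP_ROLE_POLICY, "s3:BypassGovernanceRetention", obj),
    }


if __name__ == "__main__":
    for capability, allowed in backup_role_capabilities().items():
        print(f"{capability:15s} {'ALLOWED' if allowed else 'denied'}")
```

Two caveats apply when moving from this model to a real deployment: Object Lock can only be enabled when the bucket is created and requires versioning, and for cross-account writes the backup bucket should have ACLs disabled (bucket owner enforced) so the objects belong to the backup account rather than the writer. Restores are done by a separate, read-only role in the backup account, never by the Lambda that writes.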
patentatt wrote:
I personally know of at least one other hospital that was also affected and took the same actions of duplicating previous checks. So it's much more widespread than just one hospital at the very least.

indymike wrote:
> The evil hackers intentionally timed the attack to threaten COVID victims!!!! My god! They're MONSTERS! attacking and murdering the weakest of us! It's outrageous!

Actually, in this case, the shoe fits.

grammarnazzzi wrote:
I don't agree.

The hackers are criminals and extortionists. No more. The impact of the crime is embarrassment to businesses, time and money recovering from data loss, and an inconvenience to workers across all industries.

NPR played up an angle that doesn't exist in any meaningful or significant way. Why? More clicks.

I expect criminals to be assholes.

I expect more from NPR. They used to have more integrity and objectivity than they do today.

bigtex wrote:

lotsofpulp wrote:
Terrorism from within the country seems like it falls under the FBI's purview. Malware from people residing in other countries seems like a job for a government agency that can operate outside US borders.

legulere wrote:
If you have a stake in cryptocurrencies, you share part of the responsibility to make this possible.

encryptluks2 wrote:
If you are alive you share part of the responsibility of climate change.

igorkraw wrote:
For a large part of the population (though probably not yet the majority) the reaction to this would be "...yes? That's why we are calling for policy changes and changing our consumption patterns"

boeingUH60 wrote:
If you use cash for transactions, you share part of the responsibility for enabling human and drug trafficking, murder, burglary, fraud, and so on...

PS: I'm not even a fan of cryptocurrency.

cronix wrote:
If we're going down rabbit holes, then the internet is to blame.
Oh wait, the internet is made up of a bunch of computers. Computers are to blame. Oh wait, computers require electricity. Electricity is to blame.

faeriechangling wrote:
If you use US dollars you are personally culpable for the war in Iraq.

BolexNOLA wrote:
I'm not following. Genuinely curious what you mean by this.

legulere wrote:
With time it turned out the main use of cryptocurrencies (apart from speculation) is for illegal transactions, as they don't normally manage to compete with legal transactions, but provide a way to avoid law enforcement while staying pseudonymous or anonymous when receiving or sending money.

By supporting cryptocurrency infrastructure you are indirectly supporting those illegal transactions. Now you could say the same e.g. for bakers that they also feed war criminals or whatever, however bread's main use isn't feeding criminals. It's much more akin to providing money laundering services.

newbamboo wrote:
It's like investing in a company that does bad things. Some people invest in oil and some don't. People find ways to justify it to themselves but it is what it is. It's not something to be proud of yet many clearly feel no shame. That will change as the problem gets bigger, which will happen if crypto continues to enjoy success.

leoqa wrote:
I believe they're saying that crypto has enabled ransomware to become lucrative, and therefore all supporters of a decentralized payment method are also supporting digital piracy.

rabite wrote:
Western militaries have bombed schools, hospitals, and weddings across the world, and by your stated logic in this post you are personally morally responsible for this. Maybe getting a late paycheck and W-2 can be called tit for tat!

marnett wrote:
I don't think GP's logic extends to what you claimed.
I took their post as saying all those who are being personally enriched by cryptocurrencies have to acknowledge and take responsibility that one of the most widely adopted, global use cases for crypto is allowing the ransomware industry to mature. Your remark also assumes the poster is American. Assuming the morally dubious personal enrichment claim from GP, your statement would be true for anyone holding stock of Raytheon, Northrop Grumman, or Lockheed Martin, however.

rabite wrote:
By the username I assumed he was French, whose military frequently helps oppress and murder people across the MENA region.

Bitcoin is a currency, so no, any holder of any US or NATO allied regime's currency should be equally culpable as the currencies have their value rooted in military-enforced petrochemical trading monopolies. Dollars and francs both.

neocodesoftware wrote:
Here is how history dealt with similar attacks
https://www.historic-uk.com/HistoryUK/HistoryofEngland/Barba...

dragontamer wrote:
Hospitals are incredibly important services that have under-invested in cybersecurity. A lot of medical devices are on very old systems (Windows XP) with no upgrade paths. When it comes to ransomware, you want to attack something that's important, and something with weak defenses.

Hospitals are why I don't "blame" underinvestment into cybersecurity. Their #1 goal is saving people's lives, not messing with IT issues. You want hospitals to be paying for important equipment, important people, important skills. The whole IT part is just supporting the administrative tasks.

But yes, it means that paying the ransom is the better move a lot of the time than to actually try to restore IT services.

--------

At some point, it becomes more efficient to go after the hackers, rather than trying to defend every single Hospital.
Ex: When REvil accidentally hacked an oil-pipeline (instead of a more passive target), the blowback was so severe that REvil disbanded and ran away. It caused an international incident, to the point where Russia has caught the attackers and is offering them up to the USA as a peace offering.

What is rather unfortunate, is that we put more importance to our oil-infrastructure than our hospital infrastructure. But these ransomware attacks on health care have been going on for years. It's not new.

wayoutthere wrote:
Our hospital system is actively collapsing right now. They have chronically underinvested in "run the business" activities and taken any capital out of the system through buybacks and large capital expense budgets for building new facilities. I don't see any way out of this crisis other than public ownership of hospitals -- or a lot fewer hospitals and a lot more people dying at home or in the street because the system was too broken to care for them.

Knowing this country, I'm sad that this choice is likely a foregone conclusion.

dragontamer wrote:
We don't have enough nurses/doctors to open new hospitals. It doesn't matter how much money is in the business if there's simply not enough nurses/doctors to go around.

wayoutthere wrote:
We only don't have enough doctors and nurses because many have simply left healthcare entirely due to the low pay, impossible conditions and how the administrative tasks of the hospital were being placed on doctors and nurses in addition to their existing jobs with no additional pay. This is all while hospital systems were doing large dividends and share buybacks to extract capital and return it to shareholders.

That's a perfectly fine business model for a manufacturing plant, but we have to ask if that for-profit model makes sense for health care.
With a public system, you can just decide to pay doctors and nurses more until you actually have enough of them to run the system. You can make cost / service level trade-offs intentionally rather than "how much capital can we extract before the whole thing collapses"?

dragontamer wrote:
Doctors are one of the highest paid professions.

Nurses are well paid but arguably should be paid more; they're regularly reaching 6 figure salaries.

throwthere wrote:
I don't know. Doctors work 80+ hour weeks, calls and holidays making $50,000 a year in their twenties and early 30s after paying for the privilege of grueling med school. Then they come out, maybe work 60 hours but still have the call, weekends and holidays. Then people kind of smugly think salaries like $300,000 a year is a lot. Well yeah; it's a lot but it took a helluva time getting to that point making about minimum wage and once they're finished with training it's not like they're working 40 hour weeks with weekends and holidays off like most of us.

dragontamer wrote:
I mostly agree, but I'll point out that the $300,000 / year part isn't the problem.

If we just raise the doctors' salaries to $500,000/year, it won't really solve those other, more important issues.

------

Similarly, if we lower the cost of creating Doctors, I don't think we'll necessarily see a drop in their salary. We're in too much of a doctor shortage for that to happen, at least immediately. (Of course, the market / supply+demand will shift things in the long run, but that's over a 20+ year cycle and not over a short one)

908B64B197 wrote:
I have no doubt this is hard work, but is it smart work?

From having been around residents, I can tell there's a lot of work getting done 2-3 times because of poor communication or sleep deprived professionals making mistakes. And there's absolutely no automation in the field!

Why not simply work smart instead of hard?
throwthere wrote:
Do I understand what you're saying... doctors are working hard because they're not working smart? Maybe the answer is they just need a sufficiently smart person to tell them how to work?

quartesixte wrote:
Not to mention the almost impossible system of schooling, training, credentials, and general hoop-jumping to become a practicing doctor (and to reach that very desired $200k+ salary) means the supply of new doctors is incredibly constrained.

The amount of friends and peers of mine who gave up a career in medicine because the ridiculousness of this whole system turned them off completely is really saddening.

I understand that we should be diligent about making sure the people we entrust our lives to are trained and trustworthy, but do we really need:

- 4 years of undergraduate studies that have ZERO medical treatment curricula

- 2-3 years of work experience if you don't get into medical school right away

- Studying for the MCAT concurrently and trying to get a high score

- 4 years of medical school

- A high stakes test that determines if you will receive the residency you want

- A lottery system that "matches" you with hospitals for residency

- 3-5 years of this residency in hopefully the specialization of your choice (depending on if you passed that test), hopefully in a location you desired. You will be paid very little and work 80+ hour weeks

If you track this entire system perfectly, you will become a full fledged doctor that makes the 6-figure salary at around 32 - 35 years old. And every step of the way is a huge filter that breaks and washes out many promising potential doctors.

And then there is the medical school debt that you will be saddled with even if you wash out.

This system is madness and we need something more efficient to both incentivize more people becoming doctors and fewer people washing out.
908B64B197 wrote:
> And every step of the way is a huge filter that breaks and washes out many promising potential doctors.

> And then there is the medical school debt that you will be saddled with even if you wash out.

> This system is madness and we need something more efficient to both incentivize more people becoming doctors and fewer people washing out.

Who has the control over this? A legalized monopoly here in America (the AMA) that also famously restricts the number of available residency spots. This creates an artificial scarcity and props up the price of care for the public. Same organization that lobbied and got the government to create laws mandating "certificates of need" [0] to make sure they wouldn't have to compete in a fair market. This can end at any time. But it won't because this would go against their interests.

[0] https://en.wikipedia.org/wiki/Certificate_of_need

tyingq wrote:
It's not the main problem, but one problem with Hospital IT is doctors making IT decisions. I hear from others there's a similar problem with IT around lawyers.

arminiusreturns wrote:
I can confirm the lawfirm side of things. Back when I cofounded an MSP they were some of our best clients. Why? Because they all collude about pay stuff (illegal but what are you gonna do, sue all the best lawyers in town?) to the point where around 2008 they just started firing entire IT departments and sysadmins thinking they could pay less for outsiders who could then be scapegoats if shit went wrong. The funny thing was that they not only spent more money on the MSPs and consultants, but got less work and machinery for it. Getting anything approved was like pulling teeth, especially in places where it all had to go to the partners first.

I appreciate my time working with some great lawyers because I learned so much and still have many useful contacts (do you know the best IP lawyer in your state?) but it really created a quiet seething distrust of lawyers and the legal system in general.

I've never seen the worst people in society hailed as the paragons of the community as much as lawyers.

The biggest hospital gig I had was for the neurosurgeons and they got stuff done faster than any other hospital department because they had their own building, the pull, and the money to do so, and due to stories I heard I just knew they were an outlier.

dragontamer wrote:
There's a bit of responsibility from us IT / cybersecurity folks.

Our system is set up so that we defend the networks we've been assigned to. The greater cultural problems are someone else's problem. We don't actually look outside of our own networks.

Hospitals getting hacked? Well, that's sad, but not our problem. Not until they pay us at least.

------

Granted, I'm not sure what we _should_ be doing about this issue. But at least acknowledging our current culture would be a step forward. Good IT security comes from the top, from a culture of security.

p_l wrote:
Some of that is due to being told to not touch them. There's strong cultural memory of safety, security, or just sound planning being thrown out by non-IT people, till even new hires quickly start getting the instinct to bunker down.

[deleted]

bluedino wrote:
Hospitals have terrible budgets. There's never money to buy anything. Doctors make big salaries, but there's so much administrator bloat, it's similar to colleges.

wongarsu wrote:
If they can afford both administration bloat, then the money is clearly there. I'm not sure I can pity them for spending their money unwisely.

blackearl wrote:
People who are in highly educated fields but aren't IT adjacent somehow get the idea that computers are not that difficult. Doing IT for doctors and lawyers is usually frustrating.
mindslight wrote:
> _At some point, it becomes more efficient to go after the hackers, rather than trying to defend every single Hospital._

I'm sorry, but this is completely backwards. It implies some global authority over communications, which is the complete opposite of the Internet environment of communication in spite of hostile noise. Yeah sure it seems mighty cool that the US can pressure Russia to go after a notable group and shut them down. But thinking that can scale up to eliminating "Internet crime" is hopelessly naive. Unless we want to end up with a globally surveilled permission-required network where every node needs some associated identity, as well as making people even more liable for security failings (when their identity gets used as a proxy to attack others), it's a non-starter.

What needs to happen is that hospitals, every business, and really every individual needs to develop a small sense of network security. This is akin to how everybody has developed a basic intuition about electricity - ie don't touch it unless you know what you're doing or you will get shocked, start a fire, and/or die. The Internet is a multi-actor environment and connecting your stuff to a multi-actor environment is not free. If you want to avoid increasing the cost, knowing what you're doing can simply consist of avoiding networked devices, getting explicit security support and indemnification from the manufacturer, etc. The current culture of just plugging whatever in, proclaiming "works for me!", and then promptly forgetting there could be other implications is what's not sustainable.

bluedino wrote:
> Their #1 goal is saving people's lives, not messing with IT issues.

Two years ago (October 2020) when COVID first started and hospitals became cyber-attack targets, all the government agencies put out guidelines for them to follow.
https://www.cisa.gov/uscert/ncas/alerts/aa20-302a

As part of this, the hospital I was a sysadmin at sent me to cyber-security training. I was excited at first; it was part of a big healthcare coalition, running out of the top university in the state...

And we get to the classes. Most of the people there were the CISO, VP of cyber security, etc. Our entire first day was wasted just getting people signed into the labs. Web-based VMware client, a mix of Windows and Linux virtual machines, depending on the exercise.

I realize these people aren't 'hackers'. I realize all of these people don't have VMware or Linux experience. But I felt like I was walking my grandmother through creating an Amazon account. And all of these people are making 6 figures and the head of something security related at the largest hospitals in the state. Insanity.

Hopefully these people have very capable staff under them. The second day, we only wasted half a day with getting people to be able to log into a VM and follow step-by-step commands. It was basic stuff, what you'd find in a 'Hacking for Dummies' book. You'd run Kali Linux and do a vulnerability 'attack', analyze some files, patch some software so it was no longer vulnerable...

When we got to the part that was a short C program illustrating a buffer overflow, I realized the wrong people were attending the class. I think most others did as well as you never heard another peep from the 30 people on the Zoom meeting until the very last day, asking how they could get their continued earning credits or units or whatever they are called.

pc86 wrote:
I don't find it remotely hard to believe that the skills needed to be a 'hacker' and the skills needed to run a security organization for a billion-dollar healthcare organization have zero overlap. You don't want a CISO or VP of CS to be playing around in VMware. That's got nothing to do with their job.
bumby wrote:
> _What is rather unfortunate, is that we put more importance to our oil-infrastructure than our hospital infrastructure._

Just conjecture here, but this may be because the healthcare system is more resilient. Even as bad as it is, disruption to the healthcare system in these attacks is more local and more easily addressed by load shifting. Contrast that to oil infrastructure which may have more single points of failure as well as being more interconnected to the economy as a whole.

everforward wrote:
I'm not even sure that hospitals are under-investing in security so much as that the current security paradigms are dysfunctional for hospitals (and a few other key industries).

The current security paradigm includes a _lot_ of rapid adjustment. Upgrade this package immediately, ship a new binary using an upgraded library, firewall this off right now, etc.

I think that might be fundamentally incompatible with an environment where downtime can be counted in human lives. The risk calculations are a lot harder when death is a potential outcome of downtime caused by upgrades.

I don't have a magic bullet solution to that, but I do think that gets lost in a lot of the armchair security discussions around hospitals. They operate under very different expectations than the rest of us.

Retric wrote:
Yes, we should in theory have an option for a completely secure platform for such critical infrastructure.

Several attempts at creating such systems have been made in the past, but little effort has been put into actually leveraging them in the wider world.

mjevans wrote:
Pay for university professors to be experts in maintaining this civil infrastructure, for the maintenance of the commons. Reward bounties to students and volunteers who triage and resolve issues.
Have an expressly stated set of goals about the above as well as a core set of stable priority maintained software that gets extra security vetting. Formal analysis, whole classes of students in different locations scrutinizing and learning every line of code, function, and the overall design. Formal validation where possible.

wins32767 wrote:
Have you seen the kind of code professors write?

908B64B197 wrote:
> Hospitals are why I don't "blame" underinvestment into cybersecurity. Their #1 goal is saving people's lives, not messing with IT issues. You want hospitals to be paying for important equipment, important people, important skills. The whole IT part is just supporting the administrative tasks.

And yet everything crumbles and collapses when there's an IT outage. How interesting.

These organizations might not be culturally accustomed to having IT at the core of their business/mission, but it very much is. They might not value engineering skills and people in IT, but they have evolved an absolute dependency on those over the years.

The issue here is cultural, not technical. These ransomware attacks, breaches and outages are completely self-imposed. They can end anytime as soon as the hospital wants it. All they have to do is value and acknowledge IT as a fundamental pillar of their organization. Else the cycle will endlessly repeat itself.

atmosx wrote:
> Ex: When REvil accidentally hacked an oil-pipeline (instead of a more passive target), the blowback was so severe that REvil disbanded and ran away. It caused an international incident, to the point where Russia has caught the attackers and is offering them up to the USA as a peace offering.

In a similar vein: Hackers Apologize to Arab Royal Families for Leaking Their Data

https://www.vice.com/en/article/n7nw8m/conti-ransomware-hack...
| chapium wrote: | Medical devices running Windows 7 or earlier are not allowed on | networks anywhere. These devices connect through serial and are | accessed over terminal servers. The terminal servers are the | vulnerable point. | thr0wawayf00 wrote: | > Their #1 goal is saving people's lives, not messing with IT | issues | | Technically, profit tends to be the #1 goal, at least in the | US. Consequentially, this also drives a lack of investment in | cybersecurity. Also, US hospitals have some of the most opaque | pricing and billing processes of any industry that I can think | of, which makes it much easier for them to recoup losses from | patients that can't pay by shifting those costs onto the | insurance provider and other patients who can pay. This is one | of the reasons why basic things like bandages cost so much in | an ER. Despite efforts to bring transparency to medical | billing, hospitals are still resisting the push to publish | pricing and explain their business models in more detail. We've | become so culturally desensitized to the state of US healthcare | that we're now just defending it as "we really can't expect | hospitals to do any better than they are right now", and that | kind of apathy really scares me. | | As the healthcare sector continues to be consumed by private | equity, I don't expect to see the situation improve. Again, | it's all about profit, saving lives is secondary. | dragontamer wrote: | > Technically, profit tends to be the #1 goal, at least in | the US. Consequentially, this also drives a lack of | investment in cybersecurity. | | UK's hospitals fare no better in terms of cybersecurity. This | is about the culture of nursing / doctors / hospital | administrators, which is largely shared between USA and UK. | | This isn't a systemic issue that is solved by nationalizing | health care like UK did. | | USA health care system, culturally, is about saving lives. | Whether our system matches it is another story.
But the | underlying people largely do the right thing. | | ------ | | I think the systemic issues regarding health care / | infrastructure / investments are wholly independent of this | cybersecurity issue. | cromka wrote: | > USA health care system, culturally, is about saving | lives. | | With all respect, but for someone who had lived in the US | after moving from EU, I'd say it's first and foremost about | making money. It saves lives where saving is needed, but | I'd argue vast majority of cases are outpatient and the | culture is strikingly blunt about milking the patient. | zdragnar wrote: | Hospitals in the US are not especially profitable. | Including federal relief, median hospital profit margin | is 2%. | | The whole market is wildly distorted- starting with | doctor education up through private insurance and | government programs like Medicare and Medicaid- that | simple answers like this totally miss the mark. | briHass wrote: | Agreed. Any simplistic statement like "the problem with | healthcare in the US is [blank]" is evidence of someone | that doesn't know very much about the many complex and | interlinked issues. Likewise, someone thinking the system | can be fixed by "just doing X" is also being | reductionist. | | The pandemic showed a number of areas in healthcare where | people were generally ignorant. For example, thinking | that hospitals have tons of reserve capacity to handle | extraordinary events. Even well before the current | situation, hospitals (community) tended to run at about | 80% occupancy. Far from being a profit-consideration, | even the department of Health and Human Services mandated | that hospitals _had_ to run at least 55% occupancy, or | they lost benefits. | [deleted] | spamizbad wrote: | Profit in this sense likely refers to the value of the | hospital (or greater provider network) rather than simply | their EBITDA or whatever. 
| bumby wrote: | If profit were the primary motive, wouldn't you expect | non-profit institutions (both healthcare and otherwise) | to be in much better shape from a cybersecurity | standpoint? E.g., is there evidence that a large non- | profit healthcare system like the VA is substantially | better at cybersecurity? | | While profit no doubt impacts the decisions, it doesn't | appear to be the primary driver of cybersecurity lapses. | Taywee wrote: | I wouldn't. Both goals of maximizing profit and achieving | a goal on a minimal possible budget end up cutting costs | in places that aren't immediate blockers, where security | lies. In my experience, security is a focus at places, | either non-profit or otherwise, in one of the following | situations: | | * The organization has one or more squeaky wheel | employees that force everybody else to consider security | where they wouldn't otherwise. | | * The organization or another in the same industry has | already had a very painful security breach. | | * Security itself is part of the selling point. | | Non-profits are slightly different, but they still | experience many of the same problems because the goal is | still getting the most done on the budget you've got. | renewiltord wrote: | The US healthcare system cannot be primarily about saving | jobs or the AMA would not have ever lobbied to restrict | residencies to prevent a glut of doctors. | | Since the AMA is an organization of medical professionals, | one must conclude that it reflects their position: | protectionism for their field. | alisonkisk wrote: | 3maj wrote: | There is a lack of cybersecurity investments in almost | every industry. The issue is that the executives making the | decisions 1) Usually aren't knowledgeable about CyberSec and | 2) don't justify the investment because it's not something | they can physically point at and take credit for.
| atmosx wrote: | The "economist" proposed a solution: tie cyber-security | incidents to the stock market. The approach proposed was | something akin to "have someone count and display the | incidents of each company and blast radius". I'm not sure | if this would actually work. | tremon wrote: | The other capitalist option is to make cybersecurity | insurance mandatory, and impose high fees both to | reimburse victims and to some government watchdog/agency | (yes, government watchdogs and capitalism can co-exist). | Then, it will be in the insurer's best interest to have | clients with adequate cybersecurity implementations, and | the market can sort it out. | | At the same time, we should make sure that any insurance | company that chooses to pay the criminals instead loses | their license to operate. | MattGaiser wrote: | In that case it is a culture of low salaries and tech being | a support function. Governments aren't paying market | salaries for tech and are not willing to have highly | technical people in many leadership roles. | pc86 wrote: | Many governments aren't willing to have highly technical | people in _any_ leadership roles. I've worked with | government IT departments before where 100% of management | (not an exaggeration) was non-technical, as in had never | been a developer, sys admin, or any type of engineer. | From the front line managers the whole way up to the | "CIO." | MattGaiser wrote: | Oh I get it. I was a government dev too and sometimes (I | went through 3 managers in a year once) we had non- | technical management too. | [deleted] | bell-cot wrote: | I certainly agree with much of your attitude toward American | hospitals. But I don't think dragontamer's point had anything | to do with greedy American corporate hospitals. So mentally | substitute "community-owned co-ops of small rural hospitals | out in farm country" if you need to. | | The point is, just like it says in the Preamble to the U.S.
| Constitution - "...insure domestic Tranquility, provide for | the common defence..." - that protecting _everyone_ from | large-scale, organized, high-skill malicious activity is a | bedrock function of _any_ national government. NONE of the | hospitals, water treatment plants, small corporations, city | governments, ordinary citizens, etc. should need to worry | about high-cost, high-skill self-protection against | ransomware groups - any more than they should have to hire | and equip private security forces to protect themselves | against mafia enforcers, Russian paratroopers, or missiles | launched from North Korea. | newbamboo wrote: | What about those that are non-profit? You can refuse to do | business with for profit hospitals. Getting rid of the for | profit does more harm than good, especially for underserved | communities. | slickdork wrote: | It should be easy to avoid for-profit hospitals as well, | since non-profits outnumber them about 2:1 | | https://www.aha.org/statistics/fast-facts-us-hospitals | alisonkisk wrote: | boeingUH60 wrote: | There are many "non-profit" billion-dollar hospital chains | in the US. | | A few examples: | | Ascension Health - $5.7bn net income on $27bn revenue in | fiscal 2021 [1] | | Cleveland Clinic - $1.3bn net income on $6bn revenue in H1 | 2021 [2] | | Mayo Clinic - $728mn net income on $14bn revenue in 2020 | [3] | | "Non-profit" doesn't mean they don't like profits just like | corporations. It's a designation meaning no shareholders, | as in money made by the organization stays within the | organization. | | 1- https://www.fiercehealthcare.com/hospitals/ascension- | latest-... | | 2- https://www.beckershospitalreview.com/finance/cleveland- | clin... | | 3 - | https://www.beckershospitalreview.com/finance/cleveland- | clin...
| throwawayboise wrote: | I like the term "not-for-profit" rather than "nonprofit" | as I think it more accurately captures that while the | primary goal is not profit (unlike a traditional | corporation), it does not mean that they don't make | money. Pedantic, perhaps. | dehrmann wrote: | > Their #1 goal is saving people's lives, not messing with IT | issues. | | If you're going to adopt a new tool, you maintain it. They seem | to sterilize scalpels just fine, so they should be able to | maintain second-order tools, too. | blendergeek wrote: | My only question: Did Ultimate Kronos Group (UKG) pay the ransom? | If UKG chose not to pay the ransom (the morally right thing to | do), then I think we should cut them some slack. However, if UKG | did pay the ransom, I hope they fail and go under because of this | hack. | pgrote wrote: | >A month-old ransomware attack is still causing administrative | chaos for millions of people, including 20,000 public transit | workers in the New York City metro area, public service workers | in Cleveland, employees of FedEx and Whole Foods, and medical | workers across the country who were already dealing with an | omicron surge that has filled hospitals and exacerbated worker | shortages. | | I was surprised when it first happened there wasn't more | publicity. To find out it is still going on a month later is jaw | dropping. | dragontamer wrote: | Month? Try years. | | Ransomware attacks on hospitals are a bread-and-butter move by | the hackers in these times. I've been hearing stories like this | since 2016. | | Hospitals pay the ransom and have terrible IT infrastructure. | They're the ideal target. | julianlam wrote: | I believe pgrote is specifically referring to the Kronos hack | being one month ongoing. | msoad wrote: | Tesla was impacted by this as well. Here is what Elon Musk wrote | to all: | | > Unfortunately, our payroll processor, Kronos, has been hit with | a ransomware attack, making them temporarily unavailable.
We are | tracking things manually for now and will issue pay manually, if | they are unable to get back online. We are doing everything we | can from our side. Sorry for the trouble. Elon | coldcode wrote: | When you depend on third parties for critical but not directly | business related tech you are just as vulnerable to disruption | as if you directly got hacked. Even huge companies with | ridiculous valuations can fail to audit indirect suppliers like | payroll (i.e. Kronos) or air conditioning contractors, like in | the famous Target hack. | wolverine876 wrote: | The job of Tesla employees is to deliver the goods, even when | it takes super-human efforts and creative miracles. The job of | Musk is to pay them, even when it takes super-human efforts and | creative miracles. No excuses. | dlgeek wrote: | While Musk deserves a huge amount of criticism, what part of | "We are tracking things manually for now and will issue pay | manually, if they are unable to get back online." sounds like | an excuse to avoid the job of paying them? | wolverine876 wrote: | It's the 'sorry for any problems' part. Don't be sorry, | deliver on your responsibility. However, my point is more | about management in general. | d3ad1ysp0rk wrote: | Maybe I'm in the minority, but my issues with apologies | from CEOs or companies are that they are generally lacking | action or avoiding accountability. In this case, the | apology, like any somewhat genuine one, adds to the note. | It's the difference between "Sorry we lost your data." | and "We have taken the following significant actions to | make sure this never happens again, and have provided the | following services and/or compensation to make it right | to you. We are sorry." | | And I'm someone who generally finds Musk hard to like.
| sodality2 wrote: | > Don't be sorry, deliver on your responsibility | | And it sounds like that's exactly what he plans on doing, | should there be extended problems (as much as it pains me | to defend him) | geogra4 wrote: | For a long time I used to work at one of Kronos's competitors. | This space is so incredibly behind the times that it doesn't | surprise me at all. Up until recently time capture/entry software | was still on premise (or even via paper time sheets!) for most | large enterprises. | _fat_santa wrote: | I always wondered why. One of my assumptions is that since | payroll/timekeeping does not really change, the incentive to | update these systems is not there. | | Also I bet these systems have lots of little moving parts under | the surface no one really considers, but these little parts | prevent an upgrade. | wnolens wrote: | I worked for a medium size payroll software company. | | Payroll is a highly regionalized problem - every state and city | has different rules/taxes and very unique ones as well. It's | often not so simple to generically describe a payroll tax and | plug in different configs per region. Much hidden complexity | that's grown organically over time as laws/taxes change | (which they do!). | | A rewrite would be an archaeological dig. I would have to be | paid a lot to take that problem on. | | It's also not trivial software to manage, so often it's | outsourced as a service (run by humans) on top of software | that cuts the checks for your employees. Makes me think that | the margins are low? I dunno. | | Modern companies like gusto are changing this | ghiculescu wrote: | Kronos is very very good at account management, so baseball | tickets and steak dinners. Everyone agrees their product is | awful but it's very hard to break that hold. (Disclosure: | competitor) | rossdavidh wrote: | From the standpoint of not getting locked out of your data by | ransomware, one could do worse than paper timesheets.
| patentatt wrote: | Calling something behind the times because it's on prem is | exactly what caused these large corps to put their trust in | this crappy vendor's 'cloud' which is what made it such a | lucrative target in the first place. If every company were | running their infrastructure on prem this wouldn't have | happened in quite the same way. So no, the 'cloud' is not | always better just because it's the 'cloud' | judge2020 wrote: | If it were 'in the cloud', now the hacker has to interface | with the time management / payroll service as if it were a | web browser client trying to access it, assuming the network | entry was via the hospital itself or some insecure medical | device physically present in the hospital. In absence of a | properly-segmented LAN, it's better to have a segmented-by- | design WAN in the form of SaaS and cloud vendor-based | solutions. | notwhereyouare wrote: | Travel and Leisure salaried employees can't put in PTO time, and | the part time employees can't capture time. ___________________________________________________________________ (page generated 2022-01-16 23:00 UTC)