
Malware Is 'Rampant' On Medical Devices In Hospitals

Posted by Soulskill
from the physician-heal-thine-pc dept.
Dupple sends this quote from MIT's Technology Review: "Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable. While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion. [He said], 'Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.' ... Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed."
  • Meh... (Score:4, Interesting)

    by Anonymous Coward on Wednesday October 17, 2012 @01:56PM (#41683809)

    When someone does get hurt, it will be a very clear case of negligence on the part of the manufacturer, and the lawsuit will bring everyone else in line.

    Sad that this is the way it works in America though.

    • Re:Meh... (Score:5, Funny)

      by robthebloke (1308483) on Wednesday October 17, 2012 @02:05PM (#41683939)
      Everyone would just start leaving hospital with an enlarged wanger, and a $12,000,000,000,000,000 bank deposit from a Nigerian prince.
    • Except for when they pinpoint the nurse or tech who used the device to connect to another site.

      It is a damned if you do and damned if you don't situation.

      You don't update your OS, you could get hacked. You do update, the updates make the device unusable.

      • Re:Meh... (Score:5, Informative)

        by Anonymous Coward on Wednesday October 17, 2012 @02:45PM (#41684459)
        The question is why would medical devices get malware on them just because the OS is unpatched? The frigging device could be Win95 but it shouldn't matter if all it ever runs is the vendor's software.

        If people are browsing the internet on them or sticking USB drives in them they are doing things very wrong.

        Medical people should be familiar with the terms "quarantine" and "isolation".
        • Re:Meh... (Score:5, Insightful)

          by HideyoshiJP (1392619) on Wednesday October 17, 2012 @03:03PM (#41684675)
          While this should be true, these devices are increasingly being connected to networks to offer integration with EHR/HIS for polling information, and especially in radiology, where images are being sent digitally to PACS. These machines often stay unpatched, yet get connected to the network for transfers. It's important to maintain a separate "medical device" network, but this only goes so far, especially when vulnerabilities bypass the Windows firewall on the medical device, allowing some infected PC/device/server to broadcast worms all over the place.
          • Re: (Score:2, Informative)

            by Dishevel (1105119)

            Why would you use a "Windows Firewall" on your separate "Medical Device Network".
            I would set it up as a physically separate network that only connects to the local network in one place and have my firewall there.
            I can guarantee you that it will not be a windows server sitting on that hot seat.
            Every bit of information entering the "Medical Device" network will be a known entity.
            Only specific IPs will ever be able to send into that network and those IPs will still have the content of the information locked do

            • Re:Meh... (Score:5, Informative)

              by radtea (464814) on Wednesday October 17, 2012 @05:07PM (#41686261)

              I would set it up as a physically separate network that only connects to the local network in one place and have my firewall there.

              Your whole reply can be summarized as, "I have never worked in anything like a hospital IT environment."

              Moving many gigabytes of information around transparently and quickly between subtly incompatible devices (DICOM isn't so much a "standard" as a "suggestion" if you look at the way vendors actually implement) coupled to a bespoke PACS network is barely possible without any additional list of pie-in-the-sky requirements of the kind you list.

              Add to that fun requirements such as that many hospitals are also teaching environments and so have to interface (again, transparently and at very high speed) to university networks, and then bring in external consulting scientists (Hi) who may need access to some patient data AND who may be hooking up research devices to your pristine medical network for clinical trials (this is how progress gets made, you see) and your cartoon locked-down network becomes completely useless in the real world because you've only considered about 60% of the actual uses it has to support.

              • by Dishevel (1105119)

                What medical device needs high speed data transfers?
                A few pics from MRIs maybe. You are talking mostly about devices that will trickle small amounts of information.
                There is no reason not to separate medical devices onto their own network. What could possibly make that a bad thing?
                Is it more difficult than just slamming them onto your local network and hoping it works out? Yes.
                Is it even close to responsible? Not even.
                Most devices on the "Medical Device" network will be small intermittent communication or sm

                • Re:Meh... (Score:5, Informative)

                  by ChumpusRex2003 (726306) on Wednesday October 17, 2012 @07:15PM (#41687633)

                  You're right about the network architecture, but things rapidly get complex.

                  Let's take the example of MRI/CT. How much data is in a CT or MRI study, or even an X-ray study? A single X-ray image (e.g. a Chest X-ray) taken with a modern digital machine, is about 60MB (30 megapixel image, 16 bits per pixel).

                  My new CT scanner, if I prescribe a "full neuro" protocol, generates 16000 files of 500 kB each. If I'm doing a "full neuro", it means that minutes count. I need to have that data set sent to not just a PACS (image repository and viewing software), but also to a PC with 3rd party software (which has the complex software capable of analysing the data) and I have to have it ready within 5 minutes. Not only do I need to have it in my office in 5 minutes, the doctor who is dealing with the patient in the ER needs to have (some) of it in the ER within 5 minutes. Then, after everything is said and done, I need to send the data to my office at the university, so that I can run it through my research software.

                  If it was just PACS - no problem. You put the scanners and the PACS incoming-data server on a restricted VLAN. Have the incoming PACS server communicate with the main PACS application and data-store servers over a private VLAN, and have the PACS app servers face the hospital clients on the main hospital VLAN (or individual departmental VLANs).

                  However, at my hospital we also get several hundred CTs/MRIs sent in from outside per day, that need to get onto the PACS. Many come on CD/DVD. Some come via VPN tunnels. Some come via 3rd party proprietary transfer services. (The DICOM protocol used to transfer medical images doesn't support encryption, so must be tunnelled in some way). Now you have to somehow connect all these incoming points to your restricted VLAN (or you open your wallet to your PACS vendor for another software license at a cost that makes Oracle Enterprise look like chump change).

                  What if your PACS vendor has you by the balls on your SAN contract, so that you are paying $10 per GB + $2 per GB per year? Do you really want to send that 8GB dataset to PACS (which can't actually do anything useful with it- and remember, as a medical-grade archiving device, you can't delete)? Or do you now need to start putting PCs with 3rd party software on your restricted VLAN so they can talk to the scanners?
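ChumpusRex2003's point that DICOM associations cross the restricted VLAN in the clear cuts both ways: a monitor sitting on that VLAN can read them too. The A-ASSOCIATE-RQ that opens every transfer carries the calling and called AE titles and the SOP classes being negotiated, so passively parsing it yields an inventory of which scanner talks to which PACS and what it sends, without touching the unpatched devices. The parser below is an added example written for this page, not code from the commenter or from any PACS vendor; the PDU layout follows DICOM PS3.8 (section 9.3.2), the AE titles and sample bytes are constructed, and it assumes the association is not wrapped in TLS or a VPN tunnel.

```python
"""Parse a cleartext DICOM A-ASSOCIATE-RQ (the PDU a scanner sends to open an
association with a PACS) and extract what a passive network monitor cares about.
Added example; PDU layout per DICOM PS3.8 sec. 9.3.2; all sample data constructed."""
import struct

PDU_A_ASSOCIATE_RQ = 0x01
ITEM_APPLICATION_CONTEXT = 0x10
ITEM_PRESENTATION_CONTEXT_RQ = 0x20
ITEM_USER_INFORMATION = 0x50
SUBITEM_ABSTRACT_SYNTAX = 0x30
SUBITEM_TRANSFER_SYNTAX = 0x40
SUBITEM_MAX_LENGTH = 0x51

# A few well-known SOP class UIDs so the log line names what is being stored.
SOP_CLASS_NAMES = {
    "1.2.840.10008.1.1": "Verification",
    "1.2.840.10008.5.1.4.1.1.1": "CR Image Storage",
    "1.2.840.10008.5.1.4.1.1.2": "CT Image Storage",
}


def _item(item_type, payload):
    """Item/sub-item header: type, reserved byte, 2-byte big-endian length."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def build_associate_rq(called_ae, calling_ae, abstract_syntax, transfer_syntaxes,
                       app_context="1.2.840.10008.3.1.1.1"):
    """Assemble an A-ASSOCIATE-RQ with consistent length fields (test fixture)."""
    pc = struct.pack(">BBBB", 1, 0, 0, 0)  # presentation-context-id 1, 3 reserved bytes
    pc += _item(SUBITEM_ABSTRACT_SYNTAX, abstract_syntax.encode("ascii"))
    for ts in transfer_syntaxes:
        pc += _item(SUBITEM_TRANSFER_SYNTAX, ts.encode("ascii"))
    user_info = _item(SUBITEM_MAX_LENGTH, struct.pack(">I", 16384))  # max PDU we accept
    body = struct.pack(">HH", 0x0001, 0)              # protocol version 1, reserved
    body += called_ae.ljust(16).encode("ascii")[:16]  # AE titles: 16 bytes, space padded
    body += calling_ae.ljust(16).encode("ascii")[:16]
    body += b"\x00" * 32                              # reserved
    body += _item(ITEM_APPLICATION_CONTEXT, app_context.encode("ascii"))
    body += _item(ITEM_PRESENTATION_CONTEXT_RQ, pc)
    body += _item(ITEM_USER_INFORMATION, user_info)
    return struct.pack(">BBI", PDU_A_ASSOCIATE_RQ, 0, len(body)) + body


def _iter_items(buf):
    """Yield (type, payload) for consecutive items; reject lengths that overrun."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated item header at offset %d" % off)
        itype, _, ilen = struct.unpack_from(">BBH", buf, off)
        off += 4
        if off + ilen > len(buf):
            raise ValueError("item 0x%02x length %d overruns PDU" % (itype, ilen))
        yield itype, buf[off:off + ilen]
        off += ilen


def parse_associate_rq(pdu):
    """Return AE titles and proposed presentation contexts; raise on bad framing."""
    if len(pdu) < 74:  # 6-byte PDU header + 68 bytes of fixed fields
        raise ValueError("PDU too short for an A-ASSOCIATE-RQ")
    pdu_type, _, pdu_len = struct.unpack_from(">BBI", pdu, 0)
    if pdu_type != PDU_A_ASSOCIATE_RQ:
        raise ValueError("not an A-ASSOCIATE-RQ (type 0x%02x)" % pdu_type)
    if pdu_len != len(pdu) - 6:
        raise ValueError("PDU length %d disagrees with %d bytes present" % (pdu_len, len(pdu) - 6))
    if not struct.unpack_from(">H", pdu, 6)[0] & 0x0001:
        raise ValueError("peer does not offer protocol version 1")
    result = {"called_ae": pdu[10:26].decode("ascii", "replace").rstrip(),
              "calling_ae": pdu[26:42].decode("ascii", "replace").rstrip(),
              "application_context": None, "presentation_contexts": []}
    for itype, payload in _iter_items(pdu[74:]):
        if itype == ITEM_APPLICATION_CONTEXT:
            result["application_context"] = payload.decode("ascii", "replace")
        elif itype == ITEM_PRESENTATION_CONTEXT_RQ:
            if len(payload) < 4:
                raise ValueError("presentation context item too short")
            ctx = {"id": payload[0], "abstract_syntax": None, "transfer_syntaxes": []}
            for stype, sub in _iter_items(payload[4:]):
                if stype == SUBITEM_ABSTRACT_SYNTAX:
                    ctx["abstract_syntax"] = sub.decode("ascii", "replace")
                elif stype == SUBITEM_TRANSFER_SYNTAX:
                    ctx["transfer_syntaxes"].append(sub.decode("ascii", "replace"))
            result["presentation_contexts"].append(ctx)
        # User-information and unknown items are skipped rather than trusted.
    return result


def summarize(pdu):
    """One log line per association request, as a passive monitor would emit."""
    r = parse_associate_rq(pdu)
    classes = ", ".join(SOP_CLASS_NAMES.get(c["abstract_syntax"], c["abstract_syntax"] or "?")
                        for c in r["presentation_contexts"])
    return "DICOM assoc %s -> %s [%s]" % (r["calling_ae"], r["called_ae"], classes)


if __name__ == "__main__":
    # Constructed sample: a CT scanner proposing CT Image Storage to the PACS.
    sample = build_associate_rq("PACS_ARCHIVE", "CT_SCANNER_1", "1.2.840.10008.5.1.4.1.1.2",
                                ["1.2.840.10008.1.2", "1.2.840.10008.1.2.1"])
    print(summarize(sample))
```

Every length field is checked against the bytes actually present before anything is sliced, which matters when the parser is fed traffic from devices that cannot be patched: a malformed PDU should produce a logged ValueError, not a crash in the monitor.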

          • by eth1 (94901)

            While this should be true, these devices are increasingly being connected to networks to offer integration with EHR/HIS for polling information, and especially in radiology, where images are being sent digitally to PACS. These machines often stay unpatched, yet get connected to the network for transfers. It's important to maintain a separate "medical device" network, but this only goes so far, especially when vulnerabilities bypass the Windows firewall on the medical device, allowing some infected PC/device/server to broadcast worms all over the place.

            Yep. It's nigh-on impossible to isolate stuff any more, because at some point, everything needs to talk to something outside its playpen.

            I manage firewalls for a large chain of hospitals, and we have to deal with this all the time. Vendors need to VPN in to support their gear, PACS images need to go to off-hours remote radiologists, etc. We ended up having to put separate firewalls in every facility, and any "no-patch" system gets locked away in its own solitary confinement DMZ with very tight access rule
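ChumpusRex2003's VLAN layout (scanners and the PACS ingest server on a restricted VLAN, PACS app servers facing the hospital clients) and eth1's per-facility firewalls with no-patch systems in their own DMZ both come down to a default-deny allowlist of zone-to-zone flows. One way to check that the allowlist actually holds is to run the firewall's flow logs against the written policy and report every flow that slipped through, which is also how an infected workstation probing a scanner over SMB shows up. The script below is an added example for this page, not the commenters' code or any hospital's configuration; the zone names, IP ranges, port choices, log format and log lines are all constructed, and port 5432 is assumed for the PACS ingest-to-application hand-off.

```python
"""Audit observed flows against a medical-device network segmentation policy.
Added example: zones, IP ranges, ports, the log format and the log lines are constructed."""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "modality":    ipaddress.ip_network("10.10.0.0/24"),    # CT/MRI/CR scanners
    "pacs_ingest": ipaddress.ip_network("10.20.0.0/24"),    # DICOM store SCP on restricted VLAN
    "pacs_app":    ipaddress.ip_network("10.30.0.0/24"),    # PACS application/data servers
    "clients":     ipaddress.ip_network("10.100.0.0/16"),   # hospital workstations
    "nopatch_dmz": ipaddress.ip_network("10.250.0.0/28"),   # systems that cannot be patched
    "vendor_vpn":  ipaddress.ip_network("172.16.99.0/24"),  # vendor support tunnel endpoint
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset  # permitted destination ports
    proto: str = "tcp"


# Default deny: any inter-zone flow not matched here is a violation.
POLICY = [
    Rule("modality", "pacs_ingest", frozenset({104, 11112})),        # DICOM C-STORE to ingest only
    Rule("pacs_ingest", "pacs_app", frozenset({104, 11112, 5432})),  # hand-off on the private VLAN (5432 assumed)
    Rule("clients", "pacs_app", frozenset({443})),                     # viewers reach app servers, nothing else
    Rule("vendor_vpn", "nopatch_dmz", frozenset({3389})),              # vendor remote support into the DMZ
]


def zone_of(ip):
    """Map an address to its zone; anything unmapped is 'unknown' and never allowed."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Constructed log format: '<timestamp> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto.lower()}


def is_allowed(flow, policy=POLICY):
    sz, dz = zone_of(flow["src"]), zone_of(flow["dst"])
    if sz == dz:
        return True  # intra-zone traffic never crosses the firewall; out of scope here
    return any(r.src == sz and r.dst == dz and flow["port"] in r.ports
               and flow["proto"] == r.proto for r in policy)


def audit(lines, policy=POLICY):
    """Return one human-readable record per flow the policy does not permit."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if not is_allowed(f, policy):
            violations.append("%s %s(%s) -> %s(%s) %s/%d" % (
                f["ts"], f["src"], zone_of(f["src"]), f["dst"], zone_of(f["dst"]),
                f["proto"], f["port"]))
    return violations


# Constructed flow log: four legitimate flows and three that should never happen.
SAMPLE_FLOWS = """\
2012-10-17T14:01:02 10.10.0.15 10.20.0.5 11112 tcp
2012-10-17T14:01:09 10.20.0.5 10.30.0.10 5432 tcp
2012-10-17T14:02:41 10.100.12.7 10.30.0.10 443 tcp
2012-10-17T14:03:55 10.100.12.7 10.10.0.15 445 tcp
2012-10-17T14:04:12 172.16.99.20 10.250.0.3 3389 tcp
2012-10-17T14:05:30 10.250.0.3 10.100.12.7 445 tcp
2012-10-17T14:06:01 10.10.0.15 10.30.0.10 11112 tcp
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS.splitlines()):
        print("VIOLATION", v)
```

The three hits in the sample are the interesting cases: a workstation reaching a scanner on SMB (the worm path HideyoshiJP describes), a no-patch box initiating a connection out of its DMZ, and a scanner bypassing the ingest server to talk to the PACS application tier directly. Because unmapped addresses fall into "unknown", a device someone quietly plugged in also surfaces as a violation rather than disappearing.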

          • by CAIMLAS (41445)

            My experience in several different hospitals is that it largely depends on the size of the hospital.

            Smaller hospitals have shit for IT skill or capabilities, usually. You'll have 50-200 workstations with a dozen proprietary systems, many of which may not even run Windows (eg. legacy stuff that runs eg MUMPS). You'll have multi-million-dollar grant funded xray machines running Windows NT or Windows 95sp1 because that's all they'll run. These will probably all be on a topographically flat network with a half dozen

      • by Krojack (575051)

        Hospital IT tech to patient: Sir, I need to reboot the computer controlling your heart pump to install some Windows updates. I need you to keep squeezing this "squeeze bulb" a few times a second while the computer is rebooting.

        • Re:Meh... (Score:5, Interesting)

          by CodeheadUK (2717911) on Wednesday October 17, 2012 @04:43PM (#41686029) Homepage

          This is why some hospitals in the UK got hit hard by Conficker. Microsoft had patched the vulnerability months before, but some systems were deemed 'too important' to reboot or suffer any downtime. As a result, they went unpatched and got floored when the shit hit the fan months later.

          A system I was working on got hit badly by Conficker because we had a four month approval process for patches. We were still waiting for approval to install the patches when the whole network got infected.

          Needless to say a much shorter approval process is now in place.

  • What about networks (Score:5, Interesting)

    by Anonymous Coward on Wednesday October 17, 2012 @01:59PM (#41683841)

    I don't know about medical devices, but I do know that the last time I was in the emergency room I brought my laptop since I knew I would be there for a few hours. After getting tired of games and slashdot I decided to poke around the wifi network that I was on. I found an unsecured smb share on the network and downloaded a 17gb .bak file of patient records. Needless to say I deleted the file and sent an anonymous email to the administrator. 3 months later nothing had changed....

    • by FacePlant (19134) on Wednesday October 17, 2012 @02:05PM (#41683943)

      Hospitals are notorious for this kind of IT stupidity.

      • by ackthpt (218170) on Wednesday October 17, 2012 @02:36PM (#41684331) Homepage Journal

        Hospitals are notorious for this kind of IT stupidity.

        Most institutions are, including the financial sector, government, schools as well as millions of homes.

        Back when Windows 95 rolled out Microsoft was incredibly naive. Where for decades mainframe operating systems were hardened against attacks, Microsoft failed to learn from those experienced in the field and some clever lads found they could manipulate financial software remotely, thanks to a complete lack of security with ActiveX. Shocking. For over a decade Windows continued to be loaded with security holes and a lack of internal checks to ensure software should be allowed to do things it was. Where we had process monitoring applications on RSTS and *nix systems, there was no means to track what was going on, particularly with DLLs on your desktop or laptop Windows system. Yet Windows attempted to be able to do everything and uneducated users (for who is truly educated where a home computer is concerned?) trusted it to be a good steward of their data and other assets. Meanwhile good Bill Gates and Chair-tosser Steve Ballmer were plotting next conquests and becoming fabulously wealthy. Honestly, should anyone be surprised? A good bet would have been requiring a standard operating system, a good clean one, for medical systems as life depends upon them. Nope, everyone gets cheap - use Windows and commodity hardware.

        They really should include a warning that the healthcare facility may have information of a personal nature about you on Windows or that the machine going 'Bing' which keeps you alive may also and you accept these risks and relieve them of responsibility when it all goes to pot.

        • Windows 95, in your case, was a single user multimedia operating system, not a hardened Unix implementation. It was never meant to be. It was as vulnerable as DOS and Windows before it, just the way people liked it.

          ActiveX libraries are DLLs that have COM classes which expose IDispatch. They have the same security as any other DLL. You can't blame THAT technology. You can, however, blame Windows Scripting and Internet Explorer for allowing these DLLs to be loaded via remote and untrusted content.

          Windows is
      • by BVis (267028) on Wednesday October 17, 2012 @03:10PM (#41684761)

        Probably more accurate to say that hospital administrators would rather rip their own arms off than fund IT adequately. Hospitals are *notorious* for under-funding IT departments.

    • by drainbramage (588291) on Wednesday October 17, 2012 @02:12PM (#41684023)

      Same thing I've seen in hotel web sites, but I digress.
      An additional problem from a HIPAA perspective is that (per your experience) the data was not encrypted...
      That may seem to be a huge oversight to someone on /. but a lot of medical staff are not terribly computer security conscious.
      Heck, too many IT staff don't understand security.

      When devices, networks, and users fail to protect data individually or collectively there will be issues.
      That is no excuse for wide open access to medical devices. I do wonder if they have to go through a full FDA acceptance period for software/firmware updates? I suspect that could be an issue.
      --
      No brain, no pain.

    • by Anonymous Coward on Wednesday October 17, 2012 @02:38PM (#41684353)

      I found an unsecured smb share on the network and downloaded a 17gb .bak file of patient records. Needless to say I deleted the file and sent an anonymous email to the administrator. 3 months later nothing had changed....

      Usually anyone who dares tell the Emperor that he's actually naked and not wearing any "new clothes" gets his head chopped off for pointing out the truth.

      Lemme tell you what would've happened at one particular hospital I know of: The IT administrator would've contacted law enforcement and provided them with all the video footage from the multitudes of security cameras around the place, along with the patient and visitor lists, as well as all the wifi access and activity logs containing your mac address and anything else logged and/or identifiable about your laptop, to try to find out your real identity for criminal prosecution purposes.

      Despite the fact that they are extremely weak in securing their network resources in the first place, and don't have any realtime alerting mechanisms to detect any kind of unauthorized access while in progress.... they do go to ridiculous lengths to log and record everything necessary to try to identify you so they can come and get you long after the fact.

      • by AmiMoJo (196126)

        The only sensible thing to do is send the file to multiple newsrooms with an explanation of where it came from. Do it anonymously, of course.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      I don't know about medical devices, but I do know that the last time I was in the emergency room I brought my laptop since I knew I would be there for a few hours. After getting tired of games and slashdot I decided to poke around the wifi network that I was on. I found an unsecured smb share on the network and downloaded a 17gb .bak file of patient records. Needless to say I deleted the file and sent an anonymous email to the administrator. 3 months later nothing had changed....

      Deleting the file and sending an anonymous email to the hospital administrator is like deleting a tape and telling a car thief that he was videotaped and to be more careful next time. If their network is still unsecured, why not be awesome and protect other patients by filing a complaint and cc'ing lots of people at the hospital that you have reported their irresponsible negligence to the US Dept of Health & Human Services at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

    • by shentino (1139071) on Wednesday October 17, 2012 @02:53PM (#41684549)

      That's because they have no incentive to listen to you.

      Report it as a HIPAA violation and stay anonymous (5th amendment implications for you downloading it yourself), and watch them get burned.

      If the regulators don't even care, then give up.

      The system may be broken, but it sure as hell doesn't belong to you.

    • Why was he in the emergency room yet capable of deliberately bringing a laptop for the long wait?

      Because he was using the ER for something he should have gone to the doctor paid through his insurance rather than the ER which is free if you don't have insurance.

      And he wonders why hospitals have no money to spend on IT security.

      • by CowTipperGore (1081903) on Wednesday October 17, 2012 @03:09PM (#41684745)

        I get your point but this is a stupid example to use for it. Should he have gone to his GP for a severely twisted ankle or for a high fever on Saturday evening? For that matter, he could have been there with his significant other, child, or friend.

      • by Hillgiant (916436) on Wednesday October 17, 2012 @03:51PM (#41685351)

        ... rather than the ER which is free if you don't have insurance.

        No. While it is true that the ER cannot deny you care, they will bill you if you do not have insurance. Failure to pay will have all of the same implications of ignoring any other bill.

        This "we don't have to insure the poor because they can just go to the ER" trope has got to stop.

      • Few people in the E.R. got there alone.
        If you ever have to transport someone to the hospital you can probably expect a wait.
        Bring a book or something because you may not be able to enjoy the view from there.

      • Gashing your leg open and needing stitches is an emergency. You are more than capable of bringing a laptop on your way out. Sorry to break it to you, but the emergency room doesn't exist solely for gunshot victims and people who lost their limbs in tragic accidents, despite what you might see on TV.

        The emergency room is also far from free in the United States. They might treat you up front, but you still owe them a severely exaggerated amount of money for the effort, which they aim to collect.

      • by narcc (412956)

        Because he was using the ER for something he should have gone to the doctor paid through his insurance rather than the ER which is free if you don't have insurance.

        Someone is grossly misinformed. The ER is not even close to free if you don't have insurance. Some hospitals will offer a small discount to the uninsured, but most of the time you'll pay full price for the visit -- and it is incredibly expensive.

        Over-reliance on the private insurance system is what keeps those costs (artificially) high. Why do you think it's standard practice to perform unnecessary tests and procedures? The patient isn't directly paying for those services, so doctors and hospitals milk t

      • by sumdumass (711423)

        Or he took someone else who was injured to the emergency room and had to wait on them to be treated.

        In my area, if you show up to the ER on your own, you do not get any pain medications, and sometimes the pain is too much to drive on your own. There are simple procedures a regular doctor would send you to the ER for in the first place, like stitching up a cut or getting an MRI or X-rays for an ankle injury, that do not affect your ability to use a laptop even if you are there for yourself.

        There are plenty of reasons t

      • by mspohr (589790)

        The ER isn't free. Ever.
        If you don't have insurance, you will be charged the hospital's highest "rack rate" (much higher than those with insurance).
        They will then hound you with professional bill collectors until you pay up. They even have bill collectors stalking patients in the hospital.
        The ER isn't free. Ever.

        Hospitals don't pay attention to IT security for the same reason most large organizations don't do it... it's hard and confusing and costs money and we haven't got caught yet.

    • by Dishevel (1105119)

      My wife is a Director of a Drug and Alcohol Rehab.
      One Saturday during a car wash fund raiser I was asked by my wife if I could fix their Wifi. It was down.
      I told her I would look at it. I also informed her that since the company had a corporate IT guy, and because of the information they had, I would not be able to do much.
      So I went into the office and sat at her computer, opened the browser and hit 192.168.1.1. Nothing.
      192.168.0.1 Connected. Checked default login for router. Worked. Wifi network was

      • by sumdumass (711423)

        Not to seem like I'm sticking up for their IT guy (I have no clue who he is or his competence levels), but I've seen some off the shelf wireless routers that tend to reset themselves if subject to multiple power outages or surges. These are the consumer grade devices which I think shouldn't be used in a business environment, but I've been overruled many times in that thought process because of the costs associated with more robust and reliable business centric solutions.

        So just keep in mind that the defaul

        • by Dishevel (1105119)

          That could be the case. But since all the computers did hook up to the recognized, named network once it was reset I would say that it was set up that way.
          Cannot name the network because that would cause problems but it was not a default Netgear network type name.

    • by Kalriath (849904)

      That means the hospital you went to was incompetent. Our publicly available wifi is VLANed away from the corporate network, and accesses only the internet, via a gateway proxy server (we use TMG, but you could easily use Squid too) at the edge of the network. No way would you be able to access any of the internal computers and servers.

  • by Anonymous Coward on Wednesday October 17, 2012 @02:01PM (#41683879)

    Windows is not intended to be used in life-critical situations such as medical hardware or nuclear reactor control. It's right there in capital letters in the EULA.

    Someone's being a cheapskate here and decided to use windows instead of paying to develop a custom medical OS.

    • by dubdays (410710) on Wednesday October 17, 2012 @02:42PM (#41684415)

      Windows is not intended to be used in life-critical situations such as medical hardware or nuclear reactor control.

      I totally agree. However, this, to me, is the main question: Why in the FUCK would these devices be connected in ANY way, shape, or form, to the INTERNET in the first place??!?!? That's just asking for it, no way around it. It's stupid, careless, and shouldn't be allowed under any circumstance (barring VPN via a WIRE and ONLY when absolutely necessary). We're dealing with people's health and lives here, and this is a totally preventable situation.

      I can understand the issue with USB drives, but there need to be policies in place that prevent the use of them unless absolutely required.

      • It's as simple as this.

        The doctors demanded it.

        They're the goose with the golden egg, so they get what they want.

        End of story.

        • by NoKaOi (1415755)

          It's as simple as this.

          The doctors demanded it.

          They're the goose with the golden egg, so they get what they want.

          End of story.

          Um, no. You clearly have no idea how doctors work. The whole point of it is to give doctors easier access. Doctors don't live at the hospital. Most doctors aren't even at the hospital full time, they have an office where they see patients and do all of their paperwork. It's extremely useful to be able to access patient records, lab results, imaging (x-rays, MRI, CT etc) remotely. It makes things much, much faster (they can get information critical to the patient in minutes rather than days). The whol

      • Let's see. Doctors doing remote diagnosis. Looking up if patients have insurance. Filing medical claims. Transferring medical files. Getting test results from a 3rd party lab. All of these things are done over the internet every day.

      • Why in the FUCK would these devices be connected in ANY way, shape, or form, to the INTERNET in the first place

        It is obvious to us geeks the same way it is obvious to a race car driver how to bank a turn at > 100MPH. Being that I never drove a race car and it looks so simple on TV, I might be inclined to think that the car does all of the hard stuff for me... I just turn the wheel.
    • by Darinbob (1142669)

      I agree there's some idiotic stuff out there. But hospitals are cheap and so a lot of things are just boards in PCs. I'd hesitate to say malware was rampant, except for all the thousands of generic windows machines out there which are turned into medical devices by running an app.

      There is a bit of lax security even in embedded devices. The goal is not to stop terrorists or hackers, but to prevent someone from breaking your licensing or cloning your machines or firmware. Most embedded medical devices don

    • by lysdexia (897)
      Oooh! A Custom Medical OS! Can we write it in MUMPS?
  • Sad but true (Score:4, Interesting)

    by kheldan (1460303) on Wednesday October 17, 2012 @02:01PM (#41683887) Journal
    I used to work for an ophthalmic ultrasound company. You'd think that doctors, having all those years of college and medical school, would know better than to browse the internet on a medical device, or know enough to ensure that the USB flash drive they're carrying around and using to transfer images from one ultrasound to their computer is free of malware, but the sad reality is they're not, and while I can't speak for other devices manufactured by other companies, ours couldn't run antivirus and still run the ultrasound application effectively, so it was essentially wide-open to malicious software.
    • by whoever57 (658626)

      You'd think that doctors, having all those years of college and medical school, would know better than to browse the internet on a medical device

      IMHO, doctors have over-inflated views of their own abilities outside the narrow field of their medical training. For example, this respected neurosurgeon claims to have scientific evidence of the existence of an afterlife, based on his own experiences.

      • by nigelo (30096)

        Nice catch.

        I want to learn more about these 'outer-body' experiences he refers to (paragraph 4).

        Of course, it could just be another damp squid ;-)

    • by NoKaOi (1415755)

      I used to work for an ophthalmic ultrasound company. You'd think that doctors, having all those years of college and medical school, would know better than to browse the internet on a medical device, or know enough to ensure that the USB flash drive they're carrying around and using to transfer images from one ultrasound to their computer is free of malware, but the sad reality is they're not, and while I can't speak for other devices manufactured by other companies, ours couldn't run antivirus and still run the ultrasound application effectively, so it was essentially wide-open to malicious software.

      You'd think that an ultrasound company, with all their engineers and software developers with years of computer science education, could figure out how to block unnecessary websites from the computer running the ultrasound and figure out how to keep their software and the software the computer is running on up to date. They charge enough for their product for f's sake. I want my doctor spending his/her time specializing in medicine, not computer security.

  • by slashmydots (2189826) on Wednesday October 17, 2012 @02:03PM (#41683915)
    I worked at a hospital for about a half year and noticed that their policy was if it isn't a "normal" computer, we don't touch it. We leave it up to the lab techs and pharmacy staff and cardiology people. So there's 99% of the problem.
    • by jader3rd (2222716)

      if it isn't a "normal" computer, we don't touch it.

      Who is 'we' in this case? The Board of Directors?

    • by RKThoadan (89437) on Wednesday October 17, 2012 @02:34PM (#41684295)

      I work in hospital IT and we have an entire separate department for working with any clinical equipment. In most cases they can't do anything either because the vendors do not allow us any admin level access and none of them are part of our regular domain/AD. The lab/pharmacy techs quite literally have more access to those systems than we do. It's extremely aggravating.

      • by shentino (1139071)

        Why are your vendors allowed to have admin access in the first place?

        That sounds like a HIPAA violation right there.

        • by Kalriath (849904)

          Where did he say "in the US"? You can't violate HIPAA if you aren't American.

          (We have this same problem too. But those systems are embedded analyzer devices so we aren't interested in managing 'em anyway).

    • by Darinbob (1142669)

      The IT people can't touch that stuff anyway. It's not Windows, it's not Mac OS, it's not even Unix. Trying to get IT people to put better security on it would be like asking your IT staff to put an antivirus in your Prius.

  • Willful Ignorance (Score:5, Insightful)

    by Anonymous Coward on Wednesday October 17, 2012 @02:05PM (#41683937)

    Dad has owned an ultrasound service business since the late 70s. My brothers and I all worked for him in varying capacities, before becoming engineers ourselves.

    In my experience: the amount of willful ignorance towards all manner of IT in the medical field is nothing short of astounding.

    I hate to say it, because I love a lot of these people, but I chalk it up to the arrogance of the doctors and administrators. They treat anything IT related on the same level as an issue regarding, say, HVAC or sanitation. That is to say, beneath them.

    Which is fine, except in this case the "HVAC" can be programmed by a remote intruder to emit Zyklon B.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I chalk it up to the arrogance of the doctors and administrators. They treat anything IT related on the same level as an issue regarding say, HVAC or sanitation. That is to say, beneath them.

      Then computer security isn't their only problem. There have been cases of screwed up HVAC in a hospital routing the exhaust from a TB ward onto passers-by. And sanitation? Few things are more important in a hospital. The US has a terrible rate of nosocomial infections (i.e. acquired in hospital). Norway has one of the lowest rates because they spend money training people how to properly clean doorknobs in a hospital rather than potted plants and pictures in the lobby. It may sound silly at first, but little

  • by MrLint (519792) on Wednesday October 17, 2012 @02:06PM (#41683955) Journal

    The technical issues that cause this are "easy" to remedy. You don't allow people to use the instrument to have administrator access. A good portion of applications can be remediated to work in a low privileged environment via file system ACLs. Those that cannot need to be network isolated and stripped down to the bare essentials needed to do the task it is for. *These are technical steps*

    Administrative steps to take are to demand that the outside vendors don't get to dictate your network policies. Frankly in a hospital you can go all HIPAA on their asses.

    To give an anecdote, we had a vendor who delivered an instrument, for which the edict was that *NO* settings could be changed. They shipped it with a manually configured IP of an ISP in Germany. Presumably they wanted us to buy the IP block to get it on the network.

    • by drinkypoo (153816) <martin.espinoza@gmail.com> on Wednesday October 17, 2012 @02:15PM (#41684061) Homepage Journal

      You don't allow people to use the instrument to have administrator access

      I guess you've never heard of a privilege escalation exploit. If you're not performing updates then you're vulnerable, end of story. It's a good argument for eliminating the full-fledged computers inside of general-purpose medical devices, and making them instead some kind of peripherals used with computers of some sort when an interface is needed.

    • Re:"easy" to remedy (Score:4, Informative)

      by chill (34294) on Wednesday October 17, 2012 @02:24PM (#41684187) Journal

      Admin access is a red herring. If I'm after patient medical or billing data and that is readily accessible by the logged-in user account, why do I care about Admin rights?

      Yes, it helps for propagation and hiding, but for data access it is superfluous.

  • by ShooterNeo (555040) on Wednesday October 17, 2012 @02:06PM (#41683965)

    Ok, I'm only a student. So I don't know anything. But I sorta THOUGHT that the standard for a mission critical system (aka something like a heart monitor, blood gas analyzer, etc etc etc) would be to NOT use any software in your system that you don't have 100% control over.

    You know, rather than picking some version of Windows, use an embedded Linux. Add the bare minimum graphics libraries you need in order to draw a GUI. Isolate the threads that actually do the mission critical stuff (say, reading the sensor and displaying the output) from the ones that do other tasks (like handling all the complex menus and the network connectivity and so on). Heck, use a separate physical CPU for the mission critical stuff, and give it its own dedicated display so that no matter what, it keeps displaying the important data. The hardware to do this is cheap.

    And firewalls should be integrated into the devices themselves - even Linux can theoretically catch a worm, and so it should apply strict filtering rules on any communications with the network.

    I can fully understand the reluctance of the manufacturers to issue software patches. Building the system so that it's practical to not ever patch it (well, maybe patch it a couple times to eliminate any bugs found after release) is a good thing. Everyone here must know that the best way to break a working machine is to shut it down and change something.

    • by dgharmon (2564621)
      "Ok, I'm only a student. So I don't know anything. But I sorta THOUGHT that the standard for a mission critical system (aka something like a heart monitor, blood gas analyzer, etc etc etc) would be to NOT use any software in your system that you don't have 100% control over.

      You make a lot of sense for a student ...
    • by TheCarp (96830) <sjc&carpanet,net> on Wednesday October 17, 2012 @03:30PM (#41685035) Homepage

      Ahahahahahahah I totally understand why you would think these things, but, you need a little history.

      I worked in Healthcare IT for about 6 years, until a few short months ago. Before that, I actually started my career as a service tech. The thing to realise is...the group I worked in moved out of the office they were in while I was there.... the original office had a room full of chest high benches, with a built in shelf above, and lots of plugs. If this sounds like the kind of setup that would have soldering stations, then you are getting very warm...because that's what they used to do!

      In fact, some of the same guys I worked with...had been there since core memory that was tacked to the wall was decommed.

      That sort of attitude makes perfect sense if you are building a new network, in the total absence of road blocks. A hospital environment however... well.... we are talking about an environment that's been in CONTINUOUS operation since the early 1800s. (Not all hospitals are that old, of course.) All new equipment, all upgrades, all troubleshooting, all goes on while operations continue. There is no weekend downtime. There is no middle of the night downtime.... that's just to START.

      Add to that the federated 'academic' model that most hospitals use for their budgeting (ask your professors to explain how departments are budgeted and why money gets suddenly spent before the end of the fiscal year, and that's very much like how hospitals work). They started bringing in all this equipment before they even had central IT. They have their own budgets and egos; sometimes bigger departments will have their own mini-IT staff even! It is utter chaos.

      Now the departments decide what they want, get most of the way down the path of purchasing it, then bring in IT late in the game. IT fights with them and the vendor about their standards, but can't fight too hard or else they will tell IT to go fuck themselves and just go do it with their own money, since IT can't actually say no. (or they make a stink up to a level where IT gets the smack down)

      Then patching and OS upgrades.... often you can't patch or upgrade because the vendor claims they won't support it. Occasionally they blame the FDA, saying they certified it on the OS version it's on (we often questioned whether that held water).

      In short, the vendor and department often act like they are on the same team and IT is the roadblock, rather than the department and IT working as a team. The department, especially if they are clinical, but sometimes research too, has more clout than IT, because the trustees are from the medical professions and they are the final say.

      Very early on in my career I got a stack of work orders. First I was told "they can't have windows 95 because their department hasn't been upgraded yet" (and there were internal reasons involving training and federation that meant each dept needed one or two people trained before it could be upgraded).

      A week later the hardware arrived and I was told "they are getting Windows 95, OEM build, not ours" (which was a HUGE exception for them)....from that point on, every day I showed up to do something for them based on what we were doing yesterday, and every day they had already had a meeting that I wasn't privy to, and my department had made new concessions to them, totally changing what I was supposed to do ..... the ego maniac who was making them do all this, of course, just got mad at me for constantly doing the wrong thing, even though nobody had told me the plans changed.

      Eventually I heard, through more connected people than me, that he had a huge and prestigious grant and was threatening to take his grant and go to another institution if they didn't give him everything he wanted....and he got it.

      Now.... tell me how you control what you are using when the final say on policy comes from people who don't understand IT, and are willing to see it as a roadblock rather than part of their team? Believe me when I say there are a lot of people (not everyone of course) who know what they should be doing, and want to do things right, but, they lose a lot of battles.

      • by radtea (464814)

        From the vendor side there's such a huge amount of pressure to ship stuff--and an embedded belief that "software is easy... if it was hard it would be called hardware". I've been told by prospective clients that they could "hire a twelve year old" to do what I do. This is apparently because managers are idiots who can't tell the difference between a web page and an embedded algorithm that does something that was impossible the year before and won't be easy for another decade.

        The bottom line is the bottom

  • by ShooterNeo (555040) on Wednesday October 17, 2012 @02:10PM (#41683993)

    All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.

    Validated. That costs a bunch of money. And this basically is saying that if the manufacturer DOESN'T validate the changes to the FDA's satisfaction (meaning do a heck of a lot more testing than just applying the patch real quick and booting it up and making sure it's still working) then they are totally vulnerable to lawsuits.

    Also, just as importantly : the manufacturer does not receive money from medical devices already sold. Their new ones (with new hardware which is why they can't back-port the software) are where the revenue is. In fact, it's sort of beneficial if the hospital's old equipment starts running slowly and badly because they can push their new gear (now with enhanced cybersecurity!)

  • by concealment (2447304) on Wednesday October 17, 2012 @02:14PM (#41684041) Homepage Journal

    In industries where arrogance and demanding people are common, the only people who work the jobs are those with a tolerance for such behavior.

    This means you're picking your IT guys by whether they put up with your drama or not.

    If you wonder why many law firms and hospitals have such bad IT staff, this is the reason. High turnover, low investment beyond what is demanded. Mainly because the demands are constant and irate.

    These people are probably dropping 4000 Windows XP machines into a hospital, and then complaining about the reboots for patches and/or that weird orange browser they have to do now.

    As a result, they get a ton of malware. The solution is obvious: turn on Windows update, and train staff to rein in their egos and drama for just a few minutes every day.

    • by TubeSteak (669689)

      The solution is obvious: turn on Windows update, and train staff to rein in their egos and drama for just a few minutes every day.

      First off, this is not how enterprise software management works. It's a terrible idea and you're a terrible person for suggesting it.

      Secondly, medical software management is a whole nother ball of wax, because the manufacturer has to certify the software to a higher level of confidence (regardless of whether or not any update has to go through regulatory review).

      • Not only that, but for many such pieces of software, they will only work with certain versions of Windows, Java and many Windows Updates will hose them.
  • Unless I'm mistaken, it is illegal to create and distribute a computer virus, but "malware" somehow does not fall into this category because it's not deliberately destructive I guess. It *is* however, destructive in so much as the security holes it usually creates along with the system resources it takes.

    Shouldn't we just be able to follow a piece of malware to its source company and have the DOJ take care of them?? I recall legislation against spam having been written and people even being convicted fo
    • The inefficiency of trying to do that...is mind boggling. Most of the malware authors probably aren't even within the U.S. Extradition is very slow and expensive and does not always succeed. It is possible for malware authors to cover their tracks so effectively that even finding out who they are is de facto impossible.

      Basically, I see trying to eliminate malware as being about as practical as trying to eliminate bacteria from the planet. Much better to secure your system so it can't get through.

      • This is true of certain types of malware yes, but there is still a whole industry of companies out there who create spyware and software that does all kinds of 'malware' tasks which are doing it right out in the open due to the current legality of these practices. There is no industry segment of companies openly generating virii due to the legality. I'm just saying, I think we need some legislation for this stuff. Virii still exist regardless of the legislation but much less than it would without the legisl
    • "Malware" does not refer to a specific type of software; rather, it is a blanket term used to define all malicious software, including virii, trojans, worms, adware, et. al.

      I surmise the reason for not creating a law to specifically outlaw malware is twofold: The first (and, IMO, rational) reason being that criminalizing malware in general would cripple the efforts of businesses and academics who make their living researching and creating countermeasures for such code.

      The second, less rational (again,
      • So basically you're saying spammers should have bought a lobby about 10 years ago, god knows they were raking in the dough.
  • by SpzToid (869795) on Wednesday October 17, 2012 @02:15PM (#41684067)

    Okay, this is a valid point, and people need to pay attention when they engineer, build, support, and actually use these things. Still, what is done is done and paid for, and I imagine hospitals retain some I.T. department services of some sort, and all this gear is networked behind a firewall or two.

    New gear absolutely must take these concerns into consideration and address them long-term because the threat will not go away. But what is the current threat on the legacy devices? What can an attacker hope to accomplish? What would be the motivation of a hacker or two, to reverse-engineer the MRI scanner, oh and by the way where did these guys get a redundant MRI scanner (etc.) to reverse engineer for their evil motivations?

    Oh wait, much of this gear is based upon Windows XP and that is the vector. Uh huh. Well that sort of shelf-lifes the security on your hardware I suppose. It might be best to support a long-term and truly open system like Linux or FreeBSD rather than base your product on what the Microsoft Corporation can deliver for your own business requirements.

    Or, if Microsoft is so good for (medical equipment) developers to base products on, then why can't the software be upgraded to support Windows 7 or 8?

    • by 0123456 (636235)

      Or, if Microsoft is so good for (medical equipment) developers to base products on, then why can't the software be upgraded to support Windows 7 or 8?

      My guess is: certifying medical software on a new OS costs about a gigazillion dollars and no-one is willing to pay for it.

      • by SpzToid (869795)

        Yes, TFA mentions the regulatory costs for such updates. So there's the thing: you based your (hardware) product on Windows XP and now XP is end-of-lifed and either you support your hardware with software upgrades and get that approved, OR your hardware gets end-of-lifed, or your (supported) patients might end-of-life prematurely themselves (so you also have the risk of malpractice costs to consider).

        Looking at this lesson in security, if I was a manufacturer of MRI gear (or whatever) I'd get away fr

  • Not so simple (Score:5, Informative)

    by kullnd (760403) on Wednesday October 17, 2012 @02:31PM (#41684255)
    I worked as an IT Manager in a hospital for a few years, and know a little bit about this... The first issue is that these systems typically CAN NOT be upgraded, and this is not due to the MFG not wanting to upgrade, this is an FDA compliance issue... If they upgrade the software, they have to do some very expensive certifications with the FDA, and these same certifications delay the release of medical equipment to the point that much of the technology is already close to being outdated when it hits the market.

    Our solution, which seems simple enough, was that every type of medical equipment was located on a different physical network (for critical pt. monitoring equipment) or at a minimum a separate VLAN on the main network. All network access to this equipment was blocked except for very specific exceptions that were allowed based on the absolute need of that piece of equipment. We had no issues with any of these infections or malware, although it did increase the man-hours overhead, especially when working with the vendors that would sometimes wonder why they could not hit the internet from the X-Ray machine ... but we managed just fine.
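One way to audit the "block everything except need-based exceptions" model described in the post above, as an added example that is not from this thread or any poster: a small script that replays flow-log lines from the device VLANs against an allowlist policy and reports every flow the policy would not permit, labelling the ones that point at a device reaching for the internet or at device-to-device traffic. The log format, subnets, ports and policy are all constructed for the example.

```python
"""
Flow-allowlist audit for segmented clinical-device VLANs (added example).

Policy model: each device class has its own VLAN, default deny, and a short
list of need-based exceptions (modality -> PACS, monitor -> HL7 gateway ...).
Every address, port and log line below is constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_net: str   # device VLAN the exception applies to
    dst_net: str   # the one destination the device genuinely needs
    proto: str
    dport: int
    reason: str    # the "absolute need" that justified the exception


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Hypothetical layout: 10.20.1.0/24 = imaging modalities, 10.20.2.0/24 = patient
# monitors. Anything outside 10.0.0.0/8 is treated as "outside the hospital".
DEVICE_VLANS = ["10.20.1.0/24", "10.20.2.0/24"]
HOSPITAL_NETS = ["10.0.0.0/8"]
POLICY = [
    Rule("10.20.1.0/24", "10.50.0.10/32", "tcp", 104, "modality -> PACS (DICOM)"),
    Rule("10.20.1.0/24", "10.50.0.20/32", "udp", 123, "modality -> NTP"),
    Rule("10.20.2.0/24", "10.50.0.30/32", "tcp", 2575, "monitor -> HL7 gateway"),
]


def _in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def matching_rule(flow: Flow, policy) -> Optional[Rule]:
    """Return the exception that permits this flow, or None (default deny)."""
    for r in policy:
        if (_in_any(flow.src, [r.src_net]) and _in_any(flow.dst, [r.dst_net])
                and r.proto == flow.proto and r.dport == flow.dport):
            return r
    return None


def classify(flow: Flow) -> str:
    """Label a denied flow by what it tells the defender."""
    if not _in_any(flow.dst, HOSPITAL_NETS):
        return "outside"   # a device (or a vendor on it) trying to reach the internet
    if _in_any(flow.dst, DEVICE_VLANS):
        return "lateral"   # device-to-device traffic, the path a worm would take
    return "other"         # internal destination that no exception covers


def audit(lines, policy=POLICY) -> List[Tuple[Flow, str]]:
    """Replay flow-log lines; return every device-originated flow the policy denies."""
    denied = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if not _in_any(flow.src, DEVICE_VLANS):
            continue   # only traffic leaving a device VLAN is audited here
        if matching_rule(flow, policy) is None:
            denied.append((flow, classify(flow)))
    return denied


# Constructed sample log: two permitted flows, then an internet attempt from a
# modality, an SMB connection between device VLANs, and a monitor talking to PACS.
SAMPLE_LOG = """
# src dst proto dport
10.20.1.15 10.50.0.10 tcp 104
10.20.1.15 10.50.0.20 udp 123
10.20.1.15 203.0.113.7 tcp 443
10.20.2.40 10.50.0.30 tcp 2575
10.20.2.40 10.20.1.15 tcp 445
10.20.2.40 10.50.0.10 tcp 104
""".splitlines()

if __name__ == "__main__":
    for flow, why in audit(SAMPLE_LOG):
        print(f"DENY {why:8} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```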
    • by Arker (91948)
      So what you are telling us is that this is a regulatory problem. It's the regulators who are, at least in effect, demanding that medical devices be built using old insecure operating systems and then not be tampered with, and since they have the power of the state behind them everyone else is helpless in the face of their incompetence.
      • So what you are telling us is that this is a regulatory problem. It's the regulators who are, at least in effect, demanding that medical devices be built using old insecure operating systems and then not be tampered with, and since they have the power of the state behind them everyone else is helpless in the face of their incompetence.

        That is half of the problem.

        The other half of the problem is that equipment makers still choose to use off the shelf consumer operating systems on their equipment in the full knowledge that these things need upgrading while the regulations prevent it. There are plenty of embedded system options for OSs that are not Linux or Windows. If the equipment maker isn't building a system that is safe within the context of the regulations, then they are incompetent.

        • by Arker (91948)

          If the equipment maker isn't building a system that is safe within the context of the regulations, then they are incompetent.

          I appreciate what you are saying, but consider it from another POV. If the market is regulated like this, it actually minimises liability for this sort of technical incompetence. It's very hard to sue someone that can demonstrate they were under regulatory oversight and complied in all ways with it. Understanding that, from a business point of view, if I can make the product cheaper b

  • by ChumpusRex2003 (726306) on Wednesday October 17, 2012 @02:38PM (#41684351)

    The term medical device has a broad definition; it includes obvious things such as laboratory analysers, X-ray equipment, etc., but it also includes PCs running specific types of software, such as medical records software. Most of these things run general purpose OSs - some embedded; some desktop.

    E.g. Windows XP is a common platform for things like ultrasound scanners, MRI scanners, etc. XP Embedded is quite common on things like laboratory equipment. Variants of Linux are also in widespread use - albeit, often old. E.g. I work with an MRI scanner that runs a 2.2 kernel.

    Now, things like analysers and scanners are usually on their own VLAN (or should be) with connections only to their application servers, with the servers heavily firewalled from the general purpose VLANs; however, this often isn't the case, and I've seen a number of installations where you can just sit down at a random PC, and SSH into an MRI scanner (these things usually have generic root passwords which are written in the service manual - once you know what the passwords are, you can get into any device of that make and model).

    The biggest problem, however, is that these machines never get updated. The manufacturers often won't support any updates to the OS, or even permit hotfix installation, never mind a 3rd party security package (for more general purpose devices). For example, one hospital earlier this year upgraded their PACS system (software for storing and displaying X-ray/MRI/CT images) and bought a new set of dedicated workstations (quad core, Xeon E5, 8GB RAM, Dual Quadro), but because the PACS client software had to interface with a number of other client software packages, and those vendors had strict requirements, these machines ended up being loaded with XP SP1 32-bit and Java 1.4. Unsurprisingly, these aren't regularly patched, and more importantly, they can no longer update their anti-virus software as the current version of their chosen AV software won't run on this configuration (so they're stuck using an obsolete, unsupported version).

    I saw an extreme example of this a few years ago when the Conficker worm hit. There was a group of hospitals in a major city which shared the same infrastructure, and they had a very large PACS system. The worm got onto the PACS VLAN, and essentially killed the servers. The system was completely down for days, because as soon as the servers were rebooted or re-imaged, the worm killed them again. The vendor stubbornly refused to apply the hotfix and refused permission to install the hospital's antivirus system on the servers/workstations. The only thing that got it moving was when the CEO of the hospitals made a conference call with the hospitals' lawyers and the CEO of the PACS vendor, telling them that they were going to f**k them so hard with the SLA stick that they wouldn't be able to sit down for a month. After that call, the vendor agreed to install the hotfix, and the system came back online.

  • by jader3rd (2222716) on Wednesday October 17, 2012 @02:39PM (#41684377)
    A little over a month ago I was in a hospital and noticed a work station in a hallway that was obviously set up for visitors to use. I checked it out and it was running XP. Since the OS had noticed that a user had woken it up, the balloons from the task bar started fighting with each other for my attention. Norton said it was months out of date; it also said that it had 400+ issues that needed looking at (found active viruses running, or something). I half wonder if someone with mal intent set up the computer and no one questioned it being there (the IT guys must have set it up), because the hospital sure wasn't taking care of it.
  • by Kaldesh (1363017) on Wednesday October 17, 2012 @02:40PM (#41684393)
    Before I begin let me preface this post by saying I work in a hospital in the IT Staff, and I have for the past 10 years now (as scary as that sounds to me typing it out). At any rate I can say that malware, spyware, viruses etc are a constant concern for the staff here. When I started working here it was the 'Wild West' for computing, people did what they wanted, when they wanted to on their computers, and we've slowly curbed that. Especially now that electronic medical records are being used. The key we've found to keep malicious software off computers used for medical purposes, or with confidential data is actually threefold -- First segregate those devices with ePHI (electronic protected health information) off onto their own network, strip the computers of all but the most essential software, and the medical staff all have to sign agreements when they're hired that strictly prohibit them from using computers for personal tasks. Want to check your e-mail? Bring in your smart phone, or laptop etc, and do it with that device (we actually provide a wireless for the entire staff to use 'just' for that purpose). Nobody can keep 'on task' all day, so allowing them the outlet with some caveats has been a great success. However, all machines that have access to the ePHI network are imaged once put into service, but we re-image the machines on a staggered schedule so every 6 months they're a fresh install. Virus software (AVG) is installed and on an automatic update / scan schedule as well -- with a central server that reports results to us. Also for security concerns every Laptop is encrypted (thank you TrueCrypt), and every device that accesses ePHI comes through a VPN. If a Laptop gets stolen (and one has in the past), the VPN access for that device is revoked immediately. So between the VPN and Encryption, the odds of a 'break' in our security are astronomical.

    Anyway all these procedures may seem a bit excessive, but we've yet to have a PC with ePHI or EMR software be compromised where I work thanks to them. I sleep slightly better at night thanks to this system actually. I do know of several other hospitals / medical facilities that are far far less secure though, and frankly it scares the hell out of me how cavalier they are about the whole ordeal. One of our doctors is Per Diem and his home office supplied him with an unencrypted, unsecured laptop with full admin rights, and their EMR software installed on said Laptop for his free use. PS -- A tip to anyone working in a medical facility, one of the ways we had our providers (Doctors) agree to this stringent of a system was to point out that infractions where ePHI is compromised put their necks on the line, even more so than they do ours. So all this security is for their benefit as much as yours. Also, this goes double if you have a counseling staff because the rules around ePHI regarding counseling services are even more strict and crazy. Anyway hopefully that helps someone out.
  • I once worked for a company that produced equipment used in hospitals, and I can vouch for the issues installing updates as well. Moreover, hopelessly stupid things were done such as hard-coding the hosts file for remote diagnostics, and logging in and running applications as the Windows Administrator account. Furthermore, the hospital IT staff was equally incompetent, in that even if (by some miracle) we wanted to patch the products we had to jump through hoops to do so, and even simple things like DNS r
    • Yea, well my experience working in labs has shown me that the vendors and support for different manufacturers can be very different. Some are very proactive and take the time to contact us, explain what they will do, give us copies of the software, etc; Other vendors don't even want to update/patch, etc; Some field support people are really on top of things, others very much aren't and from what I've learned after dealing with many of them is that morale has a lot to do with it.
  • Publicize the Manufacturers and Models vulnerable, then wait for the malpractice trial lawyers to sink their teeth in. Doesn't matter if no one was actually hurt because of the vulnerability. If a device was in use when the patient suing was being treated and the device had malware (or even could have) they will latch onto that and suck the device maker into the lawsuits. Fighting malware with malpractice lawyers. Seems dirty somehow.
  • Just why in the hell are embedded medical devices running on a full blown Windows system that is prone to malware infection, and likely to break functionality of the device if regular system updates (many of which will be for functionality that isn't being used) are installed?

    Such devices should be using a custom, minimalist OS which is configured specifically for the purpose it serves, has no extra unnecessary functionality, and support for the entire package (device, hardware, application and OS software)

    • Yea, that is the real question, why Windows? Almost funny if it wasn't such a house of cards ready to collapse. Well, it might be Windows for much of it because the client-side piece and/or server software only runs on Windows, so they just port it to run on the devices/instruments also.

      But yes, you're absolutely correct, the OS "footprint" should be small and tight and secure for these types of applications. But they're not.
      • by Arker (91948)

        Why Windows? Because any monkey can throw it on and stitch together something that works.

        Not something that works properly, of course, but that would cost extra. As long as the buyers are totally clueless about the tech and believe whatever marketing tells them, then the company that puts the money into marketing and gets a monkey to slap XP on a white box and call it a custom control console beats the one that hires real techs and does a good job every time.

  • Jail terms for those guilty of reckless endangerment by selling or using medical devices running Windows.

  • by Sir_Eptishous (873977) on Wednesday October 17, 2012 @03:30PM (#41685037) Homepage
    Anyone who works in laboratory environments knows about this problem. Certain lab instruments run a certain firmware that can only be supported on a certain version of Windows. The firmware can't be updated because that instrument is no longer supported, but the lab keeps using it because it works and it's too expensive to replace... We're talking Windows NT or 2000 here.

    The computer systems at fault in the monitors were replaced several months ago by the manufacturer, Philips; the new systems, based on Windows XP, have better protections and the problem has been solved

  • It's clear that diagnostic manufacturers prefer XP for various reasons, not least because it's really easy to develop for.

    This leaves a gap in the market for:

    a) retrofitting existing wayward devices with better software that's less vulnerable (wine/XP ++, or another win emulator??)

    b) offering a secure medical OS

    Seems like the kind of challenge the /. crowd would be keen to take up, GPL or no :)

    Hey it's medical, so there's serious dosh to be made here!

  • Used to work in a medical environment and this does not surprise me at all. The whole "FDA regulated device" argument is just another sham by device manufacturers, software vendors, and lazy admins to avoid patching their systems. The medical community is completely out of touch with the current state of IT. They talk about needing continuity and up-time and all this, but have no idea what that means. You get a department file server trying to infect the entire network (including pcc devices) and they f
