Malware Is 'Rampant' On Medical Devices In Hospitals

Dupple sends this quote from MIT's Technology Review: "Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable. While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion. [He said], 'Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.' ... Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed."

conventional malware = windows malware

[Anonymous Coward]

Windows is not intended to be used in life-critical situations such as medical hardware or nuclear reactor control. It's right there in capital letters in the EULA.

Someone's being a cheapskate here and decided to use windows instead of paying to develop a custom medical OS.

Willful Ignorance

[Anonymous Coward]

Dad has owned an ultrasound service business since the late 70s. My brothers and I all worked for him in varying capacities, before becoming engineers ourselves.

In my experience: the amount of willful ignorance towards all manner of IT in the medical field is nothing short of astounding.

I hate to say it, because I love alot of these people- but I chalk it up to the arrogance of the doctors and administrators. They treat anything IT related on the same level as an issue regarding say, HVAC or sanitation. That is to say, beneath them.

Which is fine, except in this case the "HVAC" can be programmed by a remote intruder to emit Zyklon B.

Re:What about networks

[FacePlant]

Hospitals are notorious this this kind of IT stupidity.

Mission Critical Systems? LolWAT?

[ShooterNeo]

Ok, I'm only a student. So I don't know anything. But I sorta THOUGHT that the standard for a mission critical system (aka something like a heart monitor, blood gas analyzer, etc etc etc) would be to NOT use any software in your system that you don't have 100% control over.

You know, rather than picking some version of windows, use an embedded linux. Add the bare minimum graphics libraries you need in order to draw a gui. Isolate the threads that actually do the mission critical stuff (say, reading the sensor and displaying the output) from the ones that do other tasks (like handling all the complex menus and the network connectivity and so on). Heck, use a separate physical CPU for the mission critical stuff, and give it it's own dedicated display so that no matter what, it keeps displaying the important data. The hardware to do this is cheap.

And firewalls should be integrated into the devices themselves - even Linux can theoretically catch a worm, and so it should apply strict filtering rules on any communications with the network.

I can fully understand the reluctance of the manufacturers to issue software patches. Building the system so that it's practical to not ever patch it (well, maybe patch it a couple times to eliminate any bugs found after release) is a good thing. Everyone here must know that the best way to break a working machine is to shut it down and change something.

Re:"easy" to remedy

[drinkypoo]

You don't allow people to use the instrument to have administrator access

I guess you've never heard of a privilege escalation exploit. If you're not performing updates then you're vulnerable, end of story. It's a good argument for eliminating the full-fledged computers inside of general-purpose medical devices, and making them instead some kind of peripherals used with computers of some sort when an interface is needed.

Consider yourself very lucky...

[Anonymous Coward]

I found an unsecured smb share on the network and downloaded a 17gb .bak file of patient records. Needless to say I deleted the file and sent an anonymous email to the administrator. 3 months later nothing had changed....

Usually anyone who dares tell the Emperor that he's actually naked and not wearing any "new clothes" gets his head chopped off for pointing out the truth.

Lemme tell you what would've happened at one particular hospital I know of: The IT administrator would've contacted law enforcement and provided them with all the video footage from the multitudes of security cameras around the place, along with the patient and visitor lists, as well as all the the wifi access and activity logs containing your mac address and anything else logged and/or identifiable about your laptop, to try to find out your real identity for criminal prosecution purposes.

Despite the fact that they are extremely weak in securing their network resources in the first place nor do they have any realtime alerting mechanisms to detect any kind of unauthorized access while in progress.... they do go to ridiculous lengths to log and record everything necessary to try to identify you so they can come and get you long after the fact.

From the front lines?

[Kaldesh]

Before I begin let me preface this post by saying I work in a hospital in the IT Staff, and I have for the past 10 years now (as scary as that sounds to me typing it out). At any rate I can say that malware, spyware, virus' etc are a constant concern for the staff here. When I started working here it was the 'Wild West' for computing, people did what they wanted, when they wanted to on their computers, and we've slowly curbed that. Especially now that electronic medical records are being used. The key we've found to keep malicious software off computers used for medical purposes, or with confidential data is actually three fold -- First segregate those devices with ePHI (electronic protected health information) off onto their own network, strip the computers of all but the most essential software, and the medical staff all have to sign agreements when they're hired that strictly prohibit them from using computers for personal tasks. Want to check your e-mail? Bring in your smart phone, or laptop etc, and do it with that device (we actually provide a wireless for the entire staff to use 'just' for that purpose). Nobody can keep 'on task' all day, so allowing them the outlet with some caveats has been a great success. However, all machines that have access to the ePHI network are imaged once put into service, but we re-image the machines on a staggered schedule so every 6 months they're a fresh install. Virus software (AVG) is installed and on an automatic update / scan schedule as well -- with a central server that reports results to us. Also for security concerns every Laptop is encrypted (thank you Truecrypt), and every device that accesses ePHI comes through a VPN. If a Laptop get's stolen (and one has in the past), the VPN access for that device is revoked immediately. So between the VPN and Encryption, the odds of a 'break' in our security are astronomical. Anyway all these procedures may seem a bit excessive, but we've yet to have a PC with ePHI or EMR softwaret be compromised where I work thanks to them. I sleep slightly better at night thanks to this system actually. I do know of several other hospitals / medical facilities that are far far less secure though, and frankly it scares the hell out of me how cavalier they are about the whole ordeal. One of our doctors is Per Diem and his home office supplied him with an unencrypt, unsecured, laptop with full admin rights, and their EMR software installed on said Laptop for his free use. PS -- A tip to anyone working in a medical facility, one of the ways we had our providers (Doctors) agree to this stringent of a system was to point out that infractions where ePHI is compromised put their necks on the line, even more so then they do ours. So all this security is for their benefit as much as yours. Also, this goes double if you have a counseling staff because the rules around ePHI regarding counseling services are even more strict and crazy. Anyway hopefully that helps someone out.

Re:WELL, THAT'S OKAY SINCE WE ALL DIE SOMETIME !!!

[pentalive]

Caution: This Hospital Uses Microsoft Windows 98

Re:Meh...

[HideyoshiJP]

While this should be true, these devices are increasingly being connected to networks to offer integration with EHR/HIS for polling information, and especially in radiology, where images are being sent digitally to PACS. These machines often stay unpatched, yet get connected to the network for transfers. It's important to maintain a separate "medical device" network, but this only goes so far, especially when vulnerabilities bypass the Windows firewall on the medical device, allowing some infected PC/device/server to broadcast worms all over the place.

Re:Willful Ignorance

[Anonymous Coward]

I chalk it up to the arrogance of the doctors and administrators. They treat anything IT related on the same level as an issue regarding say, HVAC or sanitation. That is to say, beneath them.

Then computer security isn't their only problem. There have been cases of screwed up HVAC in a hospital routing the exhaust from a TB ward onto passers-by. And sanitation? Few things are more important in a hospital. The US has a terrible rate of nosocomial infections (i.e. acquired in hospital). Norway has one of the lowest rates because they spend money training people how to properly clean doorknobs in a hospital rather than potted plants and pictures in the lobby. It may sound silly at first, but little things like properly cleaning doorknobs are very important in reducing infection spread. Only arrogant fools ignore such important details.