Malware Is 'Rampant' On Medical Devices In Hospitals
Dupple sends this quote from MIT's Technology Review:
"Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable. While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion. [He said], 'Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.' ... Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed."
conventional malware = windows malware (Score:5, Insightful)
Windows is not intended to be used in life-critical situations such as medical hardware or nuclear reactor control. It's right there in capital letters in the EULA.
Someone's being a cheapskate here and decided to use Windows instead of paying to develop a custom medical OS.
Willful Ignorance (Score:5, Insightful)
Dad has owned an ultrasound service business since the late 70s. My brothers and I all worked for him in varying capacities, before becoming engineers ourselves.
In my experience: the amount of willful ignorance towards all manner of IT in the medical field is nothing short of astounding.
I hate to say it, because I love a lot of these people, but I chalk it up to the arrogance of the doctors and administrators. They treat anything IT related on the same level as an issue regarding, say, HVAC or sanitation. That is to say, beneath them.
Which is fine, except in this case the "HVAC" can be programmed by a remote intruder to emit Zyklon B.
Re:What about networks (Score:4, Insightful)
Hospitals are notorious for this kind of IT stupidity.
Mission Critical Systems? LolWAT? (Score:5, Insightful)
Ok, I'm only a student. So I don't know anything. But I sorta THOUGHT that the standard for a mission critical system (aka something like a heart monitor, blood gas analyzer, etc etc etc) would be to NOT use any software in your system that you don't have 100% control over.
You know, rather than picking some version of Windows, use an embedded Linux. Add the bare minimum graphics libraries you need in order to draw a GUI. Isolate the threads that actually do the mission critical stuff (say, reading the sensor and displaying the output) from the ones that do other tasks (like handling all the complex menus and the network connectivity and so on). Heck, use a separate physical CPU for the mission critical stuff, and give it its own dedicated display so that no matter what, it keeps displaying the important data. The hardware to do this is cheap.
And firewalls should be integrated into the devices themselves - even Linux can theoretically catch a worm, and so it should apply strict filtering rules on any communications with the network.
I can fully understand the reluctance of the manufacturers to issue software patches. Building the system so that it's practical to not ever patch it (well, maybe patch it a couple times to eliminate any bugs found after release) is a good thing. Everyone here must know that the best way to break a working machine is to shut it down and change something.
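One way to realise the "strict filtering rules" part of the design sketched above, as an added example that is not code from the thread or from any device vendor: a default-deny nftables policy for an embedded Linux patient monitor. The monitoring server address 10.0.0.10, the export port 2575, the interface names and the use of SSH for vendor service are assumed placeholders, not values from the page.

```nft
# Constructed example, not a vendor ruleset: default-deny host firewall for an
# embedded Linux patient monitor. Assumed: the device only needs to push readings
# to one central monitoring server (placeholder 10.0.0.10, placeholder port 2575)
# and to receive replies to the DNS/NTP requests it makes itself.
table inet device_fw {
    set clinical_servers {
        type ipv4_addr
        elements = { 10.0.0.10 }   # placeholder: the hospital's monitoring server
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept   # replies to traffic we initiated
        ct state invalid drop

        # The only unsolicited inbound traffic allowed is vendor service access,
        # and only from the clinical server, never from the whole LAN. File
        # sharing, remote desktop and every other port a general-purpose OS
        # image leaves open fall through to the logged drop below.
        ip saddr @clinical_servers tcp dport 22 limit rate 10/minute accept comment "vendor service access"
        log prefix "device_fw drop: " limit rate 5/minute drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept
        ip daddr @clinical_servers tcp dport 2575 accept   # readings export (assumed port)
        udp dport { 53, 123 } accept                       # DNS and NTP
        # Anything else leaving the device (a worm scanning the ward network,
        # for instance) is blocked and logged rather than silently allowed.
        log prefix "device_fw egress drop: " limit rate 5/minute drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # the monitor is not a router
    }
}
```

Loaded with `nft -f`, the rules log every dropped packet with a fixed prefix, so a hospital log collector can raise a real-time alert on unexpected connection attempts instead of discovering them months later.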
Re:"easy" to remedy (Score:5, Insightful)
You don't allow people to use the instrument to have administrator access
I guess you've never heard of a privilege escalation exploit. If you're not performing updates then you're vulnerable, end of story. It's a good argument for eliminating the full-fledged computers inside of general-purpose medical devices, and making them instead some kind of peripherals used with computers of some sort when an interface is needed.
Consider yourself very lucky... (Score:5, Insightful)
I found an unsecured SMB share on the network and downloaded a 17GB .bak file of patient records. Needless to say I deleted the file and sent an anonymous email to the administrator. 3 months later nothing had changed....
Usually anyone who dares tell the Emperor that he's actually naked and not wearing any "new clothes" gets his head chopped off for pointing out the truth.
Lemme tell you what would've happened at one particular hospital I know of: The IT administrator would've contacted law enforcement and provided them with all the video footage from the multitudes of security cameras around the place, along with the patient and visitor lists, as well as all the Wi-Fi access and activity logs containing your MAC address and anything else logged and/or identifiable about your laptop, to try to find out your real identity for criminal prosecution purposes.
Despite the fact that they are extremely weak in securing their network resources in the first place and have no realtime alerting mechanisms to detect any kind of unauthorized access while in progress.... they do go to ridiculous lengths to log and record everything necessary to try to identify you so they can come and get you long after the fact.
Re:Willful Ignorance (Score:2, Insightful)
I chalk it up to the arrogance of the doctors and administrators. They treat anything IT related on the same level as an issue regarding say, HVAC or sanitation. That is to say, beneath them.
Then computer security isn't their only problem. There have been cases of screwed up HVAC in a hospital routing the exhaust from a TB ward onto passers-by. And sanitation? Few things are more important in a hospital. The US has a terrible rate of nosocomial infections (i.e. acquired in hospital). Norway has one of the lowest rates because they spend money training people how to properly clean doorknobs in a hospital rather than potted plants and pictures in the lobby. It may sound silly at first, but little things like properly cleaning doorknobs are very important in reducing infection spread. Only arrogant fools ignore such important details.