Malware Is 'Rampant' On Medical Devices In Hospitals 234
Dupple sends this quote from MIT's Technology Review:
"Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable. While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion. [He said], 'Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.' ... Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed."
Meh... (Score:4, Interesting)
When someone does get hurt, it will be a very clear case of negligence on the part of the manufacturer, and the lawsuit will bring everyone else in line.
Sad that this is the way it works in America though.
What about networks (Score:5, Interesting)
I don't know about medical devices, but I do know that the last time I was in the emergency room I brought my laptop since I knew I would be there for a few hours. After getting tired of games and slashdot I decided to poke around the wifi network that I was on. I found an unsecured smb share on the network and downloaded a 17gb .bak file of patient records. Needless to say I deleted the file and sent an anonymous email to the administrator. 3 months later nothing had changed....
Sad but true (Score:4, Interesting)
The fine print mentioned in TFA (Score:5, Interesting)
All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.
Validated. That costs a bunch of money. And this basically is saying that if the manufacturer DOESN'T validate the changes to the FDA's satisfaction (meaning do a heck of a lot more testing than just applying the patch real quick and booting it up and making sure it's still working) then they are totally vulnerable to lawsuits.
Also, just as importantly : the manufacturer does not receive money from medical devices already sold. Their new ones (with new hardware which is why they can't back-port the software) are where the revenue is. In fact, it's sort of beneficial if the hospital's old equipment starts running slowly and badly because they can push their new gear (now with enhanced cybersecurity!)
Re:What about networks (Score:5, Interesting)
Same thing I've seen in hotel web sites, but I digress. /. but a lot of medical staff are not terribly computer security conscious.
An additional problem in a HIPPA perspective is that (per your experience) the data was not encrypted...
That may seem to be a huge oversight to someone on
Heck, too many IT staff don't understand security.
When devices, networks, and users fail to protect data individually or collectively there will be issues.
That is no excuse for wide open access to medical devices. I do wonder if they have to go through a full FDA acceptance period for software/firmware updates? I suspect that could be an issue.
--
No brain, no pain.
Re:I worked at a hospital (Score:5, Interesting)
I work in hospital IT and we have an entire separate department for working with any clinical equipment. In most cases they can't do anything either because the vendors do not allow us any admin level access and none of them are part of our regular domain/AD. The lab/pharmacy techs quite literally have more access to those systems than we do. It's extremely aggravating.
Re:conventional malware = windows malware (Score:4, Interesting)
Windows is not intended to be used in life-critical situations such as medical hardware or nuclear reactor control.
I totally agree. However, this, to me, is the main question: Why in the FUCK would these devices be connected in ANY way, shape, or form, to the INTERNET in the first place??!?!? That's just asking for it, no way around it. It's stupid, careless, and shouldn't be allowed under any circumstance (barring VPN via a WIRE and ONLY when absolutely necessary). We're dealing with people's health and lives here, and this is a totally preventable situation.
I can understand the issue with USB drives, but there need to be policies in place that prevent the use of them unless absolutely required.
Re:What about networks (Score:4, Interesting)
That's because they have no incentive to listen to you.
Report it as a HIPAA violation and stay anonymous (5th amendment implications for you downloading it yourself), and watch them get burned.
If the regulators don't even care, then give up.
The system may be broken, but it sure as hell doesn't belong to you.
Re:Mission Critical Systems? LolWAT? (Score:5, Interesting)
Ahahahahahahah I totally understand why you would think these things, but, you need a little history.
I worked in Healthcare IT for about 6 years, until a few short months ago. Before that, I actually started my career as a service tech. The thing to realise is...the group I worked in moved out of the office they were in while I was there.... the original office had a room full of chest high benches, with a built in shelf above, and lots of plugs. If this sounds like the kind of setup that would have soldering stations, then you are getting very warm...because that what they used to do!
In fact, some of the same guys I worked with...had been there since core memory that was tacked to the wall was decommed.
That sort of attitude makes perfect sense if you are building a new network, in the total absence of road blocks. A hospital environment however... well.... we are talking about an environment thats been in CONTINUOUS operation since the early 1800s. (not all hospitals are that old, of course) all new equipment, all upgrades, all troubleshooting, all goes on, while operations continue. There is no weekend downtime. There is no middle of the night downtime.... thats just to START.
Add to that the federated 'academic' model that most hospitals use for their budgeting (ask your professors to explain how departments are budgeted and why money gets suddenly spent before the end of the fiscal year, and thats very much like how hospitals work). They started bringing in all this equipment before they even had central IT. They have their own budgets and egos, sometimes bigger departments will have their own mini-IT staff even! It is utter chaos.
Now the departments decide what they want, get most of the way down the path of purchasing it, then bring in IT late in the game. IT fights with them and the vendor about their standards, but can't fight too hard or else they will tell IT to go fuck themselves and just go do it with their own money, since IT can't actually say no. (or they make a stink up to a level where IT gets the smack down)
Then patching and OS upgrades.... often you can't patch or upgrade because the vendor claims they wont support it. Occasionally they blame the FDA saying they certified it on the OS version its on (we often questioned whether that held water).
In short, the vendor and department often act like they are on the same team and IT is the roadblock, rather than the department and IT working as a team. The department, especially if they are clinical, but sometimes research too, has more clout than IT, because the trustees are from the medical professions and they are the final say.
Very early on in my career I got a stack of work orders. First I was told "they can't have windows 95 because their department hasn't been upgraded yet" (and there were internal reasons involving training and federation that meant each dept needed one or two people trained before it could be upgraded).
A week later the hardware arrived and I was told "they are getting Windows 95, OEM build, not ours" (which was a HUGE exception for them)....from that point on, every day I showed up to do something for them based on what we were doing yesterday, and every day they had already had a meeting that I wasn't privy too, and my department had made new concessions to them, totally changing what I was supposed to do ..... the ego maniac who was making them do all this, of course, just got mad at me for constantly doing the wrong thing, even though, nobody had told me the plans changed.
Eventually I heard, through more connected people than me, that he had a huge and prestegious grant and was threatening to take his grant and go to another institutiuon if they didn't give him everything he wanted....and he got it.
Now.... tell me how you control what you are using when the final say on policy comes from people who don't understand IT, and are willing to see it as a roadblock rather than part of their team? Believe me when I say there are a lot of people (not everyone of course) who know what they should be doing, and want to do things right, but, they lose a lot of battles.
Re:Meh... (Score:5, Interesting)
This is why some hospitals in the UK got hit hard by Conficker. Microsoft had patched the vulnerability months before, some systems were deemed 'too important' to reboot or suffer any downtime. As a result, they went unpatched and got floored when the shit hit the fan months later.
A system I was working on got hit badly by Conficker because we had a four month approval process for patches. We were still waiting for approval to install the patches when the whole network got infected.
Needless to say a much shorter approval process is now in place.