Slashdot Mirror


Botnet Attack Shuts Down Hospital Network

aricusmaximus writes "A California student is now facing felony conspiracy charges after unleashing a botnet attack that shut down the network of a Seattle hospital intensive care unit. This indictment comes a few weeks after another California man pled guilty to similar charges. Both attacks were attempts to make money off of adware affiliate programs. So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"

  1. Student's Fault by eldavojohn · · Score: 4, Insightful
    So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?
    The students, clearly.

    Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.

    I don't want to hear any psychology bullshit claiming it's not their fault--that it's society's fault for making them desire more money. I don't want to hear any bullshit that they didn't know what they were doing or the hospital should have had better security. This is an aggressive act against a public service--the internet. Computer savvy students implement code that shuts down many computers for the purpose of advertising profit. They didn't realize what they were doing? Oh, come on. Even if they didn't, it's a valuable lesson and a few less spammers to ruin the world when they graduate. Tough. You like computers? How about five to ten in federal-pound-me-in-the-ass prison?

    I'll bet they wished they had enrolled in Computer Ethics 101 before going on this capital venture. As an additional punishment, they should be forced to code software to stop stuff like this from happening and tailor it for medical equipment/computers.

    And what kind of intensive care unit is "shut down" when they can't use computers? It's not like their work would have to grind to a standstill. I don't want to sound like a luddite but are we really that dependent on computers? They're medical professionals, I hope they did just shut down and stop working when the computers crashed.

    This student is in deep trouble. He chose actions that had grave consequences and now he'll face the charges resulting from those actions.

    Inignot: Your stereo is now his stereo by way of my actions.
    Shake: Yes meatwad, with actions.
    --
    My work here is dung.
    1. Re:Student's Fault by OffTheLip · · Score: 4, Informative

      I agree with much of what you say with the exception of "And what kind of intensive care unit is "shut down" when they can't use computers?". The acute shortage of bedside nurses elevates computers and networks to a big player in short-staffed ICUs. Patient to nurse ratios are improved because of computers. Sure the ICU can continue to function but things would be hectic and possibly deadly for some patients.

    2. Re:Student's Fault by eldavojohn · · Score: 2, Interesting

      I agree with you completely.

      In fact, today we are treating many more patients and types of problems through the help of computers.

      To me, the phrase "shut down" means to close up shop. I know they didn't do this but it makes me wonder how much have hospitals suffered in capabilities by accepting automation?

      Advanced life support systems may need to be on the network to send signals. But what about the EKG machine? The intravenous drip? These things should not be dependent on computers yet I know from a friend who works in a hospital that IVs have small computers on them to regulate the flow. I hope to god they are safely restricted from internet access.

      --
      My work here is dung.
    3. Re:Student's Fault by tpgp · · Score: 3, Insightful

      Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.

      Hmmmmn, nice attempt to start a flamewar. I mean there's nothing like a gun analogy to get people to discuss things rationally is there?

      Anyway, back on topic. I think you need to understand shades of grey - the students are clearly most at fault for being the ones who actually caused the damage.

      However, the spy/adware companies are most certainly complicit - they operate in a manner where they encourage and facilitate botnets. To go back to your trollish example, it would be like if Colt were advertising guns as 'man killers' or 'the perfect sniper tool', selling armour piercing bullets, etc etc.

      Thirdly, whilst the hospital mightn't take any of the blame for this incident, it certainly raises questions about negligence in allowing a critical network to be so open. Returning to your analogy, it would be like a gun shop not properly securing its merchandise and then shrugging its shoulders when there was a massacre using firearms stolen from said shop.

      --
      My pics.
    4. Re:Student's Fault by strider44 · · Score: 5, Funny

      Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.

      Haven't you been reading the summary? It's the victim's fault for not wearing a bullet proof vest!

    5. Re:Student's Fault by malkavian · · Score: 4, Informative
      And what kind of intensive care unit is "shut down" when they can't use computers?

      I work in a hospital as one of the business continuity team; we keep the place running in the event of something just like this, and have to evaluate the problems that'll occur in an outage if it happens.
      ITU is dependent on having patient records, history, full charts and responses available in a very rapid fashion. When the computers go down, they don't stop working, just all the communications that happen near instantly suddenly have to be ordered from medical records, and use sneakernet, which is a massive time overhead. In time critical requirements, this may mean the difference between life and death.

      Fair enough, the hospital should have been more secure, but there again, it all comes down to how many admins they have on the job. I know my time is allocated (still) in a very small part on security. I'm pressing to have more allocated. And my budget for security tools is small. Hell, with the NHS budget cuts next year, we'll be lucky to have much budget at all. Still, it's improving slowly. I'm still not happy with it, which gives me more incentive to work harder on it.
      But anyone who would attack a hospital system has to be aware that lives are at stake here, not just a few pounds/dollars. In commercial places, I'd frequently warn people if I could work out who they were, or the admin of the systems they came in from if I couldn't. Eventually, I'd call the police if I believed they were being too persistent, as a last resort.
      In the hospital, I spot an attack, police will be warned promptly. No messing around. The place I work at saved my brother's life years back in ITU (when, by rights, his injuries should have killed him). I'm a little protective of the work they do, and the systems that let them do their job more efficiently. After all, they may just make that difference between life and death in the borderline cases, and every little win by the skin of the teeth means a lifetime to somebody.

      That was just a clarification, not a dispute. I'm behind you all the way in the sentiment you express. They're in trouble, and justly so.

    6. Re:Student's Fault by Mistshadow2k4 · · Score: 4, Insightful

      Making guns isn't really comparable to an adware company offering incentives to execute botnet attacks, imho. It would only be comparable if the gun manufacturer offered rewards for shooting people, which I've never heard of any doing. If someone takes out a contract on another person's life, we don't let them walk away and just punish the hitman.

      --
      I dream of a better world... one in which chickens can cross roads without their motives being questioned.
    7. Re:Student's Fault by v1 · · Score: 4, Insightful

      So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"

      YES

      Though not all to the same degree as I'm sure you would agree. The student is of course the one that chose to break the law, and is most directly responsible for his actions. He was influenced by the adware company that offered incentive to break the law, "conspiracy to commit felony" or some such law. It's not as severe of a punishment as the felony (usually) but it's still illegal and clearly wrong.

      "Blame the victim" is a more controversial issue. I believe that "gross negligence to protect one's own best interests" should in itself place a small amount of the blame on the victim. The world is not perfect, everyone is not honest, and you cannot possibly convince me that anyone in the world believes everyone around them is a saint. By not taking basic precautions when exposed to the general public, you dramatically increase your risk of becoming a victim, and that is your fault.

      If I leave my car parked for a week downtown with the doors unlocked and the keys in the ignition, I'd be quite surprised to find it there a week later when I returned for it. Am I the one that stole the car? Of course not. But did my actions (or lack of actions) knowingly contribute to the theft? Of course. Were they easily preventable? Of course. That's why many insurance companies will not insure against theft if you leave your car unlocked and keys in the ignition, they recognize that you invited unnecessary and excessive risk.

      I believe that the ones who so strongly resist blaming the victim are those that either have been victims in the past or that are afraid of becoming a victim, and believe that they have no responsibility to take care of themselves, and that the world should protect them. They are living in a fantasy world.

      Looked at another way, criminals prefer easy targets, and this is a known factor. By taking less precaution for your safety and security than the average person, you attract the criminals to you and increase your odds of becoming a victim. Choosing to do that has got to be considered an error in judgement.

      --
      I work for the Department of Redundancy Department.
    8. Re:Student's Fault by aelbric · · Score: 4, Insightful

      How can anyone even debate this? Two words. Personal responsibility. It should be a required class in all primary, secondary and higher education school systems.

      Returning to your analogy, it would be like a gun shop not properly securing its merchandise and then shrugging its shoulders when there was a massacre using firearms stolen from said shop.

      So the merchant is responsible for someone stealing his merchandise (an illegal act) and then psychoing out somewhere (another illegal act)? If someone steals a car during a test drive, goes out and gets hammered and plows through a line of school children, are you suggesting the dealer is at fault for not "properly securing their merchandise"? I'm having trouble seeing the logic here.

      --
      nos laetus epulor qui would domito nos
    9. Re:Student's Fault by sqlrob · · Score: 4, Insightful

      But beyond that, diagnostic instruments and otherwise are so complicated they need to be on some sort of computer system.

      On a computer system, yes.

      WTF do they need to be on the Internet for?

    10. Re:Student's Fault by loraksus · · Score: 3, Insightful


      The students, clearly.
      Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.


      The difference is that Colt doesn't pay people to fire their pistols in public. Now, this doesn't absolve the dumbass of any responsibility, but it sure as hell makes the adware company an accessory. Seriously, they didn't think anything was going on when someone gained 50,000 PCs in a couple of weeks? They knew and didn't give a shit because they were paid even more money by the people whose "content" (read: shit) they were serving up.

      Kneecap 'em both (yes, there are more than 2 people involved) - and I mean this quite literally, this sort of shit would get nipped in the bud quite quickly if we went IRA on them and used a makita drill (or would it have to be Black and decker, you know, for the whole "made in america" thing.)
      A couple hundred companies should also be knocking on the adware companies' doors, "politely" asking for a refund and leaving letters from their lawyers.

      And, to be quite honest, a couple sysadmins also need a kick in the ass with a steel tipped pointy boot. Why would your keycard system be connected to your network, especially in a hospital situation? To say nothing of the fact that the pager system got owned (from what I understand, pagers are sort of important to doctors in hospitals) and it seems that pretty much everything was disrupted because ~15% of their computers were infected.
      Not blaming them for the attacks, of course, but let's be serious, this was a pretty big screwup on their part. Then again, given hospital politics, it probably wasn't the sysadmin's fault, but a department head who has no training in IT, but does everything Toilet and Douche tells him to do.

      Finally, if by some small chance, Christopher Maxwell is reading this, I can only hope that in 15 years you will remember your job at WalMart and recall how it was the best job you ever had.
      Don't drop the soap, bud.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    11. Re:Student's Fault by basscomm · · Score: 2, Insightful

      At the hospital I work at, there are any number of reasons why a computer might be connected to the Internet. Perhaps someone might wish to visit the site of the CDC to get up to date information on some disease or other. Maybe the hospital offers training services via a third-party web site. Of course, they don't have full-blown access to the Internet, but they are connected for various legitimate reasons.

      --
      http://crummysocks.com
    12. Re:Student's Fault by TFGeditor · · Score: 4, Insightful

      Bullshit.

      I used to be on the "Microsoft sucks" bandwagon, but then realized that "security vulnerabilities" would not exist if there were no dirtbags exploiting them.

      No, vulnerabilities or not, it is not Microsoft's/Bill Gates' or Steve Jobs' or Linus Torvalds' fault when some criminal with a computer wreaks havoc on the internet or a private network. It is ALWAYS the criminal's fault.

      An unsecured system is no more an "invitation" to exploit than a short skirt is an invitation to rape.

      --
      Ignorance is curable, stupid is forever.
    13. Re:Student's Fault by MysteriousPreacher · · Score: 4, Insightful

      Returning to the gun shop analogy (since it seems to be popular). If the gun shop doesn't take the precautions required by law and someone steals guns to use in a crime then the gun shop is liable. The point though is that the gun shop is not to blame for the shootings but should be legally liable for the fact that it allowed its guns to be stolen because they didn't observe their legal obligations.

      If a car shop allows a visibly drunk man with no driver's licence to test drive a car then while not responsible for the deaths caused, they should bear some responsibility for fulfilling their legal obligations (assuming they have any).

      --
      -- Using the preview button since 2005
    14. Re:Student's Fault by loraksus · · Score: 3, Insightful

      Precisely. It sounds like (ok, this is going to be geeky as hell, but I'm going to do it anyways) someone could learn by watching a couple episodes of Battlestar Galactica.

      And I suppose they might need the internet for paging their doctors - since it is probably a third party company that has a laughably bad ("Oh look, we ported our paging app to java and can run it over the web! Goodie Golly!") interface - but I'm pretty sure it can be done a bit more elegantly and can be made a bit more resilient.

      What the fuck their keycard access system was doing on the same network as some of the infected computers is a complete mystery to me though.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    15. Re:Student's Fault by SCHecklerX · · Score: 2, Insightful

      If that network is so critical, then why is it so vulnerable???

    16. Re:Student's Fault by ninji · · Score: 2, Insightful

      I've got no choice but to agree. Even if it was in no way intentional to have anything relating to a hospital's systems, if you're going to do something illegal for profit, everything that happens as a repercussion is your responsibility. Direct or indirect, you are the cause for those actions, and in this case, it is quite direct.

      I could see his charge being lowered, for the hospital shutting down being unintentional, but should definitely still be a large amount of jail time. By this I mean, if I blow up large explosives in areas where nobody is for fun, it's a limited charge of recklessness and possession of such explosives. If I blow up a children's school trip bus on accident, it wasn't intentional, but I'm still going to jail for a long time and rightfully so. If that was the case, I shouldn't have been playing with bombs in the first place, they are dangerous and things like that can happen, thus my responsibility to take the punishment if something does.

      The same in this case, even if unintentional, he is still directly responsible for all the problems that happened as a result of it. He took the responsibility of making 100,000$ breaking the law, now he can take the responsibility for the people he hurt, put at risk, and put through that event (I'm sure if you're due for emergency surgery and the hospital is going HAYWIRE you're going to be a little traumatized).

    17. Re:Student's Fault by utlemming · · Score: 3, Insightful

      Shades of gray? Who to blame?

      Real easy: The principals are the conspirators. They are the ones that planned the attack, launched it, and used the tools. Personal responsibility is not mitigated by availability, opportunity or circumstance. Just because they saw how to use a tool in such a way does not make them any less guilty. The gun analogy here does not quite work. Why? Because the adware network had to be changed in order to get it to work. So there was more planning, work, testing, etc., which proves more culpability and the malicious nature of the act. In the case of a gun, you just load, point and click. In this case, an entire bot net was pointed at a target, programmed and then used to attack. It is a whole lot different than pointing one gun, it is the equivalent of pointing thousands of guns, and then firing them. Worse yet, it is the equivalent of pointing thousands of guns and then blackmailing someone by saying you won't do it unless they pay you not to do it. So sure they saw that they could do it. They did it. But that does not in any way mitigate their culpability.

      As much as I hate the adware people, they are just as much a victim too. Assume that the software was legitimately on the computers they hijacked, then this stunt was in violation of the computer trespass laws. Further, their software was reverse engineered, hacked and then used on a hospital in an attempt to get the money.

      So painting the hospital and the adware company as secondaries is foolish. When someone decides that they are going to exploit someone or something and use illegal methods to gain, everybody in the chain becomes a victim, regardless of their degree of contributing participation. If the adware company had the foresight to know that its software could have been used to do such a thing, then it would be reasonable to blame them, but I seriously doubt they did.

      Otherwise, rest the blame squarely on the shoulders of the principal attackers. Personal responsibility is what matters. The attackers used what they knew to exploit the tools.

      --
      The views expressed are mine own and do not express the views of my employer.
    18. Re:Student's Fault by cide1 · · Score: 3, Informative

      Because all software patches must be validated through an FDA audit procedure. You can't just go patch a computer that someone's life depends on. This case makes this procedure look funny, but you can't just put any software on medical equipment. I'm sure most people are aware of the case of the Therac-25. http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Therac_1.html

      I'm not sure what the real solution is, but I am sure who the criminal is. If the students didn't release malicious software, that network would still be up.

      --
      -- the computer doesn't want any beer, no matter how much you think it does. NEVER, EVER feed your computer beer.
    19. Re:Student's Fault by mortis_aeturnus · · Score: 5, Insightful

      If you believe that some of the hospital staff is not partially at fault, then you are either not a proponent of personal responsibility, or you are contradicting yourself.

      The criteria for responsibility is cause and effect. If one entity was not present or did not perform an action (or held an inaction), and the problematic event did not occur, then that entity is responsible.

      Victims should not deserve any benefit of lax criticism solely for being a victim. Furthermore, those who wrongfully claim to be a victim when they are not victims are clearly liars.

      In this case, the victim is not just the hospital. The victims are also the patients of this hospital. However, the patients were at more of a loss than the hospital itself. There has been little discussion of how the hospital staff should be protecting the patients from this attack. The staff is complacent in their inability to protect the integrity of the hospital and, more importantly, the well being of the patients.

      Consider the following examples. If a hospital did not use sterile equipment and patients become infected with a pathogen, should the hospital be responsible, or should the pathogen be responsible? By your logic, the pathogen will be responsible. However, the hospital is clearly at fault here.

      If a network of computers becomes zombies after an individual invades them, would you consider the owners of the computers to be at fault? Clearly, you might not. However the computers are similar to pets of an owner. If a pet kills a person, the owner is also at fault. Similarly, the owners of the computer(s) are also at fault because their property is being used, addendum a hypothesis that the zombies are to be used in an invasive act, should be partially responsible. If one does not believe that the computer owners are at fault, then one can not support laws of most Western societies in their entirety.

    20. Re:Student's Fault by RESPAWN · · Score: 2, Informative

      I provide IT services in the healthcare industry, including work at several different hospitals, so here's my perspective on the situation. That said, please note that I'm not 100% up to date on the most current technologies since the hospitals I've worked at hadn't implemented many of them.

      Most likely, the ICU wasn't "shut down". Instead, it's much more likely that only those computer systems used for ordering, transactioning, etc. were shut down. Please note that any life critical equipment is typically placed on a physically separate network from the rest of the hospital's computer systems. It is acceptable to put things like MRI machines and such on the hospital LAN, but patient monitoring devices will not be affected. If this is not the case for some reason and the patient monitoring equipment was put on the same LAN as the general computing systems, the IT staff and the hospital administration should be canned.

      Most likely the system most affected would be the hospital's ordering system. That is, the system that handles ordering medicines from the hospital's internal pharmacy. In an ICU, that shouldn't be as big of a deal, because 1) they should already be well supplied to handle any emergencies, and 2) unless the hospital is using VOIP (seriously doubtful), somebody can always call the pharmacy and tell them in person. The system won't be as automated as usual, but that shouldn't matter too terribly much. The simple truth is, despite our reliance on technology, every hospital should have a contingency plan in case the technology fails. If it's not a law, it should be. And if it's not a law and this hospital doesn't have a contingency plan, then the hospital administration should be sacked and the hospital closed down due to unsafe conditions. These are people's lives at stake and we need all of the safety nets we can get. The same goes for if the personnel aren't properly trained on the contingency plan.

      That said, this event will cost the hospital money. Mostly in personnel costs as they will undoubtedly require personnel to work longer shifts or extra shifts as they work to input the data collected during the outage (medicines administered, procedures performed, etc.) back into the hospital's computer system. In the end, that information needs to be entered into the hospital's systems if they want to get paid.

      As for blame, well there's plenty of blame to go around. Firstly, the administrator of the botnet should most certainly be sent to prison for his actions. What he did was illegal, and he sure as hell should know that. Secondly, the local IT staff should be partly to blame here. Nurses and doctors get bored, they surf the internet, and junk gets on their computers. If they don't have technological methods in place to protect against such occurrences (installing the latest patches, anti-virus/anti-spyware software, etc.), they should be dismissed and somebody more competent brought in. If the IT staff had proposed such measures, but they were shot down by the CFO for financial reasons, then the CFO should get the boot. The staff using the PCs should also be to blame since they were most probably violating hospital policy.

      Now... the reality. Hospitals are very political entities. More so than other environments I've worked in. I doubt anybody will actually get the axe, but sometimes shakeups and/or disasters like these are needed to show the powers that be that the resources previously requested are indeed necessary for the smooth operation of business.

      To respond to your assertion that his actions had grave consequences, they are most likely not as grave as the article would have you believe. It's just more sensational to claim that the entire ICU was "shut down" due to scary computer virii. (Is there such a thing as impartial, just-the-facts-ma'am reporting these days?) Most likely the ICU continued to function on their contingency plan using pen and paper just like they probably did only a few years prior. His actions were probably no graver than they would be with any other company that would experience lost productivity due to the loss of computer systems.

      --

      If Murphy's Law can go wrong, it will.

    21. Re:Student's Fault by xmundt · · Score: 2, Interesting

      Greetings and Salutations...

      For what it is worth, I feel I should point out that, in most cases, rape has nothing to do with sexual feelings. Rather it is a power trip where the rapist, through feelings of inadequacy and anxiety is terrorising a helpless victim. The length of the skirt does not matter, as there are thousands of cases of demurely dressed women being raped.

      Now...as to the topic at hand. It will be interesting to see what sentence Maxwell gets whacked with. I think the max is a bit over the top, actually, but, I could see the possibility of a suspended sentence, with community service, and supervised probation. Of course, the juveniles will, at worst, be stuck in jail until they are 18 (Perhaps a good paddling would be more effective...) In any case it sounds to me like they are nearly perfect Republicans, and a good mirror of American society. They seemed to be able to ignore the moral and ethical questions about damage to the systems they were taking control of, and seem to believe that the rules only apply to someone else. Would we feel any differently if they had managed to infiltrate a university system and cause disruption of class schedules, etc?

      As mentioned in other comments, there is plenty of blame to go around too. It sounds as if the sysadmins were woefully behind in keeping the network secure. While there is no comment as to what OS was being used, I suspect it was, indeed, Windows of some flavor. IF I was in charge of such a critical network, I would make damn sure that I had a real firewall between it and the rest of the world, and, that there were internal firewalls running on the various machines to keep things under some control.

      Of course, the fishing-net mesh of security holes in Windows keeps this a full-time job. Adding to that the fact that even today many sysadmins simply do not have a clue about good security procedures, makes this sort of disaster much more likely.

      Finally, I do lay some of the blame on the advertising model. While the whole idea of click-through charges can make internet advertising very attractive for the clients, it is a powerful incentive for greedy and unprincipled people to set up this sort of bot flood.

      How do we fix the problem? "don't use windows" is the easy, but alas, unrealistic option. Rather, sysadmins need to understand that security is not a mountaintop goal that we can reach, set up our lawnchair and kick back to enjoy the beautiful view! Rather, it is more like a 40 mile hike with full packs. All you can do is put your head down, and keep slogging along. The journey will, alas, unlike the hike, never end and, since the spammers and phishers and other scum continually find ways to get BY the security, we sysadmins have to continually patch the holes and update our fences.

      Regards
      Dave Mundt

      --
      YAB - http://blog.beemandave.com/
    22. Re:Student's Fault by Randseed · · Score: 4, Insightful
      I'm a physician and have worked in around seven hospitals, six ICUs, two pediatric ICUs, and one neonatal intensive care unit, among all the wards, clinics, and other random mechanisms of healthcare delivery. I can honestly say that the IT guys are damn, fucking, scarily incompetent. Some examples:

      One hospital, a major level 1 trauma center, has a medical record system that's almost entirely on computer. It actually works pretty well. The application runs under X11, and bounces off a server program which is basically a middle-end to some SQL database software. So instead of going out and buying some PCs, installing Linux or BSD on them, and running their app, they splurge and spend much more for these IBM workstations. Again, no big deal. Then, because they're worried about fires, etc., they have several fallback servers which are basically mirrored copies of the database clustered around the hospital. I was bored one night in the E.R., where one of these fallover servers is, and got sick of an AIX login prompt staring at me. "login: root" "password: " Boom. Root prompt. (And am I going to report this? HELL NO. "Hey, that doctor hacked the network! REPORT HIM TO THE STATE! AIEEEEE!")

      This same place at least did something sane. They have a bunch of Winblows machines running on their major network. They subnetted the AIX machines such that they can't access the Internet, and can only access the health information systems. The problem, however, is since now they had a bunch of Windows machines around that nobody ever used, they installed some kind of X11 server, and opened the network to these machines. So the AIX machines can't talk to the Internet. However, the Windows machines -- the one which are most likely to get infected with something -- can talk to the Internet and the medical records network with impunity. Oops.

      Another hospital installed a software package which was an IBM DB2 frontend of some sort, written in ncurses. It left some things to be desired, but worked okay once you got used to it. (I prefer CLIs, damn it!) For various reasons, there were mechanisms to directly access the SQL database -- free of auditing, access restriction, or anything else -- from within the CLI, provided that you had a database login and password. Normally what happened is that the client program had the DB login and password locked away somewhere, and merely "authorized" you to use it. So one day I hit the wrong button and accidentally tell it I want straight SQL access. This system used a period to indicate "Oops. No, um, take me back." So I hit a period. "Password: " Uh. Period. I GET SOMETHING SAYING MY PASSWORD HAS EXPIRED AND I MUST RESET IT! Since it won't let me out otherwise, I set it to "12345" and get the hell out.

      Two years later when I left that hospital, I checked on my last day. The password still worked.

      The point is that hospitals are run by the same kind of incompetent Devry dingbats that corporate America is. It's just that they don't know it. So I'm not surprised that this hospital's network setup was so bad that this kid managed to pull this off.

      I also think the kid is a supreme idiot, and given exactly what he did, I'd like to beat him with a crowbar.

    23. Re:Student's Fault by Randseed · · Score: 3, Interesting
      WTF do they need to be on the Internet for?

      My experience with most doctors is if you take away WebMD and PDR.net from a doctor and you got a very insecure individual. Seriously though, if it's a large hospital with multiple campuses (or even not) the EMR will probably require internet access. Anything critical such as monitoring patient's equipment etc is done over RF or rarely a separate isolated network.

      Agreed. But the way this should be engineered is similar to how I've engineered my home network and office network.

      All the networks connect to the Internet. All of them are incoming firewalled against everything except what I explicitly want. (A deny-default model.) My router NATs to the other machines on my home network. My WiFi connection is over a VPN. Any communication between the computers that touches the Internet or WiFi is VPNed. One off site system which acts as a router to a bunch of Windows terminals, a backup system, distributed computing system, and fallback server, will not accept ANY connections, and, at most, will merely route NATed traffic to the Windows machines so that they can use the Internet.

      As a result, I'm not worried about someone eavesdropping on my WiFi traffic, intercepting my traffic when I connect using my laptop from offsite, or anyone getting in at all really. The only access to the network on the incoming side is by OpenVPN and one machine which is running a chrooted SMTP server. The "secure" machines are unable to initiate connections outside except what I've explicitly allowed.

      So I'm not quaking in fear that someone is going to go hack my box. Incidentally, a security condition is that no Windows are on my network unless I have no choice, and if they are, they can ONLY talk to the Internet and back out; not to any of the internal machines.

      Now, why do I say all this? Because I'm a doctor, not an IT guy. The IT guys look at me like I'm some twit who just fell off the turnip truck. Maybe I did, but I sure as hell didn't hit my head in the process. Passwordless fallback servers, Windows machines which if infected act as a terrific bridge between the (insecure) fallback servers, EMR system, and the Internet, etc. It makes me want to barf.

      Oh, and why don't I say anything? I'll get blown off at best. At worst, I'll have some DeVry dipshit claim I "hacked the network." It's a sad, sad state of affairs.

      And yes, this thread pushed some of my buttons.
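
The bridging problem described in the two comments above (AIX machines cut off from the Internet while Windows machines may reach both the Internet and the medical records network), checked mechanically against a deny-default rule list. This is an added example, not part of the original thread; the zone names and both rule sets are constructed, and the model assumes a compromise spreads only in the direction a zone is allowed to initiate connections.

```python
from collections import deque

INTERNET = "internet"

# Constructed policies. Each pair is (initiator zone, target zone).
# Deny-default: any pair that is not listed is dropped.
AS_DESCRIBED = {
    ("windows_desktops", INTERNET),
    ("windows_desktops", "medical_records"),   # network opened to the Windows machines
    ("windows_desktops", "fallback_servers"),
    ("aix_workstations", "medical_records"),
    ("fallback_servers", "medical_records"),
}
SEGMENTED = {
    ("windows_desktops", INTERNET),            # Internet and back out, nothing internal
    ("aix_workstations", "medical_records"),
    ("fallback_servers", "medical_records"),
}


def exposed_zones(flows):
    """Zones that exchange traffic with the Internet in either direction."""
    zones = set()
    for src, dst in flows:
        if INTERNET in (src, dst):
            zones.update({src, dst} - {INTERNET})
    return zones


def shortest_path(flows, start, goal):
    """Breadth-first search along allowed initiations; None if unreachable."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, set()).add(dst)
    previous = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for nxt in sorted(adjacency.get(node, ())):
            if nxt not in previous and nxt != INTERNET:
                previous[nxt] = node
                queue.append(nxt)
    return None


def bridges(flows, protected):
    """Map each Internet-exposed zone to its shortest path into `protected`."""
    found = {}
    for zone in sorted(exposed_zones(flows)):
        path = shortest_path(flows, zone, protected)
        if path:
            found[zone] = path
    return found


def offending_rules(flows, protected):
    """Rules to remove so that no exposed zone can reach `protected`."""
    bad = set()
    for src, dst in flows:
        if INTERNET in (src, dst):
            if protected in (src, dst):        # protected zone itself is exposed
                bad.add((src, dst))
            continue
        if src in exposed_zones(flows) and shortest_path(flows, dst, protected):
            bad.add((src, dst))
    return sorted(bad)


if __name__ == "__main__":
    for name, policy in (("as described", AS_DESCRIBED), ("segmented", SEGMENTED)):
        print(name, "->", bridges(policy, "medical_records") or "no bridge")
    print("remove:", offending_rules(AS_DESCRIBED, "medical_records"))
```
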

    24. Re:Student's Fault by StikyPad · · Score: 2, Funny

      I also think the kid is a supreme idiot, and given exactly what he did, I'd like to beat him with a crowbar.

      First, do no harm.

  2. Who's at fault? by Anonymous Coward · · Score: 5, Funny

    So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"

    This is slashdot. The answer to that question is either Bill Gates or George Bush.

  3. So who's really at fault here? by Ooblek · · Score: 2, Insightful
    Sounds like a setup for a Chewbacca Defense.

    It is a pity that the US legal system is no longer about justice; it is now about what can be proven.

    1. Re:So who's really at fault here? by Anonymous Coward · · Score: 5, Insightful

      It is a pity that the US legal system is no longer about justice; it is now about what can be proven.

      I don't understand your comment. If you cannot prove a person is guilty, punishing them is not justice.

  4. The Perpetrators Are At Fault by Kurt+Wall · · Score: 4, Informative

    Suggesting that the hospitals are at fault for failing to secure their networks adequately is asinine. The perpetrators are at fault. Adware companies might provide incentive and the hospitals evidently need to secure their networks, too, but culpability lies solely with the two defectives who committed the crime.

    1. Re:The Perpetrators Are At Fault by jcr · · Score: 3, Insightful

      Suggesting that the hospitals are at fault for failing to secure their networks adequately is asinine

      No, it's a well-established legal theory, known as "contributory negligence". The perps are the main culprits, but it's quite likely that the hospital and several of their vendors will end up tapping their liability insurance to the tune of some millions of dollars.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    2. Re:The Perpetrators Are At Fault by Mark+Hood · · Score: 4, Insightful

      [C]ulpability lies solely with the two defectives who committed the crime

      So do you lock the front door when you leave the house?

      Yes? But why, surely it's not your fault if someone comes in and takes everything, it's entirely their fault, no?

      Lock your car too? Use passwords on your PC? Do you walk along flashing your cash at all and sundry?

      You're right, it's the choice of these kids to break the law - but a hospital ought to 'lock the doors'... Not least because if they have a system that literally controls whether people live & die, they should not let just anyone have access to it. I want to know why the Intensive Care unit was on the Internet at all. If ever there was a system that should have an 'air gap' to the real world, it's that.

      And the people saying 'the hospital isn't to blame any more than a woman in a short skirt is to blame for being raped' - it's not about blame, it's about responsible actions. If a woman dressed provocatively walks home alone on darkened streets, of course she does not want to be raped, but she has to appreciate it raises the likelihood. Rapists exist, and every woman has a duty to herself not to make herself a target. Criminals exist, and every person (institution, business) has a duty to themselves (and their customers) not to make themselves targets too. If you walk down the street with your iPod in your hand, a mugger is more likely to target you than if you don't - doesn't mean it's not his fault, just that you didn't try and protect yourself.

      Agreed, the 'short skirt' argument shouldn't get the rapist a lighter sentence, just because his justification was 'she was asking for it' any more than the hospital being insecure should reduce the penalty on these cretins. But I hope the judge says 'you see the scum that's out there? Be smart, be safe, and don't take the risk'.

      It's possible for both sides to be at fault - but that seems to elude a large number of the Slashdot 'group thinkers'. Lock these guys up as long as you like, but if you don't also get the hospital to wise up then it's pointless - there's a never ending collection of criminals out there... and next time someone could die.

      Mark

      --
      Liked this comment? Why not buy me something nice
  5. common factor .... by 3seas · · Score: 2, Interesting

    computer industry....software...

    the analogies that others might post in this thread may not consider the possibility of doing it all different such that these problems either likely won't exist or they can't.

    Want protection from internet problems? Don't connect to it. But even the International Space Station has had its computer problems.

    Life support and computers......hmmmmm....

  6. The students, of course by SoupIsGoodFood_42 · · Score: 2, Insightful

    What kind of idiot would blame the other two? No matter what motivates them, or who makes their job easier, they are the ones who are ultimately responsible for their own actions.

    1. Re:The students, of course by ultranova · · Score: 2, Insightful

      What kind of idiot would blame the other two?

      The kind of idiot that thinks that a hospital, being responsible for the wellbeing of its patients, was negligent in guarding that wellbeing? Or that the adware scum were perhaps being just a teeny bit guilty for offering a reward for illegal activities?

      No matter what motivates them, or who makes their job easier, they are the ones who are ultimately responsible for their own actions.

      The students are responsible for their own actions. The hospital is responsible for neglect in a position where such neglect may result in deaths. The adware companies are responsible for offering a reward for illegal activities.

      Think of it this way: if I run a nuclear power plant, and make the main reactor controls available from Internet, am I guilty of something when someone hacks the reactor to explode? And if I put out a bounty on someone's head, am I guilty of something when some hitman takes the offer and kills the poor bastard?

      Of course the hacker and the hitman are responsible for their own actions, but that certainly doesn't make me innocent.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  7. All three + few more by luvirini · · Score: 3, Insightful
    If you do not lock your network/car/house you are looking for trouble..

    if you make promotions that encourage antisocial behavior you should be ashamed..

    if you try to steal money from above promotions by using above holes you are of course a thing called criminal.

    And the extras: Companies making unsecure products..

  8. It can't be networked... by caluml · · Score: 2, Insightful

    Surely the actual ICU equipment isn't networked at all, and this just inconvenienced the admin and support staff in that dept?

    1. Re:It can't be networked... by loraksus · · Score: 2, Interesting

      Surely the actual ICU equipment isn't networked at all

      Sure it is. If someone flatlines, the attending gets a page. Furthermore, like someone said, it is pretty simple to throw 20 ekg's on a 24" lcd and monitor all the patients in the ward from a single location. And, of course, they have alarms that go off when someone flatlines too.

      Now, there is a way of doing this and isolating it from the Internet (aka, The Right Way). There is also a Really Wrong, No Seriously, How Goddamn Stupid Do You Have To Be To Do It That Way.

      I really don't know why the door access was compromised. Maybe they ran it over the same network, maybe their access server got hit by the adware, it ultimately doesn't matter. It should be on a separate set of wires, and really, should be an almost standalone system.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  9. At fault: all three by hellfire · · Score: 4, Insightful

    All three are to blame, but to different degrees.

    The students should be taken out and beaten. Anyone with any level of computer knowledge these days should know such activities are both highly immoral and illegal. This isn't stealing MP3s. And to attack a hospital? How thoughtless can you get? However, it's easy to be tempted by this type of thing, while these students got caught, many more got away with it at some point.

    The Hospital should be scolded, but it's hard to know just from the story to what degree. It could range from a slap on the wrist to a lawsuit. If they had good computer security, then the students were just good at getting through. If it was bad computer security, then they need to step up and admit it. In any case, they are a hospital that appears to be running Windows to control their sensitive security systems. Bad choice, and that alone warrants one finger pointed at the hospital, if it's true. However, many hospitals are notoriously underfunded. In any case, I hope the IT staff of the hospital reviews this situation and revamps their software to minimize this risk in the future.

    The adware makers should all be taken out and shot. They are the immoral facilitators and the ones who should take the most blame. They are the modern day equivalent of drug dealers. They didn't kill the person taking their drugs, but they knew it eventually would come to that, and they never stopped selling. They put all the risk for the crime on the students, knowing full well they could get caught, and that someone else's computer system would be seriously damaged. Something very gruesome and painful should befall them, before execution.

    --

    "All great wisdom is contained in .signature files"

  10. shameful suggestion by jdwclemson · · Score: 3, Insightful

    Is there no end to the chaotic suggestion that the victims are at fault? People SHOULD lock their doors, they SHOULD keep their children from strangers, they SHOULD avoid walking down dark alleys late at night. That doesn't mean they are the ones at fault with the burglar, rapist, or thug attack. When you even suggest the fault lies with anybody but the attacker, you only validate them as being victims of loose security. This breeds contemptible statements such as "it wasn't my fault I killed the man, he should have had a gun to stop me". Absurd? I agree, Zonk's suggestion certainly was.

  11. Stupid question by SmallFurryCreature · · Score: 4, Insightful
    So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?

    Note that what follows below is only based on RTFA which as usual when dealing with mainstream press reporting on tech may be wrong or inaccurate or indeed made up on the spot. Nonetheless based on this I conclude the following.

    That the student used zombie computers to install adware software that would then generate 'hits' for the student's account so that he would be paid. He was using computers he did not own to defraud adware companies by generating false ad hits. This is a well-known fraud dealing mostly with pay-per-click style ad schemes.

    So who takes blame here and for what? Funny enough that the 'question' left out the first and most obvious culprit.

    • Microsoft for creating an OS that never bothered with security. How do I know it was windows that was hacked? Because everyone knows just how many ad programs there are that run on the various Unix-like OSes out there.
    • The hospital for not buying proper software, anything not made by MS, and not properly securing their infrastructure. Yes criminals are to blame for breaking in but you should still lock your house.
    • The adware companies really ain't to blame that much. They are the victims here. The only blame they share is like with the hospital in that they do not properly secure their operations to guard against fraud. But since they are the ones who lost money by paying for fake advertising they are the victim.
    • And finally the student. Well it is clear he is a criminal, he took computers that did not belong to him and used them to defraud a third party (the ad companies) for his own personal gain. He is not just some hacker who got caught playing around, he was doing it for the money. I doubt very much he is in fact a hacker, more likely he just used readily available tools to do the work for him. This makes him a simple criminal.

    I am amazed that MS was not mentioned as one of the culprits. How often does their software have to lead to crap like this before people will finally ban it for any serious use. Would we accept a hospital that used say oxygen bottles filled by the local scuba diver club? Use alcohol produced in someone's bathtub?

    I would very much like to hear that the person responsible for that hospital's computer systems is fired and never allowed to work again. Yes the student is the criminal here who deserves jail time but a sysadmin who installs windows deserves the chair. And yes I would be happy to throw the switch. Hell I would be happy to pedal on a bike to generate the electricity.

    If I sound a bit biased against MS it is because I have once again been drafted in working on some piece of crap MS setup because some MSCE idiot made a nice sales pitch. Why don't you just put a sign on your server "Own me!" and be done with it.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  12. Before you blame the admins... by NorbrookC · · Score: 4, Insightful

    Yet another slashdot thread where everyone immediately starts screaming "Linux!" "BSD!" the second they hear the term "security breach". Of course, it'd be nice if there were actually a lot of applications for healthcare that run on those OSs - which there aren't. OSS is pretty thin on the ground when it comes to this field.

    Why don't you look and see what's involved in hospital IT? I've been there, and it's a major headache for admins. You have administrators who don't really know much about computers and doctors who are frequently the biggest prima donnas in the world when it comes to getting what they want, in a corporate culture which caters to them.

    Add in software developers who frequently have no clue as to what's actually needed, how to make a useable UI, and how information flows in a healthcare setting. But they have a hell of a sales pitch to the doctors and administrators, and you're the one who has to make it work.

    Now try to secure it. Really! Wait until the first time Doctor X decides they're going to install their personal software on the workstation. Never mind that supposedly they're not allowed to do that - they'll do it anyways and then scream at you when you take it off. Take a wild guess as to who the hospital's going to back!

    It's easy to blame the IT people, and the use of Windows, here. Wrong, but easy. They picked it up pretty quickly, and dealt with it. I'm sure they'd have loved to have more control, but unfortunately it's a question of what you're allowed to do, not what you want to do.

    1. Re:Before you blame the admins... by DerekLyons · · Score: 2, Interesting
      Yet another slashdot thread where everyone immediately starts screaming "Linux!" "BSD!" the second they hear the term "security breach". Of course, it'd be nice if there were actually a lot of applications for healthcare that run on those OSs - which there aren't. OSS is pretty thin on the ground when it comes to this field.
      It's not just healthcare apps... The vendor of the vertical app my wife (who is the comptroller) uses in her business is switching from Linux to Windows - because their TCO is *higher* under Linux. The vendor is tired of supporting the OS as well as the app, and the businesses that run the app are tired of not being able to slide over to $BIG_BOX_STORE, buying a box off the shelf, and being able to drop it on their network. (Instead they have to buy the box from the vendor - who wants to be in the software business, not the hardware business.)

      Linux may be 'cheaper' for the individual geek, or the large business with a dedicated IT staff - but for the middle sized and small business it's a different kettle of fish.

  13. A non-technological analogy by MrNougat · · Score: 2, Insightful

    Let's say I have a car with a nice stereo in it. I leave the car unlocked all night, and in the morning discover that the stereo is missing, having been ripped out of the dash with what I can presume was a crowbar.

    The crowbar company is not at fault. I am not at fault, even if I am stupid for having left the car unlocked. The thief is at fault, the end. My leaving my car unlocked does not give anyone the right to enter my car for any reason.

    Just because computers are involved doesn't mean the rules change. If someone sent you a piece of postal mail touting P3N1S ENLARRGMNT, you would throw it away immediately, but for some reason, when it's sent via email, it carries more validity.

    --
    Web 2.0 == Giant Blogspam Circle Jerk
  14. The doctors are at fault by mangu · · Score: 2, Informative
    You have administrators who don't really know much about computers and doctors who are frequently the biggest prima donnas in the world when it comes to getting what they want, in a corporate culture which caters to them.


    Then it's very obvious that the doctors are at fault. A doctor who doesn't scrub thoroughly enough before performing a surgery cannot blame the infection on the germs. A hospital that relies on a computer system that isn't secure enough cannot blame the crackers.


    Microsoft software shouldn't be allowed in hospitals for the same reason pets aren't allowed in surgery rooms. A doctor who insists on having his MS-Windows computer connected to a critical hospital network is like a surgeon who insists on bringing his pet labrador into the surgery room. They may love their software and they may love their dog, nothing wrong with that, but when other people's health and life are at stake they are responsible for taking the best precautions, even if it causes them some inconvenience and even if they must follow instructions from people they consider intellectually inferior in some way.

    1. Re:The doctors are at fault by NorbrookC · · Score: 3, Insightful

      Microsoft software shouldn't be allowed in hospitals for the same reason pets aren't allowed in surgery rooms.

      Nice - but do you know how little software for hospitals is available that doesn't require Windows? I'm serious. I know a lot of healthcare IT people who'd love to be able to move away from Windows, but you can't work with something that doesn't exist. Which is the state of OSS - and even the various closed *nix systems - in this area. Not enough applications.

      A doctor who insists on having his MS-Windows computer connected to a critical hospital

      That doesn't stop them from bringing in their own software disks. I spent a lot of time when I worked in a hospital IT setting, removing screensavers which took over all the workstation resources ("but it looked cool!"), AOL ("I wanted to check my e-mail") and various viruses ("I was working on this at home, and...") All of which was against hospital policy. The computers didn't even have modems, but that didn't stop them. These were all things that would have gotten a desk clerk fired in a heartbeat, but the most you could do to the doctors was to politely request that they not do it again.

      A hospital that relies on a computer system that isn't secure enough cannot blame the crackers.

      Absolutely you can blame the crackers! Just because I left my front door unlocked doesn't give you the right to walk into my house. Point out that I forgot to lock the door, fine. Anything else is not.

  15. When my dad was in a cardiac ICU by Intraloper · · Score: 3, Informative

    all the monitoring info was radio relayed to a monitoring station at the central desk, where a single nurse monitored it full time. The unit had a staffing ratio of one nurse per three patients; the monitoring nurse was one of them. If they had lost that connection, they would not have had sufficient staff to keep every patient adequately monitored. They didn't have sufficient staff to personally monitor the patients anyway, even with the electronic monitoring helping them out. The nurses were acutely aware of this, and were not happy about it.

    1. Re:When my dad was in a cardiac ICU by Dashing+Leech · · Score: 3, Interesting
      "If they had lost that connection, they would not have had sufficient staff to keep every patient adequately monitored."

      Hmm. Interesting. I work for a NASA contractor and the safety systems need to be 3 failures deep to go without being addressed as safety hazards, and that includes non-life-threatening risks (like laser damage to eyes). The above described scenario is one failure deep to become life-threatening. It's interesting that we put more emphasis on astronaut safety, who volunteer for dangerous jobs, than we do for ICU patients.

    2. Re:When my dad was in a cardiac ICU by TeraCo · · Score: 3, Insightful

      If you'd thought about it, it would be obvious why this is the case. In the case of NASA, if it wasn't safe people wouldn't volunteer. In the case of ICU, you're never going to have a shortage of 'volunteers'.

      --
      Not Meta-modding due to apathy.
  16. Who is to blame? by desertrat_it · · Score: 2
    "So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"

    In order, I would rank:

    the student

    the adware companies

    the hospital IT staff

    THE STUDENT (80% blame)

    has no excuse for his actions. He deserves the prison sentence he will no doubt get.

    THE ADWARE COMPANIES (15% blame)

    Just when I thought they could not be any more despicable, they prove me wrong. (One of the tasks I deal with is cleaning up, or even re-imaging, spyware infested Windows PCs.)

    THE HOSPITAL IT STAFF (5% blame)

    Come on! What were they thinking of when they exposed such critical, sensitive systems to the internet! I have previously worked in a company where some people had two PCs on their desks - one with internet access, and the one with the sensitive info was NOT exposed to the internet, even via a firewall!

    Hopefully the hospital will have a "lessons learned" roundup in a non-confrontational manner, looking at the mistakes made, and revise their IT security policy accordingly. Hopefully, there will also be no firings - it is more important to learn the lessons than to fire a scapegoat.

  17. We're at fault by Simonetta · · Score: 3, Insightful

    We are the ones who are responsible. Because, we, the technological elite, have done nothing to prevent this type of situation from occurring. And we have the power to do so. But we don't have the spine to accept our responsibilities for the technology that we create.

        Who should go to jail or at least get tossed out of school? The students of course. For unleashing deliberately an uncontrolled technology for profit without making any preparations for the consequences.

        If you are a chemical company and you dump poison into a stream or pump it into the air to get rid of industrial surplus, and this directly causes death and destruction, then you are responsible (at least in the civilized world). You make sure of the effects of what you do before you do it.

        Same with software. The days are just about over where people will accept unwanted consequences of bad software as unforeseen 'acts of God'. The time is coming to an end where you can publish any junk with a tiny print disclaimer stating that you as the software creator are not responsible for anything that the software does.

        Same with malware. The software company that put out this adware program should be sued out of business, and the programmers should be blacklisted for creating an application that was outside of acceptable guidelines. And we as the technical elite should set and enforce the guidelines. This is an idea whose time has come and no one else can do it but us. This is the only way that this type of thing will stop. And if the adware program sellers don't like it, too bad. We created the net; we control the net; we take responsibility for what assholes do on the net; we punish the assholes who don't follow our guidelines. That is the way it should be. It would improve the position and respect that geeks get in society.

        Blaming the hospital is like blaming 911 equipment makers for the situations that caused people to call 911 (an emergency telephone code that contacts help in the USA). No one would blame electrical equipment manufacturers for the acts of a criminal deliberately cutting the power in a hospital.

  18. Why do they need the internet in the first place? by atomic_toaster · · Score: 4, Insightful

    Let's set the argument regarding who is at fault aside for a moment. Let's even set aside the "this wouldn't have happened on a non-Microsoft OS" hyperbole. My main question is this:

    WHY WERE THE HOSPITAL'S COMPUTERS CONNECTED TO THE INTERNET IN THE FIRST PLACE?

    I can't think of a single reason that the computers containing confidential information, personal medical records, and systems necessary for the day-to-day running of the hospital weren't on a stand-alone network in the first place. There are probably some tools that require internet connection, but why weren't these tools run on separate computers? It's fairly easy to transfer data from an internet-connected computer to a non-internet-connected computer (and vice-versa) with floppy discs, removable drives, CDs, DVDs, etc. It may create a small extra step every once in a while, but it's not like the dangers of computers being hacked over the internet are unknown. Even if it did not create an ethical dilemma to have patient records possibly available to a competent internet hacker, the threat of massive lawsuits should such information be stolen should be enough to create some justifiable paranoia about internet attacks. Also, if someone had died because of a slowing of communications within the hospital due to the current hacking, the hospital probably would have been faced with a wrongful death suit. Whether the hospital lost such a lawsuit or not, it would still cost a lot of money and affect the bottom line.

    Come on, people, this should be a case of enlightened self-interest. It may be the robber's fault if the robber comes into your house through an unlocked door, but the insurance company won't cover your losses if you left the door unlocked. Locking your doors can be a bit inconvenient if you have to get the door open again while carrying an armload of groceries, but it's worth the security in the long run.

  19. It's web of stupidity. by Inoshiro · · Score: 2, Insightful

    "So who's really at fault here? The students?"

    Yup. Motive, means, opportunity. S/he went ahead and performed a crime. This is the easiest to prosecute under the very slow-to-adapt laws that exist at the moment.

    "The hospital for not securing their computers and network?"

    Yup. Not taking due care with patients' lives is a felony, IIRC. This is as bad as not requiring your doctors to have a degree or wash their hands. The hospital is lawfully required to set safe standards.

    "Or the adware companies for providing the incentive?"

    Yup. These folks are guilty of a different crime, but still guilty. I don't know why there aren't more police arresting people and charging them with theft of service. Ad-ware is almost exactly like spam in terms of its side effects and damage.

    Everyone is guilty! Only the student will be prosecuted, unless some smart lawyers get on it.

    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  20. Shades of (blame) grey... by Shoten · · Score: 3, Insightful

    The students are at fault, above all else. But I can't believe that the IT department of the hospital was so incredibly foolish as to put everything on the same network. Access control for the doors, computers in the ICU, the system that handles paging doctors...all on the same net instead of broken out by system? What the hell? Did the system at the nurses' station in the ICU NEED to have direct connectivity to the card reader on the door?

    I don't think for an instant that the students who exploited systems at the hospital are in any way excused by the fact that the hospital set themselves up for a good hard screwing once they got exploited. But anyone...ANYONE...in a role of designing networks and systems needs to face the facts that such people do exist, are out there, and are very busy. You have to plan for certain "what if" situations, and this is a textbook example of one such scenario. That the IT department of the hospital put all of their eggs into one networking basket as they did is utterly inexcusable, and they too share some blame for planning a system on the proverbial assumption that there are no bad people in the world.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  21. -1 Totally Wrong by dustmite · · Score: 3, Insightful

    but then realized that "security vulnerabilities" would not exist if there were no dirtbags exploiting them

    Yes they would - security vulnerabilities are defects/holes in the software and they would exist regardless of whether or not they were exploited. (If a lock manufacturer makes locks that are easy to pick, those locks are easy to pick regardless of whether anyone actually uses that fact to break into something. Your 'tree falls in a forest' logic is wrong, unless you believe in 100% relativism, which anyone who has ever bumped their toe against something in the dark will be able to tell you is nonsense.)

    Perhaps you were thinking of "exploits". But if you can't even get the most incredibly basic security terminology right, I'm not sure you are qualified to be saying anything about computer security at all.

  22. STRAW MAN! Patients - not hospital are victims... by hung_himself · · Score: 2, Interesting

    Of course the students and adware companies were wrong but the scariest part of it was that the hospital - is getting off so easily - even in the land of geeks. What would be the reaction if the hospital had left its records, medications, instrumentation out in the open and physically rather than just electronically accessible to the public? If someone had died - who do you think would be sued - the idiot who tried to pawn the heart monitor or the hospital for leaving it on the street?

    For those not familiar with the health system here - it is a private one. The motive for hospitals is to maximize profit while minimizing costs. Since there is relatively little public accountability through the government, and individual patients are largely unaware of the relative quality of hospitals, health care insurers are the ones that keep costs from getting too high and malpractice suits keep quality of care from getting too low. Mistakes can cost money - but admitting mistakes can cost a lot more and thus the level of cover-your-butt here is amazingly high.

    In such a CYA environment, I question two things - the assertion that no one was hurt - and that the bot attacks were the ones that brought the network down. Both of these things may be true but are also things that administrators would say to prevent lawsuits. The fact that the staff was able to adapt so well to the computers being down suggests to me that this is not the first time that it has happened. In any case, there is no question that the computer network is poorly set up and that is almost certainly the fault of the administration. The docs can get away with small things like putting screensavers on their machines but it would take a high level admin who wanted to save money by using the same OS across the board and/or wanted remote connectivity so that his crackberry could work more easily to really screw things up. If there are lawsuits - things will probably change - not necessarily to do things in a sane manner - but so that they can't be sued. The same calculation (effect on lawsuits) will also be used to decide whether and who will be fired/scapegoated over this - and it won't be the admin with the crackberry. At worst he/she might be made to go on a junket to Japan to learn how to run a hospital more like an automotive assembly line...

  23. Who's at fault? All of them! by kavau · · Score: 2, Insightful
    "So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"

    How about "all of them"? Our society likes to attribute guilt to a single party (or even a single person, aka scapegoat) whenever possible and convenient. Makes the task of appearing to make progress and fixing things much easier, I guess.

    Shit happens when idiots collide.

  24. dumb question by pci · · Score: 2, Insightful

    who is guilty?
    The students are guilty
    Adware companies are just scum
    and well the hospital has a small case of stupidity

  25. Another analogy: by Ungrounded+Lightning · · Score: 2, Insightful

    Hear hear. There's plenty of fault to go around.

    Here's another analogy that should make it even clearer:

    A bank puts its customers' deposits in a bushel basket behind a non-armor plate-glass window and closes for the night. A thief comes by, breaks the glass with a hammer, grabs the money, and runs.

    Who's to blame?
      - The bank?
      - The thief?
      - The manufacturer of the hammer?
      - The manufacturer of the plate glass window?
      - The car dealership selling the luxury car the thief wanted?

    It's pretty obvious to me:
      - The thief, for breaking in and stealing the money, and
      - The bank, for not exercising due diligence in protecting its depositors' money.

    The same with the hospital, which has an obligation to exercise due diligence in protecting its patients' health and the infrastructure which directly affects the provision of its medical treatments.

    Yes the student was at fault, too. But it's a big wide world out there. With something like five billion people in it and a significant fraction of them having network access, there are plenty of bad and/or irresponsible people with a network presence.

    This constitutes a threat as pervasive as weather, or disease. It's up to people who run institutions like banks and hospitals to take this into account. They must take reasonable precautions to protect the health - physical or financial - of the people who have entrusted it to their care.

    Microsoft software is NOT rated for life-critical applications and its security flaws are well known. What the HELL was a hospital doing putting life-critical information on it, or letting it share a network with life-critical systems AND the rest of the internet?

    I don't know about the rest of you. But just as I wouldn't deposit my money at a bank that leaves it sitting behind a plate-glass window overnight, I'm not going to schedule any medical procedures at a hospital that let this happen, then gave no visible sign of accepting any responsibility for the failure, blaming it entirely on the intruder.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  26. Re:Here's one scenario: by Randseed · · Score: 2, Interesting
    Considering that the various entry points need to communicate back to the central server ... and there's already all this cat5 cable run for the network ...

    Some "genius" decides to save money (always a good plan) and use the existing cable system to enable communication between the entry points and the security computer.

    You can laugh all you want, but my boss right now would take the savings and rely upon me to make sure that everything else was fully patched, anti-virused, locked down, etc.

    After all, I'm salaried and hardware / cable installation costs real money.

    The sad part about it is that even that isn't an excuse. What I'm about to suggest is far from perfect, but eliminates most of the attacks from dime-store techno-weenies.

    You have one cable. That cable is going to run between the keycard entry system, the monitor bank, the EMR system, and Windows machines which are chilling out, vulnerable as all hell, and generally being bad citizens. So you assign 10.1.1.0/24 to the keycard system. You assign 10.1.2.0/24 to the EMR system. You assign 10.1.3.0/24 to the monitor bank. You assign 10.1.4.0/24 to the Winblows boxes. You buy a $300 machine from Best Buy, say an AMD 3200+, and install Linux on it. Run the damned thing into a switch. Have the Linux machine only route data appropriately. In other words, it is going to section the subnets.

    Now, you're still vulnerable to various attacks. I wouldn't suggest otherwise. Some ARP attacks come to mind. But this eliminates 99% of the attacks out there. Even if the Windows machines are infected all to hell, the Linux machine won't route 10.1.4.0/24 to 10.1.1.0/24, 10.1.2.0/24, or 10.1.3.0/24.
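
The routing policy described in the comment above, written out as an added example (not part of the original comment): a script that prints an iptables-restore ruleset for the Linux router with forwarding denied by default. The subnets are the ones from the comment; the single allowed flow (monitor bank to EMR on TCP 8443) and the log prefix are assumptions for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the four subnets
# named in the comment. Nothing is applied; the rules are only printed.
KEYCARD=10.1.1.0/24
EMR=10.1.2.0/24
MONITORS=10.1.3.0/24
WORKSTATIONS=10.1.4.0/24

# Assumption (not from the thread): the only cross-subnet flow that is
# needed is the monitor bank writing to the EMR system on TCP 8443.
# Format: one "src dst proto port" entry per line.
ALLOWED_FLOWS="$MONITORS $EMR tcp 8443"

gen_ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'     # access to the router itself is not covered here
    echo ':FORWARD DROP [0:0]'     # default deny: unlisted routed traffic is dropped
    echo ':OUTPUT ACCEPT [0:0]'
    # Explicit, logged drops first, so no later rule can re-open these paths.
    for dst in "$KEYCARD" "$EMR" "$MONITORS"; do
        echo "-A FORWARD -s $WORKSTATIONS -d $dst -j LOG --log-prefix \"seg-deny: \""
        echo "-A FORWARD -s $WORKSTATIONS -d $dst -j DROP"
    done
    # Replies to connections that an allow rule below admitted.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "$ALLOWED_FLOWS" | while read -r src dst proto port; do
        [ -n "$src" ] || continue
        echo "-A FORWARD -s $src -d $dst -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

gen_ruleset
```

Check the output with `iptables-restore --test` before loading it, and enable `net.ipv4.ip_forward` on the router. The rules only govern traffic routed through the Linux machine, so hosts sharing one switch segment still need separation at the switch (for example, VLANs).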