Slashdot Mirror


Hospital Equipment Infected With Conficker

nandemoari writes "Recently, the Conficker/Downadup worm infected several hundred machines and critical medical equipment in an undisclosed number of US hospitals. The attacks were not widespread; however, Marcus Sachs, director of the SANS Internet Storm Center, told CNET News that it raises the awareness of what we would do if there were millions of computers infected in hospitals or in critical infrastructure locations. It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access. A patch was released by Microsoft last October that fixes the problem, but the computers infected were reportedly too old to be patched."

9 of 289 comments

  1. Any lawyers here by clarkkent09 · Score: 4, Interesting

    So if a patient dies due to a (computer) virus and the virus writer gets caught can he be charged with manslaughter or something?

    --
    Negative moral value of force outweighs the positive value of good intentions.
  2. Re:Does it bother anyone else..... by Brett Buck · Score: 4, Interesting

    Does it bother anyone else that "critical medical equipment" was running Windows NT or 2000? Don't get me wrong - I like to bash MS as much as the next /.'er but XP is almost to sunset - Shouldn't they be running something a little newer?

    For a life-critical system they probably shouldn't be running ANY version of Windows. But once you get past that issue, if you have tested it sufficiently to permit people's lives to depend on it, retesting it to the same standards on first Win2000 and then XP is a non-trivial effort, and might not even be possible without massive changes. So you would be sorely tempted to leave it alone. Presumably, since it's the same code, it doesn't need any more "features" or performance. So porting it provides no value.

    A better question is whether or not it's a good idea to have the damn thing hooked up to the internet so it could *get* Conficker in the first place! Well, actually, that's not a question, since it's obvious...

    Brett

  3. Re:Old Computers by BSAtHome · Score: 5, Interesting

    Medical equipment has a very long lifespan. Many devices for measurement and monitoring are used for 10 to 20 years before replacement. The general policy is "if it works, don't fix it and, more important, do not touch it".
    The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.

  4. Re:Old Computers by painandgreed · Score: 5, Interesting

    It's not like they can just upgrade the computer. The computer is running software that goes with specialized equipment. They'd have to upgrade everything if they upgraded anything, and with that you could easily be talking millions of dollars. That might not be really needed, as the machine should run just as well as it did when they bought it if it hasn't broken. If it's a smaller hospital, they might not have the budget to replace non-broken machines that still perform within needed specs, especially in this economic climate. Add in that some of these machines need to be FDA tested and are only supported by the manufacturer, and that makes it even more expensive and harder to upgrade. Then, on many of these machines, the users might not even know they're running on NT4, as the software they run takes up the entire screen and they never actually interact with Windows at all.

    I work in healthcare and I'm not surprised at all. Within the last year we just got rid of a Win95 system that was still talking over Novell networking, our VAX system, and a bunch of Sun SPARC stations. We still have plenty of Win2k and probably some WinNT4 around. We also have one of the most advanced setups in the country, but legacy systems still exist for lots of reasons. First off, if it still works, management is not likely to want to get rid of it unless you make a good case for a good ROI. They're all old and aren't used to replacing major hospital systems that aren't broken, especially if the new system doesn't offer any advantages. Budgets are always a problem because if the department isn't bringing in enough money to warrant new equipment, they might not get it. Then there are the vendors. Perhaps GE, Fuji, or Cerner are happy with their old system or want to sell you lots of stuff you don't want or need to replace one bit that is still running on old server tech just fine, so you effectively can't upgrade even if you wanted to.

  5. Re:Does it bother anyone else..... by radtea · Score: 5, Interesting

    For that matter, why is it running a general-purpose OS like Windows?

    Ease of development, particularly UI support for rich user interaction and feedback.

    Most medical systems I've worked on have two OSes: a relatively hard realtime system that's really close to the hardware, and a second system (Linux or Windows) that's close to the user. For some applications the general purpose OS is used as a soft realtime system and talks to all the hardware via USB or a framegrabber. Only very simple systems are pure embedded these days.

    Given the complexity of computing that some of these machines do this makes perfect sense: an embedded, realtime OS is just not what you want to be dealing with when trying to develop richly representational software. Think imaging systems and computer-assisted surgery systems, which often have a lot of analysis and image processing built in, including heavy user interaction, in realtime, in the OR.

    Intra-op ultrasound is routine in cardiac surgery (and yes, sometimes systems hang and have to be rebooted while the patient is on the table with their heart stopped...). Intra-op fluoroscopy is routine in some procedures as well, particularly in ortho.

    The problem is that people have come to expect features that can't be easily delivered without a general purpose OS, and the issues that come with that are pretty much invisible to anyone who would be likely to scream about it, including the FDA. Users get used to periodic failures and work around them, just like desktop users do.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  6. Re:Does it bother anyone else..... by peragrin · Score: 4, Interesting

    What part of 10 year old equipment didn't you understand? What part of Win NT and Win 2K makes you think the hardware can even run anything newer?

    At that time you're looking at Red Hat 5. Think about it. Linux wasn't ready back then for mission critical stuff.

    At best they could have gone with OS/2 Warp.

    --
    i thought once I was found, but it was only a dream.
  7. Re:Here is why and how by altek · Score: 4, Interesting

    I don't necessarily "think it's OK". I didn't write an editorial, I just outlined why this is what it is, as it seemed a lot of the commenters were underinformed on what the article is referring to.

    Also, as per usual, the media uses sensationalist wording. Most of the "medical devices" in question here are not something attached to your body where you will die if it crashes. Most of what this is referring to are clinical workstations used for doing all sorts of work related to medical care. For example, a workstation that interfaces to some sort of scanner to set up and initiate a scan. Or a workstation that crunches data that comes off some piece of medical hardware. Most devices that physically touch you and control something which can harm a person are coded in hardware, not Windows, and have hardware in place to prevent such a thing from harming someone.

    Please realize that the FDA must approve ANY piece of hardware that comes in contact with a human and the process is EXTREMELY restrictive and scrutinizing (and expensive). It's actually one gov't institution that I feel really does protect people in a lot of ways.

    --
    THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
  8. Re:Old Computers by Mazcote Yarquest · Score: 5, Interesting

    Indeed, I work for an OEM on the imaging (X-Ray) side of the house. My system(s) do get patched regularly. The users are given specific instruction not to "Surf the web".

    These systems are usually on a network segment dedicated strictly to imaging, yet somehow I manage to find all fashion of virus (most recently Conficker), games and saved email attachments on the Desktop.

    The FDA is very strict about how these systems are to be upgraded and serviced, but patching is a non-issue.

    My company has a simple solution to the virus issue though: if the network admin allows the cluster to get infected, we will gladly remove the infection, for a price.

    If I had only had a penny for every time I have heard "It's not my network, check your equipment".

  9. Re:Virus writers in the pay of computer sellers? by Anachragnome · Score: 4, Interesting

    The above post is accurate about the car analogy.

    From my own experience, auto manufacturers took it a step further and only made PARTS of the car with built-in obsolescence. Then they buried that part under 30 other ones. That way they get the repair cost MUCH higher. A simple $10 part can cost you (at the dealership, of course) $1000 to get to and replace; the Ford Ranger/Explorer clutch slave cylinder INSIDE the transmission bellhousing ($30 part, $500 job) being a good example (most manufacturers put it on the outside). It also discourages the "shade-tree mechanics" from doing their own work.

    But what you say is mostly correct. The REAL problem is that they've been at it so long, people think that a car that only lasts 5-6 years is NORMAL. They've been conditioned to it. People will not know what to do with a car that lasts 25 years, nor be happy with it. It's all about "new", or so we are told by the auto companies.

    All that being said, the OP isn't being overly cynical, in my opinion. That shit happens ALL the time, and I see no reason it shouldn't in the IT field.