Hospital Equipment Infected With Conficker
nandemoari writes "Recently, the Conficker/Downadup worm infected several hundred machines and critical medical equipment in an undisclosed number of US hospitals.
The attacks were not widespread; however, Marcus Sachs, director of the SANS Internet Storm Center, told CNET News that it raises the awareness of what we would do if there were millions of computers infected in hospitals or in critical infrastructure locations.
It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access.
A patch was released by Microsoft last October that fixes the problem, but the computers infected were reportedly too old to be patched."
I'm surprised that NT4 is still run. But then again I often see it running on older equipment in stores, call centers and hospitals I guess.
I guess that's the other meaning of "Nosocomial infection"...
So if a patient dies due to a (computer) virus and the virus writer gets caught can he be charged with manslaughter or something?
Negative moral value of force outweighs the positive value of good intentions.
Newer isn't always better.
All versions of Windows (and Linux) are way too complex to ever be 100% bug-free. They should be running DOS.
Hospital equipment running Windows NT... Virus or no, I wouldn't want my life to depend on that machine. "Yeah, I hooked him up to the EKG and it just keeps saying device not recognized."
Maybe not, but cars have been removed from the market for similar reasons. Notoriously insecure systems should never be used in hospitals.
In fact, it rarely is. If their existing OS, which is likely running custom software specific to this equipment, is still doing what it needs to do for them, what need do they have to switch? They certainly don't need to be able to play the latest games or anything superfluous like that. Why risk breaking compatibility on a tried and tested mission-critical system? How many businesses do you know of that switched to Vista the moment it came out? If you do know any, you know they're pretty dumb, don't you?
A family member was in an intensive care unit and was hooked up to a machine that would monitor them for seizures.
In addition to a bunch of electrodes and other monitoring devices there was a web cam.
I looked at the screen and saw the Win XP task bar (pretty sure it was XP not win 2k but it was a while ago). It was a shock to see it and caused me some concern, but since it was just monitoring software, not as critical as the other systems in the room and the unit's layout made the bed viewable from the nurse's station, it wasn't a big deal.
Had the respirator shown an XP toolbar I would have made a stink.
NT and win2k have always appeared to be fairly stable for me. More so than XP in my experience.
For a life-critical system they probably shouldn't be running ANY version of Windows. But once you get past that issue, if you have tested it sufficiently to permit people's lives to depend on it, retesting it to the same standards on first Win2000 and then XP is a non-trivial effort, and might not even be possible without massive changes. So you would be sorely tempted to leave it alone. Presumably, since it's the same code, it doesn't need any more "features" or performance. So porting it provides no value.
A better question is whether or not it's a good idea to have the damn thing hooked up to the internet so it could *get* Conficker in the first place! Well, actually, that's not a question, since it's obvious...
Brett
In the medical industry, making even the smallest changes is often difficult. (I've heard stories of companies continuing to release medical software based on WinNT, and they will probably continue to do it.) When it comes to making changes to software (and hardware), there are lots of regulatory hurdles you need to meet. (The more "life-critical" a device is, the more stringent the regulations are.) Obviously, it makes sense, because you don't want to go to the hospital today and find a Windows 7 Beta powered device responsible for your safety.
Also, many hospitals refuse to upgrade existing equipment to something newer. If it works, and it gets the clinicians the data they need to help the patient, then they don't want to take the risk of updating software/hardware.
Doh!
For that matter, why is it running a general-purpose OS like Windows? Anything upon which life-critical systems run should be a hardened, embedded system focused on the equipment's features and nothing else.
Am I the only one who shudders at the idea of Bonzi Buddy on a cardiac monitoring system?
Your mind is clear / The things that you fear / Will fade with how much you / Believe what you hear
Hey, that adorable purple ape has wonderful bedside manner!
Exactly; look at the Hubble telescope and its 486s. It's not the processors that are causing it to fail over time, they're still chugging along.
It bothers me that "critical medical equipment" was running Windows at all.
Not necessarily newer, but certainly more robust (Windows 2000 is not something I'd consider reliable enough to be used in mission critical systems) and more secure (USB keys can carry viruses).
Usually, for something like that, as others have noted, you'd want a special-purpose OS or a very minimal layer on the hardware you can write apps directly to (e.g. L4, OSKit, or something like that).
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access.
Critical medical equipment running Windows and connected to the Internet? YOU'RE DOING IT WRONG! The sheer stupidity of humans never ceases to amaze me.
Why risk having security vulnerabilities on a tried and tested mission-critical system? They should have gone with Linux or BSD from the start and had virtually guaranteed upgrade compatibility from that point on, with plenty of commercial support options.
Sam ty sig.
All medical devices have to go through a very stringent testing and approval process. The process is extremely costly. Even the slightest revision in a design spec can require a whole new series of retesting and recertification. Therefore what happens is that the manufacturers develop their devices using a certain piece of software and it stays on that piece of software. If you think about it, there isn't any need for a heart monitor to have internet access. The real problem is that the staff at the hospital obviously failed to follow the guidelines that were laid out for them by the manufacturer and/or their local IT department. I don't know about you, but I don't want my medical devices pulling down auto updates that might bork their functionality. As long as you're running Microsoft software on certified hardware with a known good set of drivers, the odds of a blue screen or other serious system problem are next to none. I'm not saying that you want to run your business on an NT4 server plugged into the internet. But for a medical device that should be stand alone, it isn't exactly a huge risk to be running Windows.
I can totally understand why these systems were still running NT or 2000. If it ain't broke, don't fix it, right?
But if it ain't supported anymore, and it's completely closed-source, you literally CAN'T get fixes for vulnerabilities discovered later on. At least with an OSS product, you'd be able to hire a developer to fix the specific vulnerability on the existing system.
Don't you wish your girlfriend was a geek like me?
no, not at all. I know we've all been brainwashed into the 'must upgrade' way of thinking, but for many places once you have something working, don't touch it and it'll keep working.
So, no, many places run NT4, it was quite a good OS, before MS started adding 'value added features' to it.
1) Vendors of these devices almost across the board disallow local IT admins to put any windows patches on the machines
- this is due to FDA requirements for approval, and the vendor is "covering" themselves
- also, they usually have a list of "qualified updates" that is usually MONTHS behind MS's patch cycle (not surprising given the sheer number and speed of holes that are found)
- usually the vendors claim that THEY will apply patches regularly, in practice, they almost NEVER do
2) Vendors typically disallow these machines to be on the active directory
- this is because they can't stand troubleshooting/supporting issues in their software due to GPOs being pushed down, software management software, etc etc
3) To everyone screaming how idiotic it is that medical devices have Windows on them: you may be a geek, but have clearly never worked in a real enterprise environment. Windows is embedded on so many devices in the world (medical and otherwise) that you would never even know existed. Why? Because it's widely supported, has huge hardware support, and is surprisingly OPEN to developers to hack it into whatever they need it to be. And windows programmers are a dime a dozen.
4) To everyone screaming how idiotic it is that medical devices are connected to the internet getting infected - Do you even know how Conficker spreads? It spreads quite easily across a LAN, attaching to Windows file shares. See MS08-067 for more info. Many of these devices are on a LAN with no DNS (although plenty are on the 'net). Why? Again, because vendors insist that they be connected so they can VPN in and support them (often using LogMeIn, Webex etc).
THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
Suddenly I have this horrible urge to write a virus called "Swine Flu" that only attacks medical systems..
On some hardware even installing windows updates will void the warranty and that same hardware also has to be on the network.
This SPAM was brought to you by a heart monitor!
http://www.beanleafpress.com
It's possible that they can't upgrade to a newer OS. To do so may require them to upgrade the modality attached to the OS. Hospital systems have to be validated to conform to FDA requirements and the vendor just may no longer support that OS and it's just not possible to do it in house.
"Hi it says I need to upgrade my RAM, what is that?"... "RAM is a part of your computer, if you have more of it, you can expect it to run faster... tell me what your computer is running and I'll see if I can help you out."... "Uh, right now the computer is running Bob's heart and lungs for him."
The article says "A patch was released by Microsoft last October ..." The availability of a patch doesn't mean squat. Before a patch can be installed on medical equipment, the hardware vendor has to validate the patch. In other words, the vendor has to test the ever loving crap out of the software to ensure it does not compromise patient safety.
The fact that Conficker got on life safety and mission critical systems at all raises the question of why anyone would use a consumer grade operating system for mission critical systems or for life support systems. At a minimum, these systems should have been running Unix or Solaris. VxWorks or Linux are also good, but require a higher level of computer engineering to implement.
This is just plain lunacy.
For that matter, why is it running a general-purpose OS like Windows?
Ease of development, particularly UI support for rich user interaction and feedback.
Most medical systems I've worked on have two OSes: a relatively hard realtime system that's really close to the hardware, and a second system (Linux or Windows) that's close to the user. For some applications the general purpose OS is used as a soft realtime system and talks to all the hardware via USB or a framegrabber. Only very simple systems are pure embedded these days.
Given the complexity of computing that some of these machines do this makes perfect sense: an embedded, realtime OS is just not what you want to be dealing with when trying to develop richly representational software. Think imaging systems and computer-assisted surgery systems, which often have a lot of analysis and image processing built in, including heavy user interaction, in realtime, in the OR.
Intra-op ultrasound is routine in cardiac surgery (and yes, sometimes systems hang and have to be rebooted while the patient is on the table with their heart stopped...) Intra-op fluoroscopy is routine in some procedures as well, particularly in ortho.
The problem is that people have come to expect features that can't be easily delivered without a general purpose OS, and the issues that come with that are pretty much invisible to anyone who would be likely to scream about it, including the FDA. Users get used to periodic failures and work around them, just like desktop users do.
Blasphemy is a human right. Blasphemophobia kills.
A better question is whether or not it's a good idea to have the damn thing hooked up to the internet so it could *get* Conficker in the first place! Well, actually, that's not a question, since it's obvious...
The computers that were infected weren't hooked to the internet, they were hooked to a network that was hooked to the internet. The other equipment was probably either connected to an infected computer at some point, hooked into the same network, or some combination of similar things.
Seems to me that equipment of this type should be running on software that's been written from the ground up to be secure and crash-proof. Using any out-of-the-box software is asking for trouble since you can't control the code and it's going to provide features that the equipment doesn't need. Any of those unnecessary features could easily cause crashes or security concerns. The equipment should only accept input that's exactly what it's expecting and reject anything else.
So, we have Conficker infecting hospitals now. And meanwhile, after Conficker's payload goes live, there's a massive outbreak of swine flu. And conficker spreads spam... spam is a pork product... COINCIDENCE?!
No kidding!!! What do you say at this point?
Bridgestone wasn't committing a criminal act. They had a flaw with their product.
Under US law, there are situations where you can be prosecuted if during the commission of a crime you cause something more severe to happen. One that has happened successfully is a criminal being prosecuted for murder during a robbery, even when they themselves didn't fire the shot that killed someone. However, because the reason the death happened was their robbery, they are charged.
Now as it would apply to this, I don't know. You'd have to ask someone who's an expert in this area of law and even then this is untested so it would have to be decided in trial. However it is the sort of thing that can happen. If you commit a crime and in doing so cause other harm to happen, even if it wasn't direct or your direct intent, you can still be charged at least in the US.
What part of 10 year old equipment didn't you understand? What part of Win NT and Win 2K makes you think the hardware can even run anything newer?
At that time you're looking at Red Hat 5. Think about it. Linux wasn't ready back then for mission critical stuff.
At best they could have gone with OS/2 warp.
I thought once I was found, but it was only a dream.
Does it bother anyone else that "critical medical equipment" was running Windows NT or 2000?
Of course it does. Building any medical equipment around an intrinsically unreliable system is about as irresponsible a decision as anyone could make.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Obviously, it makes sense, because you don't want to go to the hospital today and find a Windows 7 Beta powered device responsible for your safety.
Sure, but you also don't want to go to the hospital today and find a Windows 3.11 powered device responsible for your safety
No sig for the moment.
Kind of makes you wonder what percentage of the prestigious Windows market share is special purpose devices like this (or mundane devices like cash registers.) I know Case equipment (CNH) uses WinCE on almost everything. At least that is pared down to the essentials.
In any case this seems like lazy engineering if the item is vulnerable to viruses.
-- My apologies if the above facts contain any opinions, or vice versa! --
The question here is this: did the sub-human wankers who created this ever consider this possibility? Now that it's happened, do you think they give a shit? Is there a chance that someone is saying, "Gee, maybe this wasn't such a good idea..." right about now?
They would still have been unable to upgrade/patch/etc.
The issue is the support contracts say "DO NOT TOUCH!".
Agreed, I don't see how anyone could convince themselves that they have actually tested it sufficiently if it's running on Windows (or any other consumer-level OS). But once you have it on one version, and never change it, at least you haven't introduced any other variables, i.e. at least it's not a moving target.
Seems to me that equipment of this type should be running on software that's been written from the ground up to be secure and crash-proof.
I'm intrigued by your implication that windows, or any other OS wasn't written with these goals in mind. Perhaps, it's just not quite so easy to achieve?
"The computers that were infected weren't hooked to the internet, they were hooked to a network that was hooked to the internet."
So, they were hooked up to the internet.
Physical separation people. It's the ONLY way.
I don't mean to nitpick, but what's the difference? Your ISP has a network that's hooked to the Internet and you connect your computer to it in order to have Internet access. Seems to me that the basic routing functionality of IP guarantees that there is no meaningful difference there, at least not unless you have some carefully-planned firewall rules in place and even then ...
It is a miracle that curiosity survives formal education. - Einstein
If the support contract doesn't include tested and managed security updates, it's not really support is it?
The computers that were infected weren't hooked to the internet, they were hooked to a network that was hooked to the internet. The other equipment was probably either connected to an infected computer at some point, hooked into the same network, or some combination of similar things.
Being hooked up to a network that is hooked up to the internet (an insanely large network) is being hooked up to the internet! Any way the network that the medical equipment is on should be a closed system with no computers that were ever connected to the internet.
Newer isn't always better.
I disagree, think of how much better those machines would be running if they used vista!
It's extremely cynical of me perhaps, but I wonder if this isn't some type of pernicious planned obsolescence. Some car makers for many years deliberately made cars to last 20,000 hours (pure folklore, overheard) because they needed cars to fail after a few years to keep the volume of new car sales going.
Wouldn't the same principle work with computers? Something has to make them fail over time or people will make do with the old. Unfortunate that this means NT4 boxes in hospitals might get people killed, but when have the truly greedy ever really cared?
Do not mock my vision of impractical footwear
As I unfortunately found out yesterday, one of the more common ways the virus spreads is through removable drives. If autorun is enabled for removable devices (which it is by default, and no MS basher responses please), Windows will load autorun.inf straight away, infecting you.
A work colleague brought over a USB stick with some music on it, which I happily acquired, along with Conficker. For some retarded reason the resident shield was disabled. After we received an email about it, I noticed this and re-enabled it. I didn't realise I had the virus until this guy came over again with some more music and the AV software exploded in my face with a nice "warning conficker detected and removed" message. Of course that meant "removed from the USB stick" and not "removed from the PC".
Virus scans would no longer run, and I couldn't access most conficker-removal-related websites unless I went through a proxy. Incredibly, the Microsoft Malicious Software Removal tool worked a treat. After using that, rebooting, and disabling autorun in the registry, it's gone.
I blame partly myself for not disabling autorun (security lockdown on these work PCs is ridiculous; I would have had to ask an admin to do it), and for whoever disabled my bloody resident shield.
I hinted to our admin that I wanted Debian instead, but that didn't go down well. :)
tl;dr version: Conficker is bad, mmkay.
Homonyms are fun!
You're driving your car, but they're riding their bikes there.
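The post above describes the removable-media path: with autorun enabled, Windows reads autorun.inf from the stick and runs whatever it points at. The following is an added example, not code from any poster in this thread. It inspects an autorun.inf the way a defender checking media before it reaches a clinical machine would, and it decodes the `NoDriveTypeAutoRun` registry value the poster mentions disabling autorun through. Both sample files are constructed, the "block any launch directive" policy is an assumption, and the detection heuristics (rundll32/DLL launch, an `action` string that mimics the default "open folder" entry, junk lines padding the file) are general ones, not indicators taken from this thread.

```python
"""Judge whether an autorun.inf on removable media would execute code.

Added example for this thread (not any poster's code). Sample files and the
'any launch directive is blocked' policy are constructed assumptions."""
import re

LAUNCH_KEYS = {"open", "shellexecute"}                      # direct launch directives
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)  # shell\<verb>\command
SECTION_RE = re.compile(r"^\[(.+)\]$")
# NoDriveTypeAutoRun is a bitmask indexed by GetDriveType(); DRIVE_REMOVABLE is 2 -> bit 0x04.
REMOVABLE_BIT = 0x04

# Constructed benign sample: icon and label only, nothing to run.
BENIGN_INF = """\
[autorun]
icon=setup.exe,0
label=Vendor Service Tools
"""

# Constructed suspicious sample: junk lines, a launch directive handing a DLL
# to rundll32, and an 'action' string imitating the default AutoPlay entry.
SUSPICIOUS_INF = """\
;junkjunkjunkjunkjunk
[autorun]
zzzzzzzzzzzzzzz
action=Open folder to view files
icon=%systemroot%\\system32\\shell32.dll,4
shellexecute=RuNdLl32.EXE .\\hidden\\payload.dll,Start
qqqqqqqqqqqqqqq
useautoplay=1
"""


def parse_autorun(text):
    """Tolerant INI parse. Only keys under [autorun] matter to Windows; every
    other non-comment line is counted as junk (worms pad the file with noise)."""
    directives, junk, section = {}, 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if "=" not in line:
            junk += 1
            continue
        key, _, value = line.partition("=")
        if section == "autorun":
            directives[key.strip().lower()] = value.strip()
        else:
            junk += 1
    return directives, junk


def assess_autorun(text):
    """Return verdict ('block' if the file would launch anything, else 'ok'),
    the list of findings, and the parsed directives."""
    directives, junk = parse_autorun(text)
    findings = []
    for key, value in directives.items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            findings.append(f"launch directive {key}={value}")
            if re.search(r"rundll32|\.dll\b", value, re.IGNORECASE):
                findings.append(f"{key} loads a DLL via rundll32-style invocation")
    if "open folder" in directives.get("action", "").lower():
        findings.append("action text mimics the default 'open folder' AutoPlay entry")
    if junk:
        findings.append(f"{junk} unparseable line(s); autorun.inf should be key=value only")
    verdict = "block" if any(f.startswith("launch directive") for f in findings) else "ok"
    return {"verdict": verdict, "findings": findings, "directives": directives}


def removable_autorun_disabled(no_drive_type_autorun):
    """True when the NoDriveTypeAutoRun bitmask disables autorun for removable drives."""
    return bool(no_drive_type_autorun & REMOVABLE_BIT)


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        result = assess_autorun(inf)
        print(name, result["verdict"], *result["findings"], sep="\n  ")
    print("0xFF disables removable autorun:", removable_autorun_disabled(0xFF))
```

When reading a real file from a stick, decode it with `errors="replace"` (or latin-1) before calling `assess_autorun`, since padded files are often not valid text; the junk-line counter then still reports the noise rather than the parser failing on it.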
they were hooked to a network that was hooked to the internet.
So essentially they were on the same switched network, or segmented medical hosts by VLAN with probably IP packet filtering at the gateway. Sounds like a poor design and a really poor security policy if Conficker can push NetBIOS propagation outgoing to the medical hosts' network, regardless of whether the bridging network has access to the internet or not.
The main point should be the fact that the network design and security model is defective in this case, not what OS is running or what software it's running on top of what OS. There is no foolproof OS known to mankind as of yet, and I highly doubt medical device manufacturers can do any better at developing OS/software than software companies. And I hate when I have to defend Microsoft on this, but there is no proof that Windows OS is inherently unstable when it's in use by medical devices.
"Don't let fools fool you. They are the clever ones."
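Two posts above make the same point from different ends: Conficker spreads across a LAN over Windows file shares (MS08-067), and the real failure here is a network design that let NetBIOS/SMB reach the medical segment at all. The following is an added example, not code from any poster in this thread, showing what a defender would look for in flow or firewall logs: a host fanning out SMB connections to many peers (worm-like sweeping) and any SMB flow crossing into the supposedly isolated medical VLAN. The log format, the hosts, and the address plan (10.20.5.0/24 as the medical-device VLAN) are all constructed assumptions.

```python
"""Worm-style SMB fan-out and segment-crossing checks over a flow log.

Added example for this thread, not code from any poster. Assumptions (all
constructed): a flat 'src= dst= dport= action=' log format, and an address
plan in which 10.20.5.0/24 is the medical-device VLAN that is supposed to be
isolated from the rest of the hospital LAN."""
import ipaddress
import re
from collections import defaultdict

SMB_PORTS = {139, 445}                              # NetBIOS session service and SMB
MEDICAL_NET = ipaddress.ip_network("10.20.5.0/24")   # hypothetical medical-device VLAN

# Constructed sample log: 10.20.5.17 sweeps its /24 on 445/139 (worm-like),
# 10.20.5.40 talks to two file servers (normal), and corporate host 10.10.8.15
# reaches into the medical VLAN on 445 (segmentation failure).
SAMPLE_LOG = """\
2009-04-01T10:00:01 src=10.20.5.17 dst=10.20.5.20 dport=445 action=allow
2009-04-01T10:00:01 src=10.20.5.17 dst=10.20.5.21 dport=445 action=allow
2009-04-01T10:00:02 src=10.20.5.17 dst=10.20.5.22 dport=445 action=allow
2009-04-01T10:00:02 src=10.20.5.17 dst=10.20.5.23 dport=139 action=allow
2009-04-01T10:00:03 src=10.20.5.17 dst=10.20.5.24 dport=445 action=allow
2009-04-01T10:00:03 src=10.20.5.17 dst=10.20.5.25 dport=445 action=allow
2009-04-01T10:00:04 src=10.20.5.17 dst=10.20.5.26 dport=445 action=allow
2009-04-01T10:00:05 src=10.20.5.40 dst=10.20.5.2 dport=445 action=allow
2009-04-01T10:00:06 src=10.20.5.40 dst=10.20.5.3 dport=445 action=allow
2009-04-01T10:00:07 src=10.10.8.15 dst=10.20.5.30 dport=445 action=allow
2009-04-01T10:00:08 src=10.10.8.15 dst=10.20.5.31 dport=80 action=allow
2009-04-01T10:00:09 src=10.20.5.40 dst=10.10.8.15 dport=445 action=deny
"""

LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+action=(\w+)")


def parse_log(text):
    """Return (src, dst, dport, action) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, dport, action = m.groups()
            events.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                           int(dport), action))
    return events


def smb_fanout(events, threshold=5):
    """Sources with allowed SMB/NetBIOS connections to at least `threshold`
    distinct peers. A workstation normally talks to a handful of servers; a
    host exploiting MS08-067 across the LAN talks to everything it can find."""
    peers = defaultdict(set)
    for src, dst, dport, action in events:
        if dport in SMB_PORTS and action == "allow":
            peers[src].add(dst)
    return {str(src): len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


def cross_segment_smb(events):
    """Allowed SMB/NetBIOS flows entering the medical VLAN from outside it.
    Any hit means the 'isolated' LAN is bridged at the SMB layer."""
    return [(str(src), str(dst), dport)
            for src, dst, dport, action in events
            if dport in SMB_PORTS and action == "allow"
            and dst in MEDICAL_NET and src not in MEDICAL_NET]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("fan-out suspects:", smb_fanout(evts))
    print("cross-segment SMB:", cross_segment_smb(evts))
```

The fan-out threshold is deliberately low because the medical segment is small and quiet; on a busier network it should be tuned against a baseline of how many SMB peers a normal host actually contacts. The cross-segment check is the more valuable one here: it needs no tuning, because the policy the posters describe (no SMB into the medical LAN, ever) allows zero hits.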
Why are you getting modded as "Funny?" That's the first thought I had. Shouldn't heart monitors and MRI machines have an embedded OS of some sort? MRIs are more complex, but (AFAIK) things like heart monitors do one thing and one thing only.
This signature serves no purpose other than to help you see which posts were made by me.
At least with an OSS product, you'd be able to hire a developer to fix the specific vulnerability on the existing system.
It doesn't work that way.
You botch this assignment and people die.
The hospital does not have the financial or technical resources to validate your work.
Its potential exposure to administrative actions, civil and perhaps criminal penalties is enormous.
Let's assume that the hospital equipment can't be patched enough or in a timely-enough manner to make it safe enough to use with the Internet. To me it's obvious: don't ever allow connections to the Internet in any way.
Critical medical equipment should never have been even remotely connected to anything not 100% secure.
---- Booth was a patriot ----
No, they shouldn't be running something newer. Older software has had longer to show its failings and to be well understood. Nobody wants to be surprised by medical equipment. They SHOULD, however, be running something safer.
These probably aren't the heart monitors physically in the patient, but rather either EKG's or pacemaker programming monitors -- which need to have graphics, a terminal, and be connected to other clinical systems.
...
Well then how the hell am I supposed to send my heartbeats to twitter?
Answer that! Ball's in your court.
Considering the high cholesterol content of spam, it's probably already wreaked its share of havoc on heart monitors... it's about time the heart monitors gave something back.
Let me get this straight, we know Microsoft drops support for its OSes and that includes security patches, yet hospital equipment manufacturers are loading Windows on equipment costing millions? Come on folks, what's wrong with this picture.
At least with open source, the equipment manufacturer can backlevel a patch or hire someone to do this. They can't do this with Windows or it costs too much for them to do it. I can't imagine getting source access to an unsupported OS is something Microsoft wants. If they don't want it, they price it off the market.
So is anyone in the press bringing up the issue of companies embedding Windows in products which are expected to last more than 10 years like MRI machines and other hospital equipment? This isn't your standard corporate IT department that keeps throwing away good hardware every three to five years.
It's plain and simple, Windows is unsafe and unsupportable in any long life application.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
What part of 10 year old equipment didn't you understand?
The part where they connected it to a *network*.
At that time you're looking at Red Hat 5. Think about it. Linux wasn't ready back then for mission critical stuff.
Of course it was. Well, perhaps the RedHat distro was a bit immature back then, but Debian certainly was ready, as was Slackware. But that's not really the point. The question is, why were Microsoft's non-realtime, closed-source solutions considered for controlling mission-critical medical hardware?
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Trouble is, Conficker can spread through flash sticks too, so it's fairly easy for it to jump from the internet to an isolated network.
Note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register.
You mean we can't nuke it from orbit?
This is not the funny you're looking for.
Newer isn't always better.
But better almost always IS newer. After all, how are you supposed to improve something that doesn't exist?
Users get used to periodic failures and work around them, just like desktop users do.
It seems to me that failures like this are tolerable as long as the different systems have enough decoupling, and enough human attention is in the loop to modulate the system. If the system reporting your 3-month historical blood pressure crashes, no biggie, but if the actuator making my respirator move relied on a web page's embedded OLE control always returning the right value over XMLRPC, I'd be a little more nervous. Well, a lot more nervous.
Don't blame me, I voted for Baltar.
I'm intrigued by your implication that windows, or any other OS wasn't written with these goals in mind. Perhaps, it's just not quite so easy to achieve?
When you're writing software that does a single specific task, on very specific hardware, it's very easy to achieve reliability and security. These mainstream consumer operating systems are designed to run a vast array of generalized computing applications on a vast array of hardware. The application developers and equipment makers can only control a very tiny portion of the code running in these systems.
...(Windows 2000 is not something I'd consider reliable...
Windows 2000 was perfectly reliable until Windows 2003/XP came out - then (as if by magic) - it wasn't.
I think it was also right after a few ms updates and patches were rolled out.
I say things which affect my Karma negatively. (and I don't care) For instance; All religion is false.
And I hate when I have to defend Microsoft on this, but there is no proof that Windows OS is inherently unstable when it's in use by medical devices.
Stability is not the issue; security is, and it's pretty much proven that Windows is inherently insecure when it's in use in medical devices. In Linux, at least you can easily pare it down to the smallest set of functions you need (to the point of completely excluding TCP/IP or the entire networking stack if you choose), whereas Windows XP Embedded still gets Windows viruses.
It is when doing such updates could break very costly certification processes that medical equipment must have... which is kind of important in the healthcare industry... The correct action is PROTECT the equipment from external threats --- there is no reason for a heart monitor to get on google.
+++ATH0 NO CARRIER
Here's a vaccine: use Unix and Unix-like systems. No medical device should be running Windows. You do see stuff with Unix, such as some CT scans, but the way Microsoft's marketing is strong, you see a lot of stuff on Windows. Also, because it allows for easy installation on a widespread platform.
Here's a big opportunity for open-source developers: ship the whole thing, computer, OS, *and* your image analysis software for microscopy - or whatever (of course, the ugly part for Linux is the GPL - but then there's always a choice of BSD or solaris).
BTW, how come retarded managers get to choose Windows for medical devices, and the NYSE sticks to Linux for their systems? Answer: because there is a shitload of money in the NYSE and big fish at the sea and they can't afford retards managing their IT infrastructure.
On another note, I suspect things are even worse in other corners of the world. For instance, a couple of weeks ago I was having a coffee with the guy responsible for major IT infrastructure in the government health sector (this in Brazil, and I'll not disclose specific info), and he told me a horror story of how they run very old, unpatched software, that they *can't possibly* upgrade because, as these things go in the developing world, the budget wasn't always there when they needed, so they missed upgrades, and to upgrade the things, they can't just go from, say, version 5 to 7, because Microsoft doesn't work that way...BTW, the guy - a top manager - was clueless regarding, say, OpenBSD. He just bought pre-packaged Microsoft shite. How sad...He did mention that TCO for Linux was higher, because of lack of specialized workers (as opposed to a legion of incompetent sysadmin wannabes we see all the time in the Free Software meetings), and that they had made a half-assed attempt once.
OTOH, the public health sector should run open source software for security reasons. Period. If .mil does, why doesn't .gov?
Main difference between the BSD license and the GPL license: one is from California and the other is from Massachusetts
With the Internet locked out, the only thing left is to train employees never to introduce USB sticks into the system--at the risk of picking up a law suit or loss of employment.
What part of 10 year old equipment didn't you understand? What part of Win NT and Win 2K makes you think the hardware can even run anything newer? At that time you're looking at Red Hat 5. Think about it. Linux wasn't ready back then for mission critical stuff. At best they could have gone with OS/2 Warp.
They could have gone with Solaris ;)
It is always better to be a first grade version of yourself than a second grade version of someone else.
And OS/2 warp is, like, totally supported today.
For a life-critical system they probably shouldn't be running ANY version of Windows.
"Hahahaha, children, the things we've seen."
Like telemedicine types wiring ECG real-time data to Linux (*) with MySQL and PHP interfaces. Is that acceptable/safe? I don't think so...
(*) not Real-Time Linux.
No, it's just reality when you work in Healthcare IT, and for patient safety reasons, it's better this way...
Your comment leads me to believe that you don't know anything about Health Care IT and should maybe move on to another topic.
The issue in this story is not the fact that the equipment is unpatched, the issue is that some idiot allowed a threat to reach the equipment in the first place.
+++ATH0 NO CARRIER
The problem is that people have come to expect features that can't be easily delivered without a general purpose OS, and the issues that come with that are pretty much invisible to anyone who would be likely to scream about it, including the FDA. Users get used to periodic failures and work around them, just like desktop users do.
We can't expect Mr. Surgeon, who's been rebooting his Wintel boxen for two decades, who thinks it's "natural" for computers to get a "virus" to scream about it.
However, the physicians, engineers and computer people who make the devices and software should display a higher standard. IMHO, for instance, it's unacceptable to just "hack away" at C/C++ in such systems. At the very least some formal methods should be applied. Safe(r) languages, like SPARK Ada
http://en.wikipedia.org/wiki/SPARK_(programming_language)
Code analyzers with formal theory behind them, such as PolySpace
http://www.mathworks.com/products/polyspace/index.html
Etc.
If a system needs rebooting in the middle of surgery, then it's criminal.
There's a cultural barrier against safer languages and formal methods and we need to overcome it.
I read once that there were a few reasons NASA was always pretty far behind on processors compared with home PC's. Keep in mind this is from memory.
1. By waiting they get processors whose flaws are well known (no surprises)
2. They can get radiation hardened chips. It takes time to develop such a chip, and you want the one with known flaws, so by definition the chip is out of date.
3. The power requirements are low.
Good lord, you got modded troll for that? WTF?!
Are you kidding?
Red Hat 5 was far more ready for mission critical systems than anything M$ has ever released, and likely more ready than anything M$ will ever release.
Actually, what this story proves is that that approach is unworkable, and threats WILL reach the equipment.
It's time for a new approach. Seriously.
Being a health care worker, I would have thought that being responsible, and *not* bypassing the hospital's IT access controls - no matter how "pathetic" - was part of your job?
Just sayin'...
This is why the manufacturers fold their tents every five years and move on.
Don't get sick.
Help stamp out iliturcy.
The network is not trusted. Not ever. Not even a lab network with air gap. For the lifetime that these devices are expected to see somebody will defeat the network security, even if they have to invent a parallel port to wifi adapter.
The trick is to never expose services to the network on clients. Ever. Clients are for using services, not providing them. And audit your network periodically to ensure the damned clients haven't started listening without permission. When you implement this policy expect to have considerable disruption as you discover precisely what services are running on clients that are used for important work. It's very scary. Port monitoring can be used also to detect if a client is performing services on a "stealth" port. There's a whole lot more to running a secure network but most people don't even do this much so locking down broadcast and monitoring for slow scanning and other steps are pretty moot.
Also, audit your servers. Each server needs to have services exposed. But it should have only those required. By default all ports should not be listening and this should be checked with snort before the required services are started.
And of course turn off auto run.
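The listener audit the post above calls for, as an added example (not the poster's code): it parses the LISTEN lines of a `netstat -ltn` (Linux) or `netstat -an` (Windows) dump and diffs the network-exposed ports against a per-role allow-list, with clients allowed nothing. The roles, ports and dumps are constructed for the example.

```python
import re

# Per-role allow-list of TCP ports a host may listen on (constructed policy).
# Clients get an empty set: they consume services and never provide them.
ALLOWED_PORTS = {
    "client": set(),
    "pacs-server": {104, 443},   # assumed: DICOM and HTTPS only
}

# Matches the LISTEN lines of both `netstat -ltn` (Linux) and `netstat -an`
# (Windows): proto, optional queue counters, local addr:port, remote, state.
_LISTEN_RE = re.compile(
    r"^\s*(?:tcp6?|TCP)\s+(?:\d+\s+\d+\s+)?(\S+):(\d+)\s+\S+\s+LISTEN(?:ING)?\s*$"
)

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(netstat_output):
    """Return {(local_addr, port)} for every listening TCP socket in the dump."""
    found = set()
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def audit_host(role, netstat_output):
    """Compare one host's listeners against the allow-list for its role.

    unexpected - ports reachable from the network that policy does not allow
    loopback   - listeners bound only to loopback (not exposed, still worth a look)
    missing    - allowed/required ports that are not actually listening
    """
    allowed = ALLOWED_PORTS[role]
    listeners = parse_listeners(netstat_output)
    exposed = {port for addr, port in listeners if addr not in LOOPBACK}
    loopback = {port for addr, port in listeners if addr in LOOPBACK}
    return {
        "unexpected": sorted(exposed - allowed),
        "loopback": sorted(loopback - exposed),
        "missing": sorted(allowed - exposed),
    }


# Constructed sample: a Windows workstation dump (netstat -an) with the
# usual RPC/SMB listeners that policy says a client should not expose.
WIN_CLIENT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    10.1.2.30:139          0.0.0.0:0              LISTENING
  TCP    10.1.2.30:3389         10.1.2.99:51200        ESTABLISHED
"""

# Constructed sample: a Linux server dump (netstat -ltn) that also listens
# on a port the allow-list does not cover (5900).
LINUX_SERVER = """
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:104             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::5900                 :::*                    LISTEN
"""

if __name__ == "__main__":
    for role, dump in (("client", WIN_CLIENT), ("pacs-server", LINUX_SERVER)):
        print(role, audit_host(role, dump))
```

Run it against dumps collected from each host on a schedule; any non-empty "unexpected" list is a client that has started serving, or a server that grew a listener nobody approved.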
Physical separation people. It's the ONLY way.
That doesn't work very well any more. Most small devices now come with wireless comm capabilities, bluetooth or IR or wifi or CDMA or .... These are generally not obviously "network" connections to non-experts, and many don't have any visible external signs that they're included or working.
This was one of the things that has been learned by the people studying the problems with electronic voting equipment in recent elections. The people in charge will insist that the machines not be networked, but they don't seem to understand that wireless networking connections are possible. So some of the machines that "weren't networked" had running IR and/or bluetooth installed and enabled, and people were able to use these to access the machines from across the room and modify their data.
Also, you and I know that wifi and bluetooth are or can be network connections. But your boss probably doesn't know this. They aren't visible and don't have wires, so they can't be "connections", now can they? And why would any medical administrators expect that a computer infection could spread through the air without any physical contact? ;-)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
It's not so much that it is inherently unstable, it's that it (and anything remotely like it) are so complex under the hood that you have no way of ever testing or proving it works. Do you suppose that Windows contains a function from a library somewhere, that wasn't explicitly tested? Yes? BZZZT! Fail! At least for a truly life-critical system. It's not at all clear what the deal was here, but in the most critical situations the OS is written from scratch, and sometimes consists of "see clock leading edge, jump to location 80octal, run". Of course there's a break point where the risk of doing this sort of programming is greater than the risk of using something more complex with more history, but I would sure lean more towards the former than the latter, if it was my grandmother hooked up to it.
Brett
Even DOS would be more suitable for this application.
POKE 36879,8
I spent many years developing real-time software for embedded, real-time, and safety-critical systems, and all I can say is that ANYONE who uses Microsoft software for such should be arrested for endangering the public safety! Remember the disaster that was the Denver International Airport automated baggage handling system? That had to be pulled out entirely after years of effort and hundreds of millions of US dollars. It was built on NT. When I heard about that (before it was deployed), I screamed, saying that it could not possibly work! Well, my opinion was vindicated (unfortunately). So, the fact that many of these safety-critical medical systems which are built with MS software have proven vulnerable to the most pernicious malware we have ever seen, does not surprise me in the least. I hope that the hardware and software companies who have developed and sold these systems to hospitals and such are forced to recall all these systems, and certify them to Blue Book security standards. Shame on them! A good example of why management should not be making engineering decisions, IMHO...
Sometimes, real fast is almost as good as real-time.
What part of 10 year old equipment didn't you understand? What part of Win NT and Win 2K makes you think the hardware can even run anything newer?
At that time you're looking at Red Hat 5. Think about it. Linux wasn't ready back then for mission critical stuff.
At best they could have gone with OS/2 Warp.
Actually Solaris was pretty popular for MRI scanners back then. GE eventually switched to Linux which they currently use. Siemens and Philips went with Windows.
Insecurely designed systems insecurely administered on insecure network insecurely connected to insecure internet run afoul of common problem; patients feel insecure?
That wasn't even remotely "troll" behavior. It's informative, accurate, and well written. Wow.
Special equipment like that always runs old OSes. I've seen ATMs use Windows ME when XP has been out for a few years already. I'm surprised they aren't still on DOS.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
AFAIK the radiation hardness is affected by the channel size, the modern 40nm or whatever chips operate at very, VERY tiny voltages which are lower than the noise space tends to add while the really old stuff is so big you need a significant voltage to switch a bit.
Windows was designed for user friendliness and such, it's much easier to secure the system when it doesn't provide much driver support (just enough to deal with the hardware it's meant for rather than generalized support for all kinds of configurations and purposes), much UI, etc.
We had a single NAS that everyone had forgotten about get nailed because it ran a version of Win2k called "Windows Powered!" which was basically Windows 2000 for storage servers. The issue? You can't run service packs, or patches on it that aren't provided by the manufacturer. The manufacturer hasn't released a patch in 4 years. So we essentially had a 1TB NAS sitting there sharing out a virus that we had no way to patch. Once we located it we isolated it, copied everything to a new NAS running Windows 2k3 Storage Server via crossover, and then verified the 2k3 box was clean. However that old NAS easily infected 20 other machines - including machines which were shipped to hospitals because they will not allow us to install virus scanners (they want to use their own managed scanners). Further, most QA (quality assurance) workstations which are attached to MR, CR, XR, US, NM and other units tend to be running OLD copies of Windows with no virus scanners. You can blame Konica, Kodak, Fuji, and the other imaging companies for that idiotic choice.
"A patch was released by Microsoft last October by November that fixes the problem, but the computers infected were reportedly too old to be patched"
This doesn't make technological sense. If they were capable of running the unpatched version, they were equally capable of running the patched version. I mean Conficker ran ok on these old systems.
"that old nas easily infected 20 other machines - including machines which were shipped to hospitals because they will not allow us to install virus scanners"
Interesting, would these other machines have been protected if they did have AV installed? See here where they refer to an 'arbitrary code execution during path canonicalization'. I think they mean a buffer overflow in the RPC service.
"Before a patch can be installed on medical equipment, the hardware vendor has to validate the patch"
What are the technological and legal issues in relation to computerized medical equipment? How does one go about validating a patch? Who is responsible when something goes wrong? At least one hospital has had equipment rebooting during surgery. How do you test the patch: apply patch, scrub up and attend operation, wait for BSOD and click on restore?
Or one of the UNIX flavors.
~Petaris "The world is open. Are you?"
Yeah, let's make sure the medical computers can't get to the internet. Oh wait, that means they no longer work. Now fix it: call the vendor, hear them typing, "Hey, I can't ping that equipment, you must have a network problem. Fix it immediately."
Now while the doctors start to storm the help desk, explain how they chose the wrong requirements for their networked equipment.
Upshot? Doctor puts his thumb down and you are fired. Next person gets the network connection restored. Rinse, lather, repeat.
Yes, I do run a hospital network. If you think your network safety is given a higher priority than the convenience of the equipment configuration and the remote availability for the doctors, you must be stealing something from the pharmacy.
The network that the medical equipment is on should be a closed system with no computers that were ever connected to the internet.
You haven't bought any medical equipment in the last 10 years have you? Because if you think medical equipment works without the internet, you are wrong.
Now, whether it should connect is a different story. The fact is it does connect and must connect to provide service.
The only problem with this setup remains 24/7 guaranteed availability.
I'm doing it wrong? Not according to GE who makes some of our CT equipment. They specify the exact networking parameters that better be working. If they can't ping the equipment from the support center in (?)India(?), they claim you're doing it wrong.
Not according to MedQuest. Not according to AGM. Not according to Cardinal Health. They all require internet connections to the equipment.
Yeah, but you keep believing that I'm doing it wrong.
Too bad? If GE can't support your $5million 64-slice CT scanner that's TOO BAD?
I'm pretty sure it would be too bad if no patients could be seen because the equipment is down. It's too bad we can't get remote support. It's too bad we are now paying for something that is not generating revenue. It's too bad the head of radiology is yelling at the network admin. It's too bad the CEO has to decide that the head of radiology (who brings in $5 million per month) or the network admin (who COSTS money) needs replacing.
Here's how it goes:
Doc: I want the scanner to work.
Admin: This was a bad purchasing decision, it wouldn't be safe. I refuse to connect it to the network.
Doc: I want the scanner to work.
Admin#2: But that wouldn't be safe. I refuse.
Doc: I want the scanner to work.
Admin#3: Right away, sir!
--------
Admin#1: Spare change?
Admin#2: You want fries with that?
Should it be this way? Probably not. Is it this way? Oh, yeah.
I suppose I'm just being an old fogey here, but I think life-critical medical equipment code should be written in assembler. No code lying around doing nothing. No variables the programmer isn't aware of. And for goodness sake, no damn operating system at all. Sensor data in, massaged data out, and nothing else.
Contribute to civilization: ari.aynrand.org/donate
Anyone smart enough to set the system up for the idiots should be smart enough to disable all unnecessary shit that could pose a problem. In fact, it's their job.
Of course, the easiest thing is to buy hardware without the unnecessary shit in the first place.
Aren't you more concerned that it's not on an isolated network?
That's another major problem. Hard to say which is worse.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
When the equipment was designed 10+ years ago, and the support contracts were written, no one ever heard of security updates because the equipment was NOT CONNECTED TO THE INTERNET. It was NOT DESIGNED to connect to the internet, period. The fact that it's even possible to connect it to the internet is the fly in the ointment here. And what if the original manufacturer of the multimillion dollar equipment no longer exists, yet the equipment works perfectly fine for the function it was originally designed for, and there's no budget for its replacement?
Why hasn't the internet kept pace with technology and made it impossible to hook ancient insecure gear up to it anyway?
What part of 10 year old equipment didn't you understand? What part of Win NT and Win 2K makes you think the hardware can even run anything newer?
My immediate thought on reading this was to think of the 10-year-old machine upstairs that's doing just fine running a 2-year-old OS release and software to make it a gateway, firewall, and server machine. Of course, it isn't running the MS Windows that it came with. Its original owner found that it was no longer powerful enough to handle the latest Windows "features", and gave it to me. I installed a then-current Linux on it, a release that was much newer than Win NT or 2K, and it's been running just fine since then.
This is a common source of very usable hardware for a lot of linux users. We magnanimously offer to take old, slow machines off the hands of Windows users who need something more powerful. The smaller, faster programs that come with linux usually work pretty well on all that obsolete hardware. We do often install bigger disks, of course, and sometimes we get a bit more memory, depending on the apps we want to run. (A caching DNS server can use as much memory as the motherboard will accept.) But we don't complain much about old hardware; old hardware has been pretty good to us. ;-)
Actually, there's an older case in the nearby university lab where my main email lives. The lab has a gateway/firewall/nameserver machine that's at least 15 years old. Yup; it's an old Intel box, originally created to run Windows. But over 90% of its life has been as a FreeBSD server system. It's plenty big and fast enough for that task. It would be hopeless for any current Windows release, or even for Win 2K, but it would probably run just fine with any of the current *BSD releases, or with a current Linux.
Ish. I do not envy you that position, but I understand it.
Can you at least firewall off the equipment down to the bare minimums, like ports 80 and 443? Can you hide them behind a transparent proxy that would bear the brunt of the attacks? Can you maybe access them via Citrix, or a Terminal Services Client, or something that is at least a hop away from the raw internet? Are they at least on a separate partition from the other Windows boxes on your network, so when Dr. Red fires up his laptop and starts spreading malware like wildfire, at least your lab equipment is safe?
It just seems like there are plenty of other mitigation strategies you could use to reduce exposure to these machines without removing
John
A terrorist attack on the NHS has brought three London hospitals to a halt.
The terrorists, representing an organisation calling itself "Microsoft," apparently used insecure third-party contractors to put a virus-running platform called "Windows" into critical systems in the hospitals, in order to extort money from them on an annual basis.
It is understood that a large percentage of all businesses are infected with the virus, wasting up to 25% of employees' working time and opening the companies to further attacks from related criminal organisations demanding to see all their licenses.
The virus in question, W32.SHILL/SCHOFIELD, takes over the host's IT systems, leading to aches, pains, nausea, vomiting, pumping out prodigious quantities of faeces and a terrible compulsion to spread the infection to others. The patient also walks with a shuddering stumble and asks for their hospital meal to include tasty, tasty brains. Recovery has commenced when they have an overwhelming urge to throw their computer out of the window. "Getting this stuff out of the system makes MRSA look like a walk in the park," said one cleaner, waving his shit-encrusted hands about for emphasis.
When the infection became known, ambulances were diverted to other hospitals. "We have maintained a safe environment for our patients throughout the incident," said a spokesman for Barts NHS Trust, "keeping them in the Clostridium difficile culturing lab rather than risking exposing them to 'Windows.'"
http://rocknerd.co.uk
What about also explicitly educating the less-technical staff about the reasons for these measures?
Otherwise it would get perceived as "yet another pointless policy IT is putting in to hinder my productivity".
Obviously they would still want web/twitter... so maybe put a few powerful machines running a bunch of vncservers, and allow the staff to do all the twittering/news browsing from there?
I believe that. My daughter recently spent a few days in the pediatric ICU, and at both the hospital she was taken to by ambulance and later, at the hospital to which she was transferred because they have a PICU, I saw lots of computers running Windows 2000. These hospitals are both top-notch, highly regarded institutions in a major metropolitan area of the United States, but they have some pretty antiquated computer equipment. Wouldn't surprise me if they had NT 4.x machines lurking somewhere, too.
I don't think the threat is so much that people will die on the table as a result of computer downtime, but that they will die, for example in the ER as a result of a huge increase in processing backlog brought on when computers are down and paper forms have to be brought out, combined with some human error introduced by trying to read the scribbly handwriting of others.
Those who dare to install heart monitoring or other life critical equipment running Windows should be deported to The Hague and tried for crimes against humanity. Those who agree to operate such equipment of their own free will should be fired on the spot.
This is about as insane as controlling an 80 foot crane with a Gameboy. Total madness.
The Hacker's Guide To The Kernel: Don't panic()!