Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hospital Equipment Infected With Conficker

Posted by timothy on from the would-never-happen-with-electronic-medical-records dept.

nandemoari writes "Recently, the Conficker/Downadup worm infected several hundred machines and critical medical equipment in an undisclosed number of US hospitals. The attacks were not widespread; however, Marcus Sachs, director of the SANS Internet Storm Center, told CNET News that it raises the awareness of what we would do if there were millions of computers infected in hospitals or in critical infrastructure locations. It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access. A patch was released by Microsoft last October that fixes the problem, but the computers infected were reportedly too old to be patched."

8 of 289 comments (clear)

  1. Re:Old Computers by BSAtHome · · Score: 5, Interesting

    Medical equipment has a very long lifespan. Many devices for measurement and monitoring are used for 10 to 20 years before replacement. The general policy is "if it works, don't fix it and, more important, do not touch it".
    The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.

  2. Another reason to choose open source by Ironica · · Score: 5, Informative

    I can totally understand why these systems were still running NT or 2000. If it ain't broke, don't fix it, right?

    But if it ain't supported anymore, and it's completely closed-source, you literally CAN'T get fixes for vulnerabilities discovered later on. At least with an OSS product, you'd be able to hire a developer to fix the specific vulnerability on the existing system.

    --
    Don't you wish your girlfriend was a geek like me?
  3. Re:Old Computers by painandgreed · · Score: 5, Interesting

    It's not like they can just upgrade the computer. The computer is running software that goes with specialized equipment. They'd have to upgrade everything if they upgraded anything and with that you could easily be talking millions of dollars. That might not be really needed as the machine should run just as well as it did with they bought it if it hasn't broke. If it's a smaller hospital, they might not have the budget to replace non-broken machines that still preform within needed specs, especially in this economic climate. Add in that some of these machines need to be FDA tested and are only supported by the manufactuer and that makes it even more expensive and harder to upgrade. Then, on many of these machines, the users might not even know they're running on NT4 as the software they run takes up the entire screen and they never actually interact with Windows at all.

    I work in healthcare and I'm not surprised at all. Within the last year we just got rid of a Win95 system that was still talking over Novell networking, our Vax system, and a bunch of Sun Sparq stations. We still have plenty of Win2k and probably some WinNT4 around. We also have one of the most advanced set ups in the country, but legacy systems still exist for lots of reasons. First off, if it still works, management is not likely to want to get rid of it unless you make a good case for a good ROI. They're all old and aren't used to replacing major hospital systems that aren't broke especially if the new system doesn't offer any advantages. Budgets are always a problem because if the department isn't bringing in enough money to warrant new equipment, they might not get it. Then there are the vendors. perhaps GE, Fuji, or Cerner are happy with their old system or wants to sell you lots of stuff you don't want or need to replace one bit that is still running on old server tech just fine, so you effectively can't upgrade even if you wanted to.

  4. Mabey it just wasn't a good time to upgrade? by Chasmyr · · Score: 5, Funny

    "Hi it says I need to upgrade my RAM, what is that?"... "RAM is a part of your computer, if you have more of it, you can expect it to run faster... tell me what your computer is running and I'll see if I can help you out."... "Uh, right now the computer is running Bob's heart and lungs for him."

  5. Re:Does it bother anyone else..... by radtea · · Score: 5, Interesting

    For that matter, why is it running a general-purpose OS like Windows?

    Ease of development, particularly UI support for rich user interaction and feedback.

    Most medical systems I've worked on have two OS's: a relatively hard realtime system that's really close to the hardware, and a second system (Linux or Windows) that's close to the user. For some applications the general purpose OS is used as a soft realtime system and talks to all the hardware via USB or a framegrabber. Only very simple systems are pure embedded these days.

    Given the complexity of computing that some of these machines do this makes perfect sense: an embedded, realtime OS is just not what you want to be dealing with when trying to develop richly representational software. Think imaging systems and computer-assisted surgery systems, which often have a lot of analysis and image processing built in, including heavy user interaction, in realtime, in the OR.

    Intra-op ultrasound is routine in cardiac surgery (and yes, sometimes systems hang and have to be rebooted while the patient is on the table with their heart stopped...) Intra-op fluoroscopy is routine in some procedures as well, particularly in ortho.

    The problem is that people have come to expect features that can't be easily delivered without a general purpose OS, and the issues that come with that are pretty much invisible to anyone who would be likely to scream about it, including the FDA. Users get used to periodic failures and work around them, just like desktop users do.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  6. Swine flu? by Sockatume · · Score: 5, Funny

    So, we have Conficker infecting hospitals now. And meanwhile, after Conficker's payload goes live, there's a massive outbreak of swine flu. And conficker spreads spam... spam is a pork product... COINCIDENCE?!

    --
    No kidding!!! What do you say at this point?
  7. Re:Old Computers by Anonymous Coward · · Score: 5, Insightful

    The biggest issue here is that Medical Equipment has to be run through an FDA Validation process. If you make changes to the system, you have to revalidate, and Validation takes months and $100K's. So the vendors leave them as-is.

    What's frustrating is that these systems need to be on a LAN, since they need to report their results to other clinical systems. So these small islands need to be linked other islands, and eventually, someone screws up and links an island with an Internet connection . . . .

  8. Re:Old Computers by Mazcote+Yarquest · · Score: 5, Interesting

    Indeed, I work for an OEM on the imaging (X-Ray) side of the house. My system(s) do get patched regularly. The users are given specific instruction not to "Surf the web".

    These systems are usually on a network segment dedicated strictly to imaging yet somehow I manage to find all fashon of virus (Most recently Conficker) games and saved email attachments on the Desktop.

    The FDA is very strict about how these systems are to be upgraded and serviced but patching is a non issue.

    My company has a simple solution to the virus issue though, If the network admin allows the cluster to get infected, we will gladly remove the infection, for a price.

    If I have only had a penny for every time I have heard "It's not my network, check your equipment"