Slashdot Mirror

← Back to Stories (view on slashdot.org)

Support Site For Hospital Respirators Found Riddled With Malware

Posted by Soulskill on from the what-could-possibly-go-wrong dept.

chicksdaddy writes "A web site used to distribute software updates for a wide range medical equipment, including ventilators has been blocked by Google after it was found to be riddled with malware and serving up attacks. The U.S. Department of Homeland Security is looking into the compromise. The site belongs to San Diego-based CareFusion Inc., a hospital equipment supplier. The infected Web sites, which use a number of different domains, distribute firmware updates for a range of ventilators and respiratory products. Scans by Google's Safe Browsing program in May and June found the sites were rife with malware. For example, about six percent of the 347 Web pages hosted at Viasyshealthcare.com, a CareFusion Web site that is used to distribute software updates for the company's AVEA brand ventilators, were found to be infected and pushing malicious software to visitors' systems."

48 comments

  1. All part of the plan. by Anonymous Coward · · Score: 0

    1. Reduce health care expenses
    2. Kill sick people
    3. Blame the Chinese
    4. Profit.

    1. Re:All part of the plan. by Anonymous Coward · · Score: 0
      Maybe, but what OS does all this malware run on?

      Avoid that and most of your problems go away.

    2. Re:All part of the plan. by h3llfish · · Score: 2

      Idiot. You don't just change your operating system on a whim in a medical environment. For one thing, the hospital or other institution probably doesn't even own the device, and so has no ability to change the OS. Even if they did, the device probably can't run a different OS. And even if it could, the institution would have to validate the new OS to ensure that it performed all of its functions correctly. Yeah, just change your OS, because a hospital is pretty much the same thing as your home network! Dipshit.

    3. Re:All part of the plan. by VON-MAN · · Score: 1

      Cool down please. The AC never said "change .... on a whim", he said: "avoid that". Besides, he's right. It's clear that anyone should avoid medical devices that need windows to update their firmware, or worse: _run_ windows.

    4. Re:All part of the plan. by turbidostato · · Score: 2

      "Idiot. You don't just change your [malware ridden] operating system on a whim in a medical environment"

      There, corrected for you.

      But then, maybe you should in fact change your malware ridden operating system on a whim, *specially* in a medical environment.

    5. Re:All part of the plan. by hairyfeet · · Score: 2

      Because a completely UNPATCHED Linux is magically better, yes?

      The problem is that YOU CANNOT UPDATE because of naturally the incredible amount of red tape and testing that MUST be done on a machine on which lives depend. It wouldn't matter if it was running Windows, BSD, or Linux as there would be ZERO PATCHES applied to the machine for most if not all of its life.

      That is why frankly all machines of that type need to be running a custom built RTOS with as little OS as possible, preferably just enough to do the function. Now if you want to build that out of Linux, BSD, Windows, or even OS/2? Really makes no difference to me, whatever floats your boat. but since it will never get updated you damned well better make it as thin, stripped down and light as possible.

      In the end this is exactly the kind of job that Windows and Linux embedded should be used for, but because its cheaper to just slap a copy of Windows Embedded with everything left at default instead of actually thinking about what the program actually needs to function and stripping out the rest you get dumbshit moves where things like PCs controlling respirators have a fricking web browser.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. So what by Anonymous Coward · · Score: 0

    I bet most are due to staff members browsing other infected sites

    1. Re:So what by Anonymous Coward · · Score: 5, Insightful

      Possibly - but the most malware-infected sites are sometimes the ones you wouldn't expect. Charities. Churches. Fraternal organizations. Anyplace where the servers are operated and maintained by volunteers who don't have a financial stake in the organization's operations, and who don't have a good background in security.

      Porn sites, on the other hand, are run by businesses who expect repeat business, and can't afford to scare customers away with malware. Their sites are much LESS likely to be infected, because they have professional IT staffs.

      You get the IT support you pay for.

    2. Re:So what by Anonymous Coward · · Score: 0

      "Possibly - but the most malware-infected sites are sometimes the ones you wouldn't expect. Charities. Churches. Fraternal organizations. Anyplace where the servers are operated and maintained by volunteers who don't have a financial stake in the organization's operations, and who don't have a good background in security."

      IOW morons with invisible friends.

    3. Re:So what by AssholeMcGee+ · · Score: 1

      Why would you target these out of the host of sites you should be targeting? Is this cyberwar? Or just a case of malware finding just about anything to attach too? If it is attaching to anything why was the industry not prepared for this?

  3. Hello, HIPPA? by Anonymous Coward · · Score: 2

    Hello, is HIPPA home?

    I thought these people, the medical drug/supply industry in general, held themselves to higher regard than others, which translated into better business practices. I mean, they're dealing with peoples lives here.

    Guess even they aren't immune from technological ineptitude and poor management.

    /not sure if HIPPA applies; hope it does and they're at least fined

    1. Re:Hello, HIPPA? by Anonymous Coward · · Score: 1

      Hello, is HIPPA home?

      Proper spelling mnemonic: HIPAA is not a HIPPO.

      As for HIPAA, unless the ventilator's server had patient information on it, it probably doesn't apply.

    2. Re:Hello, HIPPA? by TeddyR · · Score: 2

      They can be fined if any user identifiable medical data was proven to be compromised as a result of the malware.

      They also have to do regular internal security scans (IE: Anti Virus scans and other steps) to ensure that they are not infected or allowing people that should not have access to the user identifiable data that they should not)

      This also includes regular security training for their staff; which means that the download pages should not have had a "just click on run to install the software"

      http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf

      --

      --
      Time is on my side
    3. Re:Hello, HIPPA? by anared · · Score: 0, Flamebait

      You really think the medical industry cares about people? Treatments are more profitable than cures...

    4. Re:Hello, HIPPA? by detritus. · · Score: 2

      The key here is user identifiable.
      If someone compromises a respirator, I doubt it has the patient's name in the embedded OS.
      Most hospitals employ VLANs and keep medical data off those segmets -- I'm sure there's stories of patients or guests dumb enough to plug in to the ethernet jack in a hospital room for free internet.

      However, shutting one of these life support devices off remotely or preventing them from operating properly is certain death. That's likely the biggest concern.

  4. Oh nos, they shut down the Google! by xxxJonBoyxxx · · Score: 1, Offtopic

    >> "A web site used to distribute software updates for a wide range medical equipment, including ventilators has been blocked by Google...

    Yes, that will stop them, because the only way people find information is through Google.

    1. Re:Oh nos, they shut down the Google! by Anonymous Coward · · Score: 2, Insightful

      Umm, you read the summary or even the title and that is your reaction?

      This is a website that releases updates to medical equipment and instead is serving up malware. The fact that Google automated software is the one that caught it and notified visitors about it is but a minor foot note. Thankfully, it doesn't seem that the firmware itself was messed with though the article is light on details.

      While, definitely alarming, I wouldn't call it surprisingly however. It in the medical field is generally sorely lacking.

    2. Re:Oh nos, they shut down the Google! by andymadigan · · Score: 3

      This is Google's Safe Browsing function. It's their attempt to flag potentially dangerous sites. IT's not intended to block access to the site entirely, merely warn that it's been infected. It's up to the people who manage the site to fix it.

      --
      The right to protest the State is more sacred than the State.
    3. Re:Oh nos, they shut down the Google! by Anonymous Coward · · Score: 0

      You're some kind of idiot, aren't you?

    4. Re:Oh nos, they shut down the Google! by rtb61 · · Score: 2

      In this case it is used to publicly advertise a critical products, system and security admins failure and force immediate remedial action. Rather and embarrassing way for Google to do it but very effective and all in all, very appropriate.

      --
      Chaos - everything, everywhere, everywhen
    5. Re:Oh nos, they shut down the Google! by jonbryce · · Score: 2

      Blocked by google means blocked by any browser that checks against google's safe site database before opening the page. That includes Chrome (as you might expect) and Firefox. Internet Explorer uses Microsoft's equivalent, I don't know about Opera and Safari.

  5. Probably not singled out by dmomo · · Score: 4, Interesting

    A lot of sites are infected by bots who probe domains for tell-tale signs of security holes. Take a look at the logs for any website. You'll see regular GET requests from thousands of ip addresses looking for pages of well known applications (like phpmyadmin).

    The site was probably running some package with a hole in it.

    I run a url-shortner. Links to such compromised sites are always being further obfuscated through the shortner. It's a never ending process.

    1. Re:Probably not singled out by Anonymous Coward · · Score: 0

      Could be. But they also boast about being a "worldwide" company; makes you wonder how many of their software updates originated in China.

    2. Re:Probably not singled out by Anonymous Coward · · Score: 0

      yeah, i wonder how much they paid the admin to ignore the malware while they were infecting lots of clueless n00bs

  6. They will be fine by Billly+Gates · · Score: 4, Insightful

    All the hospitals I worked on still use IE 6 and XP SP 2 which has not had an update in over 2 years with +100 exploits. With that and some of the most top IT and well paid infrastructures in the industry I can't see how anything could go wrong?

    --
    http://saveie6.com/
    1. Re:They will be fine by ColdWetDog · · Score: 2

      Wow. Where the hell do you work? I've been on a tour of 8 hospitals in the West - NOBODY is running IE6 although half of them were running XP SP3.

      Everybody is using IE 7/8 and / or Firefox.

      Even McKesson, that dinosaur of a company has finally become browser agnostic.

      No excuses. None at all.

      --
      Faster! Faster! Faster would be better!
    2. Re:They will be fine by Billly+Gates · · Score: 2

      That is a relief. Most slashdotters here who have worked in the medical field all tell similiar stories of IE 6 or IE 5.5 on Windows 2000 still.

      I assumed all the intranet apps still required XP SP 2 and IE 6 because of medical testing and the fact that it is expensive to replace equipment so why change?

      I wont say the names here publically. But one is a chain with 7 or 8 locations all on the west coast. I came in for a PC Refresh project too. All new hardware for a new EPIC medical database. But the equipment and service agreements stipulated that we run IE 6 or we get no support.

      They encrpyt the hard drives so nothing gets out and has MAC access controls to the server room, yet leave Adobe 7 (forgot the version), XP SP 2, and IE 6 for the employers to browse the open internet with no sandbox.

      --
      http://saveie6.com/
    3. Re:They will be fine by TapeCutter · · Score: 2

      I notice you are using the past tense, ie: worked on/in. Although not in the medical industry the multi-national I work for only got rid of IE6 on their SOE image last year. The same is true for many companies, it wasn't until win7 arrived that they started in earnest to purge their internal applications that only worked on IE6. MS lost the standards wars, consequently moving away from IE6 has been a huge headache for the business world.

      Note I'm not making excuse for people here just relating my observation that the commercial world kept wipping IE6 long after it's death certificate had been issued by MS, in many situations that was a perfectly reasonable business decision. Personally I think the situation in TFA is inexcusable regardless of what software they were using, how did it get so bad for so long that google ended up blocking it before the admins noticed anything? If the admins did notice then why was it still serving up malware, why wasn't it turned off? If this was 'real engineering', I suspect the people running it would now be facing criminal negligence charges.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    4. Re:They will be fine by Anonymous Coward · · Score: 4, Interesting

      I am a contractor so yes it was past tense.

      The issue I am making fun of is hospitals have LARGE amounts of devices that are internet enabled like $300,000 cat scan machines that PDF and email documents and are managed only via IE 6 as they were made in a different era when that was the gold standard before Firefox was anything but a cheap amature internet thingie a half decade ago. They almost always use very obsolete platforms with 256 megs of ram, IE 6, etc. The budget analysts folks are under heavy pressure to cut costs and IT is always the cost center at the end of day.

      Worse many devices have support contracts dictating you use IE 6 or IE 7 before we will even talk to you on the phone. All equipment must be medical certified which takes years to process so they are even further behind compared to vanilla corporate America. This was the case with the EPIC project I was working on.

      I was dumb founded when they had me installing XP SP 2 on these new icore 5s. At least XP SP 3 gets patches. Looking at ColdWetdog's website I believe I worked for his employer possible in 2011 early last year and maybe they did plan on upgrading. If it was in Anchorage where the center facility is based I will certainly get a good laugh :-)

      If they went to at least XP SP 3 by now then that is patched I will be happy. There were no talks of that at the time as I asked the IT department WTF etc. Equipment and medical software are very very expensive and is always years behind the competition. In Canada they still use Windows 2000 and IE 5.5 web apps because it is cost prohibitive to change and things like COWS (Computer On Wheels) have very narrow specifications where the company will void your warranty if you touch it.

      Locking systems down to exact time frames is wrong and is negligent in this new day and age I agree. I hope McKesson and StarChart certainly do just follow standards as hospitals should be more state of the art in technology and not techno-phobic so to speak. WIth such pricy and expensive testing it makes sense to keep the budget to hire more nurses and doctors than to keep IT going if their systems are just something a secretary uses to remind patients when their next appointment is. The medical database project at least tied all of Alaska, Washington, and Oregon together with a unified patient record which now makes IT a lot more important.

  7. why the relaxed response? by Anonymous Coward · · Score: 0

    afaiu if manufactures of medical hardware cut corners making stuff that is not up to spec. like replacing components with out the right approvals, not following procedures etc. it generally involves federal agents and handcuffs

  8. Assisted suicide just got easier by deatypoo · · Score: 3, Funny

    Your honor, I swear, grandma was hacked!

    --
    Any sufficiently advanced incompetence is indistinguishable from malice.
    1. Re:Assisted suicide just got easier by courcoul · · Score: 2

      And it takes the well known hacker defacement "yow haz b33n Pwned!" to a whole new level......

  9. 3rd party Vendors / suppliers by Joe_Dragon · · Score: 1

    3rd party Vendors / suppliers make it hard to find who is at fault.

    1. Re:3rd party Vendors / suppliers by hawguy · · Score: 2

      3rd party Vendors / suppliers make it hard to find who is at fault.

      I thought the company that hired the shoddy vendor is at fault? Does HIPAA, SOX, etc let you push responsibility onto a vendor that you hired?

    2. Re:3rd party Vendors / suppliers by Anonymous Coward · · Score: 1

      Does HIPAA, SOX, etc let you push responsibility onto a vendor that you hired?

      Aren't those just about money? These systems may be handling tasks where lives are at stake. But I think as far as SOX is concerned, that's not important. In the worst case somebody is going to die, it's not like any real damage would happen such as letting people get away with some financial scams. (Is slashdot trying to give me some sort of hint by choosing "lawsuit" as the capcha?)

  10. i hate to be the dick in all things by KingBenny · · Score: 1

    but it does say something about the importance of the websites

    --
    Free speech was meant to be free for all... how can anyone grow up in a nanny state ?
  11. I don't get it... by f3rret · · Score: 1

    So the site is riddled with malware, like hundreds of other sites out there I imagine. That is their webserver, which probably lives with some hosting provider somewhere and has no contact with the stuff they use for development of those medical devices.

    Besides I don't really think that malware designed for whatever those servers ran will run on medical hardware..

    --
    Admit nothing. Deny Everything. Make Counter-accusations.
    1. Re:I don't get it... by dalias · · Score: 4, Insightful

      The problem is that the malware might offer a backdoor for someone to intentionally compromise the integrity of the medical device firmware. Even if it doesn't, the fact that the site is vulnerable means somebody else who's actually skilled (unlike the dumb sks/bots) could independently obtain access for the purpose of modifying the firmware.

  12. I can see it by HangingChad · · Score: 2

    Companies are cutting corners all the time. Outsourcing IT support and web site maintenance, so it doesn't surprise me they don't know their own sites are serving up malware.

    And it all rolls downhill. The company running their web site runs 5,000 sites with two stressed out staff and can't keep up with sites that get boned. The host probably has thousands of domains and they don't have the staff to check on all their customer sites.

    So all this shit falls on a handful of people who are overworked and underpaid by management who don't give a crap about anything but getting their bonus and boning the HR director.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  13. let's see updates framed out to a supplier by Joe_Dragon · · Score: 1

    So the site is riddled with malware, like hundreds of other sites out there I imagine. That is their webserver, which probably lives with some hosting provider somewhere and has no contact with the stuff they use for development of those medical devices.

    Besides I don't really think that malware designed for whatever those servers ran will run on medical hardware..

    let's see updates framed out to a supplier that likely framed out the website to a 3rd party hosting with a 3rd party place who build the web site.

    likely there is no contact with the stuff they use for development of those medical devices.

  14. Medical hardware is not the target by manu0601 · · Score: 1

    As I understand, medical hardware was not the target. This is plain malware nesting in plain vulnerable software. The company happens to be in the medical field, the firmware for their product does not seems to have been infected.

  15. Somthing about Respirators... by bill_mcgonigle · · Score: 1

    Back in the day, when I had the first pre-802.11b device at the hospital I worked at, I helped a bit with testing medical devices for interference from wireless networking equipment.

    Almost everything was fine except for some respirators, which went kerplooie when a device was within about 2 feet.

    Talking to the manufacturer, they kept saying how they had a medical device exemption from the FCC for radio frequency interference. That's meant to shield outbound RF, but transmitters are good antennas and all. Long-and-short, they cut corners because the FCC said they could. And their devices are tasked with keeping critically ill people alive. Awesome.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  16. Windows by soundguy · · Score: 2

    The server is running II6 so the OS is probably Windows Server 2003. The site is built on ASP.NET. The IP address is registered to the company, so they're probably running their own in-house data center. My guess is they don't have anyone in IT that actually knows what the hell they are doing, which is typical of Windows shops thanks to bean counters and short-sighted management.

    --
    Nothing worthwhile ever happens before noon
    1. Re:Windows by soundguy · · Score: 1

      Make that IIS 6. Stupid keyboard battery is dying.

      --
      Nothing worthwhile ever happens before noon
    2. Re:Windows by Anonymous Coward · · Score: 0

      Very astute theory and probably accurate. Most of the original team that worked on those servers were laid off years ago.

  17. Wordpress by utkonos · · Score: 1

    They were probably running Wordpress on IIS.

  18. Not to worry though by gelfling · · Score: 1

    Your medical information is protected, even from, especially from YOU by the idiot on the other end of the phone muttering "HIPAA"

  19. Medical device flaws by Anonymous Coward · · Score: 0

    The biggest problem doesn't exactly lie on the shoulders of the facilities but the vendors. The way things are released through their 510k ties their hands. I work for a vendor that still puts XP SP0 on customers networks because that's how some idiot filed the 510.

    Most facilities will segregate these systems and let the malware run rampant even on systems used in surgery.