Support Site For Hospital Respirators Found Riddled With Malware

chicksdaddy writes "A web site used to distribute software updates for a wide range medical equipment, including ventilators has been blocked by Google after it was found to be riddled with malware and serving up attacks. The U.S. Department of Homeland Security is looking into the compromise. The site belongs to San Diego-based CareFusion Inc., a hospital equipment supplier. The infected Web sites, which use a number of different domains, distribute firmware updates for a range of ventilators and respiratory products. Scans by Google's Safe Browsing program in May and June found the sites were rife with malware. For example, about six percent of the 347 Web pages hosted at Viasyshealthcare.com, a CareFusion Web site that is used to distribute software updates for the company's AVEA brand ventilators, were found to be infected and pushing malicious software to visitors' systems."

Hello, HIPPA?

Hello, is HIPPA home?

I thought these people, the medical drug/supply industry in general, held themselves to higher regard than others, which translated into better business practices. I mean, they're dealing with peoples lives here.

Guess even they aren't immune from technological ineptitude and poor management.

/not sure if HIPPA applies; hope it does and they're at least fined

Re:Hello, HIPPA?

Hello, is HIPPA home?

Proper spelling mnemonic: HIPAA is not a HIPPO.

As for HIPAA, unless the ventilator's server had patient information on it, it probably doesn't apply.

Re:Hello, HIPPA?

[TeddyR]

They can be fined if any user identifiable medical data was proven to be compromised as a result of the malware.

They also have to do regular internal security scans (IE: Anti Virus scans and other steps) to ensure that they are not infected or allowing people that should not have access to the user identifiable data that they should not)

This also includes regular security training for their staff; which means that the download pages should not have had a "just click on run to install the software"

http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf

Re:Hello, HIPPA?

[detritus.]

The key here is user identifiable.
If someone compromises a respirator, I doubt it has the patient's name in the embedded OS.
Most hospitals employ VLANs and keep medical data off those segmets -- I'm sure there's stories of patients or guests dumb enough to plug in to the ethernet jack in a hospital room for free internet.

However, shutting one of these life support devices off remotely or preventing them from operating properly is certain death. That's likely the biggest concern.

Oh nos, they shut down the Google!

[xxxJonBoyxxx]

>> "A web site used to distribute software updates for a wide range medical equipment, including ventilators has been blocked by Google...

Yes, that will stop them, because the only way people find information is through Google.

Re:Oh nos, they shut down the Google!

Umm, you read the summary or even the title and that is your reaction?

This is a website that releases updates to medical equipment and instead is serving up malware. The fact that Google automated software is the one that caught it and notified visitors about it is but a minor foot note. Thankfully, it doesn't seem that the firmware itself was messed with though the article is light on details.

While, definitely alarming, I wouldn't call it surprisingly however. It in the medical field is generally sorely lacking.

Re:Oh nos, they shut down the Google!

[andymadigan]

This is Google's Safe Browsing function. It's their attempt to flag potentially dangerous sites. IT's not intended to block access to the site entirely, merely warn that it's been infected. It's up to the people who manage the site to fix it.

Re:Oh nos, they shut down the Google!

[rtb61]

In this case it is used to publicly advertise a critical products, system and security admins failure and force immediate remedial action. Rather and embarrassing way for Google to do it but very effective and all in all, very appropriate.

Re:Oh nos, they shut down the Google!

[jonbryce]

Blocked by google means blocked by any browser that checks against google's safe site database before opening the page. That includes Chrome (as you might expect) and Firefox. Internet Explorer uses Microsoft's equivalent, I don't know about Opera and Safari.

Probably not singled out

[dmomo]

A lot of sites are infected by bots who probe domains for tell-tale signs of security holes. Take a look at the logs for any website. You'll see regular GET requests from thousands of ip addresses looking for pages of well known applications (like phpmyadmin).

The site was probably running some package with a hole in it.

I run a url-shortner. Links to such compromised sites are always being further obfuscated through the shortner. It's a never ending process.

They will be fine

[Billly+Gates]

All the hospitals I worked on still use IE 6 and XP SP 2 which has not had an update in over 2 years with +100 exploits. With that and some of the most top IT and well paid infrastructures in the industry I can't see how anything could go wrong?

Re:They will be fine

[ColdWetDog]

Wow. Where the hell do you work? I've been on a tour of 8 hospitals in the West - NOBODY is running IE6 although half of them were running XP SP3.

Everybody is using IE 7/8 and / or Firefox.

Even McKesson, that dinosaur of a company has finally become browser agnostic.

No excuses. None at all.

Re:They will be fine

[Billly+Gates]

That is a relief. Most slashdotters here who have worked in the medical field all tell similiar stories of IE 6 or IE 5.5 on Windows 2000 still.

I assumed all the intranet apps still required XP SP 2 and IE 6 because of medical testing and the fact that it is expensive to replace equipment so why change?

I wont say the names here publically. But one is a chain with 7 or 8 locations all on the west coast. I came in for a PC Refresh project too. All new hardware for a new EPIC medical database. But the equipment and service agreements stipulated that we run IE 6 or we get no support.

They encrpyt the hard drives so nothing gets out and has MAC access controls to the server room, yet leave Adobe 7 (forgot the version), XP SP 2, and IE 6 for the employers to browse the open internet with no sandbox.

Re:They will be fine

[TapeCutter]

I notice you are using the past tense, ie: worked on/in. Although not in the medical industry the multi-national I work for only got rid of IE6 on their SOE image last year. The same is true for many companies, it wasn't until win7 arrived that they started in earnest to purge their internal applications that only worked on IE6. MS lost the standards wars, consequently moving away from IE6 has been a huge headache for the business world.

Note I'm not making excuse for people here just relating my observation that the commercial world kept wipping IE6 long after it's death certificate had been issued by MS, in many situations that was a perfectly reasonable business decision. Personally I think the situation in TFA is inexcusable regardless of what software they were using, how did it get so bad for so long that google ended up blocking it before the admins noticed anything? If the admins did notice then why was it still serving up malware, why wasn't it turned off? If this was 'real engineering', I suspect the people running it would now be facing criminal negligence charges.

Re:They will be fine

I am a contractor so yes it was past tense.

The issue I am making fun of is hospitals have LARGE amounts of devices that are internet enabled like $300,000 cat scan machines that PDF and email documents and are managed only via IE 6 as they were made in a different era when that was the gold standard before Firefox was anything but a cheap amature internet thingie a half decade ago. They almost always use very obsolete platforms with 256 megs of ram, IE 6, etc. The budget analysts folks are under heavy pressure to cut costs and IT is always the cost center at the end of day.

Worse many devices have support contracts dictating you use IE 6 or IE 7 before we will even talk to you on the phone. All equipment must be medical certified which takes years to process so they are even further behind compared to vanilla corporate America. This was the case with the EPIC project I was working on.

I was dumb founded when they had me installing XP SP 2 on these new icore 5s. At least XP SP 3 gets patches. Looking at ColdWetdog's website I believe I worked for his employer possible in 2011 early last year and maybe they did plan on upgrading. If it was in Anchorage where the center facility is based I will certainly get a good laugh :-)

If they went to at least XP SP 3 by now then that is patched I will be happy. There were no talks of that at the time as I asked the IT department WTF etc. Equipment and medical software are very very expensive and is always years behind the competition. In Canada they still use Windows 2000 and IE 5.5 web apps because it is cost prohibitive to change and things like COWS (Computer On Wheels) have very narrow specifications where the company will void your warranty if you touch it.

Locking systems down to exact time frames is wrong and is negligent in this new day and age I agree. I hope McKesson and StarChart certainly do just follow standards as hospitals should be more state of the art in technology and not techno-phobic so to speak. WIth such pricy and expensive testing it makes sense to keep the budget to hire more nurses and doctors than to keep IT going if their systems are just something a secretary uses to remind patients when their next appointment is. The medical database project at least tied all of Alaska, Washington, and Oregon together with a unified patient record which now makes IT a lot more important.

Assisted suicide just got easier

[deatypoo]

Your honor, I swear, grandma was hacked!

Re:Assisted suicide just got easier

[courcoul]

And it takes the well known hacker defacement "yow haz b33n Pwned!" to a whole new level......

Re:So what

Possibly - but the most malware-infected sites are sometimes the ones you wouldn't expect. Charities. Churches. Fraternal organizations. Anyplace where the servers are operated and maintained by volunteers who don't have a financial stake in the organization's operations, and who don't have a good background in security.

Porn sites, on the other hand, are run by businesses who expect repeat business, and can't afford to scare customers away with malware. Their sites are much LESS likely to be infected, because they have professional IT staffs.

You get the IT support you pay for.

3rd party Vendors / suppliers

[Joe_Dragon]

3rd party Vendors / suppliers make it hard to find who is at fault.

Re:3rd party Vendors / suppliers

[hawguy]

3rd party Vendors / suppliers make it hard to find who is at fault.

I thought the company that hired the shoddy vendor is at fault? Does HIPAA, SOX, etc let you push responsibility onto a vendor that you hired?

Re:3rd party Vendors / suppliers

Does HIPAA, SOX, etc let you push responsibility onto a vendor that you hired?

Aren't those just about money? These systems may be handling tasks where lives are at stake. But I think as far as SOX is concerned, that's not important. In the worst case somebody is going to die, it's not like any real damage would happen such as letting people get away with some financial scams. (Is slashdot trying to give me some sort of hint by choosing "lawsuit" as the capcha?)

i hate to be the dick in all things

[KingBenny]

but it does say something about the importance of the websites

I don't get it...

[f3rret]

So the site is riddled with malware, like hundreds of other sites out there I imagine. That is their webserver, which probably lives with some hosting provider somewhere and has no contact with the stuff they use for development of those medical devices.

Besides I don't really think that malware designed for whatever those servers ran will run on medical hardware..

Re:I don't get it...

[dalias]

The problem is that the malware might offer a backdoor for someone to intentionally compromise the integrity of the medical device firmware. Even if it doesn't, the fact that the site is vulnerable means somebody else who's actually skilled (unlike the dumb sks/bots) could independently obtain access for the purpose of modifying the firmware.

I can see it

[HangingChad]

Companies are cutting corners all the time. Outsourcing IT support and web site maintenance, so it doesn't surprise me they don't know their own sites are serving up malware.

And it all rolls downhill. The company running their web site runs 5,000 sites with two stressed out staff and can't keep up with sites that get boned. The host probably has thousands of domains and they don't have the staff to check on all their customer sites.

So all this shit falls on a handful of people who are overworked and underpaid by management who don't give a crap about anything but getting their bonus and boning the HR director.

let's see updates framed out to a supplier

[Joe_Dragon]

So the site is riddled with malware, like hundreds of other sites out there I imagine. That is their webserver, which probably lives with some hosting provider somewhere and has no contact with the stuff they use for development of those medical devices.

Besides I don't really think that malware designed for whatever those servers ran will run on medical hardware..

let's see updates framed out to a supplier that likely framed out the website to a 3rd party hosting with a 3rd party place who build the web site.

likely there is no contact with the stuff they use for development of those medical devices.

Re:All part of the plan.

[h3llfish]

Idiot. You don't just change your operating system on a whim in a medical environment. For one thing, the hospital or other institution probably doesn't even own the device, and so has no ability to change the OS. Even if they did, the device probably can't run a different OS. And even if it could, the institution would have to validate the new OS to ensure that it performed all of its functions correctly. Yeah, just change your OS, because a hospital is pretty much the same thing as your home network! Dipshit.

Medical hardware is not the target

[manu0601]

As I understand, medical hardware was not the target. This is plain malware nesting in plain vulnerable software. The company happens to be in the medical field, the firmware for their product does not seems to have been infected.

Somthing about Respirators...

[bill_mcgonigle]

Back in the day, when I had the first pre-802.11b device at the hospital I worked at, I helped a bit with testing medical devices for interference from wireless networking equipment.

Almost everything was fine except for some respirators, which went kerplooie when a device was within about 2 feet.

Talking to the manufacturer, they kept saying how they had a medical device exemption from the FCC for radio frequency interference. That's meant to shield outbound RF, but transmitters are good antennas and all. Long-and-short, they cut corners because the FCC said they could. And their devices are tasked with keeping critically ill people alive. Awesome.

Windows

[soundguy]

The server is running II6 so the OS is probably Windows Server 2003. The site is built on ASP.NET. The IP address is registered to the company, so they're probably running their own in-house data center. My guess is they don't have anyone in IT that actually knows what the hell they are doing, which is typical of Windows shops thanks to bean counters and short-sighted management.

Re:Windows

[soundguy]

Make that IIS 6. Stupid keyboard battery is dying.

Wordpress

[utkonos]

They were probably running Wordpress on IIS.

Re:All part of the plan.

[VON-MAN]

Cool down please. The AC never said "change .... on a whim", he said: "avoid that". Besides, he's right. It's clear that anyone should avoid medical devices that need windows to update their firmware, or worse: _run_ windows.

Not to worry though

[gelfling]

Your medical information is protected, even from, especially from YOU by the idiot on the other end of the phone muttering "HIPAA"

Re:So what

[AssholeMcGee+]

Why would you target these out of the host of sites you should be targeting? Is this cyberwar? Or just a case of malware finding just about anything to attach too? If it is attaching to anything why was the industry not prepared for this?

Re:All part of the plan.

[turbidostato]

"Idiot. You don't just change your [malware ridden] operating system on a whim in a medical environment"

There, corrected for you.

But then, maybe you should in fact change your malware ridden operating system on a whim, *specially* in a medical environment.

Re:All part of the plan.

[hairyfeet]

Because a completely UNPATCHED Linux is magically better, yes?

The problem is that YOU CANNOT UPDATE because of naturally the incredible amount of red tape and testing that MUST be done on a machine on which lives depend. It wouldn't matter if it was running Windows, BSD, or Linux as there would be ZERO PATCHES applied to the machine for most if not all of its life.

That is why frankly all machines of that type need to be running a custom built RTOS with as little OS as possible, preferably just enough to do the function. Now if you want to build that out of Linux, BSD, Windows, or even OS/2? Really makes no difference to me, whatever floats your boat. but since it will never get updated you damned well better make it as thin, stripped down and light as possible.

In the end this is exactly the kind of job that Windows and Linux embedded should be used for, but because its cheaper to just slap a copy of Windows Embedded with everything left at default instead of actually thinking about what the program actually needs to function and stripping out the rest you get dumbshit moves where things like PCs controlling respirators have a fricking web browser.