Malware Is 'Rampant' On Medical Devices In Hospitals
Dupple sends this quote from MIT's Technology Review:
"Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable. While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion. [He said], 'Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.' ... Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed."
When someone does get hurt, it will be a very clear case of negligence on the part of the manufacturer, and the lawsuit will bring everyone else in line.
Sad that this is the way it works in America though.
Well if the nurses/doctors would quit browsing the internet for coupons and shopping sites.
I don't know about medical devices, but I do know that the last time I was in the emergency room I brought my laptop since I knew I would be there for a few hours. After getting tired of games and slashdot I decided to poke around the wifi network that I was on. I found an unsecured smb share on the network and downloaded a 17gb .bak file of patient records. Needless to say I deleted the file and sent an anonymous email to the administrator. 3 months later nothing had changed....
Windows is not intended to be used in life-critical situations such as medical hardware or nuclear reactor control. It's right there in capital letters in the EULA.
Someone's being a cheapskate here and decided to use windows instead of paying to develop a custom medical OS.
Sue the bandagers.. er, bastiges.
I used to work for an ophthalmic ultrasound company. You'd think that doctors, having all those years of college and medical school, would know better than to browse the internet on a medical device, or know enough to ensure that the USB flash drive they're carrying around and using to transfer images from one ultrasound to their computer is free of malware, but the sad reality is they're not, and while I can't speak for other devices manufactured by other companies, ours couldn't run antivirus and still run the ultrasound application effectively, so it was essentially wide-open to malicious software.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
I worked at a hospital for about a half year and noticed that their policy was if it isn't a "normal" computer, we don't touch it. We leave it up to the lab techs and pharmacy staff and cardiology people. So there's 99% of the problem.
The majority of computers in hospitals/doctor offices/dentists are budget machines running windows XP. Whatever software is intended to be run on them is installed right when the machines are purchased, and then the machines sole purpose for the next 5 years is to run that software. No one bothers to run Microsoft Update or similar because there never is an apparent need, hence the numerous "unpatched" machines.
Only IE 6 is supported and certified for use with the equipment and software. Not to mention there is no sense upgrading $300,000 equipment which is now certified with the all uber secure IE 7 when the older works just fine according to the accountants.
What could possibly go wrong! FYI no updates after May 2009! They are not certified for medical use yet
http://saveie6.com/
Dad has owned an ultrasound service business since the late 70s. My brothers and I all worked for him in varying capacities, before becoming engineers ourselves.
In my experience: the amount of willful ignorance towards all manner of IT in the medical field is nothing short of astounding.
I hate to say it, because I love a lot of these people- but I chalk it up to the arrogance of the doctors and administrators. They treat anything IT related on the same level as an issue regarding say, HVAC or sanitation. That is to say, beneath them.
Which is fine, except in this case the "HVAC" can be programmed by a remote intruder to emit Zyklon B.
The technical issues that cause this are "easy" to remedy. You don't allow people to use the instrument to have administrator access. A good portion of applications can be remediated to work in a low privileged environment via file system ACLs. Those that cannot need to be network isolated and stripped down to the bare essentials needed to do the task it is for. *These are technical steps*
Administrative steps to take is to demand that the outside vendors don't get to dictate your network policies. Frankly in a hospital you can go all HIPAA on their asses.
To give an anecdote, we had a vendor who delivered an instrument, for which the edict was that *NO* settings could be changed. They shipped it with a manually configured IP of an ISP in Germany. Presumably they wanted us to buy the IP block to get it on the network.
Haven't they heard of http://kaspersky.ru ???
Ok, I'm only a student. So I don't know anything. But I sorta THOUGHT that the standard for a mission critical system (aka something like a heart monitor, blood gas analyzer, etc etc etc) would be to NOT use any software in your system that you don't have 100% control over.
You know, rather than picking some version of windows, use an embedded linux. Add the bare minimum graphics libraries you need in order to draw a gui. Isolate the threads that actually do the mission critical stuff (say, reading the sensor and displaying the output) from the ones that do other tasks (like handling all the complex menus and the network connectivity and so on). Heck, use a separate physical CPU for the mission critical stuff, and give it its own dedicated display so that no matter what, it keeps displaying the important data. The hardware to do this is cheap.
And firewalls should be integrated into the devices themselves - even Linux can theoretically catch a worm, and so it should apply strict filtering rules on any communications with the network.
I can fully understand the reluctance of the manufacturers to issue software patches. Building the system so that it's practical to not ever patch it (well, maybe patch it a couple times to eliminate any bugs found after release) is a good thing. Everyone here must know that the best way to break a working machine is to shut it down and change something.
All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.
Validated. That costs a bunch of money. And this basically is saying that if the manufacturer DOESN'T validate the changes to the FDA's satisfaction (meaning do a heck of a lot more testing than just applying the patch real quick and booting it up and making sure it's still working) then they are totally vulnerable to lawsuits.
Also, just as importantly : the manufacturer does not receive money from medical devices already sold. Their new ones (with new hardware which is why they can't back-port the software) are where the revenue is. In fact, it's sort of beneficial if the hospital's old equipment starts running slowly and badly because they can push their new gear (now with enhanced cybersecurity!)
I see this as a huge problem for us. The vendors we use don't support Windows 7 and often don't play nice without local administrator. I also find it frustrating that they don't provide Microsoft Certified Drivers (Makes deployment an issue).
When we have issues, they tell us to turn security features off. They must be administrators, you must turn UAC off, you must disable Data Execution Prevention, you must run on Windows XP. We have disproved the XP requirement over and over. We have done the same for administrator access. Stuff would work if it was written better or updated.
I wish I had leverage to force vendors to fix these issues. But in many cases they have the best or only device. When everyone else uses it and generally likes it, IT has a hard time holding out. Our issue is compounded because of our field. Most of our vendor's customers are small offices with 2-5 single purpose computers. They don't have an IT staff to understand what is really wrong.
It's these same packages and drivers that prevent VDI or cloud adoption in these locations.
In industries where arrogance and demanding people are common, the only people who work the jobs are those with a tolerance for such behavior.
This means you're picking your IT guys by whether they put up with your drama or not.
If you wonder why many law firms and hospitals have such bad IT staff, this is the reason. High turnover, low investment beyond what is demanded. Mainly because the demands are constant and irate.
These people are probably dropping 4000 Windows XP machines into a hospital, and then complaining about the reboots for patches and/or that weird orange browser they have to do now.
As a result, they get a ton of malware. The solution is obvious: turn on Windows update, and train staff to rein in their egos and drama for just a few minutes every day.
Unless I'm mistaken, it is illegal to create and distribute a computer virus, but "malware" somehow does not fall into this category because it's not deliberately destructive I guess. It *is* however, destructive in so much as the security holes it usually creates along with the system resources it takes.
Shouldn't we just be able to follow a piece of malware to its source company and have the DOJ take care of them?? I recall legislation against spam having been written and people even being convicted for violating such laws, yet somehow we haven't decided malware is equally bad??
Everyone knows that hospitals are full of viruses. Obviously, not just the expected variety.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Okay, this is a valid point, and people need to pay attention when they engineer, build, support, and actually use these things. Still, what is done is done and paid for, and I imagine hospitals retain some I.T. department services of some sort, and all this gear is networked behind a firewall or two.
New gear absolutely must take these concerns into consideration and address them long-term because the threat will not go away. But what is the current threat on the legacy devices? What can an attacker hope to accomplish? What would be the motivation of a hacker or two, to reverse-engineer the MRI scanner, oh and by the way where did these guys get a redundant MRI scanner (etc.) to reverse engineer for their evil motivations?
Oh wait, much of this gear is based upon Windows XP and that is the vector. Uh huh. Well that sort of shelf-lifes the security on your hardware I suppose. It might be best to support a long-term and truly open-system like Linux or FreeBSD rather than base your product on what the Microsoft Corporation can deliver for your own business requirements.
Or, if Microsoft is so good for (medical equipment) developers to base products on, then why can't the software be upgraded to support Windows 7 or 8?
You can't be ahead of the curve, if you're stuck in a loop.
HIMSS was actively working this topic in the early to mid 2000's. Check out their bibliography: www.himss.org/Content/Files/deviceSecurity/Bibliography.doc
Windows has become the de-facto standard embedded OS because it is quick and easy to develop for. I work in a technical field and we can't even buy diagnostic equipment that doesn't show an XP logo before firing up. That means that unlike my 30-year old oscilloscope at home, these devices will fail and fail hard in the future and there will be no repairing them since their software will be completely tied to the machine ID they shipped with. It just all seems so freaking lazy.
it's been heavily reported for several months.
"Ok, I'm only a student. So I don't know anything. But I sorta THOUGHT that the standard for a mission critical system (aka something like a heart monitor, blood gas analyzer, etc etc etc) would be to NOT use any software in your system that you don't have 100% control over.
...
You make a lot of sense for a student
AccountKiller
A little sooner than we should, but that's them bones !!
Need a sign out front - Caution: This Hospital Uses Microsoft Windows.
A feeling of having made the same mistake before: Deja Foobar
...to be using Windows as a medical devices platform to begin with.
As a security auditor, I wish I could consider that to be an automatic "willful negligence" HIPAA/HITECH violation, but my superiors will not allow me to do so.
'But that costs money'
'But that's difficult' (Security usually is)
Captcha: liquor ; if I drank alcohol this topic would probably drive me to do so...
What you have all described sounds good.
BUT.
It will cost money.
So we're not going to do any of that security crap until someone makes us do it. And then we're gonna drag our feet on deploying it. And still use the cheapest option out there.
I worked as an IT Manager in a hospital for a few years, and know a little bit about this... The first issue is that these systems typically CAN NOT be upgraded, and this is not due to the MFG not wanting to upgrade, this is a FDA compliance issue... If they upgrade the software, they have to do some very expensive certifications with the FDA, these same certifications delay the release of medical equipment to the point that much of the technology is already close to being outdated when it hits the market.
... but we managed just fine.
Our solution, which seems simple enough, was that every type of medical equipment was located on a different physical network (for critical pt. monitoring equipment) or at a minimum a separate VLAN on the main network. All network access to this equipment was blocked except for very specific exceptions that were allowed based on the absolute need of that piece of equipment. We had no issues with any of these infections or malware, although it did increase the man-hours overhead especially when working with the vendors that would sometimes wonder why they could not hit the internet from the X-Ray machine.
+++ATH0 NO CARRIER
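Added example, not part of the original thread: one way to check that the per-VLAN "block everything except specific exceptions" setup described in the comment above is actually holding, by auditing firewall flow records against the allowlist. The segment names, subnets, ports, server addresses and log format are all constructed for illustration.

```python
"""Default-deny audit for segmented medical-device VLANs (illustrative)."""
import ipaddress
from typing import NamedTuple

# Device segments, one per equipment type (constructed subnets).
SEGMENTS = {
    "xray": ipaddress.ip_network("10.20.1.0/24"),
    "monitor": ipaddress.ip_network("10.20.2.0/24"),
}

# The only permitted flows: (source net, destination net, protocol, dest port).
# Anything else that enters or leaves a device segment is a violation.
ALLOWED = [
    # X-ray modalities may send images to one PACS server (port 104, DICOM).
    (SEGMENTS["xray"], ipaddress.ip_network("10.30.0.10/32"), "tcp", 104),
    # Patient monitors may report to their central station only (constructed port).
    (SEGMENTS["monitor"], ipaddress.ip_network("10.30.0.20/32"), "tcp", 2575),
]

# Constructed flow records: "timestamp src dst proto dport".
SAMPLE_FLOWS = """\
2012-10-17T09:00:01 10.20.1.15 10.30.0.10 tcp 104
2012-10-17T09:00:07 10.20.1.15 203.0.113.9 tcp 80
2012-10-17T09:01:12 10.10.5.44 10.20.1.15 tcp 22
2012-10-17T09:02:30 10.20.2.8 10.30.0.20 tcp 2575
2012-10-17T09:03:02 10.20.2.8 10.20.1.15 tcp 445
2012-10-17T09:03:40 10.10.5.44 10.10.5.1 udp 53
"""


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line):
    """Parse one whitespace-separated flow record."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def segment_of(addr):
    """Return the device segment name an address belongs to, or None."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(flow):
    """True if the flow matches one of the explicit exceptions."""
    return any(flow.src in s and flow.dst in d
               and flow.proto == p and flow.dport == port
               for s, d, p, port in ALLOWED)


def audit(lines):
    """Return (reason, Flow) for every flow that breaks default-deny."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
        # Skip traffic that never touches a device segment (both None)
        # or that stays inside a single segment.
        if src_seg == dst_seg:
            continue
        if is_allowed(flow):
            continue
        if src_seg and dst_seg:
            reason = f"lateral {src_seg}->{dst_seg}"
        elif src_seg:
            reason = f"egress from {src_seg}"
        else:
            reason = f"ingress to {dst_seg}"
        violations.append((reason, flow))
    return violations


if __name__ == "__main__":
    for reason, flow in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{flow.ts} {reason}: {flow.src} -> {flow.dst} "
              f"{flow.proto}/{flow.dport}")
```

On the constructed sample this reports three flows: a device reaching the internet, an SSH connection from a general-purpose subnet into a device segment, and traffic crossing between two device segments.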
Embedded systems, done wrong.
Whoever let network connected medical devices with un-hardened operating systems be certified needs to be thrown in prison. Seriously.
The term medical device has a broad definition; it includes obvious things such as laboratory analysers, X-ray equipment, etc., but it also includes PCs running specific types of software, such as medical records software. Most of these things run general purpose OSs - some embedded; some desktop.
E.g. Windows XP is a common platform for things like ultrasound scanners, MRI scanners, etc. XP embedded is quite common on things like laboratory equipment. Variants of linux are also in widespread use - albeit, often old. E.g. I work with an MRI scanner that runs a 2.2 kernel.
Now, things like analysers and scanners are usually on their own VLAN (or should be) with connections only to their application servers, with the servers heavily firewalled from the general purpose VLANs; however, this often isn't the case, and I've seen a number of installations where you can just sit down at a random PC, and SSH into an MRI scanner (these things usually have generic root passwords which are written in the service manual - once you know what the passwords are, you can get into any device of that make and model).
The biggest problem, however, is that these machines never get updated. The manufacturers often won't support any updates to the OS, or even permit hotfix installation, nevermind a 3rd party security package (for more general purpose devices). For example, one hospital earlier this year, upgraded their PACS system (software for storing and displaying X-ray/MRI/CT images) and bought a new set of dedicated workstations (quad core, Xeon E5, 8GB RAM, Dual Quadro), but because the PACS client software had to interface with a number of other client software packages, and those vendors had strict requirements; these machines ended up being loaded with XP SP1 32-bit and Java 1.4. Unsurprisingly, these aren't regularly patched, and more importantly, they can no longer update their anti-virus software as the current version of their chosen AV software won't run on this configuration (so they're stuck using an obsolete, unsupported version).
I saw an extreme example of this a few years ago when the Conficker worm hit. There was a group of hospitals in a major city, which shared the same infrastructure, and they had a very large PACS system. The worm got onto the PACS VLAN, and essentially killed the servers. The system was completely down for days, because as soon as the servers were rebooted or re-imaged, the worm killed them again. The vendor stubbornly refused to apply the hotfix and refused permission to install the hospital's antivirus system on the servers/workstations. The only thing that got it moving was when the CEO of the hospitals made a conference call with the hospitals' lawyers and the CEO of the PACS vendor, telling them that they were going to f**k them so hard with the SLA stick, that they wouldn't be able to sit down for a month. After that call, the vendor agreed to install the hotfix, and the system came back online.
I found an unsecured smb share on the network and downloaded a 17gb .bak file of patient records. Needless to say I deleted the file and sent an anonymous email to the administrator. 3 months later nothing had changed....
Usually anyone who dares tell the Emperor that he's actually naked and not wearing any "new clothes" gets his head chopped off for pointing out the truth.
Lemme tell you what would've happened at one particular hospital I know of: The IT administrator would've contacted law enforcement and provided them with all the video footage from the multitudes of security cameras around the place, along with the patient and visitor lists, as well as all the wifi access and activity logs containing your mac address and anything else logged and/or identifiable about your laptop, to try to find out your real identity for criminal prosecution purposes.
Despite the fact that they are extremely weak in securing their network resources in the first place nor do they have any realtime alerting mechanisms to detect any kind of unauthorized access while in progress.... they do go to ridiculous lengths to log and record everything necessary to try to identify you so they can come and get you long after the fact.
And firewalls should be integrated into the devices themselves
Firewalls don't help much when the telnet port is open and you can find the default root password for the device by invoking google.
A little over a month ago I was in a hospital and noticed a work station in a hallway that was obviously set up for visitors to use. I checked it out and it was running XP. Since the OS had noticed that a user had woken it up the balloons from the task bar started fighting with each other for my attention. Norton said it was months out of date, it also said that it had 400+ issues that needed looking at (found active viruses running, or something). I half wonder if someone with mal intent set up the computer and no one questioned it being there (the IT guys must have set it up), because the hospital sure wasn't taking care of it.
Before I begin let me preface this post by saying I work in a hospital in the IT Staff, and I have for the past 10 years now (as scary as that sounds to me typing it out). At any rate I can say that malware, spyware, viruses etc are a constant concern for the staff here. When I started working here it was the 'Wild West' for computing, people did what they wanted, when they wanted to on their computers, and we've slowly curbed that. Especially now that electronic medical records are being used. The key we've found to keep malicious software off computers used for medical purposes, or with confidential data is actually three fold -- First segregate those devices with ePHI (electronic protected health information) off onto their own network, strip the computers of all but the most essential software, and the medical staff all have to sign agreements when they're hired that strictly prohibit them from using computers for personal tasks. Want to check your e-mail? Bring in your smart phone, or laptop etc, and do it with that device (we actually provide a wireless for the entire staff to use 'just' for that purpose). Nobody can keep 'on task' all day, so allowing them the outlet with some caveats has been a great success. However, all machines that have access to the ePHI network are imaged once put into service, but we re-image the machines on a staggered schedule so every 6 months they're a fresh install. Virus software (AVG) is installed and on an automatic update / scan schedule as well -- with a central server that reports results to us. Also for security concerns every Laptop is encrypted (thank you Truecrypt), and every device that accesses ePHI comes through a VPN. If a Laptop gets stolen (and one has in the past), the VPN access for that device is revoked immediately. So between the VPN and Encryption, the odds of a 'break' in our security are astronomical.
Anyway all these procedures may seem a bit excessive, but we've yet to have a PC with ePHI or EMR software be compromised where I work thanks to them. I sleep slightly better at night thanks to this system actually. I do know of several other hospitals / medical facilities that are far far less secure though, and frankly it scares the hell out of me how cavalier they are about the whole ordeal. One of our doctors is Per Diem and his home office supplied him with an unencrypted, unsecured, laptop with full admin rights, and their EMR software installed on said Laptop for his free use. PS -- A tip to anyone working in a medical facility, one of the ways we had our providers (Doctors) agree to this stringent of a system was to point out that infractions where ePHI is compromised put their necks on the line, even more so than they do ours. So all this security is for their benefit as much as yours. Also, this goes double if you have a counseling staff because the rules around ePHI regarding counseling services are even more strict and crazy. Anyway hopefully that helps someone out.
Caution: This Hospital Uses Microsoft Windows 98
Malware Is 'Rampant' On Medical Devices In Hospitals
http://science.slashdot.org/story/12/10/17/1741225/malware-is-rampant-on-medical-devices-in-hospitals
Kaspersky To Build Secure OS For SCADA Systems
http://slashdot.org/index2.pl?section=&color=green&index=1&view=stories&duration=-1&startdate=20121017&page=1
Similar problems, so the solution should work for both. Of course, it costs millions in regulatory costs to make such a change in the med device. I’d argue reducing the regs would be far less dangerous for patients than running 10 year old versions of WinCE.
What you have all described sounds good.
BUT.
It will cost money.
So we're not going to do any of that security crap until someone makes us do it. And then we're gonna drag our feet on deploying it. And still use the cheapest option out there.
The alternative, in this world that we live in, is to have no product at all.
Q: What do you call the guy who graduated very last place at the bottom of his med school class?
A: Doctor.
Why was he in the emergency room yet capable of deliberately bringing a laptop for the long wait?
Because he was using the ER for something he should have gone to the doctor paid through his insurance rather than the ER which is free if you don't have insurance.
And he wonders why hospitals have no money to spend on IT security.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I once worked for a company that produced equipment used in hospitals, and I can vouch for the issues installing updates as well. Moreover, hopelessly stupid things were done such as hard-coding the hosts file for remote diagnostics, and logging in and running applications as the Windows Administrator account. Furthermore, the hospital IT staff was equally incompetent, in that even if (by some miracle) we wanted to patch the products we had to jump through hoops to do so, and even simple things like DNS resolution were filtered for our devices.
I work in a hospital IT department.
I would like to say first off, medical software is slow to upgrade; we're just now getting to the point where all the software is Windows 7 compatible. XP has a lot of bugs.
Second, a lot of the companies write the software with the intent of having Administrator rights. I have gotten into arguments with vendors on this, why would they continue to do this but they just shrug and say that it's the only supported way of doing things.
I think those two reasons are why there is so much vulnerability on hospital desktops.
Nuff said
Publicize the Manufacturer and Models vulnerable, then wait for the malpractice trial lawyers to sink their teeth in. Doesn't matter if no one was actually hurt because of the vulnerability. If a device was in use when the patient suing was being treated and the device had malware (or even could have) they will latch onto that and suck in the device maker into the lawsuits. Fighting malware with malpractice lawyers. Seems dirty somehow.
I browse on +1 so AC's need not respond, I won't see it.
Just why in the hell are embedded medical devices running on a full blown windows system that is prone to malware infection, and likely to break functionality of the device if regular system updates (many of which will be for functionality that isn't being used) are installed?
Such devices should be using a custom, minimalist OS which is configured specifically for the purpose it serves, has no extra unnecessary functionality, and support for the entire package (device, hardware, application and os software) is provided by the device supplier...
If your OS is minimalist the chances of vulnerabilities existing are much smaller, and therefore the number of patches required is much smaller. Less risk, less maintenance.
The average attitude of corporations is to keep their devices horrendously insecure and hide them behind firewalls, basically gambling that no one will attack them...
Hospitals are _NOT_ secure networks, most hospitals are open to the public and it is trivially easy to walk in and gain access to an ethernet cable somewhere within the building. Just visiting several hospitals recently I have seen open ethernet ports in areas where members of the public could just walk in, and many hospitals are open 24 hours while the IT dept only really works 9-5.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Jail terms for those guilty of reckless endangerment by selling or using medical devices running Windows.
When all you have is a hammer, every problem starts to look like a thumb.
Ahahahahahahah I totally understand why you would think these things, but, you need a little history.
I worked in Healthcare IT for about 6 years, until a few short months ago. Before that, I actually started my career as a service tech. The thing to realise is...the group I worked in moved out of the office they were in while I was there.... the original office had a room full of chest high benches, with a built in shelf above, and lots of plugs. If this sounds like the kind of setup that would have soldering stations, then you are getting very warm...because that's what they used to do!
In fact, some of the same guys I worked with...had been there since core memory that was tacked to the wall was decommed.
That sort of attitude makes perfect sense if you are building a new network, in the total absence of road blocks. A hospital environment however... well.... we are talking about an environment that's been in CONTINUOUS operation since the early 1800s. (not all hospitals are that old, of course) all new equipment, all upgrades, all troubleshooting, all goes on, while operations continue. There is no weekend downtime. There is no middle of the night downtime.... that's just to START.
Add to that the federated 'academic' model that most hospitals use for their budgeting (ask your professors to explain how departments are budgeted and why money gets suddenly spent before the end of the fiscal year, and that's very much like how hospitals work). They started bringing in all this equipment before they even had central IT. They have their own budgets and egos, sometimes bigger departments will have their own mini-IT staff even! It is utter chaos.
Now the departments decide what they want, get most of the way down the path of purchasing it, then bring in IT late in the game. IT fights with them and the vendor about their standards, but can't fight too hard or else they will tell IT to go fuck themselves and just go do it with their own money, since IT can't actually say no. (or they make a stink up to a level where IT gets the smack down)
Then patching and OS upgrades.... often you can't patch or upgrade because the vendor claims they won't support it. Occasionally they blame the FDA saying they certified it on the OS version it's on (we often questioned whether that held water).
In short, the vendor and department often act like they are on the same team and IT is the roadblock, rather than the department and IT working as a team. The department, especially if they are clinical, but sometimes research too, has more clout than IT, because the trustees are from the medical professions and they are the final say.
Very early on in my career I got a stack of work orders. First I was told "they can't have windows 95 because their department hasn't been upgraded yet" (and there were internal reasons involving training and federation that meant each dept needed one or two people trained before it could be upgraded).
A week later the hardware arrived and I was told "they are getting Windows 95, OEM build, not ours" (which was a HUGE exception for them)....from that point on, every day I showed up to do something for them based on what we were doing yesterday, and every day they had already had a meeting that I wasn't privy to, and my department had made new concessions to them, totally changing what I was supposed to do ..... the ego maniac who was making them do all this, of course, just got mad at me for constantly doing the wrong thing, even though, nobody had told me the plans changed.
Eventually I heard, through more connected people than me, that he had a huge and prestigious grant and was threatening to take his grant and go to another institution if they didn't give him everything he wanted....and he got it.
Now.... tell me how you control what you are using when the final say on policy comes from people who don't understand IT, and are willing to see it as a roadblock rather than part of their team? Believe me when I say there are a lot of people (not everyone of course) who know what they should be doing, and want to do things right, but, they lose a lot of battles.
"I opened my eyes, and everything went dark again"
The computer systems at fault in the monitors were replaced several months ago by the manufacturer, Philips; the new systems, based on Windows XP, have better protections and the problem has been solved
We play the game with the bravery of being out of range
It's clear that diagnostic manufacturers prefer XP for various reasons, not least because it's really easy to develop for.
This leaves a gap in the market for:
a) retrofitting existing wayward devices with better software that's less vulnerable (wine/XP ++, or another win emulator??)
b) offering a secure medical OS
Seems like the kind of challenge the /. crowd would be keen to take up, GPL or no :)
Hey it's medical, so there's serious dosh to be made here!
char*f="char*f=%c%s%c;main(){printf(f,34,f,34);}";main(){printf(f,34,f,34);}
My wife had to get a CT scan to investigate her liver. I went with her and was able to see the machine and its operator while she was having the scan done.
Not only did the CT machine run Windows (XP), but the operator was surfing the web on it during the procedure, checking her hotmail and facebook.
Unbelievable.
1 Tim 6:20 O Timothy, keep that which is committed to thy trust, avoiding profane and vain babblings, and oppositions of science falsely so called: (KJV)
BTW, The word translated as science comes from gnosis: Knowledge
I usually prefer the ESV
O Timothy, guard the deposit entrusted to you. Avoid the irreverent babble and contradictions of what is falsely called “knowledge,”
Used to work in a medical environment and this does not surprise me at all. The whole "FDA regulated device" argument is just another sham by device manufacturers, software vendors, and lazy admins to avoid patching their systems. The medical community is completely out of touch with the current state of IT. They talk about needing continuity and up-time and all this, but have no idea what that means. You get a department file server trying to infect the entire network (including pcc devices) and they freak out when you knock their box offline. Yea, sorry, I know you can't get to your spreadsheet but I'm trying to prevent your server from KILLING SOMEONE.
It's a pathetic state of affairs and it won't change without better leadership. Hospitals need to start beating up their vendors to stop coding for Windows 3.11.
(worked in a health insurance firm, not even close to touching the patients, but...) I do completely understand how it happens, and it happens on a smaller and less risky scale in many non-life crucial IT business situations. Legacy systems so crammed with custom code that no one can even contemplate a rewrite to a modern and secure platform let alone adequately budget money and manpower for one, even when trapped on deep legacy platforms (MUMPS on DEC/Compaq/HP platforms anyone?) Vendors that won't allow you to touch the configuration at all or support is dropped a couple years later and the risk is yours (seen any voice integration systems that still force use of NT4 with no other choices anyone?) Then the vendor stops evaluating updates and patches if they ever did do it at all, or the bean counters drop the budget for the vendor's maintenance fee in the next budget cycle leaving you holding the bag. The only possible way to save yourself is to get the exact support agreements, documenting their "no patch or update" stance, from the vendor in big black bold type writing and make sure everyone is painfully aware of it and the risks that entails to data and other systems. Does saving yourself do anything at all to resolve the REAL problem? Hell no. But the power position of IT within most medical organizations is so weak and the "no one touches this except the vendor" attitude with embedded devices is so pervasive that there's not much else you can do in that situation aside from leaving or not taking the position in the first place.
The MS Windows EULAs have always stated that they are not to be used in nuclear plants, air traffic control and patient-critical applications.
What dumbass is putting this cruft in such environments?
That's a freaking lawsuit right there.
Few people in the E.R. got there alone.
If you ever have to transport someone to the hospital you can probably expect a wait.
Bring a book or something because you may not be able to enjoy the view from there.
No brain, no pain.
Oddly enough, it seems like this would make them less vulnerable. How much malware out there still targets or can affect Windows 98?
Required reading for internet skeptics
Buuuuut Microsoft gave us a really good deal on licensing, and hiring a programmer to do Linux is costly! Heck, we gave ourselves bonuses after we found a college student to write most of the code!
It's hard to sell a Linux device anyway. If it doesn't say Windows or have an Apple logo on it, it's probably some piece of crap made in China!
From the vendor side there's such a huge amount of pressure to ship stuff--and an embedded belief that "software is easy... if it was hard it would be called hardware". I've been told by prospective clients that they could "hire a twelve year old" to do what I do. This is apparently because managers are idiots who can't tell the difference between a web page and an embedded algorithm that does something that was impossible the year before and won't be easy for another decade.
The bottom line is the bottom line: if I quote on an embedded system that's fully secure it'll cost five times as much and take three times as long (and it still won't be FULLY secure, just not totally wide open.) Since no one in the purchasing decision making process values security--or even understands the least little bit about the gear they're buying above a black-box 'push this button and that happens' level--there is no pressure on vendors to make stuff secure.
Which is fortunate, because if there was, the security requirements would run head-on into the functional requirements, which require anyone with an MD to do anything with the gear with no training and without bothering to read the manual...
Blasphemy is a human right. Blasphemophobia kills.
Vendors need to VPN in to support their gear
No vendor ever needs to VPN in to support their gear; all vendor gear contains the ability to be maintained from on-site. Even vendors like IBM and EMC, who push extra heavy for VPN access, have bid on-site-only service contracts when I tell them "this is a secure facility and off-site access to the equipment network will not be allowed".
What you mean is that you(r hospital) has placed a very small value on the security of their network, the equipment on that network and the HIPAA-covered data on that network.
* A malware-infected medical device is by definition not operating within specifications and should not be used in patient care.
* Failure to have adequate working equipment to ensure proper patient care is a no-no for hospitals. It can subject them to civil government penalties, sanctions against their license, sanctions from major insurance companies, consumer boycotts, losing lawsuits, and possibly worse.
Now here's a question:
Except for maintenance, there is no reason in the world to have equipment that's directly connected to a patient or is directly controlling a patient's drugs "writeable" from the outside world except from the device's own control panel or a nurse's-station-remote control panel running over a dedicated, isolated connection. Maintenance can be done from known-clean USB memory sticks or something similar.
"Reading" from the network is a different issue. I don't see the harm in that from a patient-care perspective (but there may be one from a privacy perspective). There are plenty of ways to get data off of a computer without allowing data onto it. An output-only serial port is but one example.
OK, I will make some concessions:
1) There may be a small number of inputs you want a medical device to have over a network, including "emergency remote shutdown and sound 'remote shutdown activated' alarm" for medical devices where NOT having a remote shutdown is more dangerous than allowing one to be activated maliciously.
2) The risk of a network that consists ONLY of equipment-care and related computers and which is isolated from other systems MAY be low enough to be good medical practice, but only if input from the outside is severely restricted to controlled situations, such as updates by trained personnel from known-safe media. In other words, no plugging your possibly-infected MP3 player into the nurse's station computer that is part of such a network.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Oddly enough, it seems like this would make them less vulnerable. How much malware out there still targets or can affect Windows 98?
Buckets. There's still tens of millions of people running it because they didn't see a need to upgrade and their present hardware is still running.
A feeling of having made the same mistake before: Deja Foobar
Items like the ones you mention are typically purchased, not by IT, but by clinicians, clinical technicians, biomedical technicians, etc. When large Health Information Systems are selected IT is typically present, but the selection weight of IT criteria often composes right around 15% of the total weighted score. And, this is important, IT has no veto! Therefore if IT is completely disgusted by one product and gives it across-the-board zeros on all criteria, the most that decreases that vendor's score is by 15% of the total.
People play to their biases and strengths. Doctors and nurses like clinical features. Clinical managers like workflow control features. IT likes security, ease of upgrading, technical superiority, and so forth.
Many dedicated hospital systems have one, or some small number of vendors that dominate their niche. Those are the go-to systems in their product segments. They can be based on ancient technology but the users don't care about that. In addition, most of these vendors have "high touch" support arrangements. They provide comprehensive service and support and will often send out their own technicians at the drop of a hat. In these arrangements it's very common to see vendors with rules like "the customer shall not install or change anything, except with the direct support and agreement of the vendor".
I used to support SCADA systems. Many of these had limited (or no) security features to speak of. The thinking was that they were completely self-contained and didn't need anything else, so physical control of their environment was all that was necessary. Never put them on a network the rationale went. Many medical device systems have a similar dynamic.
Except that, as time went on, the power and flexibility of networks became compelling. Why not allow a tech remote access to support a system from home, or across country, or around the world? The people who knew the limitations of these systems would not support such a move, but it's nothing to be overridden by a high level manager who simply does not appreciate the level of risk he is taking.
Anyhow this kind of stuff is slowly receding into history. Medicine is finally taking up IT on a huge scale and catching up to the rest of the world. Encountering clinicians who think of computers as "nothing to do with me" is thankfully becoming rare.
Why was that modded funny? I'd say it's insightful and just plain true...
Windows 3.11 FTW!
You know, rather than picking some version of windows, use an embedded linux
Funny that there are operating systems designed from the ground up to be secure and provide hard real-time guarantees, which is just what you want in medical equipment...
http://www.ghs.com/products/rtos/integrity.html
As someone who has worked in Healthcare IT I fully stand behind this comment and can say 100% this is the crap that goes on in hospitals.
That sounds like all the hospitals I have ever worked at. After the first I would only do hospitals if they signed a 6 month contract with me and paid me the equivalent of 2 years in that 6 months.
But the statement. " Occasionally they blame the FDA saying they certified it on the OS version its on (we often questioned whether that held water)." is wrong in my experience. I found that they said this 98% of the time. Not true but my management did not want to argue with them.
Microsoft says their software is not suitable for medical hardware but the FDA will certify such hardware. One party is wrong here. Which party? In this case, the one which didn't write the code.
Well... I suppose if you call a computer that old 'running'. More like walking at a leisurely pace.
You can learn how to fix these problems! I am doing the same with these free coding lessons online. www.good.is/codingforgood
When I broke my arm I had regular x-rays to check my progress. On more than one occasion I had to wait because of a virus problem on the x-ray equipment. I think the problem is the transfer of binary files. I was given a CD with my x-rays which I viewed at home (on linux). If transfers between hospitals are done the same way then there is potential for malware to be transferred.
http://michaelsmith.id.au
Most of this stuff runs some version of Windows, and often unpatched since they cannot certify that the critical care software running on them will not break when Windows is updated. Like the Denver Airport baggage handling fiasco, which also relied on unreliable Windows systems to control complex real time installations, this is not the hospitals' fault, but the device hardware/software manufacturers who decided to take the "easy" track and use Windows instead of a hardened, certified, real-time operating system, of which there are quite a number including QNX, WindRiver, etc. that run happily on standard x86 hardware. Those systems are pretty much immune to virus/malware infections not just because they are not "popular", but because they are designed to be difficult (very, very difficult) to compromise!
> But the statement. " Occasionally they blame the FDA saying they certified it on the OS version its
> on (we often questioned whether that held water)." is wrong in my experience. I found that they said
> this 98% of the time. Not true but my management did not want to argue with them.
Well... my management didn't (at least not where we could see it) question it, but we, the engineers, did. When I left, they were still getting their way.... the one I had specifically in mind, the most egregious offender, was....well... the version of the Linux distro on it was, no exaggeration, a decade old.
Even better, it wasn't built by us, and yet, they still got us, despite all that, to accept responsibility for supporting it.
"I opened my eyes, and everything went dark again"
Yet another plethora of reasons hospitals are death traps.