Report: Evidence of Healthcare Breaches Lurks On Infected Medical Devices
chicksdaddy writes: Evidence of serious and widespread breaches of hospital and healthcare networks is likely hiding on compromised and infected medical devices in clinical settings, including medical imaging machines, blood gas analyzers and more, according to a report by the firm TrapX. In the report, which will be released this week, the company details incidents of medical devices and management stations infected with malicious software at three separate customer engagements. According to the report, medical devices, in particular so-called picture archive and communications systems (PACS) radiologic imaging systems, are all but invisible to security monitoring systems and provide a ready platform for malware infections to lurk on hospital networks, and for malicious actors to launch attacks on other high-value IT assets.
Malware at a TrapX customer site spread from an unmonitored PACS system to a key nurse's workstation. The result: confidential hospital data was secreted off the network to a server hosted in Guiyang, China. Communications went out encrypted using port 443 (SSL), resulting in the leak of an unknown number of patient records. "The medical devices themselves create far broader exposure to the healthcare institutions than standard information technology assets," the report concludes. One contributing factor to the breaches: Windows 2000 is the OS of choice for "many medical devices." The version that TrapX obtained "did not seem to have been updated or patched in a long time," the company writes.
It's not just the outdated OS that is the problem. One must wonder why a medical image storage server is allowed by the network to make outbound network requests all the way to China.
Love sees no species.
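The comment above asks why a PACS server is allowed to reach the Internet at all. As an added example (not code from the article, the TrapX report, or any commenter), here is a small flow-log audit that encodes that expectation as an explicit allowlist: device-segment hosts may speak DICOM to clinical workstations, other devices and the radiologist VPN pool, and nothing else. The segment ranges, the allowlist, and the flow records are all constructed for this example; 203.0.113.44 is a documentation address standing in for any Internet destination, not the server named in the summary. A flow that leaves the device segment for an external address (the port-443 exfiltration pattern) and a device-to-workstation flow on a non-DICOM port (the lateral movement described in the summary) are both reported.

```python
import ipaddress
from dataclasses import dataclass

# Constructed flow records in the shape of a firewall/NetFlow export.
# All addresses and timestamps are made up for this example.
SAMPLE_FLOWS = """\
2015-06-08T02:14:07Z src=10.20.0.11 dst=10.30.0.15 proto=tcp dport=104 bytes=18233
2015-06-08T02:14:09Z src=10.250.0.7 dst=10.20.0.11 proto=tcp dport=104 bytes=4096
2015-06-08T02:15:31Z src=10.20.0.11 dst=10.30.0.15 proto=tcp dport=445 bytes=912
2015-06-08T02:16:02Z src=10.20.0.11 dst=203.0.113.44 proto=tcp dport=443 bytes=5242880
2015-06-08T02:16:40Z src=10.30.0.15 dst=203.0.113.44 proto=tcp dport=443 bytes=77312
2015-06-08T02:17:05Z src=10.20.0.12 dst=10.20.0.11 proto=tcp dport=104 bytes=2048
"""

# Assumed segmentation (hypothetical ranges for the example).
DEVICE_NET = ipaddress.ip_network("10.20.0.0/24")    # PACS, analyzers, modalities
CLINICAL_NET = ipaddress.ip_network("10.30.0.0/24")  # clinical workstations
VPN_POOL = ipaddress.ip_network("10.250.0.0/24")     # remote radiologist VPN pool

# Address space we own. Anything outside it is "external"; we deliberately do not
# rely on ipaddress.is_private/is_global because those treat documentation ranges
# such as 203.0.113.0/24 as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Explicit allowlist: (source net, destination net, permitted destination ports).
# DICOM on 104 and 11112 is the only thing a device segment should be doing.
DICOM_PORTS = {104, 11112}
ALLOWED = [
    (DEVICE_NET, DEVICE_NET, DICOM_PORTS),
    (DEVICE_NET, CLINICAL_NET, DICOM_PORTS),
    (CLINICAL_NET, DEVICE_NET, DICOM_PORTS),
    (VPN_POOL, DEVICE_NET, DICOM_PORTS),
]


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def parse_flow(line):
    """Parse one 'ts key=value ...' record into typed fields."""
    ts, rest = line.split(" ", 1)
    kv = dict(tok.split("=", 1) for tok in rest.split())
    return {
        "ts": ts,
        "src": ipaddress.ip_address(kv["src"]),
        "dst": ipaddress.ip_address(kv["dst"]),
        "proto": kv["proto"],
        "dport": int(kv["dport"]),
        "bytes": int(kv["bytes"]),
    }


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def is_allowed(flow):
    return any(
        flow["src"] in src_net and flow["dst"] in dst_net and flow["dport"] in ports
        for src_net, dst_net, ports in ALLOWED
    )


def classify(flow, line):
    """Return a Finding for any flow touching the device segment that is not allowlisted."""
    src, dst = flow["src"], flow["dst"]
    if src not in DEVICE_NET and dst not in DEVICE_NET:
        return None  # other segments have their own policy; out of scope here
    if is_allowed(flow):
        return None
    if src in DEVICE_NET and not is_internal(dst):
        return Finding("high", "device segment egress to external address", line)
    if src in DEVICE_NET:
        return Finding("high", "device to internal host outside allowlist (possible lateral movement)", line)
    return Finding("medium", "unexpected inbound connection to device segment", line)


def audit(log_text):
    """Run every record through the policy and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = classify(parse_flow(line), line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

The same `ALLOWED` table is what the firewall between the device VLAN and everything else should enforce with a default-deny in both directions; this script is the detective control that catches the flows the firewall was never told about. On the constructed input it flags the SMB connection from the PACS host to the workstation and the large port-443 transfer to the external address, and stays quiet about the workstation's own Internet traffic, which belongs to a different policy.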
HIPAA imposes fines for each patient's record lost through security breaches, even if the medical provider "did not know (and by exercising reasonable diligence would not have known)" https://kb.iu.edu/d/ayzf that there was a breach. These kinds of punitive rules have scared the entire industry to death, and yet the open secret is that nobody is safe from breaches, or these fines. This story illustrates how the law has done little, if anything, to actually protect privacy.
Most providers react to HIPAA in one of two ways:
1) They over-react, creating stupid policies like refusing to tell even a patient's own spouse the details of a patient's medical condition, unless the proper paperwork has been filed, or
2) They under-react, blissfully ignoring any privacy concerns.
If we're going to try to regulate privacy in the medical industry, how about let's focus on the device and software makers with certification programs, and let hospitals and physicians get back to doing what they do best: treating illnesses.
Infected by Dell is more like it. Notice all the health (sick) companies use Dell. Notice that.
The reason a lot of these devices use outdated OSes is that it has to be FDA approved. I used to work on some hospital networks, and not only were some of these systems running outdated operating systems, they couldn't have any security updates applied without losing their FDA approval. We kept these systems locked in solitary confinement behind firewalls (with no Internet access), but you still have to be able to get to them over the network to actually use them (and worse, occasionally by remote radiologists coming in over a VPN from who knows where).
Seriously? If you don't load your own image on the corporate computer you purchased from Dell, you've got a problem, not Dell. I don't know of *any* corporate customer of any reasonable size that doesn't have their own commissioning process that involves wiping the disk and starting over so they can be sure that the system is 100% what they want, and nothing else.
Heck, one of the first things I do even with retail equipment is re-install everything to get rid of all the vendor-supplied bloat and "free" offers and get to a minimum install set. I do it for two reasons: clean out the junk, and verify I have everything I need to recover the system in the future.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Here's the long skinny.... and I'm working at one of the better, or 'leading' hospital systems in the US. (I use the term leading loosely there...). Possibly top 10...?
With regard to the environment? Be afraid. Be VERY afraid. This OS and APP environment is half a decade behind on nearly every front, with the exception being AV, UserRoles and SecOps policy. Want the 'latest'? Pony up $$$! And you still won't be on the edge!
A LOT of it is vendors who do not follow the edge when it comes to security and maintenance. The other half of the equation is, yes, FDA approval. Once a piece of gear is in place, it may not be updated for a year. Possibly ever. Or, unless you want to pony up $$$. I'm looking at you General Embelishment, as well as a WHOLE lot of others. BIG names here, and you've heard of them...
Oh yeah... Here's a kicker. You'd be amazed at how much of the kit here is entirely built with FOSS!!!
Various Linux dists? Yup
Old openssl? Yup! pre-Heartbleed? Yup! Developed entirely using QT? Yup!
I could go on, but I've stopped bothering to look....
Money's pretty good though.... Cost of living is pretty low where I am, so the bank account is filling up nicely!
I'm on the east coast, if you were wondering...
The secure medical device market is heating up. It's why BlackBerry bought into NantHealth and partnered with them to deliver a secure mobile monitoring service.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Clearly we need doctors for medical devices. Oooh, think of the insurance opportunities!
"One contributing factor to the breaches: Windows 2000 is the OS of choice for "many medical devices." The version that TrapX obtained "did not seem to have been updated or patched in a long time," the company writes."
Well DUH. I'd have been rather surprised if they had since Win2k was EOL'd 5 years ago.
Subject verb object. Subject verb object.
Until you master that, probably best to avoid trying to write sentences with multiple clauses ;-)
"In the report, which will be released this week, the company details incidents of medical devices and management stations infected with malicious software at three, separate customer engagements."
Wouldn't it be safer to run these medical devices on a dedicated Real Time Operating System (RTOS) that isn't susceptible to acquiring malware through normal operation? (ref.)
The main reason they put it out is that it helps reduce their costs.
If you read the FDA advice at http://www.fda.gov/RegulatoryI... and at http://www.fda.gov/MedicalDevi...
The key piece of advice is: "If manufacturers choose to use OTS software in their devices and vulnerabilities in OTS software can affect the safety and effectiveness of their networked devices, they have to act to keep their devices safe and effective."
Locking their devices away behind firewalls is great, but you should also provide copies of the above documentation to the vendor and ask them how they act to "keep their devices safe and effective". Make sure your legal staff are involved in asking the question, and see how quickly their advice changes.
Oh - and if you want bonus points in this - make sure that your purchasing people are across this issue and the question is asked during all procurement exercises, and that the contracts and specifications stipulate that the vendors are accountable for doing so.
What's needed is an industry standard on how to partition and isolate these devices, while allowing appropriate inter-system communications to occur. Then at least there is something that people can hold vendors to and drive the level of technical maturity in the right direction. The sad thing is that these companies are locked in the 1990's mindset, and unless there is a blowtorch applied to their feet they will keep on selling equipment to their customers that is technically obsolete.
I do the same thing, and for the same two reasons. I once returned a server because I could not get it to work from the CDs they sent with it, after wiping the hard drive. When the vendor returned the server, the set of CDs was complete.
In addition to running on unpatched Windows 2000 systems, the NOVA CCX devices use default SQL database administrator (DBA) permissions to protect access to the device’s back-end database, which holds patient data.
This sounded fishy to me as Microsoft SQL Server doesn't have such a thing as "default SQL database administrator permissions." After digging through the actual report you eventually discover that the Nova CCX devices use SAP's SQL Anywhere v7.