Slashdot Mirror


Report: Evidence of Healthcare Breaches Lurks On Infected Medical Devices

chicksdaddy writes: Evidence that serious and widespread breaches of hospital- and healthcare networks is likely to be hiding on compromised and infected medical devices in clinical settings, including medical imaging machines, blood gas analyzers and more, according to a report by the firm TrapX. In the report, which will be released this week, the company details incidents of medical devices and management stations infected with malicious software at three separate customer engagements. According to the report, medical devices – in particular so-called picture archive and communications systems (PACS) radiologic imaging systems – are all but invisible to security monitoring systems and provide a ready platform for malware infections to lurk on hospital networks, and for malicious actors to launch attacks on other high-value IT assets.

Malware at a TrapX customer site spread from an unmonitored PACS system to a key nurse's workstation. The result: confidential hospital data was secreted off the network to a server hosted in Guiyang, China. Communications went out encrypted using port 443 (SSL), resulting in the leak of an unknown number of patient records. "The medical devices themselves create far broader exposure to the healthcare institutions than standard information technology assets," the report concludes. One contributing factor to the breaches: Windows 2000 is the OS of choice for "many medical devices." The version that TrapX obtained "did not seem to have been updated or patched in a long time," the company writes.
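The pattern in the summary (a clinical device that nobody monitors opening encrypted sessions to the Internet and reaching a workstation) can still be caught at the network layer when the device itself cannot run an agent. The following is an added example, not code from the story or the TrapX report; the device inventory, peer lists, address ranges and flow-log lines are all constructed for illustration.

```python
import ipaddress

# Constructed inventory of clinical devices and the only peers each should
# talk to (all addresses are hypothetical).
CLINICAL_DEVICES = {"10.20.5.10": "PACS archive",
                    "10.20.5.11": "CT modality",
                    "10.20.7.30": "blood gas analyzer"}
ALLOWED_PEERS = {"10.20.5.10": {"10.20.5.11", "10.20.9.5"},  # modality, RIS
                 "10.20.5.11": {"10.20.5.10"},               # PACS archive
                 "10.20.7.30": {"10.20.9.6"}}                # LIS server
HOSPITAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]      # hospital-owned

def is_external(ip):
    """True if ip lies outside every hospital-owned range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in HOSPITAL_NETS)

def parse_line(line):
    """Constructed flow-log format: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, _, dst, proto = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, src.rsplit(":", 1)[0], dst_ip, int(dport), proto

def detect(lines):
    """Return (ts, severity, message) for flows a clinical device should never
    start: anything external, or an internal host outside its peer list."""
    alerts = []
    for line in lines:
        ts, src, dst, dport, _ = parse_line(line)
        if src not in CLINICAL_DEVICES:
            continue                       # ordinary IT asset: out of scope
        name = CLINICAL_DEVICES[src]
        if is_external(dst):
            # Outbound TLS from a device with no Internet business is the
            # exfiltration channel the report describes: rank it highest.
            sev = "high" if dport == 443 else "medium"
            alerts.append((ts, sev, f"{name} {src} -> external {dst}:{dport}"))
        elif dst not in ALLOWED_PEERS.get(src, set()):
            alerts.append((ts, "medium",
                           f"{name} {src} -> unexpected internal {dst}:{dport}"))
    return alerts

SAMPLE_LOG = [  # constructed flows, not captured data
    "T1 10.20.5.10:49231 -> 10.20.5.11:104 tcp",     # DICOM to modality: expected
    "T2 10.20.5.10:49232 -> 203.0.113.25:443 tcp",   # TLS out to the Internet
    "T3 10.20.5.10:49233 -> 10.20.12.44:445 tcp",    # SMB to a workstation subnet
    "T4 10.20.7.30:50001 -> 10.20.9.6:5000 tcp",     # analyzer to LIS: expected
    "T5 10.20.12.44:51000 -> 203.0.113.25:443 tcp",  # workstation: not inventoried
]
```

Running `detect(SAMPLE_LOG)` flags only the two PACS flows (T2 as high, T3 as medium); the point is that the inventory and peer list, not a signature, do the work, which is why an unmonitored device class needs to be in the inventory at all.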

2 of 42 comments

  1. Re:Dude! You got a Dell by bobbied · Score: 3, Insightful

    Infected by Dell is more like it. Notice all the health (sick) companies use Dell. Notice that.

    Seriously? If you don't load your own image on the corporate computer you purchased from Dell, you've got a problem, not Dell. I don't know of *any* corporate customer of any reasonable size that doesn't have their own commissioning process that involves wiping the disk and starting over so they can be sure that the system is 100% what they want, and nothing else.

    Heck, one of the first things I do even with retail equipment is re-install everything to get rid of all the vendor-supplied bloat and "free" offers and get to a minimum install set. I do it for two reasons: clean out the junk and verify I have everything I need to recover the system in the future.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  2. Re:FDA Certification Part of the Problem by mike.mondy · Score: 3, Insightful

    Vendors like to claim this, but the FDA clarified over 10 years ago that vendors are expected to apply security patches and other updates outside of the core clinical software. Re-certification is not required, the vendor merely has to certify that they tested the update for any effect on clinical function.

    So, it's exactly like he said and no updates are allowed to be installed.

    ISVs are shit at security because nothing about security is their problem. Being in healthcare doesn't change that; if anything, it makes it worse. I would expect a vendor to spend exactly zero effort on verifying security updates, and less than that on notifying customers. If it ain't a new sale, they ain't interested.

    Honestly, I hope some hospital gets the balls to sue an ISV for failing to act in a timely manner for perpetually ignoring security like we all know they do. It's not going to change until someone holds them accountable. They'll just hide behind their EULAs until then, and hospitals will get the bill for letting people die because of security holes.

    From the linked FDA page:

    4. Who is responsible for ensuring the safety and effectiveness of medical devices that incorporate OTS software?

    You (the device manufacturer who uses OTS software in your medical device) bear the responsibility for the continued safe and effective performance of the medical device, including the performance of OTS software that is part of the device.

    If the device manufacturers are forcing hospitals to run without OS patches, the manufacturers are not doing what the FDA says they should do. Maybe the FDA should change "should" to "required". Even so, I have to wonder if there's anything preventing the manufacturers from simply maintaining a patch compatibility web page and telling the hospitals that they're responsible for the OS patches... I seriously doubt either party is innocent, but have to wonder if the hospitals are the bigger culprit.