Slashdot Mirror


Virus Hits MedStar Health Hospital Network (zdnet.com)

An anonymous reader writes: IT staff at multiple hospitals have been forced to stop all routine and net new operations and perform an all hands on deck emergency malware control effort in the last several weeks. The latest instance of this can be seen at MedStar Hospital. From a ZDNet report, "Malware has infected the computer network of MedStar Health, forcing the healthcare provider to shut down large portions of its electronic operations. A statement by the health system said that all facilities remain open, and that there was "no evidence of compromised information." The not-for-profit healthcare system operates ten hospitals across the Washington and Baltimore region, with more than a hundred outpatient health facilities. According to the system's website, it has more than 31,000 employees and serves hundreds of thousands of patients annually." This outbreak appears to be fairly widespread and not limited to the single story listed. A similar story appeared on Slashdot several weeks ago and a quick search on Google provides multiple hits that indicate that this type of incident is much more commonplace than I would have believed. Hospitals provide round the clock service to patients and many of these services are critical to the health of the hospital clients. Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents. IT analysts predicted that 2015 would be the year that hospitals became targets for hackers. It appears that 2015 was just the first wave of the potential storm coming that is headed directly towards our healthcare IT infrastructure. How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

96 comments

  1. Sounds like a job for by fredrated · · Score: 1

    appropriately aimed cruise missiles.

    1. Re:Sounds like a job for by Anonymous Coward · · Score: 0

      I'm not sure the US has that kind of determination against Russia.

    2. Re:Sounds like a job for by sittingnut · · Score: 1

      cruise missiles aimed at who?
      or are you advocating yet another shoot first ask questions later strategy.
      as in many USA foreign policy disasters and defeats.

    3. Re:Sounds like a job for by myowntrueself · · Score: 1

      cruise missiles aimed at who?
      or are you advocating yet another shoot first ask questions later strategy.
      as in many USA foreign policy disasters and defeats.

      I think the idea is to just nuke everything that isn't the USA...

      --
      In the free world the media isn't government run; the government is media run.
    4. Re:Sounds like a job for by desdinova+216 · · Score: 1

      from orbit? it's the only way to be sure.

    5. Re:Sounds like a job for by bev_tech_rob · · Score: 1

      cruise missiles aimed at who?
      or are you advocating yet another shoot first ask questions later strategy.
      as in many USA foreign policy disasters and defeats.

      Has worked for us in the past ;) IMO, a visit by Seal Team 6 with a road trip to Gitmo included would be nice.

      --
      You're messin' with my Zen Thing, man.....
  2. How many more times does... by Anonymous Coward · · Score: 0, Funny

    this have to happen before healthcare gives up on Windows?

    1. Re:How many more times does... by Anonymous Coward · · Score: 0

      my wife works for a hospital system. they still have Windows XP deployed...

    2. Re:How many more times does... by Anonymous Coward · · Score: 1

      Having worked there in the past I can assure you that most of their UNIX/Linux boxes are compromised in some fashion or another.

    3. Re:How many more times does... by Anonymous Coward · · Score: 3, Informative

      Just a few years ago I worked as a DBA/Unix Admin at a hospital for almost 2 years. Most hospitals appear to use EMR software produced by three different companies: Epic Systems, McKesson, and Cerner. The hospital I worked at used McKesson. This software package was installed there just a few years ago, but uses technology that was state of the art back when Clinton was president; we're talking fat-client installs with direct connections to the SQL database. I can actually remember running SQL traces that would capture " *= " in them (which is an old-school way of doing an OUTER JOIN, which Microsoft quit supporting after SQL 2000).

      I can't speak for Epic, but I know many nurses that have to use it at various hospitals, and I haven't met a single one that speaks favorably of it.

      All of these packages I've talked about are Windows based, so unless a hospital were to develop their own stuff (using Linux or whatever), their hands are somewhat tied. From what I've been told, the cause of the big technology gap is the CDC and AMA approval process; by the time a new piece of software passes through certification, it's already outdated.

      *Posting anonymously to avoid any type of litigation.

    4. Re:How many more times does... by Anonymous Coward · · Score: 1

      As long as Microsoft keeps paying kickbacks, they'll keep getting exclusive contracts with government entities. With the contract we have with Microsoft at my hospital, we have to buy a copy of Windows Server for every server even if they don't run Windows.

    5. Re:How many more times does... by Anonymous Coward · · Score: 0

      > McKesson

      We hired a project manager and a developer that worked for them each for over a decade. Both were fired for embezzling and seemed shocked that we had a problem with what they were doing. Both also constantly stole beer out of my personal fridge under my desk. Again, they both acted like I was the one being a jerk. That company must be a shitshow wrt ethics.

    6. Re:How many more times does... by Anonymous Coward · · Score: 0

      Epic is not Windows based.
      The installation that we had ran on an AIX backend (the only option we had) using a document database (called Cache).
      The reporting system can be *NIX or Windows based. Most installs that we knew of were Windows based. Database is either Oracle or SQL Server.
      The Epic client can run on Windows (which we used), Mac or Linux (according to Epic).

      Epic is based on M (MUMPS) which was developed at Mass. General Hospital in the early 70's if memory serves.

      Having worked on Epic and a few other EMR's, I can say that Epic is crap.
      Totally inflexible, very expensive and not user friendly.
      The reporting system is f*cked. Must rely on ETL loads from the document database into a relational database for any reporting.
      Epic is not able to handle a nightly data dump, so you have to schedule different parts of the client record to dump at different parts of the week.
      If you need accurate reports up to the last business day, you will not get them.
      You can use the very limited reporting that is built into the Epic application (querying the document database), but the reporting is very limited in what you can do, how much data you can pull and what types of data you can pull. Also, it is very slow and a large report will slow down the entire Epic system.

    7. Re:How many more times does... by ColdWetDog · · Score: 2

      All of these packages I've talked about are Windows based, so unless a hospital were to develop their own stuff (using Linux or whatever), their hands are somewhat tied. From what I've told, the cause of the big technology gap is the CDC and AMA approval process; by the time a new piece of software passes through certification, it's already out-dated.

      Yes, all the EMR vendors use Windows so we're stuck there, but no, the CDC and the AMA do not approve software. CMS (Centers for Medicaid and Medicare Security (???)) gives guidelines about how to go about looking for certified EHRs. A quasi governmental body called CCHIT used to certify EHRs but they've given up on that.

      And there is no real 'technology gap' in modern EHRs. They are large, complicated programs so, like other large, complicated programs they tend to be conservative in how they are constructed and they are, of course, a bit of a kludge. But they run on modern hardware, use modern databases and have pretty good performance if they are set up right.

      They are giant pains-in-the-ass as far as clinical staff is concerned but that is because the Powers That Be have decided it's OK for highly paid, busy professionals to be secretaries and data entry clerks. Until we get over that paradigm, this won't change much.

      --
      Faster! Faster! Faster would be better!
    8. Re:How many more times does... by Anonymous Coward · · Score: 0

      Well... this is actually one place where Microsoft named their software in a suitable manner... Windows :D

    9. Re:How many more times does... by Anonymous Coward · · Score: 0

      Crap.. tags were removed.... Windows (eyes crossed)(tongue hanging out)

  3. User error by Anonymous Coward · · Score: 0

    You can't prevent stupid.

    1. Re:User error by Anonymous Coward · · Score: 0

      Switching to Anonymous . . .

      The hospital I work at has horrible problems with outdated equipment and utterly crappy firmware. Medical devices get taken down by our security department's routine, non-malicious scans ("non-malicious" meaning standard port scans, benign user names on SSH scans, no buffer overrun-type scans). We have clinical devices back from the early 90's. Some don't do DHCP. Some expect classful addressing. But because these are several hundred thousands or millions of dollars, sometimes per machine, they won't replace them. We do the best we can with firewalls, but there's not much we can do when upper hospital management doesn't give a rat's backside. We tell them, "Look, what would happen if a hacker got inside our network and fired off these scans against our equipment?" I have to assume it falls on deaf ears, because there have been no changes.

    2. Re:User error by aXis100 · · Score: 2

      These days you can buy individual 2-port firewall modules, often designed for industrial equipment but equally suited to medical devices. Every single device can have a firewall in front of it and only allow specific ingress AND egress traffic.

      It's really not difficult to fix.
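
What the per-device firewall above has to express, written out as a checkable policy. This is an added example, not the commenter's code or any vendor's product: the device, PACS and NTP addresses, the interface names, the DICOM ports and the "scanner" host are all assumptions chosen for illustration. It models one legacy modality that may only speak DICOM to the PACS archive and NTP to an on-site clock, with everything else (including the security team's port scans mentioned earlier in the thread and any Internet egress) dropped by default, and renders the same policy as an nftables forward chain for a small two-interface Linux box sitting between the device and the ward LAN.

```python
"""Allowlist policy for one unpatchable clinical device behind a two-port filter.

Constructed example: every address, port and interface name below is made up.
"""
from dataclasses import dataclass

# Hypothetical addresses for the worked example.
DEVICE = "10.20.30.40"   # CT workstation running the vendor's frozen image
PACS = "10.20.10.5"      # PACS archive the device sends studies to
NTP = "10.20.1.1"        # on-site time source


@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" (LAN -> device) or "egress" (device -> LAN)
    peer: str        # LAN-side address the device is allowed to talk to
    proto: str       # "tcp" or "udp"
    port: int        # destination port of the initiating packet


# Assumed DICOM ports: 104 is the classic listener, 11112 the IANA-registered one.
POLICY = [
    Rule("ingress", PACS, "tcp", 104),    # PACS opens associations to the modality
    Rule("egress", PACS, "tcp", 11112),   # modality pushes images (C-STORE) to PACS
    Rule("egress", NTP, "udp", 123),      # clock sync only
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def allowed(flow: Flow, policy=POLICY) -> bool:
    """True only if the *initiating* packet of a flow matches an explicit rule.

    Default deny in both directions. Replies are not modelled here; in the
    rendered ruleset conntrack lets established traffic through.
    """
    for r in policy:
        ingress = (r.direction == "ingress" and flow.src == r.peer and flow.dst == DEVICE)
        egress = (r.direction == "egress" and flow.src == DEVICE and flow.dst == r.peer)
        if (ingress or egress) and flow.proto == r.proto and flow.dport == r.port:
            return True
    return False


def render_nft(policy=POLICY, lan_if="lan0", dev_if="dev0") -> str:
    """Render the policy as an nftables forward chain for a box routing
    between lan_if and dev_if: policy drop, conntrack for return traffic,
    one accept per rule, and a logged counter for everything that falls through."""
    lines = [
        "table inet devguard {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in policy:
        if r.direction == "ingress":
            lines.append(f'    iifname "{lan_if}" oifname "{dev_if}" ip saddr {r.peer} '
                         f"ip daddr {DEVICE} {r.proto} dport {r.port} ct state new accept")
        else:
            lines.append(f'    iifname "{dev_if}" oifname "{lan_if}" ip saddr {DEVICE} '
                         f"ip daddr {r.peer} {r.proto} dport {r.port} ct state new accept")
    lines += ['    log prefix "devguard-drop " counter', "  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nft())
```

Two things to settle before deploying something like this for real: every legitimate peer (vendor remote-support jump host, worklist server, printer) has to be enumerated, because anything not listed is silently dropped, and the security team's scanner will no longer see the device at all, so either add an explicit rule for the scanner host or accept that inventory now comes from the firewall's drop log rather than from the scan.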

    3. Re:User error by Anonymous Coward · · Score: 0

      And I'm sure the same administration not willing to upgrade the equipment will gladly take funds away from administrative salaries^W^Wpatient care for the firewall equipment. I also have a certain bridge in the NYC area that I'd love to sell you.

    4. Re:User error by rthille · · Score: 1

      I'd guess the cost of one of those (something like a RPi) would be ~$20 each.

      And the cost of a medically certified one would be ~$2000 each.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  4. Sorry I'm AC, but this is very relevant. by Anonymous Coward · · Score: 4, Insightful

    I worked (as a sys admin / tech support) for both the University Hospitals Health Systems and the Cleveland Clinic (Cleveland.) I'd estimate that about 65%+ of the really expensive machines had some type of malware that the doctors actively ignored because they were under strict orders not to update machines or it would 'invalidate the warranty from the manufacturer.' Some of those machines literally cost millions of dollars. It was well understood that they were infected, but it was explained to me that I was not allowed to remove the malware or update the machine to prevent further infection or spread of infection "because, if the machine stops working, the manufacturer will refuse to support it and it'll become a 6 million dollar paper weight"- I imagine most hospitals have some similar silliness going on.

    1. Re:Sorry I'm AC, but this is very relevant. by Anonymous Coward · · Score: 4, Insightful

      Correct, sir.

      I worked IT in a hospital system for 9 years (one that works with Cleveland Clinic every now and again, as a matter of fact). A lot of XP still deployed. Some Windows 2000 deployed still. A lot of old unix-style systems from the 1980s that have never been upgraded. A lot of servers without RAID controllers (single disk) that are running life and death systems. This isn't necessarily by choice. You're at the mercy of the vendor and FDA a lot of the time. These vendors... McKesson comes immediately to mind, will SELL you 7-8 year old obsolete junk as a brand new solution if you buy a system / software / widget from them. That's all they sell and it's what they support. You want the McKesson PACS system? Great! Here's your old HP DL380 Gen4 server with Windows 2000 SP2, because it's what we "certify," for the low low price of $19,000 for said server. It gets worse when you have systems critical enough that the FDA gets involved (expect to see a lot of 3.5" floppy disks).

      Same goes for some of the major medical equipment. You bought that multi-million dollar, state of the art CT scanner, but GE is going to give you a crap workstation probably running WindowsNT. God forbid you try to upgrade it, or apply Windows updates, or put antivirus on it... they'll cancel your service contract before you can click the mouse then rat you out to the FDA for messing with it. I can't tell you how many systems we were FORBIDDEN from 1) applying patches and 2) running antivirus on.

      Now before you start with the smartass Windows vs Linux comments... let's reiterate that you get what the vendor gives you. This isn't a personal gaming and coding rig. You're talking about PCs for medical equipment that is specialized, only a handful of vendors make, and the FDA is breathing down their and your neck over it. You don't get the option of "oh I'm just going to migrate it to Ubuntu"

    2. Re:Sorry I'm AC, but this is very relevant. by Anonymous Coward · · Score: 0

      There's no reason for any of those systems you describe to be on a network.

    3. Re:Sorry I'm AC, but this is very relevant. by __aaclcg7560 · · Score: 1

      I'd estimate that about 65%+ of the really expensive machines had some type of malware that the doctors actively ignored because they were under strict orders not to update machines or it would 'invalidate the warranty from the manufacturer.'

      These medical devices are on a separate network VLAN, have no direct access to the Internet, and have a dedicated IT support team? If not, your hospital is doing it wrong.

    4. Re:Sorry I'm AC, but this is very relevant. by Archangel+Michael · · Score: 1

      Here's the deal, if you're going to blame the FDA for this, you're gonna stir some serious shit up.

      1) FDA is that way, because it is Government. (cue the "I'd rather have old busted FDA than Somalia" counter arguments)
      2) This is the same FDA that said walnut growers couldn't use Factual Information on their products, because only Drugs can make those claims
      3) FDA won't even STUDY cannabis for medicinal use because ... well big Pharma can't handle the competition

      FDA has indemnified the makers from lawsuits due to failures with such protections. Which is a huge deal, and why you CANNOT mess with them at all, even to install antivirus. The problem is the FDA. It takes years to bring new devices to market, and the FDA doesn't care if they work or not, just that they go through the process. There are PLENTY of examples of FDA approved devices that just plain suck.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    5. Re:Sorry I'm AC, but this is very relevant. by Bugler412 · · Score: 1

      So very true, and no, they typically don't isolate them network-wise, or at least not to the extent necessary for safety. Hospitals and health care in general are where I've witnessed some of the absolute worst IT practices of my 25 year career, topping this list is entrenched legacy systems like what you mention, and management that refuses to press the vendors for proper software maintenance, thinking that it's somehow unnecessary. The industry use of unmaintained embedded software (doesn't matter what OS) is the largest vulnerability of all. This will be a quaint preview of what will happen with the Internet of Things too.

    6. Re:Sorry I'm AC, but this is very relevant. by ColdWetDog · · Score: 1

      Sorry guy, GE CTs run Linux. Just watch the boot screen.

      --
      Faster! Faster! Faster would be better!
    7. Re:Sorry I'm AC, but this is very relevant. by tnk1 · · Score: 1

      Realistically, the devices probably run whatever was reasonably current when the actual device was designed and tested. They're not *trying* to run old shit, they just don't want to re-certify every time they make a change to the system. Certification with the .gov is expensive and time consuming, which I know from first hand experience, and medical certification is even worse.

      On this board, it is important to us that people take IT security reasonably seriously. To medical equipment makers, that's second fiddle to being able to make a device that works at its primary task which can then make it through certification and eventually make back the cash they dumped into designing it and pushing it through the process.

      Someone like the FDA is going to have to force them to care about malware protection, mostly because it is the FDA that is making it such a pain in the ass to get this stuff certified to begin with. They're the long pole in the tent, so unless the FDA cares about it, everything else is less than important.

    8. Re:Sorry I'm AC, but this is very relevant. by Anonymous Coward · · Score: 0

      Someone like the FDA is going to have to force them to care about malware protection,

      This part is true, and it's unfortunate. It's a little more complicated than you say though. Those who blame FDA, are the exact same type of scumbag businesses that would dump toxic waste directly into the drinking water if the EPA didn't stop them. FDA regulations ARE NOT onerous. I worked for a medical device manufacturer for many years and they don't HAVE to make things cheap and it is NOT difficult to get things certified. Slightly expensive perhaps, but as mentioned, they charge $19,000 for $150 worth of hardware, THE CUSTOMER pays for the regulation, the problem is, the business owners are POCKETING IT instead of using it towards the purpose. They are greedy fucks. They are the same ones who whine and cry, "You're going to put me out of business!" when the government demands simple things like not paying a slave wage (minimum living wage laws). It's all bullshit. Don't believe their bullshit.

    9. Re:Sorry I'm AC, but this is very relevant. by Anonymous Coward · · Score: 0

      Here's the deal, if you're going to blame the FDA for this, you're gonna stir some serious shit up.

      1) FDA is that way, because it is Government. (cue the "I'd rather have old busted FDA than Somalia" counter arguments)
      2) This is the same FDA that said walnut growers couldn't use Factual Information on their products, because only Drugs can make those claims
      3) FDA won't even STUDY cannabis for medicinal use because ... well big Pharma can't handle the competition

      FDA has indemnified the makers from lawsuits due to failures with such protections. Which is a huge deal, and why you CANNOT mess with them at all, even to install antivirus. The problem is the FDA. It takes years to bring new devices to market, and the FDA doesn't care if they work or not, just that they go through the process. There are PLENTY of examples of FDA approved devices that just plain suck.

      I think you misunderstand what the FDA actually does. They do not do their own original research or testing. They do research and testing on drugs which have been trialed already to help prevent fake research. From what I understand, the FDA only gets involved once people want to test drugs/equipment on people. From the FDA website:

      Before conducting testing in humans of a drug that has not been approved by the FDA, an investigator submits an investigational new drug (IND) application, which is reviewed by the FDA. An IND includes protocols describing proposed studies, the qualifications of the investigators who will conduct the clinical studies, and assurances of informed consent and protection of the rights, safety, and welfare of the human subjects. The FDA reviews the IND to ensure that the proposed studies, generally referred to as clinical trials, do not place human subjects at unreasonable risk of harm. The FDA also verifies that there are adequate assurances of informed consent and human subject protection.

      The FDA also supports research into the medical use of marijuana and its constituents through cooperation with other federal agencies involved in marijuana research. Conducting clinical research using marijuana involves interactions with other federal agencies:

      The FDA reviews the IND application and the research protocol submitted by the applicant.
      The Drug Enforcement Administration (DEA) reviews the registration application filed by the researcher.
      The National Institute on Drug Abuse (NIDA) within the National Institutes of Health operates pursuant to the Single Convention on Narcotic Drugs. NIDA has been designated the responsible agency to supply research-grade marijuana to researchers.

      http://www.fda.gov/NewsEvents/PublicHealthFocus/ucm421163.htm
      And for what it is worth, there is a fair amount of research on medical marijuana elsewhere in the world. I don't know if the FDA will take into account research done by overseas labs but quite a few countries allow FDA approval to be the equivalent of local approval for drugs.

    10. Re:Sorry I'm AC, but this is very relevant. by Anonymous Coward · · Score: 0

      WTF are you talking about? GW Pharmaceuticals just released positive ph3 results for their cannabinoid Epidiolex (Dravet syndrome). www.nasdaq.com/press-release/gw-pharmaceuticals-announces-positive-phase-3-pivotal-study-results-for-epidiolex-cannabidiol-20160314-00153

      And no, you clueless dipshit, the FDA doesn't conduct studies. It reviews them for safety and efficacy before allowing drugs on the market.

    11. Re:Sorry I'm AC, but this is very relevant. by Archangel+Michael · · Score: 1

      All of what you said may be true. However it hasn't stopped fake research, it just makes it harder. Plenty of drugs that turned out to be awful passed FDA muster.

      And if you see what the FDA did for Walnuts, you'll know that it doesn't just test "drugs", it defines what constitutes a drug, to the point where making factual claims on a nut makes it a "drug" by FDA rules, and thus "illegal" because ... it hasn't passed FDA approval for said claims. In other words, facts don't matter, only rules matter. Which is the whole point of my post.

      Natural products may NOT claim things that only drugs can claim. Thus eating right cannot prevent diseases (never mind Scurvy is preventable by eating citrus, certain eye diseases by eating certain vegetables etc). Foods cannot make those claims under FDA rules.

      All of that is not negated by your points. Which makes your points either misleading and/or not completely accurate. But here is the key phrase from the FDA quote you used ...

      Before conducting testing in humans of a drug that has not been approved by the FDA

      Walnuts are not drugs. But making claims that ONLY drugs can make, (Omega 3 vs heart disease) that walnuts can HELP PREVENT disease, puts the walnuts into the realm of a "drug" and thus, would need testing by the FDA to be able to make sure it is safe and effective before they can make that claim (regardless of the actual facts!) . Until you realize that it is the definition of "drug" that the FDA controls, you're gonna keep missing the point.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    12. Re:Sorry I'm AC, but this is very relevant. by Archangel+Michael · · Score: 1

      You inadvertently made my point. Thanks. Cannabis is not the cannabinoid byproduct being developed. My guess is that they will genetically engineer something that can mass produce the cannabinoid and that is what is actually going to be protected. See Monsanto for further references.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    13. Re:Sorry I'm AC, but this is very relevant. by PIBM · · Score: 1

      Doctors' time is limited; do you want them to have to walk up to every machine and look at the results? Or move back in time and print low resolution fixed contrast scans that have to be moved by someone so the doctor can have a look? It would be nice though if a little Arduino could be put in front of those machines, receiving serial data on the USB line and sending to a network server acting as a dispatch using a network shield, with SPIEN=1. Cost, with a box, $25.

    14. Re:Sorry I'm AC, but this is very relevant. by Anonymous Coward · · Score: 0

      I worked (as a sys admin / tech support) for both the University Hospitals Health Systems and the Cleveland Clinic (Cleveland.) I'd estimate that about 65%+ of the really expensive machines had some type of malware that the doctors actively ignored because they were under strict orders not to update machines or it would 'invalidate the warranty from the manufacturer.'

      But malware is a modification of the machine too. That should either invalidate the warranty too or (better) put an obligation on the manufacturer to repair the thing because it shouldn't have been vulnerable to malware in the first place. And as malware is a modification, doesn't it invalidate FDA approval of the device?

    15. Re:Sorry I'm AC, but this is very relevant. by Anonymous Coward · · Score: 0

      Same goes for some of the major medical equipment. You bought that multi-million dollar, state of the art CT scanner, but GE is going to give you a crap workstation probably running WindowsNT. God forbid you try to upgrade it, or apply Windows updates, or put antivirus on it... they'll cancel your service contract before you can click the mouse then rat you out to the FDA for messing with it. I can't tell you how many systems we were FORBIDDEN from 1) applying patches and 2) running antivirus on.

      I know you're right about the above. Been there. But a question to you as the sysadmin. Why is this shit not on a closed, protected network? It's a CT scanner, so why not have a switch in the CT room with just the machines needed for CT scanning connected to the switch and no connection to the hospital LAN? Air gap?

      I know what GE's contract says, but it is completely against all HIPAA standards if you think about it.

      I bring this up because I pen test for a living. I do them all: PCI DSS, HIPAA, SOX. Every hospital I have tested horribly failed, mostly from flat networks and no updates. It actually scares me to test these places because if I knock off the wrong thing I could kill someone. Why are heart monitors on a network with Internet access?? Why can I see your CT scanner from the same network as the nurses' station?

      I do understand where you're at, so no smartass "migrate" comments; I know you get what is given, but if it is a POS device (Piece Of Shit) then lock it up in its own little world and let the vendor sort out how to work with YOUR security practices. Yes, I've had this fight when I worked as Chief of Network Security for some doctors' offices. I drove GE and McKesson nuts. We had good security rules and I didn't bend the rules to fit their product. I brought up HIPAA requirements all the time for my defense.

      A security thought.
      I can crack a hospital wide open in less than an hour, but an adult toy store network I can beat on for two days and get nowhere. Yes, buying a dildo is safer than the access to your medical records. Maybe bring that up to your vendor next time.

      In 5 hospitals I have tested in the last two years, the Domain Administrator account's password was... password. I'm not lying.
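
The last finding above (a Domain Administrator password of "password") is one a hospital's own staff can catch offline, without a pentester, by hashing a banned-password list and comparing it against a dump of the domain's NT hashes. The following is an added example, not the commenter's code or any tool named on the page. The dump lines, account names and RIDs are constructed for the demonstration, the banned list is deliberately tiny, and MD4 is implemented in pure Python only because many current OpenSSL builds no longer expose it through hashlib; for a real audit use hashcat (mode 1000) with a proper wordlist against the same dump.

```python
"""Offline audit of an NT hash dump against a banned-password list.

Constructed example: the dump, accounts and RIDs below are made up.
NT hashes are unsalted MD4 over the UTF-16LE password, so one hash per banned
password is enough to check every account in the domain with a dict lookup.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed because NT hashes are MD4 and hashlib may lack it."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        s = state[:]
        for fn, order, shifts, k in rounds:
            for j, xi in enumerate(order):
                i = (-j) % 4                          # updates a, d, c, b, a, ...
                v = (s[i] + fn(s[(i + 1) % 4], s[(i + 2) % 4], s[(i + 3) % 4]) + x[xi] + k) & _MASK
                s[i] = _rotl(v, shifts[j % 4])
        state = [(a + b) & _MASK for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as lowercase hex: MD4 over the UTF-16LE encoding, no salt."""
    return md4(password.encode("utf-16-le")).hex()


# Tiny banned list for the demo; a real one is the breach-corpus wordlist.
BANNED = ["password", "Password1", "Welcome1", "Summer2016", "changeme", ""]


def parse_dump(text: str):
    """Parse pwdump-style lines 'user:rid:lmhash:nthash:::'; skip blanks and comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        out.append((parts[0], parts[3].lower()))
    return out


def audit(dump_text: str, banned=BANNED) -> dict:
    """Return {account: banned_password} for every account whose NT hash
    matches a banned password. Hash the short list once, then one lookup per account."""
    table = {nt_hash(p): p for p in banned}
    return {user: table[h] for user, h in parse_dump(dump_text) if h in table}


# Constructed sample dump. The Administrator line carries the well-known NT hash
# of "password"; the jdoe line is built from the code above so it matches too.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
SAMPLE_DUMP = "\n".join([
    "# constructed sample, not from any real domain",
    f"Administrator:500:{EMPTY_LM}:8846f7eaee8fb117ad06bdd830b7586c:::",
    f"svc_pacs:1104:{EMPTY_LM}:0123456789abcdef0123456789abcdef:::",
    f"jdoe:1201:{EMPTY_LM}:{nt_hash('Password1')}:::",
])

if __name__ == "__main__":
    for user, pw in audit(SAMPLE_DUMP).items():
        print(f"{user}: banned password {pw!r}")
```

Because NT hashes are unsalted, the cost of this check is one MD4 per banned password regardless of domain size, which is also why an attacker who obtains the same dump gets the same answer just as cheaply; the fix is the password (and a fine-grained password policy or banned-password filter on the DCs), not hiding the dump.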

  5. Let me think... by Anonymous Coward · · Score: 0

    "How can hospitals guard themselves against these attacks"

    They could, as a start, keep the medical (patient records, diagnostic, monitoring, etc.) networks segregated from each other, and especially from the Internet. But that would prevent staff from checking the Bookface, so it wouldn't go over well.

    1. Re:Let me think... by acoustix · · Score: 2

      Separate networks are definitely key. But how many organizations actually practice it? And if they do, are they doing it correctly? For example, are the network access points secured? Do they only allow certain MAC addresses on certain switchports?

      This is where technology like Cisco ISE (I'm only a customer, not a vendor - and I don't have this product yet) would help reduce the attack surface for different areas of the network.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
    2. Re:Let me think... by Archangel+Michael · · Score: 1

      They could start using Virtual Desktops, which when properly implemented would reduce exposure to such things in the first place.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re:Let me think... by tnk1 · · Score: 1

      It seems easy conceptually, but these threats have crept up on a sector where the product approval cycle is measured in years or even decades. They have old equipment and facilities that were meant for medicine first, and IT a very distant second (or third). And if IT security was an afterthought in the products they selected, they're not going to be able to turn them around fast.

      Hell, even re-doing the network could be a multi-million dollar project so they can update routers, add more physical wiring and ports, and re-deploy equipment to create air gaps where they never had them before. They're not working with a green field. These are working hospitals that complicate the hell out of trying to redesign networks. They're not going to spend that money or time unless someone makes them. Perhaps someone is about to make them do that. Or perhaps not.

    4. Re:Let me think... by bev_tech_rob · · Score: 1

      "How can hospitals guard themselves against these attacks"

      They could, as a start, keep the medical (patient records, diagnostic, monitoring, etc.) networks segregated from each other, and especially from the Internet. But that would prevent staff from checking the Bookface, so it wouldn't go over well.

      You enforce blocking of "Bookface" since it is non-work related. You try to access the site and you get

      "URL Prohibited
      Access to this website has been prohibited due to possible concerns over its safety, reputation, or due to company policy.

      Event Details:
      URL: https://www.facebook.com/
      Category: Social Networking
      Policy: Extended Access
      If you have a business reason for accessing this website, please click the link below and submit the form to be routed for approval

      We do that in my organization and it works pretty well....

      --
      You're messin' with my Zen Thing, man.....
  6. ah yes, the machine that goes "PING!" by Thud457 · · Score: 0

    "because, if the machine stops working, the manufacturer will refuse to support it and it'll become a 6 million dollar paper weight"

    Nice priorities there, docs.
    Not "it could kill patients"
    Nor "we can't change even the tiniest thing otherwise we lose FDA certification".
    But "it might cost the hospital money" (to brick an infected device and have to replace it with a hopefully more secure updated version).

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:ah yes, the machine that goes "PING!" by tnk1 · · Score: 1

      Why do you blame the doctors for that?

      It's not the docs' fault that the company will not support something if you screw with it. I mean, sure, they can invalidate the warranty, and then who is going to fix it when it breaks?

      I'm guessing you don't work with this stuff very often or you'd know that you don't screw with something that invalidates your warranty on equipment that costs millions to replace. The doctors don't have a plethora of products to choose from where they can simply pick one that is a little more expensive, but has malware protection.

      The actual problem is that the manufacturers for these devices are not in any way incentivized for securing their devices against malware attacks. Their device only needs to do what its primary function is because there's no other serious competition. You can't go buy this shit at Walmart, you know. You get to pick product #1 which isn't protected from malware or product #2 which isn't protected from malware either.

    2. Re:ah yes, the machine that goes "PING!" by Anonymous Coward · · Score: 0

      I would classify it as broken already in that case.... For $6M equipment I would expect the support to actually be good and that they actually fix reported security issues.. But maybe it's just me being stupid..

    3. Re:ah yes, the machine that goes "PING!" by EndlessNameless · · Score: 1

      Already broken? Maybe. But as long as the medical function is not impaired, it will still fulfill its primary purpose. And changing the software can trigger an expensive recertification process.

      Plus, when every choice is broken, what do you do? Just toss all the machines? Diagnose patients without MRIs and ultrasounds? The doctors and medical directors don't really have many options.

      Hospital IT should set up these devices with network ACLs that permit only the barest minimum communication required for the device to work. Figuring that out takes time and effort, so lazy IT might not push management---or management may balk at the cost and tradeoffs.

      With many of the management servers and workstations running severely outdated operating systems, the only secure option is total isolation from internet-connected business systems. Isolating equipment requires effort from other people though---in particular, the users who need to move data to or from that device.

      Between poor vendor support and the requirement to digitally manage and exchange medical records, hospitals are between a rock and a hard place. I would like to see the FDA impose device security requirements, as that is the only way to force the vendors' hands.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  7. "Not for profit" so who cares about it again? by Anonymous Coward · · Score: 0

    You can take off your nose, but you remain ugly on the inside. Now I care less about it.

  8. seems obvious by Gravis+Zero · · Score: 2, Insightful

    How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

    STOP USING WINDOWS!

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:seems obvious by AlphaBro · · Score: 1

      Take some time to familiarize yourself with the economy of malware. This is not an operating system problem.

    2. Re:seems obvious by khasim · · Score: 2

      STOP USING WINDOWS!

      Probably not an option, since the OS decision is usually based upon what software will be running on it.

      But how can they "guard themselves against these attacks"? Maybe they can't. But first try recognizing the means by which machines get infected. Can those be blocked? Limited?

      Secondly, backups. Lots of backups. And testing of the backups. Even if you are infected, you should be able to recover from backups.

      Third, SEGMENT YOUR NETWORK. Machines that can access CRITICAL SYSTEMS should not be connecting to the Internet. If someone outside the office needs access then give them a Citrix session or equivalent.

      Finally, monitor your network for things like this. Know what the normal traffic is and look for the abnormal instances. It takes a lot of time to encrypt a lot of files.
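The last point above (normal activity versus the abnormal burst it takes to encrypt many files) can be turned into a simple file-server detection. This is an added example, not code from the post or from MedStar; the audit line format, the user names and the thresholds are all constructed for illustration.

```python
"""Flag accounts whose file-server activity looks like bulk encryption.

Ransomware has to rewrite every file it encrypts, so on a file share it
shows up as one account touching far more files per minute than it ever
does normally, usually renaming them to a new extension as it goes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) audit line shape; real servers log differently:
#   2016-03-28T09:03:12 clerk07 RENAME /old/path -> /new/path
#   2016-03-28T09:03:13 clerk07 WRITE /path
LINE_RE = re.compile(r"^(\S+) (\S+) (WRITE|RENAME) (\S+)(?: -> (\S+))?$")
WINDOW = timedelta(seconds=60)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, op, src, dst = m.groups()
    return datetime.fromisoformat(ts), user, op, src, dst


def extension_changed(src, dst):
    """True when a rename gives the file a different trailing extension."""
    return dst is not None and src.rsplit(".", 1)[-1] != dst.rsplit(".", 1)[-1]


def events_per_minute(lines):
    """Peak number of events one user produced inside any 60 s window.
    Run this over a quiet period to learn what 'normal' looks like."""
    windows, peak = defaultdict(deque), 0
    for ev in filter(None, map(parse, lines)):
        ts, user = ev[0], ev[1]
        q = windows[user]
        q.append(ts)
        while ts - q[0] > WINDOW:        # drop events older than the window
            q.popleft()
        peak = max(peak, len(q))
    return peak


def detect(lines, baseline, factor=5, min_ext_changes=5):
    """One alert per user, raised the first time their 60 s event count
    exceeds factor*baseline or they rename >= min_ext_changes files to a
    new extension inside one window."""
    threshold = max(10, factor * baseline)
    windows = defaultdict(deque)          # user -> deque of (ts, ext_changed)
    alerted, alerts = set(), []
    for ev in filter(None, map(parse, lines)):
        ts, user, op, src, dst = ev
        q = windows[user]
        q.append((ts, op == "RENAME" and extension_changed(src, dst)))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        ext_changes = sum(1 for _, changed in q if changed)
        if user not in alerted and (len(q) >= threshold or ext_changes >= min_ext_changes):
            alerted.add(user)
            alerts.append({"user": user, "at": ts.isoformat(),
                           "events_in_window": len(q), "ext_changes": ext_changes})
    return alerts


def constructed_log():
    """Constructed sample: light normal use, plus one account rewriting and
    renaming 30 claim files in under a minute."""
    t0 = datetime(2016, 3, 28, 9, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=3 * i)).isoformat()} nurse01 WRITE "
             f"/shares/ward3/notes/bed{i}.docx" for i in range(6)]
    for i in range(30):
        t = (t0 + timedelta(minutes=2, seconds=i)).isoformat()
        p = f"/shares/billing/claims/claim-{1000 + i}.pdf"
        lines.append(f"{t} clerk07 WRITE {p}")
        lines.append(f"{t} clerk07 RENAME {p} -> {p}.locked")
    return sorted(lines)                  # ISO timestamps sort chronologically


if __name__ == "__main__":
    log = constructed_log()
    base = events_per_minute([l for l in log if "nurse01" in l])
    for alert in detect(log, base):
        print(alert)
```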

    3. Re:seems obvious by Gravis+Zero · · Score: 2, Insightful

      Take some time to familiarize yourself with the economy of malware. This is not an operating system problem.

      security is about reducing risk and windows is the highest risk operating system by a HUGE margin. it's not the entire solution but it is most of it.

      --
      Anons need not reply. Questions end with a question mark.
    4. Re:seems obvious by Gravis+Zero · · Score: 1

      Probably not an option, since the OS decision is usually based upon what software will be running on it.

      which is why management should talk to security people BEFORE buying any software/hardware. just because you are fucked now, doesn't mean the solution has changed.

      --
      Anons need not reply. Questions end with a question mark.
    5. Re:seems obvious by Anonymous Coward · · Score: 0

      Have you ever worked in medical IT?

      There's no such thing as end user computing without Windows.

      And if you think "find another vendor who doesn't use Windows" then good luck finding a solution for your problem.

    6. Re:seems obvious by lgw · · Score: 1

      windows is the highest risk operating system by a HUGE margin.

      It isn't Win95 any more. The Windows kernel is no more or less vulnerable than anything else commonly used. Windows users may have bad habits in terms of volunteering to install malware, but that doesn't apply to kiosk-style workstations attached to equipment.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    7. Re:seems obvious by AlphaBro · · Score: 1

      Nope, the issues we're facing have virtually nothing to do with platform. Move to different operating systems and the APTs will follow. In fact, they already are. Arguments that other operating systems will provide adequate security in the meantime amount to little more than security through obscurity, which is widely accepted as an anti-pattern. Until we address the underlying issues, nothing will change for the better, regardless of OS used. Quite the opposite, I assure you.

    8. Re:seems obvious by AlphaBro · · Score: 1

      Having personally discovered and exploited vulnerabilities in FOSS medical software, I can tell you that your "solution" isn't one.

    9. Re:seems obvious by Gravis+Zero · · Score: 1

      who said anything about FOSS? also, they didn't attack the medical software, they attacked the operating system.

      so tell me, what is this alleged FOSS medical software that you exploited and how did you do it? kinda sounds like you are full of shit.

      --
      Anons need not reply. Questions end with a question mark.
    10. Re:seems obvious by AlphaBro · · Score: 1

      Generally, when people suggest using an alternative to Windows they are alluding to FOSS alternatives. It doesn't matter though, because it's highly unlikely the attackers actually exploited an operating system zero-day to compromise the systems affected. That's not how this sort of thing works, you see; a zero-day in a modern operating system is worth far more than can be had with a few ransoms. And to be clear, persistence in an already compromised system isn't really part of the "attack", excluding stuff like local EoP of course. Given that this account is largely for shitting all over /., I think I will abstain from providing details that could easily be used to track down my real identity. Rest assured I've contributed plenty of security fixes to software you probably use on a daily basis.

    11. Re:seems obvious by Gravis+Zero · · Score: 1

      I will abstain from providing details that could easily be used to track down my real identity. Rest assured I've contributed plenty of security fixes to software you probably use on a daily basis.

      LOL. you are so full of shit. well done.

      --
      Anons need not reply. Questions end with a question mark.
    12. Re:seems obvious by AlphaBro · · Score: 1

      Not at all. If you look at my post history, it's quite clear I'm a security researcher. What you think doesn't matter, though. I'll keep you safe regardless, end user.

    13. Re:seems obvious by EndlessNameless · · Score: 1

      When the imaging system vendor only supplies and supports Windows 2000 or XP workstations in 2016, you're looking at a serious problem.

      The problem is Windows, specifically the obsolete and unsupported versions of Windows that the equipment manufacturers force the hospitals to use.

      And inadequate isolation of these vulnerable hosts.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  9. even GPs say prevention better than cure by ihtoit · · Score: 1, Insightful

    ...except in the case of IT infrastructure, where a broken PC keeps a sysadmin in work.

    I disagree with this, however.

    Systems made essential by feature-request-creep from the hospital administrators should have ZERO downtime. Or close as dammit. Preventative measures are therefore essential. Strict user policy, coupled with strict sanction and for fuck's sake, live failback to paper and pencil! Yes, I've been in situations where failure is NOT an option. Measures should be enforced to PREVENT failures whether internal or externalised. So, here it is:

    Hospital data network should have per-user access policy on the internal network only. Otherwise it should be airgapped. NO external access should be possible. If that means ensuring that not a single wireless connection exists on the network, then so be it. I have seen one such example where this policy isn't followed to this day and I've told them again and again that their network is vulnerable: Nottingham City NHS Trust has OPEN Wi-Fi through their administration network! Find the right network share and you have access to the ENTIRE NHS database.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    1. Re:even GPs say prevention better than cure by Anonymous Coward · · Score: 0

      The problem isn't downtime. From my experience, the infected machines still function as intended (and this is one of the big obstacles.) The problem is, there are infected machines that require 100% up time and are too expensive to have redundancies in place. Due to manufacturer requirements, they cannot be updated with the most current countermeasures so they are left to continue infecting other machines on the internal network. A majority of the malware you see in hospitals is *ancient* and has existed there longer than most of the employees.

    2. Re:even GPs say prevention better than cure by Anonymous Coward · · Score: 0

      My understanding is that Carbon Black (or similar products) are the solutions for this.
      Such as if you have to have a Windows 2003 server going after EO. I think the way it works is they can make a "shell" around the server as I understand it.
      https://www.carbonblack.com/solutions/windows-server-2003-end-of-life/

      Also, if it's virtualized, it's easier to control its network access. Such as if it only needs to communicate over port 49 to IP 192.168.1.5 then block everything else. Then if it gets infected, it's trying stuff that's not going through.

      Or whitelist apps (such as through GPO)

      Etc, there's a lot of possible solutions to protecting those legacy systems that cannot be upgraded/updated. At least one of the aforementioned is "free"
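The per-device allowlist idea in this post (only port 49 to 192.168.1.5, block everything else) and the minimum-communication ACLs suggested earlier by EndlessNameless can be checked and rendered like this. This is an added example, not code from either post; the device addresses, the DICOM entry for the second device and the flow record format are constructed assumptions.

```python
"""Check observed flows from legacy medical hosts against a per-device
allowlist, and render that allowlist as gateway firewall rules.

A host that can only reach the one server it needs is still a risk, but an
infection on it becomes visible the moment it tries to talk to anything else.
"""
import ipaddress
from collections import Counter

# Allowlist: device IP -> set of (protocol, destination network, dest port).
# Constructed for this example; 192.168.1.5:49 is the pair from the post,
# the DICOM (tcp/104) and DNS entries for the second device are assumed.
POLICY = {
    "10.20.0.15": {("tcp", ipaddress.ip_network("192.168.1.5/32"), 49)},
    "10.20.0.16": {("tcp", ipaddress.ip_network("192.168.1.0/24"), 104),
                   ("udp", ipaddress.ip_network("192.168.1.53/32"), 53)},
}

# Constructed netflow-like records: "src dst proto dport bytes".
SAMPLE_FLOWS = [
    "10.20.0.15 192.168.1.5 tcp 49 1200",       # the one expected conversation
    "10.20.0.15 192.168.1.5 tcp 445 80000",     # SMB to the same server: not allowed
    "10.20.0.15 10.20.0.77 tcp 445 80000",      # lateral SMB inside the segment
    "10.20.0.16 192.168.1.20 tcp 104 5000000",  # DICOM send into the PACS subnet
    "10.20.0.16 192.168.1.53 udp 53 90",        # DNS to the permitted resolver
    "10.20.0.16 203.0.113.9 tcp 443 3000",      # imaging box reaching the internet
    "10.20.0.99 192.168.1.5 tcp 49 100",        # host with no policy entry at all
]


def parse_flow(line):
    src, dst, proto, dport, nbytes = line.split()
    return src, ipaddress.ip_address(dst), proto.lower(), int(dport), int(nbytes)


def permitted(policy, src, dst, proto, dport):
    """True/False for a managed device, None when src has no policy entry."""
    rules = policy.get(src)
    if rules is None:
        return None
    return any(proto == p and dport == port and dst in net for p, net, port in rules)


def audit(policy, lines):
    """Classify every flow and collect the ones a managed device should
    never have produced; those are the leads worth investigating."""
    verdicts, violations = Counter(), []
    for line in lines:
        src, dst, proto, dport, _ = parse_flow(line)
        ok = permitted(policy, src, dst, proto, dport)
        if ok is None:
            verdicts["unmanaged"] += 1
        elif ok:
            verdicts["allowed"] += 1
        else:
            verdicts["blocked"] += 1
            violations.append((src, str(dst), proto, dport))
    return verdicts, violations


def to_iptables(policy):
    """Render the allowlist as FORWARD-chain rules for a gateway placed in
    front of the devices: accept the listed pairs, log and drop the rest."""
    out = []
    for src, rules in sorted(policy.items()):
        for proto, net, port in sorted(rules, key=lambda r: (r[0], str(r[1]), r[2])):
            out.append(f"iptables -A FORWARD -s {src} -d {net} -p {proto} "
                       f"--dport {port} -j ACCEPT")
        out.append(f"iptables -A FORWARD -s {src} -j LOG --log-prefix 'LEGACY-DENY '")
        out.append(f"iptables -A FORWARD -s {src} -j DROP")
    return out


if __name__ == "__main__":
    counts, bad = audit(POLICY, SAMPLE_FLOWS)
    print(dict(counts))
    for v in bad:
        print("violation:", v)
    print("\n".join(to_iptables(POLICY)))
```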

    3. Re:even GPs say prevention better than cure by tnk1 · · Score: 1

      Those good ideas you suggest are not certified for medical or mission critical activities. Therefore they will not be used.

      It could be certified, but it will take about five years to get through the process and cost probably about a million dollars to do it before they could even sell a single unit to a hospital.

      And if it's free, that's much worse. Then there is no one who will be able to pay for the certification process.

      This is medicine and the process must be followed as long as it fucks you over for less than a malpractice suit or regulatory inquiry would.

      Note that the OS for this equipment often *is* supported, but through a special deal with the equipment manufacturer, so this solution also falls into the same situation as the anti-virus scan would. You need to be running their image on their hardware or your equipment is now unsupported and if it fails, it is now a multi-million dollar brick because you won't be able to fix it.

    4. Re:even GPs say prevention better than cure by ihtoit · · Score: 1

      they are probably glad I haven't because I would be the bitch sysadmin from Hell. When it comes to information security I. Do. Not. Compromise. Period. The High Court in London learned that the hard way when some dink of a paper pusher demanded my client file and I told her to get fucked.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    5. Re:even GPs say prevention better than cure by ihtoit · · Score: 1

      someone please mod #51803685 up, he makes a good point. Although, in this country when a doctor walks from a hospital he doesn't get to take his patients with him, those who are left get to take up the slack. That will soon no longer be the case as the NHS is sold piecemeal to the private sector.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  10. Uh oh by Anonymous Coward · · Score: 0

    Ah yes, but no one has figured out that the individual that caused it probably posted to Reddit last night.

    https://www.reddit.com/r/tifu/comments/4cazfy/tifu_by_accidentally_downloading_ransonware_at/

    1. Re:Uh oh by Archangel+Michael · · Score: 1

      I wonder if Ransomware could infect Google Docs on a Google Drive.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  11. Airgap by Doke · · Score: 1

    Airgap seems like an excellent place to start. Data does need to come in and out, but you could limit it to usb drives that are virus scanned before being reconnected to the internal network. It would be a nuisance, but less so than these infections.

    1. Re:Airgap by AlphaBro · · Score: 2

      AV? That's adorable.

    2. Re:Airgap by frank_adrian314159 · · Score: 1

      How do the charges that the patient is racking up get sent to the insurance company? You think hand billing is an option? What about lab reports from external labs? Consulting reports from a consulting physician? Reports to/downloads from governmental registries (immunization, etc.)? Or do you expect all of this (and more) to be hand transferred?

      Have you ever seen what goes into (and comes out of) a modern EMR system?

      --
      That is all.
    3. Re:Airgap by msauve · · Score: 1

      "Have you ever seen what goes into (and comes out of) a modern EMR system?"

      Anyone who's ever dealt with healthcare insurance has. It epitomizes GIGO. And yes, healthcare was much less expensive when it was done by hand.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:Airgap by tnk1 · · Score: 1

      It was much less expensive when it was done by hand, but it doesn't scale.

    5. Re:Airgap by msauve · · Score: 1

      LOL. Never heard of "economy of scale," have you?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:Airgap by Doke · · Score: 1

      I expect them to spend $2000 on a set of 4TB external usb hard drives, and have three employees (one per shift) rotate them between three systems: inside, AV, and outside. That's going to be orders of magnitude cheaper than cleaning up after these infections, or getting layer 7 firewalls for everything. It will require some coding to automate all the transfers, but it's worth it.

      Some employees will need two desktops, inside and outside.

    7. Re:Airgap by EndlessNameless · · Score: 1

      And what happens in the case of billing issues, which are, by the way, quite frequent? If you have to go back and forth with BC/BS 10 times to get a claim approved for payment, what happens when you can only transfer the necessary files once a day?

      Everyone thinks air gapping is a magic bullet. And it is never practical.

      A hardened gateway device sitting between the two networks might work though. Most importantly, it won't run an obsolete operating system with a plethora of public vulnerabilities nor does it require FDA certification when modified.

      You could imagine something which accepts only well-formed and authorized requests in a standard format, exposes no other service, and then communicates to the medical equipment on the other side in whatever manner those devices require. But then you'd need to actually build that device because it doesn't exist right now.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  12. Please summarize... by xxxJonBoyxxx · · Score: 1

    ...this poorly written wall of text. At first glance this looks like an India-sourced whitepaper.

    "Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents."

    Er...what?

    1. Re:Please summarize... by Anonymous Coward · · Score: 0

      Translation: Many hospitals are focused on security. However, if a vendor says "Here's the system, don't touch it, you'll break it" and it doesn't have the basics in security like a locked-down OS firewall or AV protection, then hospital IT has to deal with it after it becomes infected.

      If it's anything physical, throw an external firewall on the beast. We've done things in the past where we've put a firewall on a portable device and set the firewall to use a VPN solution so it connects back to a VPN (concentrator/server/peer/whatever). Full policy configuration available, device won't work properly without the firewall (typically doesn't do DHCP so plugging it into some random jack won't allow it to work).

  13. game theory and thermodynamics by Anonymous Coward · · Score: 0

    I am sure there is some law to be written somewhere related to thermodynamics or something that says there is no way to prevent it, that ultimately this will and must occur; maybe with game theory one could develop such a law...yes I speak nonsense but I am sure someone could do something with the thought.

  14. Don't run it by Anonymous Coward · · Score: 1

    How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

    Don't run malware. It is easier and cheaper to abstain from running malware than it is to go ahead and run it. Show me someone who has malware, and I'll show you someone who went to a lot of extra trouble to make that happen. You simply have to stop going to all that extra trouble.

  15. Secure systems? by NetNinja · · Score: 1

    Hospital systems should be segmented and isolated between networks. I bet you 10 million bucks that everything is sitting on a flat network.

    Grats and good luck.

    Bet you they haven't disabled USB access.

  16. "Constrained by operating concerns" by Anonymous Coward · · Score: 0

    That's code for "ain't nobody got time for security, make that share world-writable." None of those hospitals was "targeted". They caught the same plague that all the other email-attachment clickers catch, and their IT operations are so run-down and without authority over how things are done that everything is just wide open. You'd think a hospital would know a thing or two about epidemics control, but we all know that "with a computer" renders all prior art moot.

  17. Another disturbing cloud reality by Anonymous Coward · · Score: 0

    At some point we allowed technology to replace our reliable system with an otherwise vulnerable technology solution. Putting any kind of health records on a system that could affect patients or shut down a medical facility is very scary and yet we see this potential not just in medical but in our utilities, our communications and our government systems. We have moved to the cloud without many taking enough steps to protect that information.

    1. Re:Another disturbing cloud reality by tnk1 · · Score: 1

      For once, this has nothing to do with Cloud security. These folks got owned all by themselves on their own network.

      They might have actually been more secure in the Cloud. Which is not meant to be a ringing endorsement of Cloud security, but Hospitals are notoriously insecure and their IT is run on a shoestring.

      Just because you have your data on-site, doesn't make you safer. If you're a screw-up, or you aren't taking security seriously, it is entirely possible for your security to be worse than any Cloud provider.

  18. We put too much faith in technology by Anonymous Coward · · Score: 0

    Everything is being handled by a "system" which usually means computers, programs, internet, networking. Everything from climate systems, alarms, records, equipment, utilities, billing, all because we want to eliminate people from this process. We have plenty of enemies willing to hack and disrupt our systems to create chaos. It's way easier to hack a system than infiltrate and bomb a subway or building. IT needs to get onboard not only with maintaining and installing these systems, but protecting them too.

    1. Re:We put too much faith in technology by tnk1 · · Score: 1

      I doubt that they are ignoring security, they just aren't either prioritizing it highly enough, or they don't have the resources to do so.

      IT security is overhead. You need it, but it is all expense. This is not a job where all you have to do is just do it. You need to show very clearly why the expense is needed and security is one of those things that seems like a jobs program... until you're hacked, and then it's too late.

  19. Ask a... by frank_adrian314159 · · Score: 1

    How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

    They will have little choice but to devise systems that pay little attention to these "operating concerns" lest those concerns become non-operating concerns.

    --
    That is all.
    1. Re:Ask a... by Anonymous Coward · · Score: 0

      How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

      They will have little choice but to devise systems that pay little attention to these "operating concerns" lest those concerns become non-operating concerns.

      Two relatively simple things ... encrypt everything, all the time, and separate the networks. No outside person should ever have traffic on the patient/staff networks. Medical devices shouldn't be talking on administrative networks and conversely administrative traffic shouldn't be on the device network. And surgical robotics should be completely isolated from both.

  20. Which EHR? by normanjd · · Score: 1

    Anyone know for sure the EHR software they are using? A quick Google search seems to say they were switching to Cerner a couple years ago, but would like confirmation...

  21. Solution by fustakrakich · · Score: 0

    Go back to paper and fax, slow but effective.

    Computers are still not ready for prime time. They are little more than a Google/Facebook appliance. It is not a good idea to use them for anything more critical than that.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Solution by tnk1 · · Score: 1

      Let's be clear, computers open new dangers, but a lot of our current medical capabilities and even billing and records keeping actually relies on the capability.

      This isn't something that hospitals are doing because they love whiz-bang gadgets. Going back to paper is not a solution.

  22. Where's Anonymous by Anonymous Coward · · Score: 0

    Why aren't they tracking these perps down one by one?

  23. Hospitals invest in security? by khz6955 · · Score: 1

    "Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents."

    That would be news to me that hospitals invest in security. If so, then how do they keep getting hit? And would this MedStar Health malware be a Windows executable that only runs on Microsoft Windows?