Slashdot Mirror


Virus Hits MedStar Health Hospital Network (zdnet.com)

An anonymous reader writes: IT staff at multiple hospitals have been forced to stop all routine and net new operations and perform an all-hands-on-deck emergency malware control effort in the last several weeks. The latest instance of this can be seen at MedStar Hospital. From a ZDNet report, "Malware has infected the computer network of MedStar Health, forcing the healthcare provider to shut down large portions of its electronic operations. A statement by the health system said that all facilities remain open, and that there was 'no evidence of compromised information.' The not-for-profit healthcare system operates ten hospitals across the Washington and Baltimore region, with more than a hundred outpatient health facilities. According to the system's website, it has more than 31,000 employees and serves hundreds of thousands of patients annually." This outbreak appears to be fairly widespread and not limited to the single story listed. A similar story appeared on Slashdot several weeks ago and a quick search on Google provides multiple hits that indicate that this type of incident is much more commonplace than I would have believed. Hospitals provide round-the-clock service to patients and many of these services are critical to the health of the hospital clients. Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents. IT analysts predicted that 2015 would be the year that hospitals became targets for hackers. It appears that 2015 was just the first wave of the potential storm coming that is headed directly towards our healthcare IT infrastructure. How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

1 of 96 comments

  1. Re:Have many more times does... by Anonymous Coward · Score: 3, Informative

    Just a few years ago I worked as a DBA/Unix Admin at a hospital for almost 2 years. Most hospitals appear to use EMR software produced by three different companies: Epic Systems, McKesson, and Cerner. The hospital I worked at used McKesson. This software package was installed there just a few years ago, but uses technology that was state of the art back when Clinton was president; we're talking fat-client installs with direct connections to the SQL database. I can actually remember running SQL traces that would capture " *= " in them (which is an old-school way of doing an OUTER JOIN, which Microsoft quit supporting after SQL 2000).

    I can't speak for Epic, but I know many nurses that have to use it at various hospitals, and I haven't met a single one that speaks favorably of it.

    All of these packages I've talked about are Windows based, so unless a hospital were to develop their own stuff (using Linux or whatever), their hands are somewhat tied. From what I've been told, the cause of the big technology gap is the CDC and AMA approval process; by the time a new piece of software passes through certification, it's already outdated.

    *Posting anonymously to avoid any type of litigation.