Virus Hits MedStar Health Hospital Network (zdnet.com)

← Back to Stories (view on slashdot.org)

Virus Hits MedStar Health Hospital Network (zdnet.com)

Posted by msmash on Tuesday March 29, 2016 @07:40AM from the growing-trend dept.

An anonymous reader writes: IT staff at multiple hospitals have been forced to stop all routine and net new operations and perform an all hands on deck emergency malware control effort in the last several weeks. The latest instance of this can be seen at MedStar Hospital. From a ZDNet report, "Malware has infected the computer network of MedStar Health, forcing the healthcare provider to shut down large portions of its electronic operations. A statement by the health system said that all facilities remain open, and that there was "no evidence of compromised information." The not-for-profit healthcare system operates ten hospitals across the Washington and Baltimore region, with more than a hundred outpatient health facilities. According to the system's website, it has more than 31,000 employees and serves hundreds of thousands of patients annually." This outbreak appears to be fairly widespread and not limited to the single story listed. A similar story appeared on Slashdot several weeks ago and a quick search on Google provides multiple hits that indicate that this type of incident is much more commonplace than I would have believed. Hospitals provide round the clock service to patients and many of these services are critical to the health of the hospital clients. Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents. IT analysts predicted that 2015 would be the year that hospitals became targets for hackers. It appears that 2015 was just the first wave of the potential storm coming that is headed directly towards our healthcare IT infrastructure. How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

62 of 96 comments (clear)

Min score:

Reason:

Sort:

Sounds like a job for by fredrated · 2016-03-29 07:44 · Score: 1

appropriately aimed cruse missiles.
1. Re:Sounds like a job for by sittingnut · 2016-03-29 08:14 · Score: 1
  
  cruse missiles aimed at who?
  or are you advocating yet another shoot first ask questions later strategy.
  as in many usa foreign policy disasters and defeats.
2. Re:Sounds like a job for by myowntrueself · 2016-03-29 08:30 · Score: 1
  
  cruse missiles aimed at who?
  or are you advocating yet another shoot first ask questions later strategy.
  as in many usa foreign policy disasters and defeats.
  I think the idea is to just nuke everything that isn't the USA...
  
  --
  In the free world the media isn't government run; the government is media run.
3. Re:Sounds like a job for by desdinova+216 · 2016-03-29 09:54 · Score: 1
  
  from orbit? it's the only way to be sure.
4. Re:Sounds like a job for by bev_tech_rob · 2016-03-30 01:51 · Score: 1
  
  cruse missiles aimed at who?
  or are you advocating yet another shoot first ask questions later strategy.
  as in many usa foreign policy disasters and defeats.
  Has worked for us in the past ;) IMO, a visit by Seal Team 6 with a road trip to Gitmo included would be nice.
  
  --
  You're messin' with my Zen Thing, man.....
Sorry I'm AC, but this is very relevant. by Anonymous Coward · 2016-03-29 08:03 · Score: 4, Insightful

I worked (as a sys admin / tech support) for both the University Hospitals Health Systems and the Cleveland Clinic (Cleveland.) I'd estimate that about 65%+ of the really expensive machines had some type of malware that the doctors actively ignored because they were under strict orders not to update machines or it would 'invalidate the warranty from the manufacturer.' Some of those machines literally cost millions of dollars. It was well understood that they were infected, but it was explained to me that I was not allowed to remove the malware or update the machine to prevent further infection or spread of infection "because, if the machine stops working, the manufacturer will refuse to support it and it'll become a 6 million dollar paper weight"- I imagine most hospitals have some similar silliness going on.
1. Re:Sorry I'm AC, but this is very relevant. by Anonymous Coward · 2016-03-29 08:24 · Score: 4, Insightful
  
  Correct, sir.
  I worked IT in a hospital system for 9 years (one that works with Cleveland Clinic every now and again, as a matter of fact). A lot of XP still deployed. Some Windows2000 deployed still. A lot of old unix-style systems from 1980s that have never been upgraded. A lot of servers without RAID controllers (single disk) that are running life and death systems. This isn't necessarily by choice. You're at the mercy of the vendor and FDA a lot of the time. These vendors... McKesson comes immediately to mind, will SELL you 7-8 year old obsolete junk as a brand new solution if you buy a system / software / widget from them. That's all they sell and it's what they support. You want the McKesson PACS system? Great! Here's your old HP DL380 Gen4 server with Windows2000 SP2, because it's what we "certify," for the low low price of $19,000 for said server. It gets worse when you have systems critical enough that the FDA gets involved in (expect to see a lot of 3.5" floppy disks).
  Same goes for some of the major medical equipment. You bought that multi-million dollar, state of the art CT scanner, but GE is going to give you a crap workstation probably running WindowsNT. God forbid you try to upgrade it, or apply Windows updates, or put antivirus on it... they'll cancel your service contract before you can click the mouse then rat you out to the FDA for messing with it. I can't tell you how many systems we were FORBIDDEN from 1) applying patches and 2) running antivirus on.
  Now before you start with the smartass Windows vs Linux comments... let's reiterate that you get what the vendor gives you. This isn't a personal gaming and coding rig. You're talking about PCs for medical equipment that is specialized, only a handful of vendors make, and the FDA is breathing down their and your neck over it. You don't get the option of "oh I'm just going to migrate it to Ubuntu"
2. Re:Sorry I'm AC, but this is very relevant. by __aaclcg7560 · 2016-03-29 08:45 · Score: 1
  
  I'd estimate that about 65%+ of the really expensive machines had some type of malware that the doctors actively ignored because they were under strict orders not to update machines or it would 'invalidate the warranty from the manufacturer.'
  These medical devices are on a separate network VLAN, has no direct access to the Internet, and have a dedicated IT support team? If not, your hospital is doing it wrong.
3. Re:Sorry I'm AC, but this is very relevant. by Archangel+Michael · 2016-03-29 08:52 · Score: 1
  
  Here's the deal, if you're going to blame the FDA for this, you're gonna stir some serious shit up.
  1) FDA is that way, because it is Government. (queue the "I'd rather have old busted FDA than Somalia" counter arguments)
  2) This is the same FDA that said Walnuts growers couldn't use Factual Information on their products, because only Drugs can make those claims
  3) FDA won't even STUDY cannabis for medicinal use because ... well big Pharma can't handle the competition
  FDA has indemnified the makers from lawsuits due to failures with such protections. Which is huge deal, and why you CANNOT mess with them at all, even to install antivirus.. The problem is the FDA. It takes years to bring new devices to market, and the FDA doesn't care if they work or not, just that they go through the process. There are PLENTY of examples of FDA approved devices that just plain suck.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
4. Re:Sorry I'm AC, but this is very relevant. by Bugler412 · 2016-03-29 08:57 · Score: 1
  
  So very true, and no they typically don't isolate them network wise, or at least not the extent necessary for safety. Hospitals and health care in general is where I've witnessed some of the absolute worst IT practices of my 25 year career, topping this list is entrenched legacy systems like what you mention, and management that refuses to press the vendors for proper software maintenance, thinking that it's somehow unnecessary. The industry use of unmaintained embedded software (doesn't matter what OS) is the largest vulnerability of all. This will be a quaint preview of what will happen with the Internet of Things too.
5. Re:Sorry I'm AC, but this is very relevant. by ColdWetDog · 2016-03-29 11:32 · Score: 1
  
  Sorry guy, GE CTs run Linux. Just watch the boot screen.
  
  --
  Faster! Faster! Faster would be better!
6. Re:Sorry I'm AC, but this is very relevant. by tnk1 · 2016-03-29 13:01 · Score: 1
  
  Realistically, the devices probably run whatever was reasonably current when the actual device was designed and tested. They're not *trying* to run old shit, they just don't want to re-certify every time they make a change to the system. Certification with the .gov is expensive and time consuming, which I know from first hand experience, and medical certification is even worse.
  On this board, it is important to us that people take IT security reasonably seriously. To medical equipment makers, that's second fiddle to being able to make a device that works at its primary task which can then make it through certification and eventually make back the cash they dumped into designing it and pushing it through the process.
  Someone like the FDA is going to have to force them to care about malware protection, mostly because it is the FDA that is making it such a pain in the ass to get this stuff certified to begin with. They're the long pole in the tent, so unless the FDA cares about it, everything else is less than important.
7. Re:Sorry I'm AC, but this is very relevant. by Archangel+Michael · 2016-03-30 02:57 · Score: 1
  
  All of what you said may be true. However it hasn't stopped fake research, it just makes it harder. Plenty of drugs that turned out to be awful passed FDA muster.
  And if you see what the FDA did for Walnuts, you'll know that it doesn't just test "drugs", it defines what constitutes a drug, to the point where making factual claims on a nut makes it a "drug" by FDA rules, and thus "illegal" because ... it hasn't passed FDA approval for said claims. In other words, facts don't matter, only rules matter. Which is the whole point of my post.
  Natural products may NOT claim things that only drugs can claim. Thus eating right cannot prevent diseases (never mind Scurvy is preventable by eating citrus, certain eye diseases by eating certain vegetables etc). Foods cannot make those claims under FDA rules.
  All of that is not negated by your points. Which makes your points either misleading and/or not completely accurate. But here is the key phrase from the FDA quote you used ...
  
  Before conducting testing in humans of a drug that has not been approved by the FDA
  Walnuts are not drugs. But making claims that ONLY drugs can make, (Omega 3 vs heart disease) that walnuts can HELP PREVENT disease, puts the walnuts into the realm of a "drug" and thus, would need testing by the FDA to be able to make sure it is safe and effective before they can make that claim (regardless of the actual facts!) . Until you realize that it is the definition of "drug" that the FDA controls, you're gonna keep missing the point.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
8. Re:Sorry I'm AC, but this is very relevant. by Archangel+Michael · 2016-03-30 03:00 · Score: 1
  
  You inadvertently made my point. Thanks. Cannibis is not Cannabinoid byproduct being developed. My guess, is that they will genetically engineer something that can mass produce the Cannibinoid and that is what is actually going to be protected. See Monsanto for further references.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
9. Re:Sorry I'm AC, but this is very relevant. by PIBM · 2016-03-30 03:40 · Score: 1
  
  Doctors time is limited; do you want them to have to walk up to every machine and look at the results ? Or move back in time and print low resolution fixed contrast scans that have to be moved by someone so the doctor can have a look ? It would be nice though if a little arduino could be put in front of those machine, receiving serial data on the USB line and sending to a network server acting as a dispatch using a network shield, with SPIEN=1. Cost, with a box, 25$
Re:Have many more times does... by Anonymous Coward · 2016-03-29 08:12 · Score: 1

Having worked there in the past I can assure you that most of their UNIX/Linux box are compromised in some fashion or another.
seems obvious by Gravis+Zero · 2016-03-29 08:15 · Score: 2, Insightful

How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?
STOP USING WINDOWS!

--
Anons need not reply. Questions end with a question mark.
1. Re:seems obvious by AlphaBro · 2016-03-29 08:27 · Score: 1
  
  Take some time to familiarize yourself with the economy of malware. This is not an operating system problem.
2. Re:seems obvious by khasim · 2016-03-29 08:43 · Score: 2
  
  STOP USING WINDOWS!
  Probably not an option. Since the OS decision is usually based upon what what software will be running on it.
  But how can the "guard themselves against these attacks"? Maybe they can't. But first try recognizing the means by which machines get infected. Can those be blocked? Limited?
  Secondly, backups. Lots of backups. And testing of the backups. Even if you are infected, you should be able to recover from backups.
  Third, SEGMENT YOUR NETWORK. Machines that can access CRITICAL SYSTEMS should not be connecting to the Internet. If someone outside the office needs access then give them a Citrix session or equivalent.
  Finally, monitor your network for things like this. Know what the normal traffic is and look for the abnormal instances. It takes a lot of time to encrypt a lot of files.
3. Re:seems obvious by Gravis+Zero · 2016-03-29 09:03 · Score: 2, Insightful
  
  Take some time to familiarize yourself with the economy of malware. This is not an operating system problem.
  security is about reducing risk and windows is the highest risk operating system by a HUGE margin. it's not the entire solution but it is most of it.
  
  --
  Anons need not reply. Questions end with a question mark.
4. Re:seems obvious by Gravis+Zero · 2016-03-29 09:06 · Score: 1
  
  Probably not an option. Since the OS decision is usually based upon what what software will be running on it.
  which is why management should talk to security people BEFORE buying any software/hardware. just because you are fucked now, doesn't mean the solution has changed.
  
  --
  Anons need not reply. Questions end with a question mark.
5. Re:seems obvious by lgw · 2016-03-29 11:12 · Score: 1
  
  windows is the highest risk operating system by a HUGE margin.
  
  It isn't Win95 any more. The Windows kernel is no more or less vulnerable than anything else commonly used. Windows users may have bad habits in terms of volunteering to install malware, but that doesn't apply to kiosk-style workstations attached to equipment.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
6. Re:seems obvious by AlphaBro · 2016-03-29 11:33 · Score: 1
  
  Nope, the issues we're facing have virtually nothing to do with platform. Move to different operating systems and the APTs will follow. In fact, they already are. Arguments that other operating systems will provide adequate security in the meantime amount to little more than security through obscurity, which is widely accepted as an anti-pattern. Until we address the underlying issues, nothing will change for the better, regardless of OS used. Quite the opposite, I assure you.
7. Re:seems obvious by AlphaBro · 2016-03-29 11:48 · Score: 1
  
  Having personally discovered and exploited vulnerabilities in FOSS medical software, I can tell you that your "solution" isn't one.
8. Re:seems obvious by Gravis+Zero · 2016-03-29 19:37 · Score: 1
  
  who said anything about FOSS? also, they didn't attack the medical software, they attacked the operating system.
  so tell me, what is this alleged FOSS medical software that you exploited and how did you do it? kinda sounds like you a full of shit.
  
  --
  Anons need not reply. Questions end with a question mark.
9. Re:seems obvious by AlphaBro · 2016-03-29 20:49 · Score: 1
  
  Generally, when people suggest using an alternative to Windows they are alluding to FOSS alternatives. It doesn't matter though, because it's highly unlikely the attackers actually exploited an operating system zero-day to compromise the systems affected. That's not how this sort of thing works, you see; a zero-day in a modern operating system is worth far more than can be had with a few ransoms. And to be clear, persistence in an already compromised system isn't really part of the "attack", excluding stuff like local EoP of course. Given that this account is largely for shitting all over /., I think I will abstain from providing details that could easily be used to track down my real identity. Rest assured I've contributed plenty of security fixes to software you probably use on a daily basis.
10. Re:seems obvious by Gravis+Zero · 2016-03-29 21:48 · Score: 1
  
  I will abstain from providing details that could easily be used to track down my real identity. Rest assured I've contributed plenty of security fixes to software you probably use on a daily basis.
  LOL. you are so full of shit. well done.
  
  --
  Anons need not reply. Questions end with a question mark.
11. Re:seems obvious by AlphaBro · 2016-03-30 07:41 · Score: 1
  
  Not at all. If you look at my post history, it's quite clear I'm a security researcher. What you think doesn't matter, though. I'll keep you safe regardless, end user.
12. Re:seems obvious by EndlessNameless · 2016-04-01 01:35 · Score: 1
  
  When the imaging system vendor only supplies and supports Windows 2000 or XP workstations in 2016, you're looking at a serious problem.
  The problem is Windows, specifically the obsolete and unsupported versions of Windows that the equipment manufacturers force the hospitals to use.
  And inadequate isolation of these vulnerable hosts.
  
  --
  
  ---
  According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
even GPs say prevention better than cure by ihtoit · 2016-03-29 08:15 · Score: 1, Insightful

...except in the case of IT infrastructure, where a broken PC keeps a sysadmin in work.
I disagree with this, however.
Systems made essential by feature-request-creep from the hospital administrators should have ZERO downtime. Or close as dammit. Preventative measures are therefore essential. Strict user policy, coupled with strict sanction and for fuck's sake, live failback to paper and pencil! Yes, I've been in situations where failure is NOT an option. Measures should be enforced to PREVENT failures whether internal or externalised. So, here it is:
Hospital data network should have per-user access policy on the internal network only. Otherwise it should be airgapped. NO external access should be possible. If that means ensuring that not a single wireless connection exists on the network, then so be it. I have seen one such example where this policy isn't followed to this day and I've told them again and again that their network is vulnerable: Nottingham City NHS Trust has OPEN Wi-Fi through their aministration network! Find the right network share and you have access to the ENTIRE NHS database.

--
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
1. Re:even GPs say prevention better than cure by tnk1 · 2016-03-29 13:30 · Score: 1
  
  Those good ideas you suggest are not certified for medical or mission critical activities. Therefore they will not be used.
  It could be certified, but it will take about five years to get through the process and cost probably about a million dollars to do it before they could even sell a single unit to a hospital.
  And if it's free, that's much worse. Then there is no one who will be able to pay for the certification process.
  This is medicine and the process must be followed as long as it fucks you over for less than a malpractice suit or regulatory inquiry would.
  Note that the OS for this equipment often *is* supported, but through a special deal with the equipment manufacturer, so this solution also falls into the same situation as the anti-virus scan would. You need to be running their image on their hardware or your equipment is now unsupported and if it fails, it is now a multi-million dollar brick because you won't be able to fix it.
2. Re:even GPs say prevention better than cure by ihtoit · 2016-03-30 01:57 · Score: 1
  
  they are probably glad I haven't because I would be the bitch sysadmin from Hell. When it comes to information security I. Do. Not. Compromise. Period. The High Court in London learned that the hard way when some dink of a paper pusher demanded my client file and I told her to get fucked.
  
  --
  Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
3. Re:even GPs say prevention better than cure by ihtoit · 2016-03-30 02:00 · Score: 1
  
  someone please mod #51803685 up, he makes a good point. Although, in this country when a doctor walks from a hospital he doesn't get to take his patients with him, those who are left get to take up the slack. That will soon no longer be the case as the NHS is sold piecemeal to the private sector.
  
  --
  Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
Airgap by Doke · 2016-03-29 08:20 · Score: 1

Airgap seems like an excellent place to start. Date does need to come in and out, but you could limit it to usb drives that are virus scanned before being reconnected to the internal network. It would be a nusance, but less so than these infections.
1. Re:Airgap by AlphaBro · 2016-03-29 08:25 · Score: 2
  
  AV? That's adorable.
2. Re:Airgap by frank_adrian314159 · 2016-03-29 09:56 · Score: 1
  
  How do the charges that the patient is racking up get sent to the insurance company? You think hand billing is an option? What about lab reports from external labs? Consulting reports from a consulting physician? Reports to/downloads from governmental registries (immunization, etc.)? Or do you expect all of this (and more) to be hand transferred?
  Have you ever seen what goes into (and comes out of) a modern EMR system?
  
  --
  That is all.
3. Re:Airgap by msauve · 2016-03-29 10:20 · Score: 1
  
  "Have you ever seen what goes into (and comes out of) a modern EMR system?"
  
  Anyone who's ever dealt with healthcare insurance has. It epitomizes GIGO. And yes, healthcare was much less expensive when it was done by hand.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
4. Re:Airgap by tnk1 · 2016-03-29 13:05 · Score: 1
  
  It was much less expensive when it was done by hand, but it doesn't scale.
5. Re:Airgap by msauve · 2016-03-29 14:14 · Score: 1
  
  LOL. Never heard of "economy of scale," have you?
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
6. Re:Airgap by Doke · 2016-03-30 03:42 · Score: 1
  
  I expect them to spend $2000 on a set of 4TB external usb hard drives, and have three employees (one per shift) rotate them between three systems: inside, AV, and outside. That's going to be orders of magnitude cheaper than cleaning up after these infections, or getting layer 7 firewalls for everything. It will require some coding to automate all the transfers, but it's worth it.
  Some employees will need two desktops, inside and outside.
7. Re:Airgap by EndlessNameless · 2016-03-30 10:04 · Score: 1
  
  And what happens in the case of billing issues, which are, by the way, quite frequent? If you have to go back and forth with BC/BS 10 times to get a claim approved for payment, what happens when you can only transfer the necessary files once a day?
  Everyone thinks air gapping is a magic bullet. And it is never practical.
  A hardened gateway device sitting between the two networks might work though. Most importantly, it won't run an obsolete operating system with a plethora of public vulnerabilities nor does it require FDA certification when modified.
  You could imagine something which accepts only well-formed and authorized requests in a standard format, exposes no other service, and then communicates to the medical equipment on the other side in whatever manner those devices require. But then you'd need to actually build that device because it doesn't exist right now.
  
  --
  
  ---
  According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Re:Have many more times does... by Anonymous Coward · 2016-03-29 08:20 · Score: 3, Informative

Just a few years ago I worked as a DBA/Unix Admin at a hospital for almost 2 years. Most hospitals appear to use EMR software produced by three different companies: Epic Systems, McKesson, and Cerner. The hospital I worked at used McKesson. This software package was installed there just a few years ago, but uses technology that was state of the art back when Clinton was president; we're talking fat-client installs with direct connections to the SQL database. I can actually remember running SQL traces that would capture " *= " in them (which is a old-school way of doing an OUTER JOIN, which Microsoft quit supporting after SQL 2000).
I can't speak for Epic, but I know many nurses that have to use it at various hospitals, and I haven't met a single one that speaks favorably of it.
All of these packages I've talked about are Windows based, so unless a hospital were to develop their own stuff (using Linux or whatever), their hands are somewhat tied. From what I've told, the cause of the big technology gap is the CDC and AMA approval process; by the time a new piece of software passes through certification, it's already out-dated.
*Posting anonymously to avoid any type of litigation.
Please summarize... by xxxJonBoyxxx · 2016-03-29 08:22 · Score: 1

...this poorly written wall of text. At first glance this looks like an India-sourced whitepaper.

"Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents."

Er...what?
Don't run it by Anonymous Coward · 2016-03-29 08:32 · Score: 1

How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?
Don't run malware. It is easier and cheaper to abstain from running malware, than it is go ahead and run it. Show me someone who has malware, and I'll show you someone who went to a lot of extra trouble to make that happen. You simply have to stop going to all that extra trouble.
Secure systems? by NetNinja · 2016-03-29 08:38 · Score: 1

Hospital systems should be segmented and isolated between networks. I bet you 10 million bucks that everything is sitting on a flat network.
Grats and good luck.
Bet you they haven't disabled USB access.
Re: Have many more times does... by Anonymous Coward · 2016-03-29 08:49 · Score: 1

As long as Microsoft keeps paying kickbacks, they'll keep getting exclusive contracts with government entities. With the contract we have with Microsoft at my hospital, we have to buy a copy of Windows Server for every server even if they don't run Windows.
Re:Let me think... by acoustix · 2016-03-29 08:55 · Score: 2

Separate networks are definitely key. But how many organizations actually practice it? And if they do, are they doing it correctly? For example, are the network access points secured? Do they only allow certain MAC addresses on certain switchports?
This is where technology like Cisco ISE (I'm only a customer, not a vendor - and I don't have this product yet) would help reduce the attack surface for different areas of the network.

--
"A plan fiendishly clever in its intricacies"- Homer Simpson
Ask a... by frank_adrian314159 · 2016-03-29 08:57 · Score: 1

How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?
They will have little choice but to devise systems that pay little attention to these "operating concerns" lest those concerns become non-operating concerns.

--
That is all.
Re:Let me think... by Archangel+Michael · 2016-03-29 08:58 · Score: 1

They could start using Virtual Desktops, which when properly implemented would reduce exposure to such things in the first place.

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Re:Uh oh by Archangel+Michael · 2016-03-29 09:00 · Score: 1

I wonder if Ransomware could infect Google Docs on a Google Drive.

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Which EHR? by normanjd · 2016-03-29 09:47 · Score: 1

Anyone know for sure the EHR sfotware they are using? A quick Google search seems to say they were switching to Cerner a couple years ago, but would like conformation...
Re:Have many more times does... by ColdWetDog · 2016-03-29 11:29 · Score: 2

All of these packages I've talked about are Windows based, so unless a hospital were to develop their own stuff (using Linux or whatever), their hands are somewhat tied. From what I've told, the cause of the big technology gap is the CDC and AMA approval process; by the time a new piece of software passes through certification, it's already out-dated.
Yes, all the EMR vendors use Windows so we're stuck there, but no, the CDC and the AMA do not approve software. CMS (Centers for Medicaid and Medicare Security (???)) gives guidelines about how to go about looking for certified EHRs. A quasi governmental body called CCHIT used to certify EHRs but they've given up on that.
And there is no real 'technology gap' in modern EHRs. They are large, complicated programs so, like other large, complicated programs they tend to be conservative in how they are constructed and they are, of course, a bit of a kludge. But they run on modern hardware, use modern databases and have pretty good performance if they are set up right.
They are giant pains-in-the-ass as far as clinical staff is concerned but that is because the Powers That Be have decided it's OK for highly paid, busy professionals to be secretaries and data entry clerks. Until we get over that paradigm, this won't change much.

--
Faster! Faster! Faster would be better!
Re:ah yes, the machine that goes "PING!" by tnk1 · 2016-03-29 12:52 · Score: 1

Why do you blame the doctors for that?
It's not the doc's fault that the company will not support something if you screw with it. I mean, sure, they can invalidate the warranty, and then who is going to fix it when it breaks?
I'm guessing you don't work with this stuff very often or you'd know that you don't screw with something that invalidates your warranty on equipment that costs millions to replace. The doctors don't have a plethora of products to choose from where they can simply pick one that is a little more expensive, but has malware protection.
The actual problem is that the manufacturers for these devices are not in any way incentivized for securing their devices against malware attacks. Their device only needs to do what it's primary function is because there's no other serious competition. You can't go buy this shit at Walmart, you know. You get to pick product #1 which isn't protected from malware or product #2 which isn't protected from malware either.
Re:User error by aXis100 · 2016-03-29 13:06 · Score: 2

These days you can buy individual 2 port firewall modules, often designed for industrial equipment but would be equally suited to medical devices. Every single device can have a firewall in front of it an only allow specific ingress AND egress traffic.
It's really not difficult to fix.
Re:Let me think... by tnk1 · 2016-03-29 13:16 · Score: 1

It seems easy conceptually, but these threats have crept up on a sector where the product approval cycle is measured in years or even decades. They have old equipment and facilities that were meant for medicine first, and IT a very distant second (or third). And if IT security was an afterthought in the products they selected, they're not going to be able to turn them around fast.
Hell, even re-doing the network could be a multi-million dollar project so they can update routers, add more physical wiring and ports, and re-deploy equipment to create air gaps where they never had them before. They're not working with a green field. These are working hospitals that complicate the hell out of trying to redesign networks. They're not going to spend that money or time unless someone makes them. Perhaps someone is about to make them do that. Or perhaps not.
Re:Another disturbing cloud reality by tnk1 · 2016-03-29 13:41 · Score: 1

For once, this has nothing to do with Cloud security. These folks got owned all by themselves on their own network.
They might have actually been more secure in the Cloud. Which is not meant to be a ringing endorsement of Cloud security, but Hospitals are notoriously insecure and their IT is run on a shoestring.
Just because you have your data on-site, doesn't make you safer. If you're a screw-up, or you aren't taking security seriously, it is entirely possible for your security to be worse than any Cloud provider.
Re:We put too much faith in technology by tnk1 · 2016-03-29 13:45 · Score: 1

I doubt that they are ignoring security, they just aren't either prioritizing it highly enough, or they don't have the resources to do so.
IT security is overhead. You need it, but it is all expense. This is not a job where all you have to do is just do it. You need to show very clearly why the expense is needed and security is one of those things that seems like a jobs program... until you're hacked, and then its too late.
Re:Solution by tnk1 · 2016-03-29 13:48 · Score: 1

Let's be clear, computers open new dangers, but a lot of our current medical capabilities and even billing and records keeping actually relies on the capability.
This isn't something that hospitals are doing because they love whiz-bang gadgets. Going back to paper is not a solution.
Hospitals invest in security? by khz6955 · 2016-03-29 18:38 · Score: 1

"Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents."

That would be news to me that Hospitals invest in security. If so then how do they keep getting hit. And would this MedStar Health malware be a Windows executable that only runs on Microsoft Windows.
Re:Let me think... by bev_tech_rob · 2016-03-30 04:54 · Score: 1

"How can hospitals guard themselves against these attacks"
They could, as a start, keep the medical (patient records, diagnostic, monitoring, etc.) networks segregated from each other, and especially from the Internet. But that would prevent staff from checking the Bookface, so it wouldn't go over well.
You enforce blocking of "Bookface" since it is non-work related. You try to access site and you get
"URL Prohibited
Access to this website has been prohibited due to possible concerns over its safety, reputation, or due to company policy.
Event Details:
URL: https://www.facebook.com/
Category: Social Networking
Policy: Extended Access
If you have a business reason for accessing this website, please click the link below and submit the form to be routed for approval
We do that in my organization and works pretty well....

--
You're messin' with my Zen Thing, man.....
Re:User error by rthille · 2016-03-30 05:14 · Score: 1

I'd guess the cost of one of those (something like a RPi) would be ~$20 each.
And the cost of a medically certified one would be ~$2000 each.

--
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Re:ah yes, the machine that goes "PING!" by EndlessNameless · 2016-03-30 09:51 · Score: 1

Already broken? Maybe. But as long as the medical function is not impaired, it will still fulfill its primary purpose. And changing the software can trigger an expensive recertification process.
Plus, when every choice is broken, what do you do? Just toss all the machines? Diagnose patients without MRIs and ultrasounds? The doctors and medical directors don't really have many options.
Hospital IT should setup these devices with network ACLs that permit only the barest minimum communication required for the device to work. Figuring that out takes time and effort, so lazy IT might not push management---or management may balk at the cost and tradeoffs.
With many of the management servers and workstations running severely outdated operating systems, the only secure option is total isolation from internet-connected business systems. Isolating equipment requires effort from other people though---in particular, the users who need to move data to or from that device.
Between poor vendor support and the requirement to digitally manage and exchange medical records, hospitals are between a rock and a hard place. I would like to see the FDA impose device security requirements, as that is the only way to force the vendors' hands.

--

---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.