Slashdot Mirror


Virus Hits MedStar Health Hospital Network (zdnet.com)

An anonymous reader writes: IT staff at multiple hospitals have been forced to stop all routine and net new operations and perform an all hands on deck emergency malware control effort in the last several weeks. The latest instance of this can be seen at MedStar Hospital. From a ZDNet report, "Malware has infected the computer network of MedStar Health, forcing the healthcare provider to shut down large portions of its electronic operations. A statement by the health system said that all facilities remain open, and that there was "no evidence of compromised information." The not-for-profit healthcare system operates ten hospitals across the Washington and Baltimore region, with more than a hundred outpatient health facilities. According to the system's website, it has more than 31,000 employees and serves hundreds of thousands of patients annually." This outbreak appears to be fairly widespread and not limited to the single story listed. A similar story appeared on Slashdot several weeks ago and a quick search on Google provides multiple hits that indicate that this type of incident is much more commonplace than I would have believed. Hospitals provide round the clock service to patients and many of these services are critical to the health of the hospital clients. Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents. IT analysts predicted that 2015 would be the year that hospitals became targets for hackers. It appears that 2015 was just the first wave of the potential storm coming that is headed directly towards our healthcare IT infrastructure. How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

10 of 96 comments

  1. Sorry I'm AC, but this is very relevant. by Anonymous Coward · · Score: 4, Insightful

    I worked (as a sys admin / tech support) for both the University Hospitals Health Systems and the Cleveland Clinic (Cleveland.) I'd estimate that about 65%+ of the really expensive machines had some type of malware that the doctors actively ignored because they were under strict orders not to update machines or it would 'invalidate the warranty from the manufacturer.' Some of those machines literally cost millions of dollars. It was well understood that they were infected, but it was explained to me that I was not allowed to remove the malware or update the machine to prevent further infection or spread of infection "because, if the machine stops working, the manufacturer will refuse to support it and it'll become a 6 million dollar paperweight" - I imagine most hospitals have some similar silliness going on.

    1. Re:Sorry I'm AC, but this is very relevant. by Anonymous Coward · · Score: 4, Insightful

      Correct, sir.

      I worked IT in a hospital system for 9 years (one that works with Cleveland Clinic every now and again, as a matter of fact). A lot of XP still deployed. Some Windows 2000 still deployed. A lot of old Unix-style systems from the 1980s that have never been upgraded. A lot of servers without RAID controllers (single disk) that are running life and death systems. This isn't necessarily by choice. You're at the mercy of the vendor and FDA a lot of the time. These vendors... McKesson comes immediately to mind... will SELL you 7-8 year old obsolete junk as a brand new solution if you buy a system / software / widget from them. That's all they sell and it's what they support. You want the McKesson PACS system? Great! Here's your old HP DL380 Gen4 server with Windows 2000 SP2, because it's what we "certify," for the low low price of $19,000 for said server. It gets worse when you have systems critical enough that the FDA gets involved with (expect to see a lot of 3.5" floppy disks).

      Same goes for some of the major medical equipment. You bought that multi-million dollar, state of the art CT scanner, but GE is going to give you a crap workstation probably running Windows NT. God forbid you try to upgrade it, or apply Windows updates, or put antivirus on it... they'll cancel your service contract before you can click the mouse, then rat you out to the FDA for messing with it. I can't tell you how many systems we were FORBIDDEN from 1) applying patches to and 2) running antivirus on.

      Now before you start with the smartass Windows vs Linux comments... let's reiterate that you get what the vendor gives you. This isn't a personal gaming and coding rig. You're talking about PCs for medical equipment that is specialized, that only a handful of vendors make, and the FDA is breathing down their and your neck over it. You don't get the option of "oh, I'm just going to migrate it to Ubuntu."

  2. seems obvious by Gravis+Zero · · Score: 2, Insightful

    How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

    STOP USING WINDOWS!

    --
    Anons need not reply. Questions end with a question mark.

    1. Re:seems obvious by khasim · · Score: 2

      STOP USING WINDOWS!

      Probably not an option, since the OS decision is usually based upon what software will be running on it.

      But how can they "guard themselves against these attacks"? Maybe they can't. But first try recognizing the means by which machines get infected. Can those be blocked? Limited?

      Secondly, backups. Lots of backups. And testing of the backups. Even if you are infected, you should be able to recover from backups.

      Third, SEGMENT YOUR NETWORK. Machines that can access CRITICAL SYSTEMS should not be connecting to the Internet. If someone outside the office needs access then give them a Citrix session or equivalent.

      Finally, monitor your network for things like this. Know what the normal traffic is and look for the abnormal instances. It takes a lot of time to encrypt a lot of files.
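The last suggestion above, as an added example that is not part of the thread: a small Python detector run over constructed file-server audit lines, flagging any host that writes and renames a large number of files inside a short window, the "it takes a lot of time to encrypt a lot of files" footprint khasim points at. The log line format, host names, paths and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log line format (constructed for this example):
# 2016-03-28T09:14:00Z host=<name> op=<READ|WRITE|RENAME> path=<file>
LINE_RE = re.compile(r"^(\S+) host=(\S+) op=(\S+) path=(\S+)$")

def parse(line):
    """Return (timestamp, host, op, path), or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, op, path = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, op, path

def burst_hosts(lines, window=timedelta(seconds=10), threshold=20, rename_share=0.5):
    """Map host -> peak count of WRITE/RENAME ops seen inside one sliding window,
    for hosts that reached `threshold` ops with at least `rename_share` renames
    (bulk overwrite-then-rename is the usual file-encryption footprint)."""
    recent = defaultdict(deque)   # host -> deque of (timestamp, op) in the window
    flagged = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, op, _path = parsed
        if op not in ("WRITE", "RENAME"):
            continue              # reads are normal clinical traffic, ignore them
        q = recent[host]
        q.append((ts, op))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop ops that fell out of the window
        renames = sum(1 for _, o in q if o == "RENAME")
        if len(q) >= threshold and renames / len(q) >= rename_share:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged

def make_sample():
    """Constructed log: a quiet nurse station, and one workstation rewriting
    30 images and renaming each one, all within six seconds."""
    base = datetime(2016, 3, 28, 9, 14, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [f"{base + timedelta(seconds=12 * i):{fmt}} host=nurse-03 op=WRITE path=/share/notes/pt{i}.txt"
             for i in range(5)]
    for i in range(30):
        t = (base + timedelta(milliseconds=200 * i)).strftime(fmt)
        lines.append(f"{t} host=ws-rad-07 op=WRITE path=/share/rad/img{i:03d}.dcm")
        lines.append(f"{t} host=ws-rad-07 op=RENAME path=/share/rad/img{i:03d}.dcm.locked")
    return lines

if __name__ == "__main__":
    print(burst_hosts(make_sample()))   # {'ws-rad-07': 60}
```

The thresholds are deliberately per-host and window-based so a single bulk export or backup job can be tuned out without hiding a machine that suddenly rewrites an entire share.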

    2. Re:seems obvious by Gravis+Zero · · Score: 2, Insightful

      Take some time to familiarize yourself with the economy of malware. This is not an operating system problem.

      Security is about reducing risk, and Windows is the highest risk operating system by a HUGE margin. It's not the entire solution, but it is most of it.

      --
      Anons need not reply. Questions end with a question mark.

  3. Re:Have many more times does... by Anonymous Coward · · Score: 3, Informative

    Just a few years ago I worked as a DBA/Unix Admin at a hospital for almost 2 years. Most hospitals appear to use EMR software produced by three different companies: Epic Systems, McKesson, and Cerner. The hospital I worked at used McKesson. This software package was installed there just a few years ago, but uses technology that was state of the art back when Clinton was president; we're talking fat-client installs with direct connections to the SQL database. I can actually remember running SQL traces that would capture " *= " in them (which is an old-school way of doing an OUTER JOIN, which Microsoft quit supporting after SQL 2000).

    I can't speak for Epic, but I know many nurses that have to use it at various hospitals, and I haven't met a single one that speaks favorably of it.

    All of these packages I've talked about are Windows based, so unless a hospital were to develop their own stuff (using Linux or whatever), their hands are somewhat tied. From what I've been told, the cause of the big technology gap is the CDC and AMA approval process; by the time a new piece of software passes through certification, it's already out-dated.

    *Posting anonymously to avoid any type of litigation.

  4. Re:Airgap by AlphaBro · · Score: 2

    AV? That's adorable.

  5. Re:Let me think... by acoustix · · Score: 2

    Separate networks are definitely key. But how many organizations actually practice it? And if they do, are they doing it correctly? For example, are the network access points secured? Do they only allow certain MAC addresses on certain switchports?

    This is where technology like Cisco ISE (I'm only a customer, not a vendor - and I don't have this product yet) would help reduce the attack surface for different areas of the network.

    --
    "A plan fiendishly clever in its intricacies" - Homer Simpson

  6. Re:Have many more times does... by ColdWetDog · · Score: 2

    All of these packages I've talked about are Windows based, so unless a hospital were to develop their own stuff (using Linux or whatever), their hands are somewhat tied. From what I've been told, the cause of the big technology gap is the CDC and AMA approval process; by the time a new piece of software passes through certification, it's already out-dated.

    Yes, all the EMR vendors use Windows so we're stuck there, but no, the CDC and the AMA do not approve software. CMS (Centers for Medicaid and Medicare Security (???)) gives guidelines about how to go about looking for certified EHRs. A quasi governmental body called CCHIT used to certify EHRs but they've given up on that.

    And there is no real 'technology gap' in modern EHRs. They are large, complicated programs so, like other large, complicated programs they tend to be conservative in how they are constructed and they are, of course, a bit of a kludge. But they run on modern hardware, use modern databases and have pretty good performance if they are set up right.

    They are giant pains-in-the-ass as far as clinical staff is concerned but that is because the Powers That Be have decided it's OK for highly paid, busy professionals to be secretaries and data entry clerks. Until we get over that paradigm, this won't change much.

    --
    Faster! Faster! Faster would be better!

  7. Re:User error by aXis100 · · Score: 2

    These days you can buy individual 2-port firewall modules, often designed for industrial equipment but equally suited to medical devices. Every single device can have a firewall in front of it and only allow specific ingress AND egress traffic.

    It's really not difficult to fix.