Computer Viruses Are "Rampant" on Medical Devices in Hospitals

Discussion in 'malware problems & news' started by ronjor, Oct 17, 2012.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices/
     
  2. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    OK, unpatched OSes are bad, but why are those "life saving computers" connected to the internet? This only means the IT staff sucks, not the OS itself.
     
  3. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343

    Yeah. There's also this paragraph:

    So basically government regulations stop them from securing their machines. Typical government BS regulations.

    It looks like they are stuck with Windows because their specialized medical software needs it (because these companies that develop such software are idiots). So moving to something better is not an option.

    However, as you said, they could simply disconnect such critical systems from the Internet completely, but most network IT people are too stupid to consider the downsides of connecting heart monitoring machines to the LAN -- the same LAN that Nurse Jones is using IE6 to surf Facebook in the cubicle next door.

    It's just amazing that in 2012 people still have not learned to air-gap critical systems. I mean this has been the recommended practice since the 80's.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Imagine if they took those devices offline and realized they needed to turn it off in a patient or update it somehow. They'd have to perform surgery. Leaving it connected is the only option that allows tweaking and changing the system without cutting someone open every time.

    The issue is that they make it too widely accessible - they should only allow specific connections from specific devices.
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I don't think they are talking about pacemakers here. I think they are talking about monitoring machines like heart and oxygen monitors (you know the computer screen by the bed that shows your heart rate, EKG reading, etc). These machines run Windows. A pacemaker or some other implanted electronic device does not have the space or the need to run a full OS like Windows.

    There was a news story a number of years back that mentioned how someone figured out how to remotely tamper with a pacemaker. However, that was done via a wireless connection in the local vicinity, not over the Internet.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Ah, true. Yeah, I was thinking of the article where they messed with them.
     
  7. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I knew this was an issue, and a largely ignored one. The black humor side of me can't help but nervously chuckle about BSODs on ventilators and "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us." coming up on anesthesia machines.
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  9. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Speak of the devil. I just saw an article published yesterday about a new pacemaker hack. He can deliver an 830 volt shock to the pacemaker, which would certainly kill the patient. Ouch. The range is limited to about 50 feet away though.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Stands to logic. Hospitals are among the most infected and contagious places in the world, so it's only fair that electronic devices used in these hospitals also be infected.
    Mrk
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,046
    Location:
    USA
    IT staff definitely sucks. Plus, to my understanding any important medical devices should not be running Windows, mostly for the reason that there are OSes with better uptime.
     
  12. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    It's not that these devices are connected to the Internet, they aren't. They are however connected to the internal networks of hospitals and it is these networks that are connected to the Internet and expose these devices to trouble. Someone brings in an infected mobile device (which is one of a few good reasons not to expect tablets to "take over" since any brought into a company and hooked up to the main network is an IT nightmare waiting to happen) or a laptop and plugs into the network, you've got yourself a problem. The network could also be hacked and brought down, bringing many of those devices with it. To make matters worse, as may have been mentioned already, most often staff cannot change or modify anything in these devices. Not even to secure them.

    Device vendors are more worried about running afoul of the FDA than making certain these devices can't be tampered with. It's not just an "IT sucks" problem or an OS problem, it's a regulatory problem.
     
  13. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    It doesn't matter. No PC from that network should be allowed to connect to the Internet except where needed. Blacklist everything, whitelist only what's needed. No Facebook, no Yahoo Mail, Gmail, no USB device from home, no anything.
     
  14. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    You'd either run through these places knocking desks over like Jesus in the temple or sit on the floor and cry if you saw a lot of what goes on on these systems. All of the above things you mentioned are used and more. I've seen people watching movies, playing games online and bringing in mobile devices from God knows where. People will be people regardless if they're smack dab in the middle of Area 51 or running back and forth to patient rooms to change Depends at your local hospital.
     
  15. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    If they wouldn't let me solve the problems I sure wouldn't bother to get the job. What's the point of having a job where you just sit and watch the hours passing by? And when the problems arrive they all blame you.

    Personally, I don't understand why, when they decided to introduce this technology called internet, they didn't deploy 2 networks, one for these "life saving devices" and another one for all the people to have fun while in hospital.
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    You mean in 1970, when the DoD considered how they can maintain network connectivity between their sites in the case of a nuclear attack, why they didn't conceive a more trusted framework :)
    Mrk
     
  17. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    I highly doubt someone is still using 40-year-old networks today.
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    You are using networks designed in 1948.
    Read Shannon's work on theory of communication, Bell Labs - free download.
    And then you will feel humbled.
    Mrk
     
  19. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    The poster probably meant networks as in the previously discussed internal hospital networks. Though in furthering that discussion, many still use Windows 95, which is 17 years old..and old enough. All that being said, yes you're right. If you use the Internet in any capacity, you're logging into a system that was long in existence before the "WWW" was thought of. So yes, there are 40 year old networks being used and with every major breach we're reminded why it might be time to consider giving the whole thing a makeover.
     
  20. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  21. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Yeap...that's the story and even worse...

    I've seen that situation every day
    when I used to service Major Hospital accounts...
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    You don't want to know how the situation is in less developed nations.....the good thing is that not a lot of hospitals monitor using PCs, but those that do....let's just say the PC is so horribly slowed down that occasional freezes means you miss a part of the continuous reading of say an EKG......:eek:
     
  23. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hopefully I won't get seriously ill anytime soon :(
     
  24. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I've been sick in places where they would ask you "What's an EKG?"..you're preaching to the choir here :D
     
  25. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    :) Point taken, my country used to be like that once. Not anymore, I think....at least not in my city.
     