Hospital Equipment Infected With Conficker
Posted by timothy on Thu Apr 30, 2009 05:13 PM
from the would-never-happen-with-electronic-medical-records dept.
nandemoari writes "Recently, the Conficker/Downadup worm infected several hundred machines and critical medical equipment in an undisclosed number of US hospitals.
The attacks were not widespread; however, Marcus Sachs, director of the SANS Internet Storm Center, told CNET News that it raises the awareness of what we would do if there were millions of computers infected in hospitals or in critical infrastructure locations.
It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access.
A patch was released by Microsoft last October that fixes the problem, but the computers infected were reportedly too old to be patched."
Related Stories
The Birth and Battle of Conficker 239 comments
NewScientist has an interesting look back at the birth of the Conficker worm and how this sophisticated monster quickly grew to such power and infamy. "Since that flurry of activity in early April, all has been uneasily quiet on the Conficker front. In some senses, that marks a victory for the criminals. The zombie network is now established and being used for its intended purpose: to make money. Through its peer-to-peer capabilities, the worm can be updated on the infected network at any time. It is not an unprecedented situation. There are several other large networks of machines infected with malicious software. Conficker has simply joined the list. The security community will continue to fight them, but as long as the worm remains embedded in any computer there can be no quick fixes."
Well... (Score:5, Funny)
Any lawyers here (Score:5, Interesting)
Re: (Score:3, Informative)
Won't happen. Life-critical devices are embedded systems.
Car analogy (Score:2)
Maybe not, but cars have been removed from the market [wikipedia.org] for similar reasons. Notoriously insecure systems should never be used in hospitals.
Re: (Score:3, Interesting)
Yes, but you would have to prove a fairly strong ("proximate") causal link between the virus and the death. It's not enough to say "Well, the MRI machine was down because the tech was cleaning it and if we had gotten him scanned earlier we'd have seen a huge tumor but instead he died", it would have to be "the MRI machine was infected with the virus and gave us wrong results so we opened his heart for nothing and he died on the table".
See, http://en.wikipedia.org/wiki/Proximate_cause [wikipedia.org]
Eeesh... (Score:2, Funny)
Re: (Score:2, Interesting)
Another reason to choose open source (Score:5, Informative)
I can totally understand why these systems were still running NT or 2000. If it ain't broke, don't fix it, right?
But if it ain't supported anymore, and it's completely closed-source, you literally CAN'T get fixes for vulnerabilities discovered later on. At least with an OSS product, you'd be able to hire a developer to fix the specific vulnerability on the existing system.
Here is why and how (Score:5, Insightful)
1) Vendors of these devices almost across the board disallow local IT admins to put any windows patches on the machines
- this is due to FDA requirements for approval, and the vendor is "covering" themselves
- also, they usually have a list of "qualified updates" that is usually MONTHS behind MS's patch cycle (not surprising given the sheer number and speed of holes that are found)
- usually the vendors claim that THEY will apply patches regularly, in practice, they almost NEVER do
2) Vendors typically disallow these machines to be on the active directory
- this is because they can't stand troubleshooting/supporting issues in their software due to GPO's being pushed down, software management software, etc etc
3) To everyone screaming how idiotic it is that medical devices have Windows on them: you may be a geek, but have clearly never worked in a real enterprise environment. Windows is embedded on so many devices in the world (medical and otherwise) that you would never even know existed. Why? Because it's widely supported, has huge hardware support, and is surprisingly OPEN to developers to hack it into whatever they need it to be. And windows programmers are a dime a dozen.
4) To everyone screaming how idiotic it is that medical devices are connected to the internet getting infected - Do you even know how Conficker spreads? It spreads quite easily across a LAN, attaching to Windows file shares. See MS08-067 for more info. Many of these devices are on a LAN with no DNS (although plenty are on the 'net). Why? Again, because vendors insist that they be connected so they can VPN in and support them (often using LogMeIn, Webex etc).
Re:Here is why and how (Score:5, Interesting)
I don't necessarily "think it's OK". I didn't write an editorial, I just outlined why this is what it is, as it seemed a lot of the commenters were underinformed on what the article is referring to.
Also, as per usual, the media uses sensationalist wording. Most of the "medical devices" in question here are not something attached to your body where you will die if it crashes. Most of what this is referring to are clinical workstations used for doing all sorts of work related to medical care. For example, a workstation that interfaces to some sort of scanner to set up and initiate a scan. Or a workstation that crunches data that comes off some piece of medical hardware. Most devices that physically touch you and control something which can harm a person are coded in hardware, not windows, and have hardware in place to prevent such a thing from harming someone.
Please realize that the FDA must approve ANY piece of hardware that comes in contact with a human and the process is EXTREMELY restrictive and scrutinizing (and expensive). It's actually one gov't institution that I feel really does protect people in a lot of ways.
Re: (Score:3, Informative)
Most devices that physically touch you and control something which can harm a person are coded in hardware, not windows, and have hardware in place to prevent such a thing from harming someone.
Oh, you must be new here. Have you ever heard of a silly little thing called Therac-25? Here's a summary from Wikipedia [wikipedia.org]:
The Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with CGR of France). It was involved with at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation, approximately 100 times the intended dose. Three of the six patients died as a direct consequence. These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics.
Apparently, some bonehead decided that the hardware lock is too expensive since it can be implemented in software - and removed the physical hardware circuit. So, you never know what those machines can and can't do :)
bugs on hospital computers (Score:4, Funny)
Suddenly I have this horrible urge to write a virus called "Swine Flu" that only attacks medical systems..
New Sources of SPAM! (Score:4, Funny)
Maybe it just wasn't a good time to upgrade? (Score:5, Funny)
Swine flu? (Score:5, Funny)
The question (Score:5, Informative)
Removable Drives (Score:4, Informative)
As I unfortunately found out yesterday, one of the more common ways the virus spreads is through removable drives. If autorun is enabled for removable devices (which it is by default, and no MS basher responses please), Windows will load autorun.inf straight away, infecting you.
A work colleague brought over a USB stick with some music on it, which I happily acquired, along with Conficker. For some retarded reason the resident shield was disabled. After we received an email about it, I noticed this and re-enabled it. I didn't realise I had the virus until this guy came over again with some more music and the AV software exploded in my face with a nice "warning conficker detected and removed" message. Of course that meant "removed from the USB stick" and not "removed from the PC".
Virus scans would no longer run, and I couldn't access most conficker-removal-related websites unless I went through a proxy. Incredibly, the Microsoft Malicious Software Removal tool worked a treat. After using that, rebooting, and disabling autorun in the registry, it's gone.
I blame partly myself for not disabling autorun (security lockdown on these work PCs is ridiculous; I would have had to ask an admin to do it), and for whoever disabled my bloody resident shield.
I hinted to our admin that I wanted Debian instead, but that didn't go down well. :)
tl;dr version: Conficker is bad, mmkay.
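An added example, not part of the comment above: a small audit for the two things that comment touches on, the registry setting that disables autorun and the `autorun.inf` file on a removable drive. The sample file and mask values are constructed; `NoDriveTypeAutoRun` is the Windows policy value (under `Policies\Explorer`) whose set bits disable AutoRun per drive type.

```python
import re

# Bits of the NoDriveTypeAutoRun policy value; a set bit DISABLES AutoRun
# for that drive type (0xFF disables it for all types).
DRIVE_TYPE_BITS = {
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
}

# autorun.inf keys that name a command to run
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

# Constructed sample: junk padding lines, mixed case, a decoy section.
SAMPLE_AUTORUN_INF = r"""
; constructed sample, not taken from any real drive
xk29fjq0a
[AutoRun]
zzzzqqqq
Action=Open folder to view files
Icon=shell32.dll,4
shellExecute=tool.exe /start
shell\Open\Command=tool.exe
[Content]
open=ignored.exe
"""


def autorun_still_enabled(no_drive_type_autorun):
    """Drive types for which AutoRun is NOT disabled by the given mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items()
            if not no_drive_type_autorun & bit]


def launch_entries(text):
    """Return (key, command) pairs from the [autorun] section only.

    Lines that are not key=value are skipped rather than treated as
    errors, so padding between real entries does not hide them.
    """
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if LAUNCH_KEY.match(key.strip()):
            entries.append((key.strip().lower(), value.strip()))
    return entries


def usb_autorun_risk(no_drive_type_autorun, autorun_inf_text):
    """Commands a removable drive could launch under this policy mask."""
    if "removable" not in autorun_still_enabled(no_drive_type_autorun):
        return []
    return launch_entries(autorun_inf_text)


if __name__ == "__main__":
    for mask in (0x91, 0xFF):  # constructed policy values
        print(hex(mask), autorun_still_enabled(mask),
              usb_autorun_risk(mask, SAMPLE_AUTORUN_INF))
```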
Windows is unsupportable, shouldn't be embedded (Score:3, Interesting)
Let me get this straight, we know Microsoft drops support for its OSes and that includes security patches, yet hospital equipment manufacturers are loading Windows on equipment costing millions? Come on folks, what's wrong with this picture.
At least with open source, the equipment manufacturer can backlevel a patch or hire someone to do this. They can't do this with Windows or it costs too much for them to do it. I can't imagine getting source access to an unsupported OS is something Microsoft wants. If they don't want it, they price it off the market.
So is anyone in the press bringing up the issue of companies embedding Windows in products which are expected to last more than 10 years like MRI machines and other hospital equipment? This isn't your standard corporate IT department that keeps throwing away good hardware every three to five years.
It's plain and simple, Windows is unsafe and unsupportable in any long life application.
LoB
The fix is simple: use Unix-based systems (Score:3, Interesting)
Here's a vaccine: use Unix and Unix-like systems. No medical device should be running Windows. You do see stuff with Unix, such as some CT scans, but the way Microsoft's marketing is strong, you see a lot of stuff on Windows. Also, because it allows for easy installation on a widespread platform.
Here's a big opportunity for open-source developers: ship the whole thing, computer, OS, *and* your image analysis software for microscopy - or whatever (of course, the ugly part for Linux is the GPL - but then there's always a choice of BSD or solaris).
BTW, how come retarded managers get to choose Windows for medical devices, and the NYSE sticks to Linux for their systems? Answer: because there is a shitload of money in the NYSE and big fish at the sea and they can't afford retards managing their IT infrastructure.
On another note, I suspect things are even worse in other corners of the world. For instance, a couple of weeks ago I was having a coffee with the guy responsible for major IT infrastructure in the government health sector (this in Brazil, and I'll not disclose specific info), and he told me a horror story of how they run very old, unpatched software, that they *can't possibly* upgrade because, as these things go in the developing world, the budget wasn't always there when they needed, so they missed upgrades, and to upgrade the things, they can't just go from, say, version 5 to 7, because Microsoft doesn't work that way...BTW, the guy - a top manager - was clueless regarding, say, OpenBSD. He just bought pre-packaged Microsoft shite. How sad...He did mention that TCO for Linux was higher, because of lack of specialized workers (as opposed to a legion of incompetent sysadmins wannabes we see all the time in the Free Software meetings), and that they had made a half-assed attempt once.
OTOH, the public health sector should run open source software for security reasons. Period. If .mil does, why doesn't .gov?
Re:Does it bother anyone else..... (Score:5, Insightful)
Re: (Score:2)
Re:Does it bother anyone else..... (Score:5, Insightful)
Why risk having security vulnerabilities on a tried and tested mission-critical system? They should have gone with Linux or BSD from the start and had virtually guaranteed upgrade compatibility from that point on, with plenty of commercial support options.
Re:Does it bother anyone else..... (Score:5, Interesting)
What part of 10 year old equipment didn't you understand? What part of Win NT and win 2K makes you think the hardware can even run anything newer?
At that time you're looking at Red Hat 5. Think about it. Linux wasn't ready back then for mission critical stuff.
At best they could have gone with OS/2 warp.
Re:Does it bother anyone else..... (Score:4, Interesting)
If the support contract doesn't include tested and managed security updates, it's not really support is it?
Re: (Score:3, Funny)
Newer isn't always better.
I disagree, think of how much better those machines would be running if they used vista!
Re: (Score:3, Interesting)
All versions of Windows (and Linux) are way too complex to ever be 100% bug-free. They should be running DOS.
Re: (Score:3, Informative)
Re:Does it bother anyone else..... (Score:5, Interesting)
For a life-critical system they probably shouldn't be running ANY version of Windows. But once you get past that issue, if you have tested it sufficiently to permit people's lives to depend on it, retesting it to the same standards on first Win2000 and then XP is a non-trivial effort, and might not even be possible without massive changes. So you would be sorely tempted to leave it alone. Presumably, since it's the same code, it doesn't need any more "features" or performance. So porting it provides no value.
A better question is whether or not it's a good idea to have the damn thing hooked up to the internet so it could *get* Conficker in the first place! Well, actually, that's not a question, since it's obvious...
Brett
Re:Does it bother anyone else..... (Score:4, Interesting)
Also, many hospitals refuse to upgrade existing equipment to something newer. If it works, and it gets the clinicians the data they need to help the patient, then they don't want to take the risk of updating software/hardware.
Re: (Score:2)
For that matter, why is it running a general-purpose OS like Windows? Anything upon which life-critical systems run should be a hardened, embedded system focused on the equipment's features and nothing else.
Am I the only one who shudders at the idea of Bonzi Buddy on a cardiac monitoring system?
Re: (Score:2)
Re:Does it bother anyone else..... (Score:5, Interesting)
For that matter, why is it running a general-purpose OS like Windows?
Ease of development, particularly UI support for rich user interaction and feedback.
Most medical systems I've worked on have two OS's: a relatively hard realtime system that's really close to the hardware, and a second system (Linux or Windows) that's close to the user. For some applications the general purpose OS is used as a soft realtime system and talks to all the hardware via USB or a framegrabber. Only very simple systems are pure embedded these days.
Given the complexity of computing that some of these machines do this makes perfect sense: an embedded, realtime OS is just not what you want to be dealing with when trying to develop richly representational software. Think imaging systems and computer-assisted surgery systems, which often have a lot of analysis and image processing built in, including heavy user interaction, in realtime, in the OR.
Intra-op ultrasound is routine in cardiac surgery (and yes, sometimes systems hang and have to be rebooted while the patient is on the table with their heart stopped...) Intra-op fluoroscopy is routine in some procedures as well, particularly in ortho.
The problem is that people have come to expect features that can't be easily delivered without a general purpose OS, and the issues that come with that are pretty much invisible to anyone who would be likely to scream about it, including the FDA. Users get used to periodic failures and work around them, just like desktop users do.
Re: (Score:3, Informative)
It bothers me that "critical medical equipment" was running Windows at all.
Re: (Score:2)
Not necessarily newer, but certainly more robust (Windows 2000 is not something I'd consider reliable enough to be used in mission critical systems) and more secure (USB keys can carry viruses).
Usually, for something like that, as others have noted, you'd want a special-purpose OS or a very minimal layer on the hardware you can write apps directly to (eg: L4, OSKit, or something like that).
Re:Old Computers (Score:5, Interesting)
Medical equipment has a very long lifespan. Many devices for measurement and monitoring are used for 10 to 20 years before replacement. The general policy is "if it works, don't fix it and, more important, do not touch it".
The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.
Re:Old Computers (Score:5, Insightful)
Medical equipment has a very long lifespan. Many devices for measurement and monitoring are used for 10 to 20 years before replacement. The general policy is "if it works, don't fix it and, more important, do not touch it". The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.
Doesn't Microsoft itself say (perhaps in the EULA disclaimer) that its operating systems were not intended to be used in this sort of mission-critical capacity? That could of course have a very narrow definition, something along the lines of "don't ever use it to operate that iron lung but maybe use it so the receptionist can run MS Office" but if that were the case, then this would be a mere nuisance and not such a real problem. That is, in that case there'd be nothing special about the fact that the affected institution happened to be a hospital beyond the fact that it sounds bad. Because of that, I really get the impression that they were using the wrong tool for the job.
Re: (Score:3, Interesting)
Windows isn't usually used for anything absolutely critical. Still, when your MR scanners go down because of a worm even if it doesn't kill anyone directly it may lead to deaths due to missed diagnoses.
Re:Old Computers (Score:5, Insightful)
The biggest issue here is that Medical Equipment has to be run through an FDA Validation process. If you make changes to the system, you have to revalidate, and Validation takes months and $100K's. So the vendors leave them as-is.
What's frustrating is that these systems need to be on a LAN, since they need to report their results to other clinical systems. So these small islands need to be linked to other islands, and eventually, someone screws up and links an island with an Internet connection . . . .
Re:Old Computers (Score:5, Interesting)
These systems are usually on a network segment dedicated strictly to imaging yet somehow I manage to find all fashion of virus (most recently Conficker), games and saved email attachments on the Desktop.
The FDA is very strict about how these systems are to be upgraded and serviced but patching is a non issue.
My company has a simple solution to the virus issue though, If the network admin allows the cluster to get infected, we will gladly remove the infection, for a price.
If I only had a penny for every time I have heard "It's not my network, check your equipment"
Re:Old Computers (Score:5, Insightful)
Because the network admin should have the laboratory equipment firewalled off with a "deny all" preceded and followed by comment lines that read " # DANGER -- MEDICAL EQUIPMENT ON THIS SEGMENT -- If you permit so much as one stinking port to pass through this firewall, I will hunt you down and leave nothing behind for the doctors to patch together."
There is no excuse on the planet for letting health care equipment see the cloud. If data has to enter or leave, it should pass through a bastion host. If the requirements are that the equipment really has to reach the internet, the requirements are faulty.
Re: (Score:3, Funny)
I don't know why, but I read "PACS" as "Particle Accelerator Cannons" - god forbid anything at CERN gets Conficker.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.
Shouldn't they be using OpenBSD, then?
Re:Old Computers (Score:5, Informative)
Shouldn't they be using OpenBSD, then?
Then the hospitals all complain because the in-house IT generally only understand MS, so they will have to pay for even the simplistic things.
I work for a medical software company and we had a program that ran on Linux only for a long time. We eventually ported it to Windows because the majority of the support calls required an on site visit since no one in IT support was willing and/or able to touch a Linux box. Several times I went to sites and the only problem would be that the hard disk was full and they simply needed to delete some old/unneeded data.
Re:Old Computers (Score:5, Interesting)
It's not like they can just upgrade the computer. The computer is running software that goes with specialized equipment. They'd have to upgrade everything if they upgraded anything and with that you could easily be talking millions of dollars. That might not be really needed as the machine should run just as well as it did when they bought it if it hasn't broke. If it's a smaller hospital, they might not have the budget to replace non-broken machines that still perform within needed specs, especially in this economic climate. Add in that some of these machines need to be FDA tested and are only supported by the manufacturer and that makes it even more expensive and harder to upgrade. Then, on many of these machines, the users might not even know they're running on NT4 as the software they run takes up the entire screen and they never actually interact with Windows at all.
I work in healthcare and I'm not surprised at all. Within the last year we just got rid of a Win95 system that was still talking over Novell networking, our Vax system, and a bunch of Sun SPARC stations. We still have plenty of Win2k and probably some WinNT4 around. We also have one of the most advanced set ups in the country, but legacy systems still exist for lots of reasons. First off, if it still works, management is not likely to want to get rid of it unless you make a good case for a good ROI. They're all old and aren't used to replacing major hospital systems that aren't broke especially if the new system doesn't offer any advantages. Budgets are always a problem because if the department isn't bringing in enough money to warrant new equipment, they might not get it. Then there are the vendors. Perhaps GE, Fuji, or Cerner are happy with their old system or want to sell you lots of stuff you don't want or need to replace one bit that is still running on old server tech just fine, so you effectively can't upgrade even if you wanted to.
Virus writers in the pay of computer sellers? (Score:3, Insightful)
It's extremely cynical of me perhaps, but I wonder if this isn't some type of pernicious planned obsolescence. Some car makers for many years deliberately made cars to last 20,000 hours (pure folklore, overheard) because they needed cars to fail after a few years to keep the volume of new car sales g
Re:Virus writers in the pay of computer sellers? (Score:5, Interesting)
The above post is accurate about the car analogy.
From my own experience, auto-manufacturers took it a step further and only made PARTS of the car with built in obsolescence. Then they buried that part under 30 other ones. That way they get the repair cost MUCH higher. A simple $10 part can cost you (at the dealership, of course) $1000 to get to and replace, the Ford Ranger/Explorer clutch slave cylinder INSIDE the transmission bellhousing...$30 part, $500 job, being a good example (most manufacturers put it on the outside). It also discourages the "shade-tree mechanics" from doing their own work.
But what you say is mostly correct. The REAL problem is that they've been at it so long, people think that a car that only lasts 5-6 years is NORMAL. They've been conditioned to it. People will not know what to do with a car that lasts 25 years, nor be happy with it. It's all about "new", or so we are told by the auto companies.
All that being said, the OP isn't being overly cynical, in my opinion. That shit happens ALL the time, and I see no reason it shouldn't in the IT field.
Re: (Score:3, Insightful)
"A simple $10 part can cost you (at the dealership, of course) $1000 to get to and replace, the Ford Ranger/Explorer clutch slave cylinder INSIDE the transmission bellhousing...$30 part, $500 job, being a good example (most manufacturers put it on the outside). It also discourages the "shade-tree mechanics" from doing their own work."
The concentric slave cylinders were more likely some bean counter idea to save the cost of a clutch fork, pivot ball, and associated hardware. The quick-connect hydraulic fitti
Re:Virus writers in the pay of computer sellers? (Score:5, Insightful)
I have to agree. You think a car maker gives a crap about the cost of a repair job down the line? I know several engineers personally that work in the auto industry. Their priorities go something like this:
1. Meet bare minimum, required by law emissions, safety, and quality standards.
2. Be as cheap to make as possible
3. Be as cheap to assemble as possible
4. Require the minimum retooling for factories making it.
5. Require minimum retraining for workers assembling it.
6. When it fails (and it will) make sure it doesn't make the car catch on fire, or slam on the gas, or lose the ability to brake, or otherwise hurt/maim/kill the driver (lawsuits cost money).
7. Make it implement some sort of buzzword marketing tech that doesn't do much but sells cars.
8. Make it implement some tech that actually improves the car in a way that sells more cars.
9. Make it look cool.
10. Be durable enough to last past the warranty in 99% of vehicles, and not blatantly defective enough to force a recall/inspire a class action lawsuit.
11. Be serviceable.
Notice that's a long list of conflicting goals, and how easy it is to service is on the bottom. Few people even look at the (estimated) total cost of ownership of a car, much less personally inspect how easy it looks to surface. And since systemic, hard to service problems tend to show up 5 years down the line, when the engineers responsible have long ago moved on to other projects, and that particular model has already been replaced anyways, no one really cares.
The idea that some sort of sneaky conspiracy of planned obsolescence is going on is bogus. The reality is the engineers and designers have different priorities. Replacement parts are often expensive because the machines required to make them are expensive, and they want to retool them to make something else as soon as possible, so they often make a bunch of extras and shove them in a warehouse somewhere. If those run out, and they have to make more, it means they have to spend a ton of money to make another run of them.
When people are buying cars, they want the latest and greatest. A car made using the tried and tested tech from 10 years ago would last longer, and be more reliable, but would offer less performance, comfort, and safety for pretty much the same price or more.
Re: (Score:3, Insightful)
but the LAN was connected to one with direct Internet access.
Internet enabled machine got infected, and bridged over to the closed-off network. Why SMB was enabled on the embedded systems is a better question.
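An added example, not written by any commenter: one way to check the two conditions raised in the thread, that traffic to or from the medical segment passes only through a bastion host and that SMB is not spreading inside or across it, against flow records. The subnet, the bastion address, the fan-out threshold and the sample flows are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed policy for this example (all values constructed).
MEDICAL_NET = ipaddress.ip_network("10.20.0.0/24")
BASTION = ipaddress.ip_address("10.20.0.10")
SMB_PORTS = {139, 445}       # NetBIOS session service and SMB over TCP
FANOUT_THRESHOLD = 3         # distinct SMB peers before a host is flagged

# Constructed flow records: src dst proto dport (104 = DICOM here).
SAMPLE_FLOWS = """\
10.20.0.10 10.1.5.20 tcp 104
10.20.0.31 10.1.5.20 tcp 104
10.1.7.44 10.20.0.32 tcp 445
10.20.0.32 10.20.0.33 tcp 445
10.20.0.32 10.20.0.34 tcp 445
10.20.0.32 10.20.0.35 tcp 445
10.20.0.33 10.20.0.10 tcp 104
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, proto, dport = parts
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      proto.lower(), int(dport)))
    return flows


def audit(flows):
    """Return findings as (kind, source, destination-or-peer-count)."""
    findings = []
    smb_peers = defaultdict(set)
    for src, dst, proto, dport in flows:
        src_in, dst_in = src in MEDICAL_NET, dst in MEDICAL_NET
        is_smb = proto == "tcp" and dport in SMB_PORTS
        if src_in != dst_in:                      # crosses the boundary
            inside = src if src_in else dst
            if is_smb:
                findings.append(("smb-crosses-boundary", str(src), str(dst)))
            elif inside != BASTION:
                findings.append(("bypasses-bastion", str(src), str(dst)))
        if is_smb and src_in:
            smb_peers[src].add(dst)
    # One host opening SMB sessions to many peers is worm-like behaviour.
    for src, peers in sorted(smb_peers.items()):
        if len(peers) >= FANOUT_THRESHOLD:
            findings.append(("smb-fan-out", str(src), len(peers)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```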