
Hospital Equipment Infected With Conficker 289

Posted by timothy
from the would-never-happen-with-electronic-medical-records dept.
nandemoari writes "Recently, the Conficker/Downadup worm infected several hundred machines and critical medical equipment in an undisclosed number of US hospitals. The attacks were not widespread; however, Marcus Sachs, director of the SANS Internet Storm Center, told CNET News that it raises the awareness of what we would do if there were millions of computers infected in hospitals or in critical infrastructure locations. It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access. A patch was released by Microsoft last October that fixes the problem, but the computers infected were reportedly too old to be patched."


  • Well... (Score:5, Funny)

    by fuzzyfuzzyfungus (1223518) on Thursday April 30, 2009 @06:16PM (#27779911) Journal
    I guess that's the other meaning of "Nosocomial infection"...
    • by idontgno (624372)

      And here I am with no mod points.

      Mods, this is +1 Insightful as well as +1 Funny. Please vote appropriately.

  • Any lawyers here (Score:5, Interesting)

    by clarkkent09 (1104833) * on Thursday April 30, 2009 @06:21PM (#27779967)
    So if a patient dies due to a (computer) virus and the virus writer gets caught can he be charged with manslaughter or something?
    • Re: (Score:3, Informative)

      Won't happen. Life-critical devices are embedded systems.

    • if a patient dies due to a (computer) virus and the virus writer gets caught can he be charged with manslaughter or something?

      Maybe not, but cars have been removed from the market [wikipedia.org] for similar reasons. Notoriously insecure systems should never be used in hospitals.

    • Re: (Score:2, Interesting)

      by jd (1658)

      It depends. Did anyone successfully sue Bridgestone for their exploding SUV tyres for manslaughter? That's infinitely more direct and far more culpable, so if it failed in a case like that, it would almost certainly fail in a virus case.

      • Bridgestone wasn't committing a criminal act. They had a flaw with their product.

        Under US law, there are situations where you can be prosecuted if during the commission of a crime you cause something more severe to happen. One that has happened successfully is a criminal being prosecuted for murder during a robbery, even when they themselves didn't fire the shot that killed someone. However, because the reason the death happened was their robbery, they are charged.

        Now as it would apply to this, I don't know. You

      • by pfleming (683342)
        Manslaughter is a criminal offense. You sue for civil offenses, i.e. wrongful death.
    • Re: (Score:3, Interesting)

      by Wrath0fb0b (302444)

      Yes, but you would have to prove a fairly strong ("proximate") causal link between the virus and the death. It's not enough to say "Well, the MRI machine was down because the tech was cleaning it and if we had gotten him scanned earlier we'd have seen a huge tumor but instead he died", it would have to "the MRI machine was infected with the virus and gave us wrong results so we opened his heart for nothing and he died on the table".

      See, http://en.wikipedia.org/wiki/Proximate_cause [wikipedia.org]

      • Re: (Score:2, Informative)

        by maharb (1534501)

        Bingo. Proximate cause and negligence on the hospital's part would definitely create a low probability that the virus writer could be charged with the manslaughter successfully. Basically the virus writer could not have reasonably foreseen the writing of this virus as causing someone's death due to the huge time, distance, and number of events involved before someone died. Also if any internal policy is set so that these computers are not supposed to be connected to the internet then it pretty much absolve

    • How about the cheap ass IT directors that refused to run on modern hardware/software? I'm pretty sure that running Windows NT/2000 and refusing to patch violates all sorts of HIPAA.

      • Not at all. HIPAA is all about what security measures can be deemed reasonably sufficient. In this case, the systems may have been provided by a vendor and are certified only to run at a certain patch level. Makers of medical devices can't be expected to fuzz the software every time Microsoft releases a patch to make sure it doesn't kill someone when used; they instead sell a single device certified to work a certain way.

        Given that, reasonable security measures would have been to physically isolate the n
    • Can the hospital employees and management who failed to provide safe equipment be sued/charged? Using windows (or any other full OS) on medical equipment is a recipe for disaster.
    • by rwyoder (759998)

      So if a patient dies due to a (computer) virus and the virus writer gets caught can he be charged with manslaughter or something?

      I would blame the morons who put a known buggy, virus-prone piece of trash OS into critical medical equipment.

    • A couple of days ago, I posted a comment about how nobody takes this security shit seriously.

      I was modded flamebait.

      Now we find out hospital systems running medical equipment are connected to the Internet, unpatched, and apparently not running any decent antivirus software.

      Flamebait? My ass.

      It's not flamebait if it's the truth.

  • Eeesh... (Score:2, Funny)

    by Chasmyr (1261462)
    Hospital equipment running Windows NT... Virus or no, I wouldn't want my life to depend on that machine. "Yeah, I hooked him up to the EKG and it just keeps saying device not recognized."
    • Re: (Score:2, Interesting)

      Hospitals are big on not messing with things that work. The devices that still have NT on them do so because, despite the OS's shortcomings, they work.
  • by Ironica (124657) on Thursday April 30, 2009 @06:41PM (#27780295) Journal

    I can totally understand why these systems were still running NT or 2000. If it ain't broke, don't fix it, right?

    But if it ain't supported anymore, and it's completely closed-source, you literally CAN'T get fixes for vulnerabilities discovered later on. At least with an OSS product, you'd be able to hire a developer to fix the specific vulnerability on the existing system.

    • At least with an OSS product, you'd be able to hire a developer to fix the specific vulnerability on the existing system.

      It doesn't work that way.

      You botch this assignment and people die.

      The hospital does not have the financial or technical resources to validate your work.

      Its potential exposure to administrative actions, civil and perhaps criminal penalties is enormous.

  • by altek (119814) on Thursday April 30, 2009 @06:43PM (#27780313) Homepage

    1) Vendors of these devices almost across the board disallow local IT admins to put any windows patches on the machines
        - this is due to FDA requirements for approval, and the vendor is "covering" themselves
        - also, they usually have a list of "qualified updates" that is usually MONTHS behind MS's patch cycle (not surprising given the sheer number and speed of holes that are found)
        - usually the vendors claim that THEY will apply patches regularly, in practice, they almost NEVER do

    2) Vendors typically disallow these machines to be on the active directory
        - this is because they can't stand troubleshooting/supporting issues in their software due to GPOs being pushed down, software management software, etc etc

    3) To everyone screaming how idiotic it is that medical devices have Windows on them: you may be a geek, but have clearly never worked in a real enterprise environment. Windows is embedded on so many devices in the world (medical and otherwise) that you would never even know existed. Why? Because it's widely supported, has huge hardware support, and is surprisingly OPEN to developers to hack it into whatever they need it to be. And windows programmers are a dime a dozen.

    4) To everyone screaming how idiotic it is that medical devices are connected to the internet getting infected - Do you even know how Conficker spreads? It spreads quite easily across a LAN, attaching to Windows file shares. See MS08-067 for more info. Many of these devices are on a LAN with no DNS (although plenty are on the 'net). Why? Again, because vendors insist that they be connected so they can VPN in and support them (often using LogMeIn, Webex etc).

    • by altek (119814)

      I hate to reply to my own comment, but I forgot to add something.

      5) Why don't sysadmins at the hospitals disable filesharing and enforce stronger policies on these devices?
            - usually the vendor contract explicitly states that modifying the systems in such a way will void your $50,000 annual support contract on your $3 million scanner. Scanner is broken? Tough shit, you voided your contract. Buy a new one.

    • by nurb432 (527695)

      *snip* Many of these devices are on a LAN with no DNS (although plenty are on the 'net). Why? Again, because vendors insist that they be connected so they can VPN in and support them (often using LogMeIn, Webex etc).

      They should be on a dedicated LAN with NO entry point for some idiot with a laptop. A vendor complains? Too bad, hand them a cat 5 on a different network. It's your rules, not theirs.

      I'm sorry but when it comes to medical equipment there is NO excuse for being sloppy. Those involved should be blacklisted from the industry.

      And yes, it can be done, and is. Sure it's difficult, but it needs to be done.

    • > 3) To everyone screaming how idiotic it is that medical devices have Windows on them: you may be a geek, but have clearly never worked in a real enterprise environment.

      I'm sure there was a lot of the same type of justification in the financial industry to the few people who pointed out how idiotic the risks being taken with money were. It's irrelevant *why* something so moronic is being done. It's still tremendously stupid, and needs to be changed. Windows does not belong anywhere lives are at stake.
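The condition altek and nurb432 describe above, a device LAN that was meant to be isolated but was bridged to a network with Internet access, with Conficker then moving over Windows file shares (MS08-067), is something a defender can check from flow logs. The following Python is an added example, not code from the article, the commenters, or any vendor: the device subnet 10.50.0.0/24, the vendor jump host 10.10.9.5, the scan threshold and the flow records are all constructed for illustration.

```python
"""
Flag SMB (TCP 139/445) flows that cross the boundary of a medical-device
segment that policy says is isolated, and spot device hosts fanning out to
many SMB targets, the propagation pattern a share-hopping worm produces.

Added example; subnet, jump host and flow records are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy: the device segment, and the single host that is allowed
# to reach it for vendor remote support. Real values are site-specific.
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
VENDOR_JUMP_HOST = ipaddress.ip_address("10.10.9.5")
SMB_PORTS = {139, 445}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def crosses_segment(flow):
    """True when exactly one end of the flow is inside the device segment."""
    src_in = ipaddress.ip_address(flow.src) in DEVICE_SEGMENT
    dst_in = ipaddress.ip_address(flow.dst) in DEVICE_SEGMENT
    return src_in != dst_in


def classify(flow):
    """Short verdict for one flow record."""
    if flow.proto != "tcp" or flow.dport not in SMB_PORTS:
        return "ignore"            # not SMB; out of scope for this check
    if not crosses_segment(flow):
        return "internal"          # SMB between two devices: worth baselining
    if ipaddress.ip_address(flow.src) == VENDOR_JUMP_HOST:
        return "allowed"           # the one sanctioned path into the segment
    if ipaddress.ip_address(flow.src) in DEVICE_SEGMENT:
        return "alert:outbound"    # a device reaching shares elsewhere
    return "alert:inbound"         # something outside reaching device shares


def find_violations(flows):
    """All flows whose verdict is an alert, paired with that verdict."""
    return [(f, classify(f)) for f in flows if classify(f).startswith("alert")]


def scan_suspects(flows, threshold=3):
    """Device-segment sources touching >= threshold distinct hosts on SMB ports.
    Fan-out like this is a crude but useful worm-propagation signal."""
    targets = defaultdict(set)
    for f in flows:
        if (f.proto == "tcp" and f.dport in SMB_PORTS
                and ipaddress.ip_address(f.src) in DEVICE_SEGMENT):
            targets[f.src].add(f.dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


# Constructed sample flows, as a firewall or NetFlow export might yield them.
SAMPLE_FLOWS = [
    Flow("10.50.0.21", "10.50.0.22", 445),           # device to device, in segment
    Flow("10.10.9.5", "10.50.0.21", 445),            # vendor jump host: allowed
    Flow("192.168.4.77", "10.50.0.30", 445),         # office PC reaching a scanner's share
    Flow("10.50.0.30", "192.168.4.12", 445),         # a device reaching an office share
    Flow("10.50.0.30", "192.168.4.12", 80),          # HTTP, not SMB
    Flow("10.50.0.30", "192.168.4.12", 445, "udp"),  # not TCP, ignored
    Flow("10.50.0.30", "10.50.0.31", 445),           # same device touching more
    Flow("10.50.0.30", "10.50.0.32", 445),           # ... and more SMB targets
]

if __name__ == "__main__":
    for flow, verdict in find_violations(SAMPLE_FLOWS):
        print(f"{verdict:15} {flow.src} -> {flow.dst}:{flow.dport}")
    print("fan-out suspects:", scan_suspects(SAMPLE_FLOWS))
```

The two checks answer different questions: the boundary rule tells you whether the "isolated" segment really is isolated, and the fan-out rule tells you whether something inside it is already behaving like a worm, which matters when the devices cannot be patched and the network is the only control you actually own.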

  • by Cederic (9623) on Thursday April 30, 2009 @06:47PM (#27780385) Journal

    Suddenly I have this horrible urge to write a virus called "Swine Flu" that only attacks medical systems..

    • by altek (119814)

      black helicopters should be hovering above your house right... about... NOW

  • by happy_place (632005) on Thursday April 30, 2009 @06:48PM (#27780401) Homepage
    This SPAM was brought to you by a heart monitor!
    • Considering the high cholesterol content of spam, it's probably already wreaked its share of havoc on heart monitors... it's about time the heart monitors gave something back.

  • by Chasmyr (1261462) on Thursday April 30, 2009 @06:49PM (#27780419)
    "Hi it says I need to upgrade my RAM, what is that?"... "RAM is a part of your computer, if you have more of it, you can expect it to run faster... tell me what your computer is running and I'll see if I can help you out."... "Uh, right now the computer is running Bob's heart and lungs for him."
  • by Anonymous Coward

    The article says "A patch was released by Microsoft last October ..." The availability of a patch doesn't mean squat. Before a patch can be installed on medical equipment, the hardware vendor has to validate the patch. In other words, the vendor has to test the ever loving crap out of the software to ensure it does not compromise patient safety.

    The fact that cornflicker got on life safety and mission critical systems at all raises the question of why anyone would use a consumer grade operating system fo

  • Swine flu? (Score:5, Funny)

    by Sockatume (732728) on Thursday April 30, 2009 @06:52PM (#27780471)
    So, we have Conficker infecting hospitals now. And meanwhile, after Conficker's payload goes live, there's a massive outbreak of swine flu. And conficker spreads spam... spam is a pork product... COINCIDENCE?!
  • The question (Score:5, Informative)

    by thePowerOfGrayskull (905905) on Thursday April 30, 2009 @07:10PM (#27780707) Homepage Journal
    The question here is this: did the sub-human wankers who created this ever consider this possibility? Now that it's happened, do you think they give a shit? Is there a chance that someone is saying, "Gee, maybe this wasn't such a good idea..." right about now?
    • by Renraku (518261)

      I don't think many virus writers would like to see their virus killing people.

      I'd say the blame is 50% on the part of the virus writer for not considering the consequences, and 50% on the part of the medical equipment maker that decided to use Windows to save a few bucks and didn't consider the fact that Windows is one of the most insecure operating systems ever.

      For a car analogy, someone throws an empty soda can out the window. Said soda can is then crushed by a Chinese-knockoff motorcycle. Since the tir

    • by freelunch (258011)

      The question here is this: did the sub-human wankers who created this ever consider this possibility? Now that it's happened, do you think they give a shit? Is there a chance that someone is saying, "Gee, maybe this wasn't such a good idea..." right about now?

      No, they're saying "Windows 7 will be more secure, and even better for medical devices"

      Or did you mean the Conficker authors?

  • Removable Drives (Score:4, Informative)

    by Samah (729132) on Thursday April 30, 2009 @07:33PM (#27781015)

    As I unfortunately found out yesterday, one of the more common ways the virus spreads is through removable drives. If autorun is enabled for removable devices (which it is by default, and no MS basher responses please), Windows will load autorun.inf straight away, infecting you.

    A work colleague brought over a USB stick with some music on it, which I happily acquired, along with Conficker. For some retarded reason the resident shield was disabled. After we received an email about it, I noticed this and re-enabled it. I didn't realise I had the virus until this guy came over again with some more music and the AV software exploded in my face with a nice "warning conficker detected and removed" message. Of course that meant "removed from the USB stick" and not "removed from the PC".

    Virus scans would no longer run, and I couldn't access most conficker-removal-related websites unless I went through a proxy. Incredibly, the Microsoft Malicious Software Removal tool worked a treat. After using that, rebooting, and disabling autorun in the registry, it's gone.

    I blame partly myself for not disabling autorun (security lockdown on these work PCs is ridiculous; I would have had to ask an admin to do it), and for whoever disabled my bloody resident shield.

    I hinted to our admin that I wanted Debian instead, but that didn't go down well. :)

    tl;dr version: Conficker is bad, mmkay.
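Samah's account above turns on two things: an autorun.inf on removable media that names a program to run, and the registry value that decides whether Windows honours it. The following Python is an added example, not code from the post; both autorun.inf bodies are constructed samples, the flagged keys (open, shellexecute, shell\...\command) are the directives that launch a program, and the NoDriveTypeAutoRun value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer is the registry setting Samah refers to, with bit 0x04 covering removable drives.

```python
"""
Inspect an autorun.inf body for directives that would run a program on media
insertion, and check whether a NoDriveTypeAutoRun value disables autorun for
removable drives. Added example; the sample .inf bodies are constructed.
"""
import re

LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... also launches a program (e.g. via the context menu)
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Bit of NoDriveTypeAutoRun that covers DRIVE_REMOVABLE; 0xFF disables all types.
REMOVABLE_BIT = 0x04


def parse_autorun(text):
    """Return {section: {key: value}} for an .inf body.
    Sections and keys are case-insensitive; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text):
    """(key, value) pairs in [autorun] that would cause code to execute."""
    auto = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in auto.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]


def removable_autorun_disabled(no_drive_type_autorun):
    """True when the policy DWORD has the removable-drive bit set."""
    return bool(no_drive_type_autorun & REMOVABLE_BIT)


# Constructed samples, not taken from any real drive.
SAMPLE_BENIGN = r"""[autorun]
icon=player.exe,0
label=Music
"""

SAMPLE_SUSPICIOUS = r"""; constructed sample
[AutoRun]
Icon=music.ico
Open=files\launcher.exe
shell\open\command=files\launcher.exe
Action=Open folder to view files
"""

if __name__ == "__main__":
    for name, body in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, "->", launch_directives(body) or "no launch directives")
    for value in (0x91, 0xFF):
        print(f"NoDriveTypeAutoRun=0x{value:02X}: removable disabled ="
              f" {removable_autorun_disabled(value)}")
```

The .inf check is what an admin would run against a stick before trusting it, and the registry check is the one-line audit of the mitigation Samah applied afterwards; a value such as 0xFF covers removable media, a value without bit 0x04 does not.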

  • Critical medical equipment should never have been even remotely connected to anything not 100% secure.

    • The fatal flaw with your argument is that nothing is ever 100% secure.

      I will, however, go so far as to say that no critical system that will be used for an extended period of time should be using closed software that will ever be EOLed.

  • by Locutus (9039) on Thursday April 30, 2009 @08:51PM (#27781711)

    Let me get this straight, we know Microsoft drops support for its OSes and that includes security patches, yet hospital equipment manufacturers are loading Windows on equipment costing millions? Come on folks, what's wrong with this picture?

    At least with open source, the equipment manufacturer can backlevel a patch or hire someone to do this. They can't do this with Windows or it costs too much for them to do it. I can't imagine getting source access to an unsupported OS is something Microsoft wants. If they don't want it, they price it off the market.

    So is anyone in the press bringing up the issue of companies embedding Windows in products which are expected to last more than 10 years like MRI machines and other hospital equipment? This isn't your standard corporate IT department that keeps throwing away good hardware every three to five years.

    It's plain and simple, Windows is unsafe and unsupportable in any long life application.

    LoB

  • by synthespian (563437) on Thursday April 30, 2009 @09:43PM (#27782167)

    Here's a vaccine: use Unix and Unix-like systems. No medical device should be running Windows. You do see stuff with Unix, such as some CT scans, but the way Microsoft's marketing is strong, you see a lot of stuff on Windows. Also, because it allows for easy installation on a widespread platform.

    Here's a big opportunity for open-source developers: ship the whole thing, computer, OS, *and* your image analysis software for microscopy - or whatever (of course, the ugly part for Linux is the GPL - but then there's always a choice of BSD or solaris).

    BTW, how come retarded managers get to choose Windows for medical devices, and the NYSE sticks to Linux for their systems? Answer: because there is a shitload of money in the NYSE and big fish at the sea and they can't afford retards managing their IT infrastructure.

    On another note, I suspect things are even worse in other corners of the world. For instance, a couple of weeks ago I was having a coffee with the guy responsible for major IT infrastructure in the government health sector (this in Brazil, and I'll not disclose specific info), and he told me a horror story of how they run very old, unpatched software, that they *can't possibly* upgrade because, as these things go in the developing world, the budget wasn't always there when they needed it, so they missed upgrades, and to upgrade the things, they can't just go from, say, version 5 to 7, because Microsoft doesn't work that way...BTW, the guy - a top manager - was clueless regarding, say, OpenBSD. He just bought pre-packaged Microsoft shite. How sad...He did mention that TCO for Linux was higher, because of lack of specialized workers (as opposed to a legion of incompetent sysadmin wannabes we see all the time in the Free Software meetings), and that they had made a half-assed attempt once.

    OTOH, the public health sector should run open source software for security reasons. Period. If .mil does, why doesn't .gov?
