Hospital Equipment Infected With Conficker

nandemoari writes "Recently, the Conficker/Downadup worm infected several hundred machines and critical medical equipment in an undisclosed number of US hospitals. The attacks were not widespread; however, Marcus Sachs, director of the SANS Internet Storm Center, told CNET News that it raises the awareness of what we would do if there were millions of computers infected in hospitals or in critical infrastructure locations. It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access. A patch was released by Microsoft last October that fixes the problem, but the computers infected were reportedly too old to be patched."
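The stated root cause in the summary is a LAN that was supposed to be isolated but was bridged to another LAN with direct Internet access. As an added example (not code from the article or any commenter), here is a small segmentation audit in Python over a constructed topology with hypothetical segment names: for each segment that policy says must be isolated, it finds the chain of connections that leaks it to the Internet.

```python
from collections import deque

# Constructed example topology (hypothetical segment names, not from the
# article). Each pair is a network connection; traffic flows both ways.
LINKS = [
    ("office-lan", "internet"),      # office workstations browse the web
    ("clinical-lan", "office-lan"),  # the "isolated" LAN is bridged here
    ("device-lan", "clinical-lan"),  # monitors, MRI consoles, NT/2000 PCs
    ("lab-lan", "lab-gateway"),      # a genuinely isolated island, for contrast
]
ISOLATED = {"device-lan", "lab-lan"}  # segments that must never reach the Internet

def build_graph(links):
    """Undirected adjacency map: a plain LAN link carries traffic both ways."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def find_path(graph, start, target):
    """Breadth-first search; returns the hop list from start to target,
    or None when the segment really is cut off."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def audit_isolation(links, isolated, internet="internet"):
    """Map each isolated segment to the path that leaks it to the Internet.
    An empty dict means the isolation policy actually holds."""
    graph = build_graph(links)
    violations = {}
    for seg in sorted(isolated):
        path = find_path(graph, seg, internet)
        if path is not None:
            violations[seg] = path
    return violations

if __name__ == "__main__":
    for seg, path in audit_isolation(LINKS, ISOLATED).items():
        print(f"VIOLATION: {seg} reaches the Internet via {' -> '.join(path)}")
```

In the constructed topology the device segment is flagged through the clinical and office LANs, while the lab island passes; feeding the real firewall or VLAN inventory into LINKS turns this into a repeatable check.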
  • Any lawyers here (Score:5, Interesting)

    by clarkkent09 ( 1104833 ) * on Thursday April 30, 2009 @06:21PM (#27779967)
    So if a patient dies due to a (computer) virus and the virus writer gets caught can he be charged with manslaughter or something?
  • by Anonymous Coward on Thursday April 30, 2009 @06:26PM (#27780055)

    All versions of Windows (and Linux) are way too complex to ever be 100% bug-free. They should be running DOS.

  • by Anonymous Coward on Thursday April 30, 2009 @06:28PM (#27780079)

    A family member was in an intensive care unit and was hooked up to a machine that would monitor them for seizures.

    In addition to a bunch of electrodes and other monitoring devices there was a web cam.

    I looked at the screen and saw the Win XP task bar (pretty sure it was XP not win 2k but it was a while ago). It was a shock to see it and caused me some concern, but since it was just monitoring software, not as critical as the other systems in the room and the unit's layout made the bed viewable from the nurse's station, it wasn't a big deal.

    Had the respirator shown an XP toolbar I would have made a stink.

    NT and win2k have always appeared to be fairly stable for me. More so than XP in my experience.

  • by Brett Buck ( 811747 ) on Thursday April 30, 2009 @06:28PM (#27780089)

    Does it bother anyone else that "critical medical equipment" was running Windows NT or 2000? Don't get me wrong - I like to bash MS as much as the next /.'er but XP is almost to sunset - Shouldn't they be running something a little newer?

              For a life-critical system they probably shouldn't be running ANY version of Windows. But once you get past that issue, if you have tested it sufficiently to permit people's lives to depend on it, retesting it to the same standards on first Win2000 and then XP is a non-trivial effort, and might not even be possible without massive changes. So you would be sorely tempted to leave it alone. Presumably, since it's the same code, it doesn't need any more "features" or performance. So porting it provides no value.

    A better question is whether or not it's a good idea to have the damn thing hooked up to the internet so it could *get* Conficker in the first place! Well, actually, that's not a question, since it's obvious...

          Brett

  • by Smitty825 ( 114634 ) on Thursday April 30, 2009 @06:28PM (#27780091) Homepage Journal
    In the medical industry, making even the smallest changes is often difficult. (I've heard stories of companies continuing to release medical software based on WinNT, and they will probably continue to do it.) When it comes to making changes to software (and hardware), there are lots of regulatory hurdles you need to meet. (The more "life-critical" a device is, the more stringent the regulations are.) Obviously, it makes sense, because you don't want to go to the hospital today and find a Windows 7 Beta powered device responsible for your safety.

    Also, many hospitals refuse to upgrade existing equipment to something newer. If it works, and it gets the clinicians the data they need to help the patient, then they don't want to take the risk of updating software/hardware.
  • Re:Eeesh... (Score:2, Interesting)

    by Translation Error ( 1176675 ) on Thursday April 30, 2009 @06:34PM (#27780175)
    Hospitals are big on not messing with things that work. The devices that still have NT on them do so because, despite the OS's shortcomings, they work.
  • Re:Any lawyers here (Score:2, Interesting)

    by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Thursday April 30, 2009 @06:35PM (#27780211) Homepage Journal

    It depends. Did anyone successfully sue Bridgestone for their exploding SUV tyres for manslaughter? That's infinitely more direct and far more culpable, so if it failed in a case like that, it would almost certainly fail in a virus case.

  • Re:Old Computers (Score:5, Interesting)

    by BSAtHome ( 455370 ) on Thursday April 30, 2009 @06:36PM (#27780223)

    Medical equipment has a very long lifespan. Many devices for measurement and monitoring are used for 10 to 20 years before replacement. The general policy is "if it works, don't fix it and, more importantly, do not touch it".
    The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.

  • Re:Any lawyers here (Score:3, Interesting)

    by Wrath0fb0b ( 302444 ) on Thursday April 30, 2009 @06:40PM (#27780279)

    Yes, but you would have to prove a fairly strong ("proximate") causal link between the virus and the death. It's not enough to say "Well, the MRI machine was down because the tech was cleaning it and if we had gotten him scanned earlier we'd have seen a huge tumor but instead he died"; it would have to be "the MRI machine was infected with the virus and gave us wrong results so we opened his heart for nothing and he died on the table".

    See http://en.wikipedia.org/wiki/Proximate_cause

  • Re:Old Computers (Score:5, Interesting)

    by painandgreed ( 692585 ) on Thursday April 30, 2009 @06:47PM (#27780387)

    It's not like they can just upgrade the computer. The computer is running software that goes with specialized equipment. They'd have to upgrade everything if they upgraded anything and with that you could easily be talking millions of dollars. That might not be really needed as the machine should run just as well as it did when they bought it if it hasn't broken. If it's a smaller hospital, they might not have the budget to replace non-broken machines that still perform within needed specs, especially in this economic climate. Add in that some of these machines need to be FDA tested and are only supported by the manufacturer and that makes it even more expensive and harder to upgrade. Then, on many of these machines, the users might not even know they're running on NT4 as the software they run takes up the entire screen and they never actually interact with Windows at all.

    I work in healthcare and I'm not surprised at all. Within the last year we just got rid of a Win95 system that was still talking over Novell networking, our Vax system, and a bunch of Sun SPARC stations. We still have plenty of Win2k and probably some WinNT4 around. We also have one of the most advanced setups in the country, but legacy systems still exist for lots of reasons. First off, if it still works, management is not likely to want to get rid of it unless you make a good case for a good ROI. They're all old and aren't used to replacing major hospital systems that aren't broken, especially if the new system doesn't offer any advantages. Budgets are always a problem because if the department isn't bringing in enough money to warrant new equipment, they might not get it. Then there are the vendors. Perhaps GE, Fuji, or Cerner are happy with their old system or want to sell you lots of stuff you don't want or need to replace one bit that is still running on old server tech just fine, so you effectively can't upgrade even if you wanted to.

  • by radtea ( 464814 ) on Thursday April 30, 2009 @06:50PM (#27780449)

    For that matter, why is it running a general-purpose OS like Windows?

    Ease of development, particularly UI support for rich user interaction and feedback.

    Most medical systems I've worked on have two OSes: a relatively hard realtime system that's really close to the hardware, and a second system (Linux or Windows) that's close to the user. For some applications the general purpose OS is used as a soft realtime system and talks to all the hardware via USB or a framegrabber. Only very simple systems are pure embedded these days.

    Given the complexity of computing that some of these machines do this makes perfect sense: an embedded, realtime OS is just not what you want to be dealing with when trying to develop richly representational software. Think imaging systems and computer-assisted surgery systems, which often have a lot of analysis and image processing built in, including heavy user interaction, in realtime, in the OR.

    Intra-op ultrasound is routine in cardiac surgery (and yes, sometimes systems hang and have to be rebooted while the patient is on the table with their heart stopped...) Intra-op fluoroscopy is routine in some procedures as well, particularly in ortho.

    The problem is that people have come to expect features that can't be easily delivered without a general purpose OS, and the issues that come with that are pretty much invisible to anyone who would be likely to scream about it, including the FDA. Users get used to periodic failures and work around them, just like desktop users do.

  • by peragrin ( 659227 ) on Thursday April 30, 2009 @07:02PM (#27780623)

    What part of 10 year old equipment didn't you understand? What part of Win NT and Win 2K makes you think the hardware can even run anything newer?

    At that time you're looking at Red Hat 5. Think about it. Linux wasn't ready back then for mission critical stuff.

    At best they could have gone with OS/2 warp.

  • by altek ( 119814 ) on Thursday April 30, 2009 @07:11PM (#27780731) Homepage

    I don't necessarily "think it's OK". I didn't write an editorial, I just outlined why this is what it is, as it seemed a lot of the commenters were underinformed on what the article is referring to.

    Also, as per usual, the media uses sensationalist wording. Most of the "medical devices" in question here are not something attached to your body where you will die if it crashes. Most of what this is referring to are clinical workstations used for doing all sorts of work related to medical care. For example, a workstation that interfaces to some sort of scanner to set up and initiate a scan. Or a workstation that crunches data that comes off some piece of medical hardware. Most devices that physically touch you and control something which can harm a person are coded in hardware, not Windows, and have hardware in place to prevent such a thing from harming someone.

    Please realize that the FDA must approve ANY piece of hardware that comes in contact with a human and the process is EXTREMELY restrictive and scrutinizing (and expensive). It's actually one gov't institution that I feel really does protect people in a lot of ways.

  • by setagllib ( 753300 ) on Thursday April 30, 2009 @07:15PM (#27780795)

    If the support contract doesn't include tested and managed security updates, it's not really support is it?

  • Re:Old Computers (Score:5, Interesting)

    by Mazcote Yarquest ( 1407219 ) on Thursday April 30, 2009 @07:39PM (#27781097)
    Indeed, I work for an OEM on the imaging (X-Ray) side of the house. My system(s) do get patched regularly. The users are given specific instruction not to "Surf the web".

    These systems are usually on a network segment dedicated strictly to imaging, yet somehow I manage to find all fashion of viruses (most recently Conficker), games and saved email attachments on the Desktop.

    The FDA is very strict about how these systems are to be upgraded and serviced, but patching is a non-issue.

    My company has a simple solution to the virus issue though: if the network admin allows the cluster to get infected, we will gladly remove the infection, for a price.

    If I only had a penny for every time I have heard "It's not my network, check your equipment".
  • by Anachragnome ( 1008495 ) on Thursday April 30, 2009 @08:38PM (#27781603)

    The above post is accurate about the car analogy.

    From my own experience, auto-manufacturers took it a step further and only made PARTS of the car with built in obsolescence. Then they buried that part under 30 other ones. That way they get the repair cost MUCH higher. A simple $10 part can cost you (at the dealership, of course) $1000 to get to and replace, the Ford Ranger/Explorer clutch slave cylinder INSIDE the transmission bellhousing...$30 part, $500 job, being a good example (most manufacturers put it on the outside). It also discourages the "shade-tree mechanics" from doing their own work.

    But what you say is mostly correct. The REAL problem is that they've been at it so long, people think that a car that only lasts 5-6 years is NORMAL. They've been conditioned to it. People will not know what to do with a car that lasts 25 years, nor be happy with it. It's all about "new", or so we are told by the auto companies.

    All that being said, the OP isn't being overly cynical, in my opinion. That shit happens ALL the time, and I see no reason it shouldn't in the IT field.

  • by Locutus ( 9039 ) on Thursday April 30, 2009 @08:51PM (#27781711)

    Let me get this straight, we know Microsoft drops support for its OSes and that includes security patches, yet hospital equipment manufacturers are loading Windows on equipment costing millions? Come on folks, what's wrong with this picture.

    At least with open source, the equipment manufacturer can backlevel a patch or hire someone to do this. They can't do this with Windows or it costs too much for them to do it. I can't imagine getting source access to an unsupported OS is something Microsoft wants. If they don't want it, they price it off the market.

    So is anyone in the press bringing up the issue of companies embedding Windows in products which are expected to last more than 10 years like MRI machines and other hospital equipment? This isn't your standard corporate IT department that keeps throwing away good hardware every three to five years.

    It's plain and simple, Windows is unsafe and unsupportable in any long life application.

    LoB

  • Re:Old Computers (Score:3, Interesting)

    by ceoyoyo ( 59147 ) on Thursday April 30, 2009 @09:07PM (#27781849)

    Windows isn't usually used for anything absolutely critical. Still, when your MR scanners go down because of a worm even if it doesn't kill anyone directly it may lead to deaths due to missed diagnoses.

  • by synthespian ( 563437 ) on Thursday April 30, 2009 @09:43PM (#27782167)

    Here's a vaccine: use Unix and Unix-like systems. No medical device should be running Windows. You do see stuff with Unix, such as some CT scans, but the way Microsoft's marketing is strong, you see a lot of stuff on Windows. Also, because it allows for easy installation on a widespread platform.

    Here's a big opportunity for open-source developers: ship the whole thing, computer, OS, *and* your image analysis software for microscopy - or whatever (of course, the ugly part for Linux is the GPL - but then there's always a choice of BSD or Solaris).

    BTW, how come retarded managers get to choose Windows for medical devices, and the NYSE sticks to Linux for their systems? Answer: because there is a shitload of money in the NYSE and big fish at the sea and they can't afford retards managing their IT infrastructure.

    On another note, I suspect things are even worse in other corners of the world. For instance, a couple of weeks ago I was having a coffee with the guy responsible for major IT infrastructure in the government health sector (this in Brazil, and I'll not disclose specific info), and he told me a horror story of how they run very old, unpatched software, that they *can't possibly* upgrade because, as these things go in the developing world, the budget wasn't always there when they needed, so they missed upgrades, and to upgrade the things, they can't just go from, say, version 5 to 7, because Microsoft doesn't work that way...BTW, the guy - a top manager - was clueless regarding, say, OpenBSD. He just bought pre-packaged Microsoft shite. How sad...He did mention that TCO for Linux was higher, because of lack of specialized workers (as opposed to a legion of incompetent sysadmin wannabes we see all the time in the Free Software meetings), and that they had made a half-assed attempt once.

    OTOH, the public health sector should run open source software for security reasons. Period. If .mil does, why doesn't .gov?
