Malware Is 'Rampant' On Medical Devices In Hospitals

[Sionyn]

Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable. While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion. [He said], 'Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.' ... Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed.

http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices/

[westfw]

Various pieces of EE lab equipment (scopes, logic analyzers, device programmers, label printers) that happen to be running windows "under the hood" are also at significant risk.  They frequently run older ("stable") versions of windows, without updates that might lead to incompatibility with the hardware, and they frequently bypass any administrative controls that an IT department might have had in place.

[akcoder]

I work for the division of a hospital that manufactures a commercial medical device (an MDDS). Our device runs ontop of Windows XP. And given that we have actually spent the significant amount of time required to really lock down the OS, just about every permission imaginable has been stripped away from the user our device runs under, it surprises me that the likes of GE, Bosch, Fujitsu, etc can't/won't spend the time to create a locked down system so things like this aren't a problem. Just my two cents...

-dan

[poptones]

How ironic. You spend all that time to "lock it down" so now can you patch it? Because if you can't, all one really needs to do is put it on a network, sit back, and watch it get owned.

[snoopen]

Does locking down the OS like that really help that much though? I would have thought the attack vectors used by such malware would exist outside of typical OS user permission domain. Unless you're also talking about booting from read only media and running the OS in a RAM disk? I'd imagine that even that method would be open to exploitation if there was non-volatile read-write storage. Maybe I'm thinking too much into this?

[jeremy]

I study in this area. As someone who has messed around with computers my entire life, I have absolutely no idea why anyone ever thought it would be ok to connect this stuff to the internet. Even if it was custom firmware on a processor with signed binaries, still makes me uncomfortable; the titanic was unsinkable right?

[jucole]

It doesn't surprise me;  they should make the company who installed the problematic device / system to sort it out. 

I hate this phrase but it's pretty true -  crap in, crap out!

[Dago]

I absolutely have to post this link: http://www.scmagazine.com.au/News/319508,hacked-terminals-capable-of-causing-pacemaker-mass-murder.aspx

What about heart pacemakers with no security at all? It would be trivial to make a "virus" that spreads from a pacemaker to pacemaker and activates at the same time... Talk about scary.

[ptricks]

I study in this area. As someone who has messed around with computers my entire life, I have absolutely no idea why anyone ever thought it would be ok to connect this stuff to the internet. Even if it was custom firmware on a processor with signed binaries, still makes me uncomfortable; the titanic was unsinkable right?

Exactly!
I hate the current mentality that everything should be connected to the internet, I am waiting for someone to announce the digital tongue depressor that uploads how much pressure the doctor uses to hold down the tongue to the cloud.

One thing that gets me upset is the news media, they report anything that gets a virus anywhere as the end of the world, especially this non sense about the military systems are in danger, they will take control of the power grid, etc. These type of systems remain disconnected from any outside network, some places do not even allow an internet connected pc in the building, not even a cell phone.   It isn't hard to prevent malware on a corporate system, disconnect the outside access physically from the outside world and have specific pc that connect to the internet but not the internal network, and no, software solutions are not good enough, it needs to be physical.

One of the best systems I have seen is one used at a local nuclear power plant, it is capable of sending data out over the internet, but cannot receive data. Internally the internet connection is changed to a RS-422 connection and the internal computers that send data do not have the receive wires connected, just the transmit !

[PbFoot]

As a former medical device technician, my opinion is that Windows is not a viable OS for any type of medical device. I would like to see an OS developed specifically for use in medical devices that was designed from the outset to prevent malware infection, as well as other reliability features.

However, the market dictates that everything be as cheap as possible, an I don't expect that there will be any change in this any time soon. It would take a mass catastrophe to change anything, and even then I am not sure it would happen.

-PbFoot

[bullet308]

This looks like a job for Linux-man!!!!

Seriously, would this not resolve a *whole* bunch of problems here? It would pretty much make the problem of incidental infections go away, in any case...

[Sionyn]

Journalist: Let’s imagine a hospital where life support systems are running Vista. Would you trust it with your life?

Bill Gates: Security has been the top priority for Microsoft for quite some time and that’s why I put out a key call for us to focus on that in a very big way over three years ago, and that’s why we’ve made investments like having people from Gecad ( Romanian company ) join on the security action from Microsoft. The answer to your question is that, absolutely, Vista is the most secure operating system we’ve ever done, and if it’s administred properly, absolutely, it can be used to run a hospital or any kind of mission crytical thing. But it’s not as simple as saying “If you use Vista, that happens automatically”. The issues about patient records and who should be able to see them, the issue about setting up a network, so that authorized people can connect up to that hospital network, the issue about having backup power, so that the computer systems can run even if the generators go down. There are a lot of issues to properly set up that system, so that you have the redundancy and the security walls to make sure it fullfils that very crytical function. So we are working with partners to raise their skills to make sure that when get involved in an installation like that they can make it secure. So I feel better about Vista than any other operating system, but there’s a lot of things that need to be done well, and we’re certaintly committed to step up and make sure these security issues are ieasier and better understood.

[SeanB]

If you take XP and strip it down to run embedded you have a limited user, a locked administrator and no extra software. No flash, no viewers and nothing that is not needed for the embedded system to operate and connect. Smaller attack surface, and you have locked off all of the common escalation methods as the handlers are not there or just return when called ( better, or you trap an exception and force a reboot). Updates are then overwriting the entire hard drive with a prebuilt and tested image, you can preserve settings and documents by using a separate partition to store that, and doing sanity checks when you read the data to weed out out of range attacks.

With this actually it makes little difference between using XP, Unix or Linux, as you have stripped all extra cruft out and locked down the system. Users may complain, but you have to make it look just like an appliance to them. You will even strip out support for non supplied hardware, and limit the USB to the components and drivers you supply.

[TheWelly888]

I work in a hospital as a medical equipment technician and I can assure everyone that NO life support medical equipment ( eg anaesthetic machines, ventilators, syringe drivers, volumetric pumps ) uses Windows PCs to work - each such system have their own software/firmware developed by the manufacturer.

Those that do use Windows are only used for diagnostics ( eg ultrasound image processors ) which will not cause immediate harm should the OS crash.

[Neilm]

I hate the current mentality that everything should be connected to the internet, I am waiting for someone to announce the digital tongue depressor that uploads how much pressure the doctor uses to hold down the tongue to the cloud.

I was involved in the development of a tester that could be plugged into a companies intranet. Every thing was hooked up and worked, most of the work in the software was done.

First units were sent out for trial. First feedback - "Your unit outputs 100kV so we are not going to trust it plugged into out network". The only point that was unanimously agreed upon.

Neil

[Sionyn]

blimey

[akcoder]

Does locking down the OS like that really help that much though? I would have thought the attack vectors used by such malware would exist outside of typical OS user permission domain. Unless you're also talking about booting from read only media and running the OS in a RAM disk? I'd imagine that even that method would be open to exploitation if there was non-volatile read-write storage. Maybe I'm thinking too much into this?

Our stuff doesn't run off a RAM disk because we need to write data locally and have that data persist in case of a sudden loss of power.

But the only things that run on our image are things that are absolutely required to make the thing work. Just about every service is turned off. Hell, even calc.exe has been stripped off :-)

-dan

[akcoder]

How ironic. You spend all that time to "lock it down" so now can you patch it? Because if you can't, all one really needs to do is put it on a network, sit back, and watch it get owned.

We do indeed. We use home-grown software to push out patches. The patches are all cryptographically signed by a minimum of two people on the authorized signers list. We use this process to push out os patches and upgrades to our software.

-dan

[akcoder]

This looks like a job for Linux-man!!!!

Seriously, would this not resolve a *whole* bunch of problems here? It would pretty much make the problem of incidental infections go away, in any case...

While that may be true, in the arena I operate in (integrating devices from multiple vendors into a acquisition kiosk) almost none of the devices we integrate have linux drivers. And we can't write the drivers for these devices without taking on a metric ton of liability and regulation from the FDA.

For example, one of the devices we acquire data from is an EKG. Which IIRC is a "class 3" medical device, the most restrictive classification. If we were to even try and parse their data stream, that would make our kiosk into a class 3 device. That is not a road we want to go down. So our solution is to capture there data and store it. But then call into the vendors SDK and have it generate a PDF output that can be displayed to the end user.

-dan

[saturation]

10+ years ago I was part of systems management for healthcare involving many thousands of devices.

Healthcare networks are segmented into multiple rings, tiers, and subnets, all of which can be isolated from individual to groups to contain malware.

Software monitors traffic and if a pattern of uncommon output occurs, anything from a single workstation or device to any part of the network, can be rapidly disconnected.  Security response occurs in seconds.  The key is the automated monitor, which is proprietary but available to institutions.

99.99% of patient care electronics like cardiac monitors or a dialysis machine, have their OSs akin to firmware.  Now, if the devices used in the article described have r/w capability to its firmware or OS, that is a security risk from the manufacturer, and was a poor choice by the purchaser. 

Devices and workstations in any institution typically have >2x more than actually used,  even more in reserves and stand alone, so those taken down by a fault or malware can be replaced in seconds.   So, the article commenting that a failure in a workstation could have led to patient harm seems like they have serious procedural issues for the hospital in that article.

Finally, malware events are reportable on case by case basis to the FBI or similar entities for further investigation to insure no holes are left open that require plugging, at least from a due diligence perspective. 

Note, the security procedures were designed to be independent of the OS and was designed to keep malware from spreading.  But if its localized to one machine like a keylogger or spyware, it will not be detected by the system, but it also does not take the workstation down, it may be difficult to find without local users suspicion and if it passed the central and local malware screening software.

In the end, I guess the gist of the article is that the FDA should be part of the monitoring loop.  But I would disagree that this event is 'rampant'.

In the USA liability is a big thing; multimillion dollar lawsuits from families of wrongful death or harm caused by errant electronics in healthcare is an opportunity for a country full of lawyers, that alone plus the FDA keep the manufacturers on their toes. 

[poptones]

Seriously, would this not resolve a *whole* bunch of problems here? It would pretty much make the problem of incidental infections go away...

Not if you can't patch it. You think there are no known attack vectors for linux?

The strong suit of linux is the many eyeballs and the rapidity with which serious problems tend to be addressed. That doesn't mean there are no attack vectors present. If you put a server on the net, and you never patch it, you're going to be owned no matter if that server runs apache on linux or iis on windows.