Hospital Equipment Infected With Conficker

timothy posted more than 5 years ago | from the would-never-happen-with-electronic-medical-records dept.

Security 289

nandemoari writes "Recently, the Conficker/Downadup worm infected several hundred machines and critical medical equipment in an undisclosed number of US hospitals. The attacks were not widespread; however, Marcus Sachs, director of the SANS Internet Storm Center, told CNET News that it raises the awareness of what we would do if there were millions of computers infected in hospitals or in critical infrastructure locations. It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access. A patch was released by Microsoft last October that fixes the problem, but the computers infected were reportedly too old to be patched."

289 comments

Old Computers (1)

Jesterace (914041) | more than 5 years ago | (#27779905)

I'm surprised that NT4 is still run. But then again I often see it running on older equipment in stores, call centers and hospitals I guess.

Re:Old Computers (5, Interesting)

BSAtHome (455370) | more than 5 years ago | (#27780223)

Medical equipment has a very long lifespan. Many devices for measurement and monitoring are used for 10 to 20 years before replacement. The general policy is "if it works, don't fix it and, more important, do not touch it".
The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.

Re:Old Computers (4, Insightful)

causality (777677) | more than 5 years ago | (#27780647)

Medical equipment has a very long lifespan. Many devices for measurement and monitoring are used for 10 to 20 years before replacement. The general policy is "if it works, don't fix it and, more important, do not touch it". The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.

Doesn't Microsoft itself say (perhaps in the EULA disclaimer) that its operating systems were not intended to be used in this sort of mission-critical capacity? That could of course have a very narrow definition, something along the lines of "don't ever use it to operate that iron lung but maybe use it so the receptionist can run MS Office" but if that were the case, then this would be a mere nuisance and not such a real problem. That is, in that case there'd be nothing special about the fact that the affected institution happened to be a hospital beyond the fact that it sounds bad. Because of that, I really get the impression that they were using the wrong tool for the job.

Re:Old Computers (5, Insightful)

Anonymous Coward | more than 5 years ago | (#27780693)

The biggest issue here is that Medical Equipment has to be run through an FDA Validation process. If you make changes to the system, you have to revalidate, and Validation takes months and $100K's. So the vendors leave them as-is.

What's frustrating is that these systems need to be on a LAN, since they need to report their results to other clinical systems. So these small islands need to be linked to other islands, and eventually, someone screws up and links an island with an Internet connection . . . .

Re:Old Computers (5, Interesting)

Mazcote Yarquest (1407219) | more than 5 years ago | (#27781097)

Indeed, I work for an OEM on the imaging (X-Ray) side of the house. My system(s) do get patched regularly. The users are given specific instruction not to "Surf the web".

These systems are usually on a network segment dedicated strictly to imaging, yet somehow I manage to find all fashion of viruses (most recently Conficker), games and saved email attachments on the Desktop.

The FDA is very strict about how these systems are to be upgraded and serviced but patching is a non issue.

My company has a simple solution to the virus issue though: if the network admin allows the cluster to get infected, we will gladly remove the infection, for a price.

If I had only had a penny for every time I have heard "It's not my network, check your equipment".

Re:Old Computers (2, Insightful)

Jeremy Erwin (2054) | more than 5 years ago | (#27781113)

The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.

Shouldn't they be using OpenBSD, then?

Re:Old Computers (1)

Anonymous Coward | more than 5 years ago | (#27781119)

Medical equipment has a very long lifespan. Many devices for measurement and monitoring are used for 10 to 20 years before replacement. The general policy is "if it works, don't fix it and, more important, do not touch it".

If it's running Windows it probably never worked in the first place, so the point is moot.

[/humour]

Re:Old Computers (5, Interesting)

painandgreed (692585) | more than 5 years ago | (#27780387)

It's not like they can just upgrade the computer. The computer is running software that goes with specialized equipment. They'd have to upgrade everything if they upgraded anything, and with that you could easily be talking millions of dollars. That might not be really needed, as the machine should run just as well as it did when they bought it if it hasn't broken. If it's a smaller hospital, they might not have the budget to replace non-broken machines that still perform within needed specs, especially in this economic climate. Add in that some of these machines need to be FDA tested and are only supported by the manufacturer, and that makes it even more expensive and harder to upgrade. Then, on many of these machines, the users might not even know they're running on NT4, as the software they run takes up the entire screen and they never actually interact with Windows at all.

I work in healthcare and I'm not surprised at all. Within the last year we just got rid of a Win95 system that was still talking over Novell networking, our VAX system, and a bunch of Sun SPARC stations. We still have plenty of Win2k and probably some WinNT4 around. We also have one of the most advanced setups in the country, but legacy systems still exist for lots of reasons. First off, if it still works, management is not likely to want to get rid of it unless you make a good case for a good ROI. They're all old and aren't used to replacing major hospital systems that aren't broke, especially if the new system doesn't offer any advantages. Budgets are always a problem, because if the department isn't bringing in enough money to warrant new equipment, they might not get it. Then there are the vendors. Perhaps GE, Fuji, or Cerner are happy with their old system, or want to sell you lots of stuff you don't want or need to replace one bit that is still running on old server tech just fine, so you effectively can't upgrade even if you wanted to.

Virus writers in the pay of computer sellers? (2, Insightful)

Nefarious Wheel (628136) | more than 5 years ago | (#27781003)

Sometimes I wonder if the writers of viruses aren't secretly in the pay of computer sales organisations, or even manufacturers. After all, isn't the common message "you need to keep your software up to date"?

It's extremely cynical of me perhaps, but I wonder if this isn't some type of pernicious planned obsolescence. Some car makers for many years deliberately made cars to last 20,000 hours (pure folklore, overheard) because they needed cars to fail after a few years to keep the volume of new car sales going.

Wouldn't the same principle work with computers? Something has to make them fail over time or people will make do with the old. Unfortunate that this means NT4 boxes in hospitals might get people killed, but when have the truly greedy ever really cared?

Re:Virus writers in the pay of computer sellers? (1)

maxume (22995) | more than 5 years ago | (#27781161)

Maybe. The problem with your theory is that most corporations are happy to operate on a 3 year schedule, and most home users don't care if stuff doesn't last 5 years (and they really don't want to pay for 10).

Well... (4, Funny)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#27779911)

I guess that's the other meaning of "Nosocomial infection"...

Re:Well... (1)

idontgno (624372) | more than 5 years ago | (#27780625)

And here I am with no mod points.

Mods, this is +1 Insightful as well as +1 Funny. Please vote appropriately.

Does it bother anyone else..... (0)

netruner (588721) | more than 5 years ago | (#27779927)

Does it bother anyone else that "critical medical equipment" was running Windows NT or 2000? Don't get me wrong - I like to bash MS as much as the next /.'er but XP is almost to sunset - Shouldn't they be running something a little newer?

Re:Does it bother anyone else..... (4, Insightful)

Dyinobal (1427207) | more than 5 years ago | (#27779973)

Newer isn't always better.

Re:Does it bother anyone else..... (1)

Feanturi (99866) | more than 5 years ago | (#27780073)

In fact, it rarely is. If their existing OS, which is likely running custom software specific to this equipment, is still doing what it needs to do for them, what need do they have to switch? They certainly don't need to be able to play the latest games or anything superfluous like that. Why risk breaking compatibility on a tried and tested mission-critical system? How many businesses do you know of that switched to Vista the moment it came out? If you do know any, you know they're pretty dumb, don't you?

Re:Does it bother anyone else..... (4, Insightful)

setagllib (753300) | more than 5 years ago | (#27780213)

Why risk having security vulnerabilities on a tried and tested mission-critical system? They should have gone with Linux or BSD from the start and had virtually guaranteed upgrade compatibility from that point on, with plenty of commercial support options.

Re:Does it bother anyone else..... (4, Interesting)

peragrin (659227) | more than 5 years ago | (#27780623)

What part of 10 year old equipment didn't you understand? What part of Win NT and Win 2K makes you think the hardware can even run anything newer?

At that time you're looking at Red Hat 5. Think about it: Linux wasn't ready back then for mission critical stuff.

At best they could have gone with OS/2 warp.

Re:Does it bother anyone else..... (0)

Anonymous Coward | more than 5 years ago | (#27781385)

What part of 10 year old equipment didn't you understand? What part of Win NT and Win 2K makes you think the hardware can even run anything newer?

At that time you're looking at Red Hat 5. Think about it: Linux wasn't ready back then for mission critical stuff.

At best they could have gone with OS/2 warp.

QNX, VxWorks.

QNX 4 (1994?) had GUI capabilities, a POSIX API at the time as well AFAIK (if you wanted to use it), and it's still supported with patches from what I can tell on the web site.

2K maybe, but I would not have put NT on any mission critical system from my experiences with it.

Re:Does it bother anyone else..... (1)

sexconker (1179573) | more than 5 years ago | (#27780717)

They would still have been unable to upgrade/patch/etc.

The issue is the support contracts say "DO NOT TOUCH!".

Re:Does it bother anyone else..... (3, Interesting)

setagllib (753300) | more than 5 years ago | (#27780795)

If the support contract doesn't include tested and managed security updates, it's not really support is it?

Re:Does it bother anyone else..... (1)

courtjester801 (1415457) | more than 5 years ago | (#27780155)

Exactly; look at the Hubble telescope and its 486s. It's not the processors that are causing it to fail over time, they're still chugging along.

Re:Does it bother anyone else..... (2, Funny)

interkin3tic (1469267) | more than 5 years ago | (#27780869)

Newer isn't always better.

I disagree, think of how much better those machines would be running if they used vista!

Re:Does it bother anyone else..... (0)

Mr. Freeman (933986) | more than 5 years ago | (#27780023)

What does "newer" have to do with anything? What about "functional"? God forbid these things were running Windows Vista. Newer, yes. Functional, nope.

Re:Does it bother anyone else..... (3, Interesting)

Anonymous Coward | more than 5 years ago | (#27780055)

All versions of Windows (and Linux) are way too complex to ever be 100% bug-free. They should be running DOS.

Re:Does it bother anyone else..... (2, Insightful)

miggyb (1537903) | more than 5 years ago | (#27781157)

Why are you getting modded as "Funny?" That's the first thought I had. Shouldn't heart monitors and MRI machines have an embedded OS of some sort? MRIs are more complex, but (AFAIK) things like heart monitors do one thing and one thing only.

Re:Does it bother anyone else..... (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27780079)

A family member was in an intensive care unit and was hooked up to a machine that would monitor them for seizures.

In addition to a bunch of electrodes and other monitoring devices there was a web cam.

I looked at the screen and saw the Win XP task bar (pretty sure it was XP not win 2k but it was a while ago). It was a shock to see it and caused me some concern, but since it was just monitoring software, not as critical as the other systems in the room and the unit's layout made the bed viewable from the nurse's station, it wasn't a big deal.

Had the respirator shown an XP toolbar I would have made a stink.

NT and win2k have always appeared to be fairly stable for me. More so than XP in my experience.

Re:Does it bother anyone else..... (4, Interesting)

Brett Buck (811747) | more than 5 years ago | (#27780089)

Does it bother anyone else that "critical medical equipment" was running Windows NT or 2000? Don't get me wrong - I like to bash MS as much as the next /.'er but XP is almost to sunset - Shouldn't they be running something a little newer?

For a life-critical system they probably shouldn't be running ANY version of Windows. But once you get past that issue, if you have tested it sufficiently to permit people's lives to depend on it, retesting it to the same standards on first Win2000 and then XP is a non-trivial effort, and might not even be possible without massive changes. So you would be sorely tempted to leave it alone. Presumably, since it's the same code, it doesn't need any more "features" or performance. So porting it provides no value.

A better question is whether or not it's a good idea to have the damn thing hooked up to the internet so it could *get* Conficker in the first place! Well, actually, that's not a question, since it's obvious...

Brett

Re:Does it bother anyone else..... (1)

moderatorrater (1095745) | more than 5 years ago | (#27780465)

A better question is whether or not it's a good idea to have the damn thing hooked up to the internet so it could *get* Conficker in the first place! Well, actually, that's not a question, since its obvious...

The computers that were infected weren't hooked to the internet, they were hooked to a network that was hooked to the internet. The other equipment was probably either connected to an infected computer at some point, hooked into the same network, or some combination of similar things.

Seems to me that equipment of this type should be running on software that's been written from the ground up to be secure and crash-proof. Using any out-of-the-box software is asking for trouble since you can't control the code and it's going to provide features that the equipment doesn't need. Any of those unnecessary features could easily cause crashes or security concerns. The equipment should only accept input that's exactly what it's expecting and reject anything else.

Re:Does it bother anyone else..... (1)

Brett Buck (811747) | more than 5 years ago | (#27780721)

Agreed, I don't see how anyone could convince themselves that they have actually tested it sufficiently if it's running on Windows (or any other consumer-level OS). But once you have it on one version, and never change it, at least you haven't introduced any other variables, i.e. at least it's not a moving target.

Brett

Re:Does it bother anyone else..... (1)

zonky (1153039) | more than 5 years ago | (#27780743)

Seems to me that equipment of this type should be running on software that's been written from the ground up to be secure and crash-proof.

I'm intrigued by your implication that windows, or any other OS wasn't written with these goals in mind. Perhaps, it's just not quite so easy to achieve?

Re:Does it bother anyone else..... (1)

sexconker (1179573) | more than 5 years ago | (#27780755)

"The computers that were infected weren't hooked to the internet, they were hooked to a network that was hooked to the internet."

So, they were hooked up to the internet.

Physical separation people. It's the ONLY way.

Re:Does it bother anyone else..... (1, Insightful)

causality (777677) | more than 5 years ago | (#27780761)

The computers that were infected weren't hooked to the internet, they were hooked to a network that was hooked to the internet.

I don't mean to nitpick, but what's the difference? Your ISP has a network that's hooked to the Internet and you connect your computer to it in order to have Internet access. Seems to me that the basic routing functionality of IP guarantees that there is no meaningful difference there, at least not unless you have some carefully-planned firewall rules in place and even then ...

Re:Does it bother anyone else..... (1)

tagno25 (1518033) | more than 5 years ago | (#27780845)

The computers that were infected weren't hooked to the internet, they were hooked to a network that was hooked to the internet. The other equipment was probably either connected to an infected computer at some point, hooked into the same network, or some combination of similar things.

Being hooked up to a network that is hooked up to the internet (an insanely large network) is being hooked up to the internet! Anyway, the network that the medical equipment is on should be a closed system with no computers that were ever connected to the internet.

Re:Does it bother anyone else..... (1)

layer3switch (783864) | more than 5 years ago | (#27781057)

they were hooked to a network that was hooked to the internet.

So essentially they were on the same switched network, or the medical hosts were segmented by VLAN with probably IP packet filtering at the gateway. Sounds like a poor design and a really poor security policy if Conficker can push NetBIOS propagation out to the medical hosts' network regardless of whether the bridging network has access to the internet or not.

The main point should be the fact that the network design and security model is defective in this case, not what OS is running or what software it's running on top of what OS. There is no foolproof OS known to mankind as of yet, and I highly doubt medical device manufacturers can do any better at developing OS/software than software companies. And I hate when I have to defend Microsoft on this, but there is no proof that Windows OS is inherently unstable when it's in use by medical devices.
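
The summary's point (a device LAN that "wasn't supposed to be Internet accessible" but was bridged to one that was) and the segmentation policy the comment above describes can be checked mechanically. The following is an added example, not code from the Slashdot thread or from any vendor: it audits exported flow records against a simple policy for an isolated device segment (only result reporting may leave it, nothing may initiate connections into it, SMB/NetBIOS inside it is flagged as worm-style lateral movement) and emits the matching gateway rules. The subnets, the results server, the HL7/MLLP port, the `iptables` gateway and the flow lines are all constructed assumptions.

```python
"""Audit flow records against a device-LAN segmentation policy.

Added example; the subnets, hosts, ports and flow lines are constructed
assumptions, not taken from the article or any real hospital network.
"""
import ipaddress

# Assumed layout: an isolated device LAN and one results server on the
# general hospital LAN.
DEVICE_NET = ipaddress.ip_network("10.20.0.0/24")
RESULTS_SERVER = ipaddress.ip_address("10.10.5.10")  # assumed HL7 receiver
RESULTS_PORT = 2575                                   # assumed MLLP listener

# Ports Conficker used to spread: SMB over TCP 445 (MS08-067) and NetBIOS.
WORM_PORTS = frozenset({137, 138, 139, 445})


def parse_flow(line):
    """Parse 'src dst proto dport' (constructed format) into a tuple."""
    src, dst, proto, dport = line.split()
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            proto.lower(), int(dport))


def classify(src, dst, proto, dport):
    """Return 'ok', 'deny' or 'lateral' for one flow.

    deny    - crosses the device-LAN boundary in a way the policy forbids
    lateral - stays inside the device LAN but uses a worm propagation port
    ok      - permitted, or does not touch the device LAN at all
    """
    src_in, dst_in = src in DEVICE_NET, dst in DEVICE_NET
    if src_in and dst_in:
        return "lateral" if dport in WORM_PORTS else "ok"
    if src_in:
        # Only result reporting to the one known server may leave the LAN.
        permitted = (dst == RESULTS_SERVER and proto == "tcp"
                     and dport == RESULTS_PORT)
        return "ok" if permitted else "deny"
    if dst_in:
        # Nothing on the outside initiates connections into the device LAN.
        return "deny"
    return "ok"


def audit(lines):
    """Return [(line, verdict)] for every flow that is not 'ok'."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        verdict = classify(*parse_flow(line))
        if verdict != "ok":
            findings.append((line, verdict))
    return findings


def gateway_rules():
    """iptables FORWARD rules for the gateway between the two segments
    that enforce the same policy (assumed Linux gateway; illustrative)."""
    net, srv, port = DEVICE_NET, RESULTS_SERVER, RESULTS_PORT
    return [
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -s {net} -d {srv} -p tcp --dport {port} -j ACCEPT",
        f"iptables -A FORWARD -s {net} -j DROP",
        f"iptables -A FORWARD -d {net} -j DROP",
    ]


# Constructed flow records in "src dst proto dport" form.
SAMPLE_FLOWS = """
10.20.0.15 10.10.5.10 tcp 2575   # monitor reporting results: permitted
10.10.7.44 10.20.0.15 tcp 445    # hospital-LAN host reaching a device on SMB
10.20.0.15 10.20.0.16 tcp 445    # device to device on SMB: worm spreading
10.20.0.16 203.0.113.5 tcp 80    # device talking to the Internet
10.10.7.44 10.10.5.10 tcp 443    # does not touch the device LAN
""".strip().splitlines()


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:8} {line}")
    print()
    print("\n".join(gateway_rules()))
```

The second sample line is exactly the bridging case: the worm never needs the device LAN to reach the Internet, it only needs a host that can reach both. The `lateral` verdict matters even on a segment that is correctly isolated at the gateway, because once one device is infected by a USB stick or a service laptop, SMB between devices is how it spreads to the rest of the segment.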

Re:Does it bother anyone else..... (3, Interesting)

Smitty825 (114634) | more than 5 years ago | (#27780091)

In the medical industry, making even the smallest changes is often difficult. (I've heard stories of companies continuing to release medical software based on WinNT, and they will probably continue to do it.) When it comes to making changes to software (and hardware), there are lots of regulatory hurdles you need to meet. (The more "life-critical" a device is, the more stringent the regulations are) Obviously, it makes sense, because you don't want to go to the hospital today and find a Windows 7 Beta powered device responsible for your safety.

Also, many hospitals refuse to upgrade existing equipment to something newer. If it works, and it gets the clinicians the data they need to help the patient, then they don't want to take the risk of updating software/hardware.

Re:Does it bother anyone else..... (1)

Abreu (173023) | more than 5 years ago | (#27780685)

Obviously, it makes sense, because you don't want to go to the hospital today and find a Windows 7 Beta powered device responsible for your safety.

Sure, but you also don't want to go to the hospital today and find a Windows 3.11 powered device responsible for your safety.

Re:Does it bother anyone else..... (1)

StreetStealth (980200) | more than 5 years ago | (#27780105)

For that matter, why is it running a general-purpose OS like Windows? Anything upon which life-critical systems run should be a hardened, embedded system focused on the equipment's features and nothing else.

Am I the only one who shudders at the idea of Bonzi Buddy on a cardiac monitoring system?

Re:Does it bother anyone else..... (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#27780145)

Hey, that adorable purple ape has wonderful bedside manner!

Re:Does it bother anyone else..... (5, Interesting)

radtea (464814) | more than 5 years ago | (#27780449)

For that matter, why is it running a general-purpose OS like Windows?

Ease of development, particularly UI support for rich user interaction and feedback.

Most medical systems I've worked on have two OSes: a relatively hard realtime system that's really close to the hardware, and a second system (Linux or Windows) that's close to the user. For some applications the general purpose OS is used as a soft realtime system and talks to all the hardware via USB or a framegrabber. Only very simple systems are pure embedded these days.

Given the complexity of computing that some of these machines do this makes perfect sense: an embedded, realtime OS is just not what you want to be dealing with when trying to develop richly representational software. Think imaging systems and computer-assisted surgery systems, which often have a lot of analysis and image processing built in, including heavy user interaction, in realtime, in the OR.

Intra-op ultrasound is routine in cardiac surgery (and yes, sometimes systems hang and have to be rebooted while the patient is on the table with their heart stopped...) Intra-op fluoroscopy is routine in some procedures as well, particularly in ortho.

The problem is that people have come to expect features that can't be easily delivered without a general purpose OS, and the issues that come with that are pretty much invisible to anyone who would be likely to scream about it, including the FDA. Users get used to periodic failures and work around them, just like desktop users do.

Re:Does it bother anyone else..... (1)

angelwolf71885 (1181671) | more than 5 years ago | (#27780699)

He'd be dancing and playing his bongos to the beat of the heart. Agreed, that purple ape has a wonderful bedside manner.

Re:Does it bother anyone else..... (2, Informative)

Chirs (87576) | more than 5 years ago | (#27780157)

It bothers me that "critical medical equipment" was running Windows at all.

Re:Does it bother anyone else..... (1)

jd (1658) | more than 5 years ago | (#27780181)

Not necessarily newer, but certainly more robust (Windows 2000 is not something I'd consider reliable enough to be used in mission critical systems) and more secure (USB keys can carry viruses).

Usually, for something like that, as others have noted, you'd want a special-purpose OS or a very minimal layer on the hardware you can write apps directly to (e.g. L4, OSKit, or something like that).

Re:Does it bother anyone else..... (1)

dave562 (969951) | more than 5 years ago | (#27780241)

All medical devices have to go through a very stringent testing and approval process. The process is extremely costly. Even the slightest revision in a design spec can require a whole new series of retesting and recertification. Therefore what happens is that the manufacturers develop their devices using a certain piece of software and it stays on that piece of software. If you think about it, there isn't any need for a heart monitor to have internet access. The real problem is that the staff at the hospital obviously failed to follow the guidelines that were laid out for them by the manufacturer and/or their local IT department. I don't know about you, but I don't want my medical devices pulling down auto updates that might bork their functionality. As long as you're running Microsoft software on certified hardware with a known good set of drivers, the odds of a blue screen or other serious system problem are next to none. I'm not saying that you want to run your business on an NT4 server plugged into the internet. But for a medical device that should be stand alone, it isn't exactly a huge risk to be running Windows.

Re:Does it bother anyone else..... (1)

gbjbaanb (229885) | more than 5 years ago | (#27780309)

no, not at all. I know we've all been brainwashed into the 'must upgrade' way of thinking, but for many places once you have something working, don't touch it and it'll keep working.

So, no, many places run NT4, it was quite a good OS, before MS started adding 'value added features' to it.

Re:Does it bother anyone else..... (1, Informative)

Anonymous Coward | more than 5 years ago | (#27780415)

It's possible that they can't upgrade to a newer OS. To do so may require them to upgrade the modality attached to the OS. Hospital systems have to be validated to conform to FDA requirements, and the vendor just may no longer support that OS, and it's just not possible to do it in house.

Re:Does it bother anyone else..... (1, Insightful)

jcr (53032) | more than 5 years ago | (#27780633)

Does it bother anyone else that "critical medical equipment" was running Windows NT or 2000?

Of course it does. Building any medical equipment around an intrinsically unreliable system is about as irresponsible a decision as anyone could make.

-jcr

Any lawyers here (4, Interesting)

clarkkent09 (1104833) | more than 5 years ago | (#27779967)

So if a patient dies due to a (computer) virus and the virus writer gets caught can he be charged with manslaughter or something?

Re:Any lawyers here (3, Informative)

Ethanol-fueled (1125189) | more than 5 years ago | (#27780009)

Won't happen. Life-critical devices are embedded systems.

Re:Any lawyers here (1)

77Punker (673758) | more than 5 years ago | (#27780291)

Ever heard of embedded Windows? I've had a cheap GPS navigation system run Windows before.

Re:Any lawyers here (1)

Deanalator (806515) | more than 5 years ago | (#27780461)

The last medical device I worked on ran xp embedded.

Re:Any lawyers here (0)

Anonymous Coward | more than 5 years ago | (#27781393)

In the media, TV and audio industry there are lots of systems that do just one job, like running Avid, ProTools etc., and they are never updated. It is the same deal whether they run OS X or Windows. Of course, they aren't connected to the internet and they don't even have reachable USB/CDROM or anything. Good admins even use that "BIOS password" function for extra security, even while it is questionable.

Re:Any lawyers here (1, Informative)

Anonymous Coward | more than 5 years ago | (#27780611)

wow. that's some real strong faith there.

#1 that's not necessarily true

#2 the idea that an embedded system can't be exploited or negatively impacted by the exploitation of a 2ndary system is naive at best.

welcome to the real world. you're gonna have a tough time here.

oops. sorry. just checked your profile...more than your fair share of troll and flamebait. i get it. well done sweet stuff. now go stroke it...you're a soopahstah.

Re:Any lawyers here (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27780891)

Oh, really? [wikipedia.org]

When operating in direct electron-beam therapy mode, a low-powered electron beam was emitted directly from the machine, then spread to safe concentration using scanning magnets. When operating in megavolt X-ray mode, the machine was designed to rotate four components into the path of the electron beam: a target, which converted the electron beam into X-rays; a flattening filter, which spread the beam out over a larger area; a set of movable blocks (also called a collimator), which shaped the X-ray beam; and an X-ray ion chamber, which measured the strength of the beam.

The accidents occurred when the high-power electron beam was activated instead of the intended low power beam, and without the beam spreader plate rotated into place. The machine's software did not detect that this had occurred, and therefore did not prevent the patient from receiving a potentially lethal dose of radiation. The high-powered electron beam struck the patients with approximately 100 times the intended dose of radiation, causing a feeling described by patient Ray Cox as "an intense electric shock". It caused him to scream and run out of the treatment room.[2] Several days later, radiation burns appeared and the patients showed the symptoms of radiation poisoning. In three cases, the injured patients died later from radiation poisoning.

The software flaw is recognized as a race condition.

Re:Any lawyers here (0)

Anonymous Coward | more than 5 years ago | (#27780049)

yep

Car analogy (1)

mangu (126918) | more than 5 years ago | (#27780071)

if a patient dies due to a (computer) virus and the virus writer gets caught can he be charged with manslaughter or something?

Maybe not, but cars have been removed from the market [wikipedia.org] for similar reasons. Notoriously insecure systems should never be used in hospitals.

Re:Any lawyers here (1, Interesting)

jd (1658) | more than 5 years ago | (#27780211)

It depends. Did anyone successfully sue Bridgestone for their exploding SUV tyres for manslaughter? That's infinitely more direct and far more culpable, so if it failed in a case like that, it would almost certainly fail in a virus case.

Big difference (1)

Sycraft-fu (314770) | more than 5 years ago | (#27780533)

Bridgestone wasn't committing a criminal act. They had a flaw with their product.

Under US law, there are situations where you can be prosecuted if during the commission of a crime you cause something more severe to happen. One that has happened successfully is a criminal being prosecuted for murder during a robbery, even when they themselves didn't fire the shot that killed someone. However, because the reason the death happened was their robbery, they are charged.

Now as it would apply to this, I don't know. You'd have to ask someone who's an expert in this area of law and even then this is untested so it would have to be decided in trial. However it is the sort of thing that can happen. If you commit a crime and in doing so cause other harm to happen, even if it wasn't direct or your direct intent, you can still be charged at least in the US.

Re:Any lawyers here (0)

Anonymous Coward | more than 5 years ago | (#27781235)

Look up the actual failure rate of those tyres ... it's very low. They were flawed yes, but not badly. The majority of SUV deaths they were implicated in were due to the fact that SUVs are inherently unsafe moron-mobiles, with the handling characteristics of a beached whale on ketamine.

Re:Any lawyers here (2, Interesting)

Wrath0fb0b (302444) | more than 5 years ago | (#27780279)

Yes, but you would have to prove a fairly strong ("proximate") causal link between the virus and the death. It's not enough to say "Well, the MRI machine was down because the tech was cleaning it and if we had gotten him scanned earlier we'd have seen a huge tumor but instead he died", it would have to be "the MRI machine was infected with the virus and gave us wrong results so we opened his heart for nothing and he died on the table".

See, http://en.wikipedia.org/wiki/Proximate_cause [wikipedia.org]

Re:Any lawyers here (2, Informative)

maharb (1534501) | more than 5 years ago | (#27780903)

Bingo. Proximate cause and negligence on the hospital's part would definitely create a low probability that the virus writer could be charged with the manslaughter successfully. Basically the virus writer could not have reasonably foreseen the writing of this virus as causing someone's death due to the huge time, distance, and number of events involved before someone died. Also if any internal policy is set so that these computers are not supposed to be connected to the internet then it pretty much absolves the virus writer and puts the liability on the hospital.

Someone could certainly take it to court but I don't think the virus writer would lose.

Now if the virus was written to fuck with only medical software and then the virus writer attempted to get it on medical computers you have a different case.

p.s. I am not a lawyer.

Re:Any lawyers here (1)

Deanalator (806515) | more than 5 years ago | (#27780437)

How about the cheap ass IT directors that refused to run on modern hardware/software? I'm pretty sure that running windows NT/2000 and refusing to patch violates all sorts of HIPAA.

Re:Any lawyers here (1)

UnrefinedLayman (185512) | more than 5 years ago | (#27780801)

Not at all. HIPAA is all about what security measures can be deemed reasonably sufficient. In this case, the systems may have been provided by a vendor and are certified only to run at a certain patch level. Makers of medical devices can't be expected to fuzz the software every time Microsoft releases a patch to make sure it doesn't kill someone when used; they instead sell a single device certified to work a certain way.

Given that, reasonable security measures would have been to physically isolate the network these devices were on. This often doesn't happen thanks to VLANs and sloppy network administration.

Re:Any lawyers here (1)

moderatorrater (1095745) | more than 5 years ago | (#27780481)

Can the hospital employees and management who failed to provide safe equipment be sued/charged? Using windows (or any other full OS) on medical equipment is a recipe for disaster.

Re:Any lawyers here (1)

rwyoder (759998) | more than 5 years ago | (#27780879)

So if a patient dies due to a (computer) virus and the virus writer gets caught can he be charged with manslaughter or something?

I would blame the morons who put a known buggy, virus-prone piece of trash OS into critical medical equipment.

Re:Any lawyers here (0)

Anonymous Coward | more than 5 years ago | (#27781297)

Somebody didn't read the EULA. The hospital and the equipment manufacturer would share a part of the blame. The hospital's share of the blame is driven from the lack of reasonable effort to secure and update the systems, the equipment manufacturer's share from the possible FDA certification violations and negligence for knowingly providing a system without fitness for operating in a critical environment. I think the virus writer should be charged with involuntary manslaughter among other things, but the hospital and the equipment manufacturer could still be the biggest payers.

Re:Any lawyers here (1)

noidentity (188756) | more than 5 years ago | (#27781339)

So if a patient dies due to a (computer) virus and the virus writer gets caught can he be charged with manslaughter or something?

What about the OS vendor, or the hospital who chose such a vulnerable OS, or who connected their computers to the outside world (or at least flash drives)?

Re:Any lawyers here (1)

cbiltcliffe (186293) | more than 5 years ago | (#27781405)

A couple of days ago, I posted a comment about how nobody takes this security shit seriously.

I was modded flamebait.

Now we find out hospital systems running medical equipment are connected to the Internet, unpatched, and apparently not running any decent antivirus software.

Flamebait? My ass.

It's not flamebait if it's the truth.

Eeesh... (2, Funny)

Chasmyr (1261462) | more than 5 years ago | (#27780063)

Hospital equipment running Windows NT... Virus or no, I wouldn't want my life to depend on that machine. "Yeah, I hooked him up to the EKG and it just keeps saying device not recognized."

Re:Eeesh... (2, Interesting)

Translation Error (1176675) | more than 5 years ago | (#27780175)

Hospitals are big on not messing with things that work. The devices that still have NT on them do so because, despite the OS's shortcomings, they work.

Re:Eeesh... (0)

Chasmyr (1261462) | more than 5 years ago | (#27780347)

Hospitals are big on not messing with things that work.

Well, NT didn't work to begin with, that was the problem. At the risk of sounding apprehensive and alarmist... I prefer to not apply the "just don't change anything and everything will be fine" credo, doubly so to critical equipment. Because that's what this story is all about, somebody changed something simple and everything went kablooey.

Re:Eeesh... (0)

Anonymous Coward | more than 5 years ago | (#27780249)

Hospital equipment running Windows NT... Virus or no, I wouldn't want my life to depend on that machine.

"Yeah, I hooked him up to the EKG and it just keeps saying device not recognized."

Well if the patient had bothered to update his firmware to the latest revision then maybe the EKG machine would recognize him. If he couldn't be arsed to regularly update what else does he expect? Is the EKG machine supposed to wipe his arse for him too?

Re:Eeesh... (1)

maxume (22995) | more than 5 years ago | (#27781399)

Would you refuse an MRI if the machine used Windows (I have no idea if they do or not)?

Sigh. (1)

Oricalchos (1339065) | more than 5 years ago | (#27780191)

It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access.

Critical medical equipment running Windows and connected to the Internet? YOU'RE DOING IT WRONG! The sheer stupidity of humans never ceases to amaze me.

Re:Sigh. (2, Insightful)

AndrewNeo (979708) | more than 5 years ago | (#27780355)

Apparently you can't even read what you quoted.

but the LAN was connected to one with direct Internet access.

Internet enabled machine got infected, and bridged over to the closed-off network. Why SMB was enabled on the embedded systems is a better question.

summary.. (0, Flamebait)

Anonymous Coward | more than 5 years ago | (#27780195)

"A patch was released by Microsoft last October by November that fixes the problem"

What the fuck. Am I missing something here, or is that indeed awful proofreading and nonexistent editing?

On some hardware even installing windows updates w (1)

Joe The Dragon (967727) | more than 5 years ago | (#27780393)

On some hardware even installing windows updates will void the warranty and that same hardware also has to be on the network.

Another reason to choose open source (5, Informative)

Ironica (124657) | more than 5 years ago | (#27780295)

I can totally understand why these systems were still running NT or 2000. If it ain't broke, don't fix it, right?

But if it ain't supported anymore, and it's completely closed-source, you literally CAN'T get fixes for vulnerabilities discovered later on. At least with an OSS product, you'd be able to hire a developer to fix the specific vulnerability on the existing system.

Think again (1)

westlake (615356) | more than 5 years ago | (#27781227)

At least with an OSS product, you'd be able to hire a developer to fix the specific vulnerability on the existing system.

It doesn't work that way.

You botch this assignment and people die.

The hospital does not have the financial or technical resources to validate your work.

Its potential exposure to administrative actions, civil and perhaps criminal penalties is enormous.

Here is why and how (4, Insightful)

altek (119814) | more than 5 years ago | (#27780313)

1) Vendors of these devices almost across the board disallow local IT admins to put any windows patches on the machines
    - this is due to FDA requirements for approval, and the vendor is "covering" themselves
    - also, they usually have a list of "qualified updates" that is usually MONTHS behind MS's patch cycle (not surprising given the sheer number and speed of holes that are found)
    - usually the vendors claim that THEY will apply patches regularly, in practice, they almost NEVER do

2) Vendors typically disallow these machines to be on the active directory
    - this is because they can't stand troubleshooting/supporting issues in their software due to GPO's being pushed down, software management software, etc etc

3) To everyone screaming how idiotic it is that medical devices have Windows on them: you may be a geek, but have clearly never worked in a real enterprise environment. Windows is embedded on so many devices in the world (medical and otherwise) that you would never even know existed. Why? Because it's widely supported, has huge hardware support, and is surprisingly OPEN to developers to hack it into whatever they need it to be. And windows programmers are a dime a dozen.

4) To everyone screaming how idiotic it is that medical devices are connected to the internet getting infected - Do you even know how Conficker spreads? It spreads quite easily across a LAN, attaching to Windows file shares. See MS08-067 for more info. Many of these devices are on a LAN with no DNS (although plenty are on the 'net). Why? Again, because vendors insist that they be connected so they can VPN in and support them (often using LogMeIn, Webex etc).
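Both this post and the earlier reply pointing out that an Internet-enabled machine "bridged over to the closed-off network" make the same defensive point: the device segment was not actually isolated, and Conficker only needed SMB reachability to spread. The script below is an added example, not code from the article or any commenter; it reads constructed firewall flow records in an assumed syslog-like format and flags the kinds of flows that would show such a segment is bridged. The segment range, the record format and the sample lines are all assumptions.

```python
"""Flow-log check for a supposedly isolated medical-device segment.

Added example (not from the article or any commenter). It reports:
  - SMB (139/445) connections entering the device segment from outside it,
  - any flow from the device segment to a non-RFC1918 (public) address,
  - any other flow crossing the segment boundary,
  - SMB traffic between devices inside the segment (lateral-spread path).
The record format, segment range and sample records are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Assumed layout: the medical-device segment lives in 10.50.0.0/16.
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
SMB_PORTS = {139, 445}
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records: "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>".
# 203.0.113.17 is a documentation address standing in for a real public host.
SAMPLE_LOG = """\
2009-04-28T09:12:01 ACCEPT TCP 10.10.4.21:51234 -> 10.50.3.7:445
2009-04-28T09:12:02 ACCEPT TCP 10.50.3.7:1045 -> 10.50.3.9:445
2009-04-28T09:12:03 ACCEPT TCP 10.50.3.7:1046 -> 203.0.113.17:80
2009-04-28T09:12:04 ACCEPT UDP 10.50.3.7:137 -> 10.50.3.255:137
2009-04-28T09:12:05 ACCEPT TCP 10.10.4.21:51235 -> 10.10.4.80:445
2009-04-28T09:12:06 ACCEPT TCP 10.50.3.12:1047 -> 10.10.4.80:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flows(text: str) -> List[Dict]:
    """Parse the constructed record format; unparseable lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": m["ts"], "proto": m["proto"].upper(),
            "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
        })
    return flows


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    """RFC1918 only; ipaddress.is_private would also accept TEST-NET ranges."""
    return any(addr in net for net in INTERNAL_RANGES)


def classify(flow: Dict, segment=DEVICE_SEGMENT) -> Optional[str]:
    """Return the violation kind for one flow, or None if it is unremarkable."""
    src_in = flow["src"] in segment
    dst_in = flow["dst"] in segment
    smb = flow["proto"] == "TCP" and flow["dport"] in SMB_PORTS
    if dst_in and not src_in and smb:
        return "smb-into-segment"       # the bridge a worm would use to get in
    if src_in and not is_internal(flow["dst"]):
        return "egress-to-public"       # the segment can reach the Internet
    if src_in != dst_in:
        return "cross-segment"          # any other boundary crossing
    if src_in and dst_in and smb:
        return "smb-within-segment"     # lateral spread between devices
    return None


def find_isolation_violations(flows: List[Dict],
                              segment=DEVICE_SEGMENT) -> List[Tuple[str, Dict]]:
    """Pair each flagged flow with its violation kind, in log order."""
    out = []
    for f in flows:
        kind = classify(f, segment)
        if kind:
            out.append((kind, f))
    return out


if __name__ == "__main__":
    for kind, f in find_isolation_violations(parse_flows(SAMPLE_LOG)):
        print(f"{f['ts']} {kind:<20} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}")
```

The useful output is the first category: a single "smb-into-segment" hit from the corporate LAN is exactly the bridge the summary describes, and it is visible in the firewall log long before a device misbehaves.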

Re:Here is why and how (1)

altek (119814) | more than 5 years ago | (#27780433)

I hate to reply to my own comment, but I forgot to add something.

5) Why don't sysadmins at the hospitals disable filesharing and enforce stronger policies on these devices?
      - usually the vendor contract explicitly states that modifying the systems in such a way will void your $50,000 annual support contract on your $3 million scanner. Scanner is broken? Tough shit, you voided your contract. Buy a new one.

Re:Here is why and how (0)

Anonymous Coward | more than 5 years ago | (#27780603)

Re #3: Just because a lot of people do it doesn't make it any less stupid. And while using a large, complex general-purpose OS on a medical device is a pretty bad idea, doing it so it can be programmed by some dollar-a-day programmer out in Elbonia who probably doesn't even know what a buffer overflow is, is about the worst idea imaginable. We're talking about devices where a crash could kill someone here and you think it's okay to cut corners?

Re:Here is why and how (4, Interesting)

altek (119814) | more than 5 years ago | (#27780731)

I don't necessarily "think it's OK". I didn't write an editorial, I just outlined why this is what it is, as it seemed a lot of the commenters were under-informed on what the article is referring to.

Also, as per usual, the media uses sensationalist wording. Most of the "medical devices" in question here are not something attached to your body where you will die if it crashes. Most of what this is referring to are clinical workstations used for doing all sorts of work related to medical care. For example, a workstation that interfaces to some sort of scanner to set up and initiate a scan. Or a workstation that crunches data that comes off some piece of medical hardware. Most devices that physically touch you and control something which can harm a person are coded in hardware, not windows, and have hardware in place to prevent such a thing from harming someone.

Please realize that the FDA must approve ANY piece of hardware that comes in contact with a human and the process is EXTREMELY restrictive and scrutinizing (and expensive). It's actually one gov't institution that I feel really does protect people in a lot of ways.

Re:Here is why and how (0)

Anonymous Coward | more than 5 years ago | (#27780905)

Many of these devices are on a LAN with no DNS (although plenty are on the 'net). Why? Again, because vendors insist that they be connected so they can VPN in and support them (often using LogMeIn, Webex etc).

So run on (Open)BSD and come in via SSH. You even still have nice GUIs using X11 forwarding, or do a port redirect to an Xvnc server that's listening only on 127.0.0.1.

Many ways to skin this cat besides using an OS that's known for it's remote vulnerabilities.

Re:Here is why and how (1)

el_cepi (732737) | more than 5 years ago | (#27781151)

... Vendors of these devices almost across the board disallow local IT admins to put any windows patches on the machines ... they usually have a list of "qualified updates" that is usually MONTHS behind MS's patch ... usually the vendors claim that THEY will apply patches regularly, in practice, they almost NEVER do
To everyone screaming how idiotic it is that medical devices have Windows on them: ... Why? Because it's widely supported

Can you explain this a little bit more? No patches does not sound like widely supported to me.

In Portugal.... (0)

Anonymous Coward | more than 5 years ago | (#27780327)

Nothing new here.
In Portugal I came across at least 12 servers in major hospitals.

bugs on hospital computers (3, Funny)

Cederic (9623) | more than 5 years ago | (#27780385)

Suddenly I have this horrible urge to write a virus called "Swine Flu" that only attacks medical systems..

Re:bugs on hospital computers (1)

altek (119814) | more than 5 years ago | (#27780567)

black helicopters should be hovering above your house right... about... NOW

New Sources of SPAM! (3, Funny)

happy_place (632005) | more than 5 years ago | (#27780401)

This SPAM was brought to you by a heart monitor!

Maybe it just wasn't a good time to upgrade? (5, Funny)

Chasmyr (1261462) | more than 5 years ago | (#27780419)

"Hi it says I need to upgrade my RAM, what is that?"... "RAM is a part of your computer, if you have more of it, you can expect it to run faster... tell me what your computer is running and I'll see if I can help you out."... "Uh, right now the computer is running Bob's heart and lungs for him."

"A patch was released..." Big freaking deal! (2, Insightful)

Anonymous Coward | more than 5 years ago | (#27780439)

The article says "A patch was released by Microsoft last October ..." The availability of a patch doesn't mean squat. Before a patch can be installed on medical equipment, the hardware vendor has to validate the patch. In other words, the vendor has to test the ever loving crap out of the software to ensure it does not compromise patient safety.

The fact that Conficker got on life safety and mission critical systems at all raises the question of why anyone would use a consumer grade operating system for mission critical systems or for life support systems. At a minimum, these systems should have been running Unix or Solaris. VxWorks or Linux are also good, but require a higher level of computer engineering to implement.

This is just plain lunacy.

Swine flu? (5, Funny)

Sockatume (732728) | more than 5 years ago | (#27780471)

So, we have Conficker infecting hospitals now. And meanwhile, after Conficker's payload goes live, there's a massive outbreak of swine flu. And conficker spreads spam... spam is a pork product... COINCIDENCE?!

Re:Swine flu? (1)

angelwolf71885 (1181671) | more than 5 years ago | (#27780853)

in that case congress has had swine flu for a long time..

fail (0)

Anonymous Coward | more than 5 years ago | (#27780615)

$tupid fail

Windows market share (1)

Me! Me! 42 (1153289) | more than 5 years ago | (#27780701)

Kind of makes you wonder what percentage of the prestigious Windows market share is special purpose devices like this (or mundane devices like cash registers.) I know Case equipment (CNH) uses WinCE on almost everything. At least that is pared down to the essentials.
In any case this seems like lazy engineering if the item is vulnerable to viruses.

The question (4, Informative)

thePowerOfGrayskull (905905) | more than 5 years ago | (#27780707)

The question here is this: did the sub-human wankers who created this ever consider this possibility? Now that it's happened, do you think they give a shit? Is there a chance that someone is saying, "Gee, maybe this wasn't such a good idea..." right about now?

Re:The question (0)

Anonymous Coward | more than 5 years ago | (#27781301)

There are most likely many people behind the virus. The ones who programmed it most likely experience some psychological trauma if someone dies, but the ones deploying it and using it for business purposes most likely don't give a shit.

-Dreen

I am jack's... (0)

Anonymous Coward | more than 5 years ago | (#27780861)

...Complete lack of surprise.

I work with some hospital software ... Recently, a bittorrent client was found on the main server of one of our products. We have very strict protocols regarding product installation and media creation which just goes to prove, once again, the weakest link is the luser.

Removable Drives (3, Informative)

Samah (729132) | more than 5 years ago | (#27781015)

As I unfortunately found out yesterday, one of the more common ways the virus spreads is through removable drives. If autorun is enabled for removable devices (which it is by default, and no MS basher responses please), Windows will load autorun.inf straight away, infecting you.

A work colleague brought over a USB stick with some music on it, which I happily acquired, along with Conficker. For some retarded reason the resident shield was disabled. After we received an email about it, I noticed this and re-enabled it. I didn't realise I had the virus until this guy came over again with some more music and the AV software exploded in my face with a nice "warning conficker detected and removed" message. Of course that meant "removed from the USB stick" and not "removed from the PC".

Virus scans would no longer run, and I couldn't access most conficker-removal-related websites unless I went through a proxy. Incredibly, the Microsoft Malicious Software Removal tool worked a treat. After using that, rebooting, and disabling autorun in the registry, it's gone.

I blame partly myself for not disabling autorun (security lockdown on these work PCs is ridiculous; I would have had to ask an admin to do it), and for whoever disabled my bloody resident shield.

I hinted to our admin that I wanted Debian instead, but that didn't go down well. :)

tl;dr version: Conficker is bad, mmkay.
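The post above describes the removable-drive path: with autorun enabled, Windows acts on whatever autorun.inf is on the stick. As an added example (not code from the poster or from any vendor), the checker below parses an autorun.inf the way a defender triaging a USB stick would and scores the action keys against a few heuristics: launching through rundll32, pointing into normally hidden system folders, running a library or script rather than an installer, and an "action" label that imitates the built-in "Open folder to view files" choice. Both sample files are constructed; the paths, file names and heuristics are this example's own assumptions, not any specific worm's layout.

```python
"""Heuristic triage of an autorun.inf found on removable media.

Added example, not from the article or any commenter. autorun.inf is
INI-like, but files found in the wild are often padded with junk, so a
tolerant hand-rolled parser is used instead of configparser. Only the
keys Windows would act on (open, shellexecute, shell\\<verb>\\command)
are scored; icon/label keys are descriptive and ignored.
"""
import re
from typing import Dict, List, Tuple

ACTION_KEYS = {"open", "shellexecute"}

# Each heuristic: (pattern applied to an action value, reason reported).
SUSPICIOUS = [
    (re.compile(r"rundll32", re.I), "uses rundll32 to load a library"),
    (re.compile(r"\b(recycler|recycled|system volume information)\b", re.I),
     "references a normally hidden system folder"),
    (re.compile(r"\.(dll|vbs|js|cmd|bat|scr|pif)\b", re.I),
     "launches a library or script rather than an installer"),
]

# Constructed benign sample: a typical product CD.
BENIGN_SAMPLE = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product CD
"""

# Constructed suspicious sample (placeholder paths, not a real worm's file).
SUSPICIOUS_SAMPLE = r"""
[autorun]
;constructed sample for the example
open=rundll32.exe RECYCLER\x\payload.dll,Start
shell\explore\command=rundll32.exe RECYCLER\x\payload.dll,Start
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
xZq9!!@@ junk padding line
"""


def parse_autorun(text: str) -> Tuple[Dict[str, str], int]:
    """Return ([autorun] key/value pairs lowercased by key, count of junk lines)."""
    section = None
    entries: Dict[str, str] = {}
    junk = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            if section == "autorun":
                entries[key.strip().lower()] = value.strip()
        else:
            junk += 1          # neither a header nor key=value: padding/obfuscation
    return entries, junk


def is_action_key(key: str) -> bool:
    """Keys whose value Windows would execute on insert or on a context-menu verb."""
    return key in ACTION_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def assess_autorun(text: str) -> List[str]:
    """Return human-readable reasons the file looks suspicious (empty if none)."""
    entries, junk = parse_autorun(text)
    reasons = []
    for key, value in entries.items():
        if not is_action_key(key):
            continue
        for pattern, why in SUSPICIOUS:
            if pattern.search(value):
                reasons.append(f"{key}: {why}")
    if "action" in entries and re.search(r"open folder", entries["action"], re.I) \
            and entries.keys() & ACTION_KEYS:
        reasons.append("action label imitates the built-in 'Open folder' choice "
                       "while open=/shellexecute= runs something else")
    if junk:
        reasons.append(f"{junk} line(s) that are neither headers nor key=value")
    return reasons


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, assess_autorun(sample) or ["no findings"])
```

The parser deliberately keeps going past lines it cannot interpret and reports how many there were, because a legitimate installer's autorun.inf has no reason to carry padding; the count itself is a signal.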

Keep the hospital network away from the Internet (1)

madmod (988136) | more than 5 years ago | (#27781397)

Let's assume that the hospital equipment can't be patched enough or in a timely-enough manner to make it safe enough to use with the Internet. To me it's obvious: don't ever allow connections to the Internet in any way.

Totally Unacceptable (1)

nurb432 (527695) | more than 5 years ago | (#27781411)

Critical medical equipment should never have been even remotely connected to anything not 100% secure.
