Botnet Attack Shuts Down Hospital Network

aricusmaximus writes "A California student is now facing felony conspiracy charges after unleashing a botnet attack that shut down the network of a Seattle hospital intensive care unit. This indictment comes a few weeks after another California man pled guilty to similar charges. Both attacks were attempts to make money off of adware affiliate programs. So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"

Re:Student's Fault

[OffTheLip]

I agree with much of what you say with exception of "And what kind of intensive care unit is "shut down" when they can't use computers?". The acute shortage of bedside nurses elevates computers and networks to a big player in short staffed ICU's. Patient to nurse ratios are improved because of computers. Sure the ICU can continue to function but things would be hectic and possibly deadly for some patients.

The Perpetrators Are At Fault

[Kurt Wall]

Suggesting that the hospitals are at fault for failing to secure their networks adequately is assinine. The perpetrators are at fault. Adware companies might provide incentive and the hospitals evidently need to secure their networks, too, but culpability lies solely with the two defectives who committed the crime.

Re:Student's Fault

[malkavian]

And what kind of intensive care unit is "shut down" when they can't use computers?

I work in a hostpital as one of the business continuity team; we keep the place running in the event of something just like this, and have to evaluate the problems that'll occur in an outage if it happens.
ITU is dependant on having patient records, history, full charts and responses available in a very rapid fashion. When the computers go down, they don't stop working, just all the communications that happen near instantly suddenly have to be ordered from medical records, and use sneakernet, which is a massive time overhead. In time critical requirements, this may mean the difference between life and death.

Fair enough, the hospital should have been more secure, but there again, it all comes down to how many admins they have on the job. I know my time is allocated (still) in a very small part on security. I'm pressing to have more allocated. And my budget for security tools is small. Hell, with the NHS budget cuts next year, we'll be lucky to have much budget at all. Still, it's improving slowly. I'm still not happy with it, which gives me more incentive to work harder on it.
But anyone who would attack a hospital system has to be aware that lives are at stake here, not just a few pounds/dollars. In commercial places, I'd frequently warn people if I could work out who they were, or the admin of the sytems they came in from if I couldn't. Eventually, I'd call the police if I believed they were being too persistent, as a last resort.
In the hospital, I spot an attack, police will be warned promptly. No messing around. The place I work at saved my brother's life years back in ITU (when, by rights, his injuries should have killed him). I'm a little protective of the work they do, and the systems that let them do their job more efficiently. After all, they may just make that difference between life and death in the borderline cases, and every little win by the skin of the teeth means a lifetime to somebody.

That was just a clarification, not a dispute. I'm behind you all the way in the sentiment you express. They're in trouble, and justly so.

Re:Student's Fault

[cide1]

Because all software patches must be validated through an FDA audit procedure. You can't just go patch a computer that someone's life depends on. This case makes this procedure look funny, but you can't just put any software on medical equipment. I'm sure most people are aware of the case of the Therac-25. http://courses.cs.vt.edu/~cs3604/lib/Therac_25/The rac_1.html [vt.edu]

I'm not sure what the real solution is, but I am sure who the criminal is. If the students didn't release malicious software, that network would still be up.

The doctors are at fault

[mangu]

You have administrators who don't really know much about computers and doctors who are frequently the biggest prima donnas in the world when it comes to getting what they want, in a corporate culture which caters to them.

Then it's very obvious that the doctors are at fault. A doctor who doesn't scrub thoroughly enough before performing a surgery cannot blame the infection on the germs. A hospital that relies on a computer system that isn't secure enough cannot blame the crackers.

Microsoft software shouldn't be allowed in hospitals for the same reason pets aren't allowed in surgery rooms. A doctor who insists in having his MS-Windows computer connected to a critical hospital network is like a surgeon who insists in bringing his pet labrador into the surgery room. They may love their software and they may love their dog, nothing wrong with that, but when other peoples' health and life are at stake they are responsible for taking the best precautions, even if it causes them some inconvenience and even it they must follow instructions from people they consider intellectually inferior in some way.

When my dad was in a cardiac ICU

[Intraloper]

all the monitoring info was radio relayed to a monitoring statin at the central desk, where a single nurse monitored it full time. The unit had a staffing ratin of one nurses per three patients; the monitoring nurse was one of them If they had lost that connection, they would not have had sufficient staff to keep every patient adequately monitored. They didnt have sufficient staff to personally monitor the patients anyway, even with the electronic monitoring helping them out. The nurses were acutely aware of this, and were not happy about it.

Re:Student's Fault

[Anonymous Coward]

The deserve some blame, but nowhere near half. If you leave your keys in your car and someone takes yet, yes you could have prevented that, but the car theif is still a car thief. "It was unlocked" is no excuse.

Re:Student's Fault

[RESPAWN]

I provide IT services in the healthcare industry, including work at several different hospitals, so here's my perspective on the situation. That said, please note that I'm not 100% up to date on the most current technologies since the hospitals I've worked at hadn't implemented many of them.

Most likely, the ICU wasn't "shut down". Instead, it's much more likely that only those computer systems used for ordering, transactioning, etc. were shut down. Please note that any life critical equipment is typically placed on a physically seperate network from the rest of the hospitals computer systems. It is acceptable to put things like MRI machines and such on the hospital LAN, but patient monitoring devices will not be affected. If this is not the case for some reason and the patient monitoring equipment was put on the same lan as the general computing systems, the IT staff and the hospital administration should be canned.

Most likely the system most affected would be the hosptials ordering system. That is, the system that handles ordering medicines from the hospitals internal pharmacy. In an ICU, that shouldn't be as big of a deal, because 1) they should already be well supplied to handle any emergencies, and 2) unless the hospital is using VOIP (seriously doubful), somebody can always call the pharmacy and tell them in person. The system won't be as automated as usual, but that shouldn't matter too terribly much. The simple truth is, despite our reliance on technology, every hospital should have a contingency plan in case the technology fails. If it's not a law, it should be. And if it's not a law and this hospital doesn't have a contingency plan, then the hosptial administration should be sacked and the hospital closed down due to unsafe conditions. These are people's lives at stake and we need all of the safety nets we can get. The same goes for if the personnell aren't properly trained on the contingency plan.

That said, this event will cost the hospital money. Mostly in personnell costs as they will undoubtedly require personnell to work longer shifts or extra shifts as they work to input the data collected during the outage (medicines administered, procedures performed, etc.) back into the hospital's computer system. In the end, that information needs to be entered into the hospital's systems if they want to get paid.

As for blame, well there's plenty of blame to go around. Firstly, the administrator of the botnet should most certainly be sent to prison for his actions. What he did was illegal, and he sure as hell should know that. Secondly, the local IT staff should be partly to blame here. Nurses and doctors get bored, they surf the internet, and junk gets on their computers. If they don't have technological methods in place to protect against such occurrances (installing the latest patches, anti-virus/anti-spyware software, etc.), they should be dismissed and somebody more competant brought in. If the IT staff had proposed such measures, but they were shot down by the CFO for financial reasons, then the CFO should get the boot. The staff using the PCs should also be to blame since they were most probably violating hospital policy

Now... the reality. Hospitals are very political entities. More so than other environments I've worked in. I doubt anybody will actually get the axe, but sometimes shakeups and/or disasters like these are needed to show the powers that be that the resources previously requested are indeed necessary for the smoothe operation of business.

To respond to your assertion that his actions had grave consequences, they are most likely not as grave as the article would have you believe. It's just more sensational to claim that the entire ICU was "shut down" due to scary computer virii. (Is there such a thing as impartial, just-the-facts-ma'am reporting these days?) Most likely the ICU continued to function on their contingency plan using pen and paper just like they probably did only a few years prior. His actions were probably no graver than they would be with any other company that would experience lost productivity due to the loss of computer systems.