Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Crime Medicine Security IT Technology

Virus Hits MedStar Health Hospital Network (zdnet.com) 96

An anonymous reader writes: IT staff at multiple hospitals have been forced to stop all routine and net new operations and perform an all hands on deck emergency malware control effort in the last several weeks. The latest instance of this can be seen at MedStar Hospital. From a ZDNet report, "Malware has infected the computer network of MedStar Health, forcing the healthcare provider to shut down large portions of its electronic operations. A statement by the health system said that all facilities remain open, and that there was "no evidence of compromised information." The not-for-profit healthcare system operates ten hospitals across the Washington and Baltimore region, with more than a hundred outpatient health facilities. According to the system's website, it has more than 31,000 employees and serves hundreds of thousands of patients annually." This outbreak appears to be fairly widespread and not limited to the single story listed. A similar story appeared on Slashdot several weeks ago and a quick search on Google provides multiple hits that indicate that this type of incident is much more commonplace than I would have believed. Hospitals provide round the clock service to patients and many of these services are critical to the health of the hospital clients. Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents. IT analysts predicted that 2015 would be the year that hospitals became targets for hackers. It appears that 2015 was just the first wave of the potential storm coming that is headed directly towards our healthcare IT infrastructure. How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?
This discussion has been archived. No new comments can be posted.

Virus Hits MedStar Health Hospital Network

Comments Filter:
  • appropriately aimed cruse missiles.

    • cruse missiles aimed at who?
      or are you advocating yet another shoot first ask questions later strategy.
      as in many usa foreign policy disasters and defeats.

      • cruse missiles aimed at who?
        or are you advocating yet another shoot first ask questions later strategy.
        as in many usa foreign policy disasters and defeats.

        I think the idea is to just nuke everything that isn't the USA...

      • cruse missiles aimed at who?
        or are you advocating yet another shoot first ask questions later strategy.
        as in many usa foreign policy disasters and defeats.

        Has worked for us in the past ;) IMO, a visit by Seal Team 6 with a road trip to Gitmo included would be nice.

  • by Anonymous Coward on Tuesday March 29, 2016 @03:03PM (#51802531)

    I worked (as a sys admin / tech support) for both the University Hospitals Health Systems and the Cleveland Clinic (Cleveland.) I'd estimate that about 65%+ of the really expensive machines had some type of malware that the doctors actively ignored because they were under strict orders not to update machines or it would 'invalidate the warranty from the manufacturer.' Some of those machines literally cost millions of dollars. It was well understood that they were infected, but it was explained to me that I was not allowed to remove the malware or update the machine to prevent further infection or spread of infection "because, if the machine stops working, the manufacturer will refuse to support it and it'll become a 6 million dollar paper weight"- I imagine most hospitals have some similar silliness going on.

    • "because, if the machine stops working, the manufacturer will refuse to support it and it'll become a 6 million dollar paper weight"

      Nice priorities there, docs.
      Not "it could kill patients"
      Nor "we can't change even the tiniest thing otherwise we lose FDA certification".
      But "it might cost the hospital money" (to brick an infected device and have to replace with an hopefully more secure updated version).

      • by tnk1 ( 899206 )

        Why do you blame the doctors for that?

        It's not the doc's fault that the company will not support something if you screw with it. I mean, sure, they can invalidate the warranty, and then who is going to fix it when it breaks?

        I'm guessing you don't work with this stuff very often or you'd know that you don't screw with something that invalidates your warranty on equipment that costs millions to replace. The doctors don't have a plethora of products to choose from where they can simply pick one that is a lit

    • by Anonymous Coward on Tuesday March 29, 2016 @03:24PM (#51802669)

      Correct, sir.

      I worked IT in a hospital system for 9 years (one that works with Cleveland Clinic every now and again, as a matter of fact). A lot of XP still deployed. Some Windows2000 deployed still. A lot of old unix-style systems from 1980s that have never been upgraded. A lot of servers without RAID controllers (single disk) that are running life and death systems. This isn't necessarily by choice. You're at the mercy of the vendor and FDA a lot of the time. These vendors... McKesson comes immediately to mind, will SELL you 7-8 year old obsolete junk as a brand new solution if you buy a system / software / widget from them. That's all they sell and it's what they support. You want the McKesson PACS system? Great! Here's your old HP DL380 Gen4 server with Windows2000 SP2, because it's what we "certify," for the low low price of $19,000 for said server. It gets worse when you have systems critical enough that the FDA gets involved in (expect to see a lot of 3.5" floppy disks).

      Same goes for some of the major medical equipment. You bought that multi-million dollar, state of the art CT scanner, but GE is going to give you a crap workstation probably running WindowsNT. God forbid you try to upgrade it, or apply Windows updates, or put antivirus on it... they'll cancel your service contract before you can click the mouse then rat you out to the FDA for messing with it. I can't tell you how many systems we were FORBIDDEN from 1) applying patches and 2) running antivirus on.

      Now before you start with the smartass Windows vs Linux comments... let's reiterate that you get what the vendor gives you. This isn't a personal gaming and coding rig. You're talking about PCs for medical equipment that is specialized, only a handful of vendors make, and the FDA is breathing down their and your neck over it. You don't get the option of "oh I'm just going to migrate it to Ubuntu"

      • Here's the deal, if you're going to blame the FDA for this, you're gonna stir some serious shit up.

        1) FDA is that way, because it is Government. (queue the "I'd rather have old busted FDA than Somalia" counter arguments)
        2) This is the same FDA that said Walnuts growers couldn't use Factual Information on their products, because only Drugs can make those claims
        3) FDA won't even STUDY cannabis for medicinal use because ... well big Pharma can't handle the competition

        FDA has indemnified the makers from lawsuit

      • Sorry guy, GE CTs run Linux. Just watch the boot screen.

        • by tnk1 ( 899206 )

          Realistically, the devices probably run whatever was reasonably current when the actual device was designed and tested. They're not *trying* to run old shit, they just don't want to re-certify every time they make a change to the system. Certification with the .gov is expensive and time consuming, which I know from first hand experience, and medical certification is even worse.

          On this board, it is important to us that people take IT security reasonably seriously. To medical equipment makers, that's secon

    • I'd estimate that about 65%+ of the really expensive machines had some type of malware that the doctors actively ignored because they were under strict orders not to update machines or it would 'invalidate the warranty from the manufacturer.'

      These medical devices are on a separate network VLAN, has no direct access to the Internet, and have a dedicated IT support team? If not, your hospital is doing it wrong.

    • So very true, and no they typically don't isolate them network wise, or at least not the extent necessary for safety. Hospitals and health care in general is where I've witnessed some of the absolute worst IT practices of my 25 year career, topping this list is entrenched legacy systems like what you mention, and management that refuses to press the vendors for proper software maintenance, thinking that it's somehow unnecessary. The industry use of unmaintained embedded software (doesn't matter what OS) is
  • seems obvious (Score:3, Insightful)

    by Gravis Zero ( 934156 ) on Tuesday March 29, 2016 @03:15PM (#51802611)

    How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

    STOP USING WINDOWS!

    • Take some time to familiarize yourself with the economy of malware. This is not an operating system problem.
      • Re: (Score:3, Insightful)

        by Gravis Zero ( 934156 )

        Take some time to familiarize yourself with the economy of malware. This is not an operating system problem.

        security is about reducing risk and windows is the highest risk operating system by a HUGE margin. it's not the entire solution but it is most of it.

        • by lgw ( 121541 )

          windows is the highest risk operating system by a HUGE margin.

          It isn't Win95 any more. The Windows kernel is no more or less vulnerable than anything else commonly used. Windows users may have bad habits in terms of volunteering to install malware, but that doesn't apply to kiosk-style workstations attached to equipment.

          • When the imaging system vendor only supplies and supports Windows 2000 or XP workstations in 2016, you're looking at a serious problem.

            The problem is Windows, specifically the obsolete and unsupported versions of Windows that the equipment manufacturers force the hospitals to use.

            And inadequate isolation of these vulnerable hosts.

        • Nope, the issues we're facing have virtually nothing to do with platform. Move to different operating systems and the APTs will follow. In fact, they already are. Arguments that other operating systems will provide adequate security in the meantime amount to little more than security through obscurity, which is widely accepted as an anti-pattern. Until we address the underlying issues, nothing will change for the better, regardless of OS used. Quite the opposite, I assure you.
    • by khasim ( 1285 )

      STOP USING WINDOWS!

      Probably not an option. Since the OS decision is usually based upon what what software will be running on it.

      But how can the "guard themselves against these attacks"? Maybe they can't. But first try recognizing the means by which machines get infected. Can those be blocked? Limited?

      Secondly, backups. Lots of backups. And testing of the backups. Even if you are infected, you should be able to recover from backups.

      Third, SEGMENT YOUR NETWORK. Machines that can access CRITICAL SYSTEMS should

      • Probably not an option. Since the OS decision is usually based upon what what software will be running on it.

        which is why management should talk to security people BEFORE buying any software/hardware. just because you are fucked now, doesn't mean the solution has changed.

        • Having personally discovered and exploited vulnerabilities in FOSS medical software, I can tell you that your "solution" isn't one.
          • who said anything about FOSS? also, they didn't attack the medical software, they attacked the operating system.

            so tell me, what is this alleged FOSS medical software that you exploited and how did you do it? kinda sounds like you a full of shit.

            • Generally, when people suggest using an alternative to Windows they are alluding to FOSS alternatives. It doesn't matter though, because it's highly unlikely the attackers actually exploited an operating system zero-day to compromise the systems affected. That's not how this sort of thing works, you see; a zero-day in a modern operating system is worth far more than can be had with a few ransoms. And to be clear, persistence in an already compromised system isn't really part of the "attack", excluding stuff
              • I will abstain from providing details that could easily be used to track down my real identity. Rest assured I've contributed plenty of security fixes to software you probably use on a daily basis.

                LOL. you are so full of shit. well done.

                • Not at all. If you look at my post history, it's quite clear I'm a security researcher. What you think doesn't matter, though. I'll keep you safe regardless, end user.
  • ...except in the case of IT infrastructure, where a broken PC keeps a sysadmin in work.

    I disagree with this, however.

    Systems made essential by feature-request-creep from the hospital administrators should have ZERO downtime. Or close as dammit. Preventative measures are therefore essential. Strict user policy, coupled with strict sanction and for fuck's sake, live failback to paper and pencil! Yes, I've been in situations where failure is NOT an option. Measures should be enforced to PREVENT failures whethe

  • ...this poorly written wall of text. At first glance this looks like an India-sourced whitepaper.

    "Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents."

    Er...what?
  • by Anonymous Coward

    How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

    Don't run malware. It is easier and cheaper to abstain from running malware, than it is go ahead and run it. Show me someone who has malware, and I'll show you someone who went to a lot of extra trouble to make that happen. You simply have to stop going to all that extra trouble.

  • Hospital systems should be segmented and isolated between networks. I bet you 10 million bucks that everything is sitting on a flat network.

    Grats and good luck.

    Bet you they haven't disabled USB access.

  • How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?

    They will have little choice but to devise systems that pay little attention to these "operating concerns" lest those concerns become non-operating concerns.

  • Anyone know for sure the EHR sfotware they are using? A quick Google search seems to say they were switching to Cerner a couple years ago, but would like conformation...
  • "Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents."

    That would be news to me that Hospitals invest in security. If so then how do they keep getting hit. And would this MedStar Health malware be a Windows executable that only runs on Microsoft Windows.

Whatever is not nailed down is mine. Whatever I can pry up is not nailed down. -- Collis P. Huntingdon, railroad tycoon

Working...