Virus Hits MedStar Health Hospital Network (zdnet.com) 96
An anonymous reader writes: IT staff at multiple hospitals have been forced to stop all routine and net new operations and perform an all hands on deck emergency malware control effort in the last several weeks. The latest instance of this can be seen at MedStar Hospital. From a ZDNet report, "Malware has infected the computer network of MedStar Health, forcing the healthcare provider to shut down large portions of its electronic operations. A statement by the health system said that all facilities remain open, and that there was "no evidence of compromised information." The not-for-profit healthcare system operates ten hospitals across the Washington and Baltimore region, with more than a hundred outpatient health facilities. According to the system's website, it has more than 31,000 employees and serves hundreds of thousands of patients annually." This outbreak appears to be fairly widespread and not limited to the single story listed. A similar story appeared on Slashdot several weeks ago and a quick search on Google provides multiple hits that indicate that this type of incident is much more commonplace than I would have believed. Hospitals provide round the clock service to patients and many of these services are critical to the health of the hospital clients. Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents. IT analysts predicted that 2015 would be the year that hospitals became targets for hackers. It appears that 2015 was just the first wave of the potential storm coming that is headed directly towards our healthcare IT infrastructure. How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?
Sounds like a job for (Score:2)
appropriately aimed cruse missiles.
Re: (Score:2)
cruse missiles aimed at who?
or are you advocating yet another shoot first ask questions later strategy.
as in many usa foreign policy disasters and defeats.
Re: (Score:2)
cruse missiles aimed at who?
or are you advocating yet another shoot first ask questions later strategy.
as in many usa foreign policy disasters and defeats.
I think the idea is to just nuke everything that isn't the USA...
Re: (Score:2)
Re: (Score:2)
cruse missiles aimed at who?
or are you advocating yet another shoot first ask questions later strategy.
as in many usa foreign policy disasters and defeats.
Has worked for us in the past ;) IMO, a visit by Seal Team 6 with a road trip to Gitmo included would be nice.
Re: (Score:2)
These days you can buy individual 2 port firewall modules, often designed for industrial equipment but would be equally suited to medical devices. Every single device can have a firewall in front of it an only allow specific ingress AND egress traffic.
It's really not difficult to fix.
Re: (Score:2)
I'd guess the cost of one of those (something like a RPi) would be ~$20 each.
And the cost of a medically certified one would be ~$2000 each.
Re: (Score:1)
Having worked there in the past I can assure you that most of their UNIX/Linux box are compromised in some fashion or another.
Re: (Score:3, Informative)
Just a few years ago I worked as a DBA/Unix Admin at a hospital for almost 2 years. Most hospitals appear to use EMR software produced by three different companies: Epic Systems, McKesson, and Cerner. The hospital I worked at used McKesson. This software package was installed there just a few years ago, but uses technology that was state of the art back when Clinton was president; we're talking fat-client installs with direct connections to the SQL database. I can actually remember running SQL traces th
Re: (Score:3)
All of these packages I've talked about are Windows based, so unless a hospital were to develop their own stuff (using Linux or whatever), their hands are somewhat tied. From what I've told, the cause of the big technology gap is the CDC and AMA approval process; by the time a new piece of software passes through certification, it's already out-dated.
Yes, all the EMR vendors use Windows so we're stuck there, but no, the CDC and the AMA do not approve software. CMS [cms.gov] (Centers for Medicaid and Medicare Security (???)) gives guidelines about how to go about looking for certified EHRs. A quasi governmental body called CCHIT used to certify EHRs [informationweek.com] but they've given up on that.
And there is no real 'technology gap' in modern EHRs. They are large, complicated programs so, like other large, complicated programs they tend to be conservative in how they are constru
Re: Have many more times does... (Score:1)
As long as Microsoft keeps paying kickbacks, they'll keep getting exclusive contracts with government entities. With the contract we have with Microsoft at my hospital, we have to buy a copy of Windows Server for every server even if they don't run Windows.
Sorry I'm AC, but this is very relevant. (Score:4, Insightful)
I worked (as a sys admin / tech support) for both the University Hospitals Health Systems and the Cleveland Clinic (Cleveland.) I'd estimate that about 65%+ of the really expensive machines had some type of malware that the doctors actively ignored because they were under strict orders not to update machines or it would 'invalidate the warranty from the manufacturer.' Some of those machines literally cost millions of dollars. It was well understood that they were infected, but it was explained to me that I was not allowed to remove the malware or update the machine to prevent further infection or spread of infection "because, if the machine stops working, the manufacturer will refuse to support it and it'll become a 6 million dollar paper weight"- I imagine most hospitals have some similar silliness going on.
ah yes, the machine that goes "PING!" (Score:1)
"because, if the machine stops working, the manufacturer will refuse to support it and it'll become a 6 million dollar paper weight"
Nice priorities there, docs.
Not "it could kill patients"
Nor "we can't change even the tiniest thing otherwise we lose FDA certification".
But "it might cost the hospital money" (to brick an infected device and have to replace with an hopefully more secure updated version).
Re: (Score:2)
Why do you blame the doctors for that?
It's not the doc's fault that the company will not support something if you screw with it. I mean, sure, they can invalidate the warranty, and then who is going to fix it when it breaks?
I'm guessing you don't work with this stuff very often or you'd know that you don't screw with something that invalidates your warranty on equipment that costs millions to replace. The doctors don't have a plethora of products to choose from where they can simply pick one that is a lit
Re: (Score:2)
Already broken? Maybe. But as long as the medical function is not impaired, it will still fulfill its primary purpose. And changing the software can trigger an expensive recertification process.
Plus, when every choice is broken, what do you do? Just toss all the machines? Diagnose patients without MRIs and ultrasounds? The doctors and medical directors don't really have many options.
Hospital IT should setup these devices with network ACLs that permit only the barest minimum communication required for the de
Re:Sorry I'm AC, but this is very relevant. (Score:4, Insightful)
Correct, sir.
I worked IT in a hospital system for 9 years (one that works with Cleveland Clinic every now and again, as a matter of fact). A lot of XP still deployed. Some Windows2000 deployed still. A lot of old unix-style systems from 1980s that have never been upgraded. A lot of servers without RAID controllers (single disk) that are running life and death systems. This isn't necessarily by choice. You're at the mercy of the vendor and FDA a lot of the time. These vendors... McKesson comes immediately to mind, will SELL you 7-8 year old obsolete junk as a brand new solution if you buy a system / software / widget from them. That's all they sell and it's what they support. You want the McKesson PACS system? Great! Here's your old HP DL380 Gen4 server with Windows2000 SP2, because it's what we "certify," for the low low price of $19,000 for said server. It gets worse when you have systems critical enough that the FDA gets involved in (expect to see a lot of 3.5" floppy disks).
Same goes for some of the major medical equipment. You bought that multi-million dollar, state of the art CT scanner, but GE is going to give you a crap workstation probably running WindowsNT. God forbid you try to upgrade it, or apply Windows updates, or put antivirus on it... they'll cancel your service contract before you can click the mouse then rat you out to the FDA for messing with it. I can't tell you how many systems we were FORBIDDEN from 1) applying patches and 2) running antivirus on.
Now before you start with the smartass Windows vs Linux comments... let's reiterate that you get what the vendor gives you. This isn't a personal gaming and coding rig. You're talking about PCs for medical equipment that is specialized, only a handful of vendors make, and the FDA is breathing down their and your neck over it. You don't get the option of "oh I'm just going to migrate it to Ubuntu"
Re: (Score:1)
Doctors time is limited; do you want them to have to walk up to every machine and look at the results ? Or move back in time and print low resolution fixed contrast scans that have to be moved by someone so the doctor can have a look ? It would be nice though if a little arduino could be put in front of those machine, receiving serial data on the USB line and sending to a network server acting as a dispatch using a network shield, with SPIEN=1. Cost, with a box, 25$
Re: (Score:2)
Here's the deal, if you're going to blame the FDA for this, you're gonna stir some serious shit up.
1) FDA is that way, because it is Government. (queue the "I'd rather have old busted FDA than Somalia" counter arguments) ... well big Pharma can't handle the competition
2) This is the same FDA that said Walnuts growers couldn't use Factual Information on their products, because only Drugs can make those claims
3) FDA won't even STUDY cannabis for medicinal use because
FDA has indemnified the makers from lawsuit
Re: (Score:2)
All of what you said may be true. However it hasn't stopped fake research, it just makes it harder. Plenty of drugs that turned out to be awful passed FDA muster.
And if you see what the FDA did for Walnuts, you'll know that it doesn't just test "drugs", it defines what constitutes a drug, to the point where making factual claims on a nut makes it a "drug" by FDA rules, and thus "illegal" because ... it hasn't passed FDA approval for said claims. In other words, facts don't matter, only rules matter. Which i
Re: (Score:2)
You inadvertently made my point. Thanks. Cannibis is not Cannabinoid byproduct being developed. My guess, is that they will genetically engineer something that can mass produce the Cannibinoid and that is what is actually going to be protected. See Monsanto for further references.
Re: (Score:2)
Sorry guy, GE CTs run Linux. Just watch the boot screen.
Re: (Score:2)
Realistically, the devices probably run whatever was reasonably current when the actual device was designed and tested. They're not *trying* to run old shit, they just don't want to re-certify every time they make a change to the system. Certification with the .gov is expensive and time consuming, which I know from first hand experience, and medical certification is even worse.
On this board, it is important to us that people take IT security reasonably seriously. To medical equipment makers, that's secon
Re: (Score:2)
I'd estimate that about 65%+ of the really expensive machines had some type of malware that the doctors actively ignored because they were under strict orders not to update machines or it would 'invalidate the warranty from the manufacturer.'
These medical devices are on a separate network VLAN, has no direct access to the Internet, and have a dedicated IT support team? If not, your hospital is doing it wrong.
Re: (Score:2)
Airgap (Score:2)
Airgap seems like an excellent place to start. Date does need to come in and out, but you could limit it to usb drives that are virus scanned before being reconnected to the internal network. It would be a nusance, but less so than these infections.
Re: (Score:2)
Re: (Score:2)
How do the charges that the patient is racking up get sent to the insurance company? You think hand billing is an option? What about lab reports from external labs? Consulting reports from a consulting physician? Reports to/downloads from governmental registries (immunization, etc.)? Or do you expect all of this (and more) to be hand transferred?
Have you ever seen what goes into (and comes out of) a modern EMR system?
Re: (Score:2)
Anyone who's ever dealt with healthcare insurance has. It epitomizes GIGO. And yes, healthcare was much less expensive when it was done by hand.
Re: (Score:2)
It was much less expensive when it was done by hand, but it doesn't scale.
Re: (Score:2)
Re: (Score:2)
I expect them to spend $2000 on a set of 4TB external usb hard drives, and have three employees (one per shift) rotate them between three systems: inside, AV, and outside. That's going to be orders of magnitude cheaper than cleaning up after these infections, or getting layer 7 firewalls for everything. It will require some coding to automate all the transfers, but it's worth it.
Some employees will need two desktops, inside and outside.
Re: (Score:2)
And what happens in the case of billing issues, which are, by the way, quite frequent? If you have to go back and forth with BC/BS 10 times to get a claim approved for payment, what happens when you can only transfer the necessary files once a day?
Everyone thinks air gapping is a magic bullet. And it is never practical.
A hardened gateway device sitting between the two networks might work though. Most importantly, it won't run an obsolete operating system with a plethora of public vulnerabilities nor does it
Re: (Score:3)
Separate networks are definitely key. But how many organizations actually practice it? And if they do, are they doing it correctly? For example, are the network access points secured? Do they only allow certain MAC addresses on certain switchports?
This is where technology like Cisco ISE (I'm only a customer, not a vendor - and I don't have this product yet) would help reduce the attack surface for different areas of the network.
Re: (Score:2)
It seems easy conceptually, but these threats have crept up on a sector where the product approval cycle is measured in years or even decades. They have old equipment and facilities that were meant for medicine first, and IT a very distant second (or third). And if IT security was an afterthought in the products they selected, they're not going to be able to turn them around fast.
Hell, even re-doing the network could be a multi-million dollar project so they can update routers, add more physical wiring an
Re: (Score:2)
They could start using Virtual Desktops, which when properly implemented would reduce exposure to such things in the first place.
Re: (Score:2)
"How can hospitals guard themselves against these attacks"
They could, as a start, keep the medical (patient records, diagnostic, monitoring, etc.) networks segregated from each other, and especially from the Internet. But that would prevent staff from checking the Bookface, so it wouldn't go over well.
You enforce blocking of "Bookface" since it is non-work related. You try to access site and you get
"URL Prohibited
Access to this website has been prohibited due to possible concerns over its safety, reputation, or due to company policy.
Event Details:
URL: https://www.facebook.com/ [facebook.com]
Category: Social Networking
Policy: Extended Access
If you have a business reason for accessing this website, please click the link below and submit the form to be routed for approval
We do that in my organization and works p
seems obvious (Score:3, Insightful)
How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?
STOP USING WINDOWS!
Re: (Score:1)
Re: (Score:3, Insightful)
Take some time to familiarize yourself with the economy of malware. This is not an operating system problem.
security is about reducing risk and windows is the highest risk operating system by a HUGE margin. it's not the entire solution but it is most of it.
Re: (Score:2)
windows is the highest risk operating system by a HUGE margin.
It isn't Win95 any more. The Windows kernel is no more or less vulnerable than anything else commonly used. Windows users may have bad habits in terms of volunteering to install malware, but that doesn't apply to kiosk-style workstations attached to equipment.
Re: (Score:2)
When the imaging system vendor only supplies and supports Windows 2000 or XP workstations in 2016, you're looking at a serious problem.
The problem is Windows, specifically the obsolete and unsupported versions of Windows that the equipment manufacturers force the hospitals to use.
And inadequate isolation of these vulnerable hosts.
Re: (Score:1)
Re: (Score:3)
Probably not an option. Since the OS decision is usually based upon what what software will be running on it.
But how can the "guard themselves against these attacks"? Maybe they can't. But first try recognizing the means by which machines get infected. Can those be blocked? Limited?
Secondly, backups. Lots of backups. And testing of the backups. Even if you are infected, you should be able to recover from backups.
Third, SEGMENT YOUR NETWORK. Machines that can access CRITICAL SYSTEMS should
Re: (Score:2)
Probably not an option. Since the OS decision is usually based upon what what software will be running on it.
which is why management should talk to security people BEFORE buying any software/hardware. just because you are fucked now, doesn't mean the solution has changed.
Re: (Score:1)
Re: (Score:2)
who said anything about FOSS? also, they didn't attack the medical software, they attacked the operating system.
so tell me, what is this alleged FOSS medical software that you exploited and how did you do it? kinda sounds like you a full of shit.
Re: (Score:1)
Re: (Score:2)
I will abstain from providing details that could easily be used to track down my real identity. Rest assured I've contributed plenty of security fixes to software you probably use on a daily basis.
LOL. you are so full of shit. well done.
Re: (Score:1)
even GPs say prevention better than cure (Score:2, Insightful)
...except in the case of IT infrastructure, where a broken PC keeps a sysadmin in work.
I disagree with this, however.
Systems made essential by feature-request-creep from the hospital administrators should have ZERO downtime. Or close as dammit. Preventative measures are therefore essential. Strict user policy, coupled with strict sanction and for fuck's sake, live failback to paper and pencil! Yes, I've been in situations where failure is NOT an option. Measures should be enforced to PREVENT failures whethe
Re: (Score:2)
Those good ideas you suggest are not certified for medical or mission critical activities. Therefore they will not be used.
It could be certified, but it will take about five years to get through the process and cost probably about a million dollars to do it before they could even sell a single unit to a hospital.
And if it's free, that's much worse. Then there is no one who will be able to pay for the certification process.
This is medicine and the process must be followed as long as it fucks you over for l
Re: (Score:2)
they are probably glad I haven't because I would be the bitch sysadmin from Hell. When it comes to information security I. Do. Not. Compromise. Period. The High Court in London learned that the hard way when some dink of a paper pusher demanded my client file and I told her to get fucked.
Re: (Score:2)
someone please mod #51803685 up, he makes a good point. Although, in this country when a doctor walks from a hospital he doesn't get to take his patients with him, those who are left get to take up the slack. That will soon no longer be the case as the NHS is sold piecemeal to the private sector.
Re: (Score:2)
I wonder if Ransomware could infect Google Docs on a Google Drive.
Please summarize... (Score:2)
"Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents."
Er...what?
Don't run it (Score:1)
Don't run malware. It is easier and cheaper to abstain from running malware, than it is go ahead and run it. Show me someone who has malware, and I'll show you someone who went to a lot of extra trouble to make that happen. You simply have to stop going to all that extra trouble.
Secure systems? (Score:1)
Hospital systems should be segmented and isolated between networks. I bet you 10 million bucks that everything is sitting on a flat network.
Grats and good luck.
Bet you they haven't disabled USB access.
Re: (Score:2)
For once, this has nothing to do with Cloud security. These folks got owned all by themselves on their own network.
They might have actually been more secure in the Cloud. Which is not meant to be a ringing endorsement of Cloud security, but Hospitals are notoriously insecure and their IT is run on a shoestring.
Just because you have your data on-site, doesn't make you safer. If you're a screw-up, or you aren't taking security seriously, it is entirely possible for your security to be worse than any Cloud
Re: (Score:2)
I doubt that they are ignoring security, they just aren't either prioritizing it highly enough, or they don't have the resources to do so.
IT security is overhead. You need it, but it is all expense. This is not a job where all you have to do is just do it. You need to show very clearly why the expense is needed and security is one of those things that seems like a jobs program... until you're hacked, and then its too late.
Ask a... (Score:2)
How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns?
They will have little choice but to devise systems that pay little attention to these "operating concerns" lest those concerns become non-operating concerns.
Which EHR? (Score:1)
Re: (Score:2)
Let's be clear, computers open new dangers, but a lot of our current medical capabilities and even billing and records keeping actually relies on the capability.
This isn't something that hospitals are doing because they love whiz-bang gadgets. Going back to paper is not a solution.
Hospitals invest in security? (Score:1)
That would be news to me that Hospitals invest in security. If so then how do they keep getting hit. And would this MedStar Health malware be a Windows executable that only runs on Microsoft Windows.