Sophos Cloud Optix
A hospital near Atlanta, Georgia was shut down to all but extreme trauma cases due to a malware outbreak on their network last week.
On Wednesday Gwinnett Medical Center in Lawrenceville went on “total diversion” status after malware began spreading so fast on their network that they were unable to effectively rely on it.
TV station WSBT in Atlanta talked to the hospital’s spokesperson, Beth Okun, who said “We’ve had a virus to interrupt our system within our hospital,” and continued “It’s not affecting patient care in any way, shape or form.”
She told WSBT that the malware was impacting connectivity and did not put patient records at risk. They would rely on paper-based information until they could get back online.
Several items in this story scared me a bit and unfortunately reminded me of many of the health care facilities I have consulted with over the years.
First, to my knowledge, there aren’t any fast spreading, or even recent, network worms in the wild. The last largely successful worm (Conficker) relied on a zero-day flaw from three years ago, AutoPlay (which is disabled on USB sticks on patched machines) and password guessing from a short password list.
Now I don’t know if it is Conficker, but it would be darned difficult to imagine a piece of malware that is so contagious that it shuts down the hospital LAN if the computers on it are even remotely protected.
Most threats these days are Trojans and most network worms rely on vulnerabilities in network facing services. The whole thing is a bit frightening, but it is extremely common in medical facilities.
Many medical devices now hook into hospital networks for monitoring, alerting, logging and reporting. These devices often run commodity operating systems (read: Windows) and the vendors prohibit applying patches to them.
They will not guarantee the device will operate correctly if it is patched, leaving medical facilities in a very difficult position. Some of these machines are still running Windows 95 and hospital IT workers are trying to find ways to run anti-virus and defend them against threats there are not even patches for.
Most of what happened at Gwinnett is speculation on my part, but I doubt it will be the last time we hear a story like this. Like SCADA systems, medical devices are designed to work in a very specific state and are extremely expensive.
Only a month ago a similar incident happened at an ambulance service in New Zealand.
Off the shelf hardware and software may make some of this equipment more affordable, but at what cost?
Those vendors aren't too bright. After an outbreak like that who will *ever* buy their software again?
I suspect the vendors are quite intelligent, and are acting rationally considering the small and highly regulated market they are in.
Like aircraft parts medical devices require type approval from a risk adverse regulator. Once a device has been approved, any change will render the approval invalid, including software changes, so the vendor is correct when they say that patching or AV software are not allowed. If a hospital IT department did that then they could be blamed for anything that went wrong, and the hospital would loose any law suit.
Argubly the device designer should have used a hardened embedded OS instead of windows, but they rationally chose windows because of the range of features, and because it was easy and cheap to find software developers who could write windows software.
I live in Gwinnett, this is not a small facility. It is a major regional hospital and should have sufficient funding for the IT department.
While this was probably not a focused attack, it points out the vulnerabilities within the healthcare industry. Imagine the 1000s of sole practitioners who don't have adequate IT security in their business offices and the millions of pieces of medical equipment which are running vulnerable versions of software which can't be updated or patched. Very scary.
This "do not patch" mentality is not isolated to the health care industry. There are also variants of this with which the vendors will support the software, but only if patched with their proprietary patches. Wouldn't be so bad, but when these patches have software such as Adobe bundled in with them, it starts to get scary very quickly given that Adobe is exploited so much and the proprietary patches are so few and far between.
I am a virus expert here in the states and regularly see medical offices with infected pc's. Most of the time it's exactly what was mentioned above: patches and newer version won't work with the medical software or equipment so they can't upgrade or patch holes. All of this can be in complete violation of the HIPAA laws which deal with privacy of medical records. Dealing wit the vendors can be a pain since they have created a stable version on old platforms and are unwilling to invest in updating their own software. issues like this are a great wake up call to the medical community, but they prefer to keep hitting the snooze button as often as they can.
I work in the Medical Equipment Industry on machines such as MRI and CT Scanners and all of the OEM's that I know of limit or prohibit Microsoft/Windows updates and patches and most operate on Windows 2000 NT and XP. Furthermore, most of them prohibit a virus scanner from running on their Systems too. They say all of these things have potential to interfere with the operation of the machine. They tell the customer to make sure that their Network is secure so nothing can get through and that the machine operators do not get on the Internet. However, you must have Internet access as these machines need updates and remote diagnostics from the OEM. Of course, most of the time the operators figure out how to get on the Internet from these machines and check their email and Facebook and malware/viruses get on the machines and cause many problems. Those are fun service calls!
The problem is cost.
To comply with the regulatory authorities ANY change will require a complete test of the system.
I did IT work for a medical facility. I found exactly what was described above. No updates, and lack of security. They used a Scada system attached to Seimans workstations. The Seimans rep once showed up to fix a problem, and loged on to his admin account that was used not only to send info to the workstations, but for remote control from their central console at their office. yes, you guess it, Admin/Password. I asked him why they would use such a laxed account, and he replied that they were not allowed to change that.
In this hospitals case, I would bet it was a user who decided to read their AOL email, or such, then forward an attachment of Justin Beiber to a co-worker. (Example). If they are not going to patch system, then internet access MUST be removed.
The ownership of the problem still lies with the hospital, despite the fact that some vendors do very little to protect their devices, and put their customers in a risky position. Ask your medical vendors for their policy on IT security, and this becomes pretty clear. The best thing that hospitals can do is to make a thorough security analysis up front – when they are purchasing any new hardware/software, stay up with approved software updates and patch up to the maximum allowed degree. It is kind of sad that under existing rules, it is allowable to scan a patient with a device that is infected with Conficker, but it is unacceptable to install Windows patches to inoculate it. Why so many medical devices run Windows is a mystery to me, doesn’t seem like a good OS choice for something that a life could depend on. Perhaps this problem is worse because decision-making for medical device purchases is owned by clinical management, often without collaboration with representation from IT. By the way, would you buy a Windows box for personal/business use – if you were never allowed to patch it or run antivirus ?
The answer to your question is no. I wouldn't buy ANY box if I could make sure all security updates were in place. But, as you say, in most cases these decisions are made by business managers who look at features and bottom line profits. The thought to make sure that they can update machines does not occur to someone who is not practiced in IT security.
Most PACS servers have to have access to the internet to allow them to send images from one facility to another. The workstations need to have access to the internet for the remote control software. However PACS systems use hard coded IP addresses for the DICOM transfers to happen since IP, AE Title, and Port are needed to set up the transfer, and those have to remain the same from one transfer to the next. The vendor has an option to not provide DNS addresses to the workstations. They can still access those devices and servers which are hard coded IP addresses, so the software works fine. Without DNS, most users will not be able to access the internet however. There are always a few sharp ones that know how to enter that in later, so there is still a risk, but it’s minimal. The only thing the hospital can do is threaten the employees that surfing the web on a medical device is grounds for firing. Unfortunately, if they surf on the office PC, they still run a risk of infecting the whole network.
I agree with the comments on pragmatic ways to limit user access to web browsers/internet. However, this is only one part of the problem. Worms like Conficker do not require internet access to run their course. They can come in on a stick from a service person or employee, then spread from device to device inside the firewall.
"First, to my knowledge, there aren't any fast spreading, or even recent, network worms in the wild."
In fact, there appears to be a major outbreak that started at the end of November.
The infection will happen simply by browsing. Executable code runs then installs a rootkit which so far seems to be redirecting Google search result URL's, as well as running fake scareware antivirus program .exe's (name depending on your OS; "XP/Vista/Windows 7 Security 2012", it might be called something else like "Cloud AV" as well).
This outbreak appears to affect every version of Windows (including Win7 x64), and every browser (including Chrome, Firefox, and IE). It also appears that MalwareBytes, MSE, and most all other real time malware protection programs do not stop the infection. HijackThis won't show it. If you find the infected files, if you upload them to VirusTotal only the uninfected portion of the file will be uploaded and it will show a clean scan. That's why it's a rootkit. Your system appears clean and all affected files have clean checksums, when in fact they don't.
So far, very little is known on where this infection is coming from and how it's running executable code just by browsing. Everything from ad banners to imgur to reddit to servers on various websites have been suggested, as well as Flash, Java, Javascript, Microsoft .NET, and Adobe Reader.
Microsoft did release four updates to .NET on 12/29, which is not only an out of band update, but one that must have required Microsoft employees to come in over the holidays to work on. I read on ZDNet the holes they patched do in fact allow arbitrary code execution, and that it affects every version of Windows from XP to 7 (workstation and server of all versions), so it certainly seems possible that could be the back door this infection is using.