A hospital near Atlanta, Georgia was shut down to all but extreme trauma cases due to a malware outbreak on their network last week.
On Wednesday Gwinnett Medical Center in Lawrenceville went on “total diversion” status after malware began spreading so fast on their network that they were unable to effectively rely on it.
TV station WSBT in Atlanta talked to the hospital’s spokesperson, Beth Okun, who said “We’ve had a virus to interrupt our system within our hospital,” and continued “It’s not affecting patient care in any way, shape or form.”
She told WSBT that the malware was impacting connectivity and did not put patient records at risk. They would rely on paper-based information until they could get back online.
Several items in this story scared me a bit and unfortunately reminded me of many of the health care facilities I have consulted with over the years.
First, to my knowledge, there aren’t any fast-spreading, or even recent, network worms in the wild. The last largely successful worm (Conficker) relied on a zero-day flaw from three years ago, AutoPlay (which is disabled on USB sticks on patched machines) and password guessing from a short password list.
Now I don’t know if it is Conficker, but it would be darned difficult to imagine a piece of malware that is so contagious that it shuts down the hospital LAN if the computers on it are even remotely protected.
Most threats these days are Trojans, and most network worms rely on vulnerabilities in network-facing services. The whole thing is a bit frightening, but it is extremely common in medical facilities.
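The tell-tale sign of the kind of outbreak described above is one host suddenly reaching out to many of its neighbours on the same service port within seconds, which is visible in ordinary flow or firewall logs long before the LAN grinds to a halt. The following script is an added example, not code from the article, Sophos or the hospital: it reads constructed flow records and flags any source that contacts an unusually large number of distinct peers on one port inside a sliding window. The log format, the sample records, the default threshold and the choice of TCP 445 (the SMB port Conficker’s exploit traffic used) are all assumptions made for the illustration.

```python
"""Flag hosts that fan out to many peers on one port within a short window,
the traffic pattern a self-propagating network worm leaves in flow logs.

Added example for illustration; not code from the article or the hospital.
The record format, sample lines, threshold and port are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.1.5.20 talks to a single file server (normal), 10.1.5.41 touches three
# servers over several minutes (normal), 10.1.5.33 sweeps a /24 on 445 in
# under half a minute (worm-like). Addresses are made up.
SAMPLE_FLOWS = """\
2011-04-27T09:00:01 10.1.5.20 10.1.1.10 445
2011-04-27T09:00:02 10.1.5.41 10.1.1.10 445
2011-04-27T09:00:05 10.1.5.20 10.1.1.10 445
2011-04-27T09:00:09 10.1.5.20 10.1.1.10 445
2011-04-27T09:00:30 10.1.5.20 10.1.1.10 445
2011-04-27T09:00:45 10.1.5.33 10.1.1.50 80
2011-04-27T09:01:00 10.1.5.33 10.1.5.1 445
2011-04-27T09:01:02 10.1.5.33 10.1.5.2 445
2011-04-27T09:01:04 10.1.5.33 10.1.5.3 445
2011-04-27T09:01:06 10.1.5.33 10.1.5.4 445
2011-04-27T09:01:08 10.1.5.33 10.1.5.5 445
2011-04-27T09:01:10 10.1.5.33 10.1.5.6 445
2011-04-27T09:01:12 10.1.5.33 10.1.5.7 445
2011-04-27T09:01:14 10.1.5.33 10.1.5.8 445
2011-04-27T09:01:16 10.1.5.33 10.1.5.9 445
2011-04-27T09:01:18 10.1.5.33 10.1.5.10 445
2011-04-27T09:01:20 10.1.5.33 10.1.5.11 445
2011-04-27T09:01:22 10.1.5.33 10.1.5.12 445
2011-04-27T09:03:00 10.1.5.41 10.1.1.11 445
2011-04-27T09:07:00 10.1.5.41 10.1.1.12 445
"""


def parse_flows(text):
    """Parse the constructed record format into (timestamp, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_fan_out(flows, port=445, window=timedelta(seconds=60), threshold=8):
    """Return {src: peak_distinct_peers} for every source that reaches at
    least `threshold` distinct destinations on `port` inside any sliding
    window of length `window`. Other ports are ignored."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # time order is required for the sliding window
        start = 0
        peers_in_window = defaultdict(int)  # dst -> hits inside the window
        peak = 0
        for ts, dst in events:
            peers_in_window[dst] += 1
            # Drop events that have fallen out of the window's tail.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                peers_in_window[old_dst] -= 1
                if peers_in_window[old_dst] == 0:
                    del peers_in_window[old_dst]
                start += 1
            peak = max(peak, len(peers_in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peers in find_fan_out(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {peers} distinct peers on 445 within 60s")
```

Only the sweeping host trips the rule; the host hammering one file server and the host that slowly visits three servers do not, because the check counts distinct peers per window rather than raw connection volume. On a real network the threshold has to be set from a baseline of normal SMB traffic, and the same routine can be pointed at any port a worm is known to use.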
Many medical devices now hook into hospital networks for monitoring, alerting, logging and reporting. These devices often run commodity operating systems (read: Windows) and the vendors prohibit applying patches to them.
They will not guarantee the device will operate correctly if it is patched, leaving medical facilities in a very difficult position. Some of these machines are still running Windows 95, and hospital IT workers are trying to find ways to run anti-virus on them and defend them against threats for which there are not even patches.
Most of what I have said about what happened at Gwinnett is speculation on my part, but I doubt it will be the last time we hear a story like this. Like SCADA systems, medical devices are designed to work in a very specific state and are extremely expensive.
Only a month ago a similar incident happened at an ambulance service in New Zealand.
Off the shelf hardware and software may make some of this equipment more affordable, but at what cost?