May 2, 2009 9:29 AM PDT

Feds' red tape left medical devices infected with computer virus

by Stephanie Condon

The Conficker Internet virus has infected important computerized medical devices, but governmental red tape interfered with their repair, an organizer of an antivirus working group told Congress on Friday.

Rodney Joffe, one of the founders of an unofficial organization known as the Conficker Working Group, said that government regulations prevented hospital staff from carrying out the repairs.

Joffe, who also is the senior vice president for the telecom clearinghouse Neustar, told a panel of the House Energy and Commerce Committee that over the last three weeks, he and another Conficker researcher identified at least 300 critical medical devices from a single manufacturer that have been infected with the computer virus.

The devices were used in hospitals to allow doctors to view and manipulate high-intensity scans like MRIs and were often found in or near intensive care unit facilities, connected to local area networks with other critical medical devices.

"They should have never, ever been connected to the Internet," Joffe said.

Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.

Joffe's testimony and earlier reports of infected medical devices show the risks involved in efforts to reap the economic benefits of a networked world. President Obama's stimulus package has allocated billions of dollars for digitizing medical records and networking the nation's electric grids.

"The open Internet, one of its great values is it allows you to connect fairly cheaply and fairly easily to other computers," Joffe said. He added, however, that "the Internet was never designed to do the things it's doing today."

That includes connecting control systems to the Internet to manipulate and coordinate the nation's electric grids.

"The future of widespread (electric) meter-to-meter communication does have me concerned," said Dan Kaminsky, a technology consultant who last year discovered a critical flaw in the Internet's core infrastructure. "I would like to see more security for those meters."

It was recently reported that Chinese and Russian spies had infiltrated the grid networks. Politicians introduced a bill on Thursday to give the Homeland Security Department and other federal agencies more authority over utilities in order to protect the "smart" grid from cyberattacks.

Joffe and other witnesses said that, at an operational level, the DHS is the appropriate government agency to improve cybersecurity. He called the U.S. Computer Emergency Readiness Team, which is operated by the DHS, "woefully understaffed and woefully underfunded." As part of its mission, USCERT acts as a liaison between the public and private sectors.

Gregory Nojeim, senior counsel for the Center for Democracy and Technology, also said DHS should naturally hold jurisdiction over cybersecurity, as long as it makes its actions more transparent and receives policy guidance from the White House.

Policymakers need to be clear and open in their work with the private sector, Nojeim said, and should avoid giving anyone in the government--even the president--too much power over private networks. He urged the congressional panel to reject legislation from Senator Jay Rockefeller, D-W.Va., that would give the president power to shut down any critical network--federal or otherwise--in an emergency.

"Any such shutdown could also have far-reaching, unintended consequences for the economy and for the critical infrastructures themselves," he said. "To our knowledge, no circumstance has yet arisen that could justify a presidential order to limit or cut off Internet traffic to a particular critical infrastructure system when the operators of that system think it should not be limited or cut off."

This story was originally published on CBSNews.com.

Stephanie Condon is a staff writer for CBSNews.com focused on the intersection of technology and politics. She is based in Washington, D.C.
by kc6hur May 2, 2009 10:27 AM PDT
I love hearing about how medical systems that run Windoze in mission critical systems spontaneously reboot because of an automatic update or BSD in the middle of an operation. I would be very concerned if I was to learn that a computer used for robotically assisted surgery was running Windoze and was connected to the Internet during the operation.
by timber2005 May 2, 2009 10:55 AM PDT
The blame there lies solely on the admins... not Microsoft.

Proof being, if it happened ONCE during a major surgery, a request filed and someone responding, it would (and should) never happen again.
by Maccess May 2, 2009 5:32 PM PDT
Someone please READ THE EULA of Windows and realize that it should NEVER be used for mission critical applications. Using Windows for that purpose violates the EULA.
by KTLA_knew May 2, 2009 5:58 PM PDT
Can you supply any links to these stories you are referring to, where a Windows PC in a mission critical operating room capacity rebooted in the middle of an operation due to BSOD or automatic update?

Are they true stories by any chance?
by Lerianis3 May 3, 2009 12:10 AM PDT
kc6hur.... shut up! It's people like you who DENIGRATE alternative OS's, by using the term "Windoze". It is W I N D O W S! Get it!

There has NEVER been a case of something that is 'mission-critical' in a hospital coming up with the blue screen of death, and ESPECIALLY not any robotically assisted things.
by bananaphonerules May 3, 2009 3:49 AM PDT
I think MAC is the only OS that had recent issues with BSOD? How long are you going on about this with Windows (95)?

And by the way: Linux and MAC OS causes cancer in 87% of people.
Let's stick to facts people...I'm getting bored by the inane comments.
by jtlevin May 4, 2009 8:22 AM PDT
Maccess, you're kidding right? The EULA says "Life critical" not Mission Critical. Sigh, try reading it right. And most of those hospital systems they're hooked up to are records systems and offline systems - not online surgery systems, heart monitors and those sorts of applications.
by Vegaman_Dan May 4, 2009 10:11 AM PDT
@kc6hur:

"I love hearing about how medical systems that run Windoze in mission critical systems spontaneously reboot because of an automatic update or BSD in the middle of an operation"

Please give an example that can be verified? I have never heard of this happening- and it seems like exactly the sort of thing that news agencies like CNET would pounce on if it were true. Otherwise it just looks like a myth.

But then again, why would a robotically assisted surgery *ever* be connected to the internet in the first place? Did you plan on having it surf porn while doing surgery?

Sounds like just a made up story to me. I'm happy to be proven wrong with an actual factual story though.
by jtara May 2, 2009 12:33 PM PDT
It seems to me there are a couple of easy technical fixes for this:

1. The OS (or installed firewall software) on the device should not permit connection to or from the Internet. It should only permit connections to/from private IP addresses. Of course, this could be foiled by some admin setting up a router which rewrites source addresses, but this would at least be quite a conscious act. This simple modification would prevent a lot of accidental exposure of these devices to the Internet.

2. The device manufacturer should supply media from which the device software can be re-loaded, and regulation should permit a field re-load. Might be issues with saved data, I will admit. Should a re-load wipe all data? Perhaps. If the data is important, it should be backed-up elsewhere, anyway. Of course, the data itself could be a vulnerability. Again, this is a simple step that could mitigate a lot of successful attacks easily.
by Austin_Mike May 2, 2009 11:47 PM PDT
this.

easily avoidable infection. and obviously incompetent admins.

you know the saying "those who can't, teach?" well, "those who can't but aren't teachers yet, work for the government."
by Vegaman_Dan May 4, 2009 10:12 AM PDT
Regulations would still prevent you from making any changes of the nature you are describing for 90 days. This isn't a policy set by anyone in an IT environment. This is a policy set by uninformed supervisors or committees. :/
by troppp May 2, 2009 2:05 PM PDT
A medical device contracting a computer virus.

How ironic.
by markypolo911 May 2, 2009 6:35 PM PDT
There IS a 'cure' for all Virus, Trojans, Worms, Hard Drive failures. APPLE.
by adhetola May 2, 2009 8:28 PM PDT
@ markypolo911:
Ok, that's so dumb! A cure for all viruses = APPLE? Did u follow the CanSecWest contests in the past 2 yrs at all? The Mac [= Apple] was the most vulnerable, did u miss that? Even if windows isn't the most secure OS [don't ask me which is], i'm sure the admins for the hospital determined there'd be more productive work done on the Windows platform than the Mac. And what's with the "no hard drive failures"? Are you from this planet at all? Every hard drive can/will fail at some point in time, unless you don't use it at all, and even then you have to worry about being DOA.

C'mon now, it's ok to make comments, but the more objective it is the better credibility u get.
PS: I'm a PC, Linux & Mac user (preferenced). :)
by Austin_Mike May 2, 2009 11:45 PM PDT
Keep on drinking the kool-aid there child. Leave the real world stuff to the grown-ups.
by Lerianis3 May 3, 2009 12:12 AM PDT
Austin_Mike gets it right. NO OS is going to be totally virus free, and the fact is that I have NEVER gotten a damaging virus on my machine in 10+ years of using Microsoft products, dating back to DOS 6!
by bananaphonerules May 3, 2009 3:50 AM PDT
@marky-mark
Dude: come back to the real world...
by mooseontheloose89 May 3, 2009 10:20 AM PDT
The only reason Apple doesn't get hit with viruses is because nobody wants to infect only the ten or so percent of computers in the world. Apple is just as, if not more, vulnerable as everybody else.
by Vegaman_Dan May 4, 2009 10:14 AM PDT
@Markypolo911

There's also a cure for trolls who post nonsense such as yours designed to cause mischief.

FACTS.

Macs are exploitable as well. Hard drive failures? Hmm, even solid state drives have failures, and the very same drives that are in those PC's are in Macs as well.

You're busted.
by SenorFrog May 3, 2009 11:36 AM PDT
Obscurity is a defense. Medical devices should not be using Windows or Mac OS. While both are fine OS's, each has its own strengths and weaknesses with regards to security, they are designed and specialized for consumers. That means they contain extra apps and processes that are not needed in a specialized device and leave potential avenues for attack. There is nothing wrong with using a stripped down, real-time operating system built from scratch or licensed if it exists. It won't need anything to do with browsing, macros, registries or anything else that has proven to be an issue with both Macs and PCs.
by monkeyfun14 May 3, 2009 1:58 PM PDT
But how will those people that are supposed to be working check their facebooks..
by Vegaman_Dan May 4, 2009 10:16 AM PDT
I suppose you could be right. These medical instruments could be running off of a Commodore VIC-20, for example. That isn't network aware at all, so it should be safe enough. Granted, having it load an application from the datasette might take a while- hope you're not in a hurry to actually use it any time soon...
by SenorFrog May 4, 2009 8:51 PM PDT
@Vegaman_Dan: My post dealt with the OS not the hardware of these medical devices but you bring up another point: If the human-computer interface only needs something as powerful as a Commodore VIC-20 and not a modern PC which is more powerful than some servers of a few years ago, why not also restrict the hardware?
by graham_346 May 4, 2009 4:47 AM PDT
I don't trust any items like this from CBS News, unless it is vetted by appropriate CNET personnel.
CBS (along with NBC, ABC and especially Fox) report to the general non-technical public with no idea of context or reliability--just headlines to scare. e.g. see the difference in flu reporting as compared to CDC or university reporting.
by inachu1 May 4, 2009 6:02 AM PDT
I have heard horror stories here in Montgomery County, Maryland how bad the hospital IT dept is and how IT never fixes or upgrades things when an infection takes root. Many times mission critical systems are never backed up or upgraded and those that are backed up are still running windows 98.
by teststrips May 4, 2009 6:55 AM PDT
I work at a medical center facility - most of you don't understand the problem. Pretty much any new medical device nowadays will have a PC with windows attached to it. Most are classified as "class 3 medical device" which means that local IT people aren't allowed to make any changes to the device.... it needs to stay configured exactly as it was when it came into the building - including - no virus def updates (if you're lucky enough to have virus protection at all), and no security patching. If you have a "good" vendor, they'll go through the paperwork process with the FCC for updates - but it takes 3-4 months for the new approvals, so you're always at least that far behind on patching. Additionally, these machines HAVE to be on the network - you have to be able to send data to servers almost instantaneously.. we handle this with segmented networks, and sometimes little firewall devices that these things are plugged through... small hospitals wouldn't have the technical expertise to do some of this stuff + I'm sure it's a huge problem nationwide... biggest issue is - no one even knows it.
by Vegaman_Dan May 4, 2009 10:19 AM PDT
That's bureaucracy in action for you. IT departments are not dependent on technology so much as waiting for someone in a department elsewhere to make a decision for even the simplest of procedures. It can take weeks to months to get anything approved or certified through a change control process. Often it's far easier for the affected machine to 'break' and be replaced than to get it updated if it was already working, but lacked the updates necessary.

Dilbert and the BOFH both describe this process perfectly.
by SenorFrog May 4, 2009 8:57 PM PDT
@teststrips: scary. Unfortunately, vendors blocking the IT Department from knowing what's going on, to include preventing pen testing, is not uncommon.
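
An added example, not part of the article or of any commenter's post: two network controls raised in the comments above, jtara's rule that a device should only talk to private IP addresses and teststrips' segmented networks, can be checked against a device's connection records with a short audit like this one. The addresses, ports, segment and gateway are constructed sample values and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges: the only peers the "private addresses only" rule permits.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_peer(peer, segment, gateway):
    """Return a verdict for one peer address seen talking to the device."""
    addr = ipaddress.ip_address(peer)
    if addr == gateway:
        # A router that rewrites source addresses makes outside traffic look
        # local (the bypass noted in the comment), so these flows need review.
        return "review-gateway"
    if addr in segment:
        return "allowed-segment"
    if any(addr in net for net in RFC1918):
        return "private-other-segment"   # private, but outside the device VLAN
    return "internet"                    # publicly routable peer

def audit(flows, segment, gateway):
    """flows: iterable of (device_ip, peer_ip, port). Returns the violations."""
    segment = ipaddress.ip_network(segment)
    gateway = ipaddress.ip_address(gateway)
    findings = []
    for device, peer, port in flows:
        verdict = classify_peer(peer, segment, gateway)
        if verdict != "allowed-segment":
            findings.append((device, peer, port, verdict))
    return findings

# Constructed sample flows for one imaging workstation (assumed values).
SAMPLE_FLOWS = [
    ("10.20.30.15", "10.20.30.40", 104),   # image server in the same segment
    ("10.20.30.15", "10.20.30.1", 445),    # traffic arriving from the gateway
    ("10.20.30.15", "192.168.5.77", 445),  # host on a different private LAN
    ("10.20.30.15", "203.0.113.9", 80),    # documentation range, stands in for an Internet host
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS, "10.20.30.0/24", "10.20.30.1"):
        print(finding)
```

Only the first sample flow passes; the other three are reported with the reason each one breaks the policy.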