Comments on: Feds' red tape left medical devices infected with computer virus

Regulations stipulated that hospitals wait 90 days before updating Conficker-infected systems.

[kc6hur]

I love hearing about how medical systems that run Windoze in mission critical systems spontaneously reboot because of an automatic update or BSD in the middle of an operation. I would be very concerned if I was to learn that a computer used for robotically assisted surgery was running Windoze and was connected to the Internet during the operation.

[timber2005]

The blame there lies soley on the admins... not Microsoft.

Proof being, if it happened ONCE during a major surgery, a request filed and someone responding, it would (and should) never happen again.

[Maccess]

Someone please READ THE EULA of Windows and realize that it should NEVER be used for mission critical applications. Using Windows for that purpose violates the EULA.

[KTLA_knew]

Can you supply any links to these stories you are referring to, where a Windows PC in a mission critical operating room capacity rebooted in the middle of an operation due to BSOD or automatic update?

Are they true stories by any chance?

[Lerianis3]

kc6hur.... shut up! It's people like you who DENIGRATE alternative OS's, by using the term "Windoze". It is W I N D O W S! Get it!

There has NEVER been a case of something that is 'mission-critical' in a hospital coming up with the blue screen of death, and ESPECIALLY not any robotically assisted things.

[bananaphonerules]

I think MAC is the only OS that had recent issues with BSOD? How long are you going on about this with Windows (95)?

And by the way: Linux and MAC OS causes cancer is 87% of people.
Let stick to facts people...I'm getting bored by the inane comments.

[jtlevin]

Maccess, you're kidding right? The EULA says "Life critical" not Mission Critical. Sigh, try reading it right. And most of those hospital systems they're hooked up to are records systems and offline systems - not online surgery systems, heart monitors and those sorts of applications.

[Vegaman_Dan]

@kc6hur:

" love hearing about how medical systems that run Windoze in mission critical systems spontaneously reboot because of an automatic update or BSD in the middle of an operation"

Please give an example that can be verified? I have never heard of this happening- and it seems like exactly the sort of thing that news agencies like CNET would pounce on if it were true. Otherwise it just looks like a myth.

But then again, why would a robotically assisted surgery *ever* be connected to the internet in the first place? Did you plan on having it surf porn while doing surgery?

Sounds like just a made up story to me. I'm happy to be proven wrong with an actual factual story though.

[jtara]

It seems to me there are a couple of easy technical fixes for this:

1. The OS (or installed firewall software) on the device should not permit connection to or from the Internet. It should only permit connections to/from private IP addresses. Of course, this could be foiled by some admin setting up a router which rewrites source addresses, but this would at least be quite a conscious act. This simple modification would prevent a lot of accidental exposure of these devices to the Internet.

2. The device manufacturer should supply media from which the device software can be re-loaded, and regulation should permit a field re-load. Might be issues with saved data, I will admit. Should a re-load wipe all data? Perhaps. If the data is important, it should be backed-up elsewhere, anyway. Of course, the data itself could be an vulnerability. Again, this is a simple step that could mitigate a lot of successful attacks easily.

[Austin_Mike]

this.

easily avoidable infection. and obviously incompetent admins.

you know the saying "those who can't, teach?" well, "those who can't but aren't teachers yet, work for the government."

[Vegaman_Dan]

Regulations would still prevent you from making any changes of the nature you are describing for 90 days. This isn't a policy set by anyone in an IT environment. This is a policy set by uninformed supervisors or committees. :/

[troppp]

A medical device contracting a computer virus.

How ironic.

[markypolo911]

There IS a 'cure' for all Virus, Tojans, Worms, Hard Drive failures. APPLE.

[adhetola]

@ markypolo911:
Ok, that's so dumb! A cure for all viruses = APPLE? Did u follow the cansequest contests in the past 2 yrs at all? The Mac [= Apple] was the most vulnerable, did u miss that? Even if windows isn't the most secure OS [don't ask me which is], i'm sure the admins for the hospital determined there'd be more productive work done on the Windows platform than the Mac. And what's with the "no hard drive failures"? Are you from this planet at all? Every hard drive can/will fail at some point in time, unless you don't use it at all, and even then you have to worry about being DOA.

C'mon now, it's ok to make comments, but the more objective it is the bettercredibility u get.
PS: I'm a PC, Linux & Mac user (preferenced). :)

[Austin_Mike]

Keep on drinking the kool-aid there child. Leave the real world stuff to the grown-ups.

[Lerianis3]

Austin_Mike gets it right. NO OS is going to be totallly virus free, and the fact is that I have NEVER gotten a damaging virus on my machine in 10+ years of using Microsoft products, dating back to DOS 6!

[bananaphonerules]

@marky-mark
Dude: come back to the real world...

[mooseontheloose89]

The only reason Apple doesn't get hit with viruses is because nobody wants to infect only the ten or so percent of computers in the world. Apple is just as, if not more, vulnerable as everybody else.

[Vegaman_Dan]

@Markypolo911

There's also a cure for trolls who post nonsense such as yours designed to cause mischief.

FACTS.

Macs are exploitable as well. Hard drive failures? Hmm, even solid state drives have failures, and the very same drives that are in those PC's are in Macs as well.

You're busted.

[SenorFrog]

Obscurity is a defense. Medical devices should not be using Windows or Mac OS. While both are fine OS's, each has it's own strengths and weaknesses with regards to security, they are designed and specialized for consumers. That means they contain extra apps and processes that are not needed in a specialized device and leave potential avenues for attack. There is nothing wrong with using a stripped down, real-time operating system built from scratch or licensed if it exists. It won't need anything to do with browsing, macros, registries or anything else that has proven to be an issue with both Macs and PCs.

[monkeyfun14]

But how will those people that are supposed to be working check their facebooks..

[Vegaman_Dan]

I suppose you could be right. These medical instruments could be running off of a Commodore VIC-20, for example. That isn't network aware at all, so it should be safe enough. Granted, having it load an application from the datasette might take a while- hope you're not in a hurry to actually use it any time soon...

[SenorFrog]

@Vegaman_Dan: My post dealt with the OS not the hardware of these medical devices but you bring up another point: If the human-computer interface only needs something as powerful as a Commodore VIC-20 and not a modern PC which is more powerful than some servers of a few years ago, why not also restrict the hardware?

[graham_346]

I don't trust any items like this from CBS News, unless it is vetted by appropriate CNET personnel.
CBS (along with NBC, ABC and especially Fox) report to the general non-technical public with no idea of context or reliability--just headlines to scare. e.g. see the difference in flu reporting as compared to CDC or university reporting.

[inachu1]

I have heard horror stories here in montgomery county Maryland how bad the hospital IT dept is and how IT never fixes or upgrades things when an infection takes root. Many times mission critial systems are never backed up or upgraded and those that are backed up are still running windows 98.

[teststrips]

I work at a medical center facility - most of you don't understand the problem. Pretty much any new medical device now-a-days will have a PC with windows attached to it. Most are classified as "class 3 medical device" which means that local IT people arent' allowed to make any changes to the device.... it needs to stay configued exactly as it was when it came into the building - including - no virus def updates (if you're lucky enough to have virus protection at at all), and no security patching. If you have a "good" vendor, they'll go though the paperwork process with the FCC for updates - but it takes 3-4 months for the new approvals, so you're always at least that far behind on patching. Additionally, these machines HAVE to be on the network - you have to be able to send data to servers almost instantaniously.. we handle this with segmented networks, and sometimes little firewall devices that these things are plugged through... small hospitals wouldn't have the technical expertise to do some of this stuff + I'm sure its a huge problem nationwide... biggest issue is - no one even knows it.

[Vegaman_Dan]

That's bueracracy in action for you. IT departments are not dependant on technology so much as waiting for someone in a department elsewhere to make a decision for even the simplest of procedures. It can take weeks to months to get anything approved or certified through a change control process. Often it's far easier for the affected machine to 'break' and be replaced than to get it updated if it was already working, but lacked the updates necessary.

Dilbert and the BOFH both describe this process perfectly.

[SenorFrog]

@teststrips: scary. Unfortunately, vendors blocking the IT Department from knowing what's going on, to include preventing pen testing, is not uncommon.