The Conficker Internet virus has infected important computerized medical devices, but governmental red tape interfered with their repair, an organizer of an antivirus working group told Congress on Friday.
Rodney Joffe, one of the founders of an unofficial organization known as the Conficker Working Group, said that government regulations prevented hospital staff from carrying out the repairs.
Joffe, who also is the senior vice president for the telecom clearinghouse Neustar, told a panel of the House Energy and Commerce Committee that over the last three weeks, he and another Conficker researcher identified at least 300 critical medical devices from a single manufacturer that have been infected with the computer virus.
The devices were used in hospitals to allow doctors to view and manipulate high-intensity scans like MRIs and were often found in or near intensive care unit facilities, connected to local area networks with other critical medical devices.
"They should have never, ever been connected to the Internet," Joffe said.
Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.
Joffe's testimony and earlier reports of infected medical devices show the risks involved in efforts to reap the economic benefits of a networked world. President Obama's stimulus package has allocated billions of dollars for digitizing medical records and networking the nation's electric grids.
"The open Internet, one of its great values is it allows you to connect fairly cheaply and fairly easily to other computers," Joffe said. He added, however, that "the Internet was never designed to do the things it's doing today."
That includes connecting control systems to the Internet to manipulate and coordinate the nation's electric grids.
"The future of widespread (electric) meter-to-meter communication does have me concerned," said Dan Kaminsky, a technology consultant who last year discovered a critical flaw in the Internet's core infrastructure. "I would like to see more security for those meters."
It was recently reported that Chinese and Russian spies had infiltrated the grid networks. Politicians introduced a bill on Thursday to give the Homeland Security Department and other federal agencies more authority over utilities in order to protect the "smart" grid from cyberattacks.
Joffe and other witnesses said that, at an operational level, the DHS is the appropriate government agency to improve cybersecurity. He called the U.S. Computer Emergency Readiness Team, which is operated by the DHS, "woefully understaffed and woefully underfunded." As part of its mission, USCERT acts as a liaison between the public and private sectors.
Gregory Nojeim, senior counsel for the Center for Democracy and Technology, also said DHS should naturally hold jurisdiction over cybersecurity, as long as it makes its actions more transparent and receives policy guidance from the White House.
Policymakers need to be clear and open in their work with the private sector, Nojeim said, and should avoid giving anyone in the government--even the president--too much power over private networks. He urged the congressional panel to reject legislation from Senator Jay Rockefeller, D-W.Va., that would give the president power to shut down any critical network--federal or otherwise--in an emergency.
"Any such shutdown could also have far-reaching, unintended consequences for the economy and for the critical infrastructures themselves," he said. "To our knowledge, no circumstance has yet arisen that could justify a presidential order to limit or cut off Internet traffic to a particular critical infrastructure system when the operators of that system think it should not be limited or cut off."
This story was originally published on CBSNews.com.
Updated 7:50 a.m. PDT April 24 to specify that the infection was in the U.S.
SAN FRANCISCO--The Conficker worm infected several hundred machines and critical medical equipment in an undisclosed number of U.S. hospitals recently, a security expert said on Thursday in a panel at the RSA security conference.
"It was not widespread, but it raises the awareness of what we would do if there were millions" of computers infected at hospitals or in critical infrastructure locations, Marcus Sachs told CNET News after the session. Sachs is the director of the SANS Internet Storm Center and a former White House cybersecurity official.
It is unclear how the devices, which control things like heart monitors and MRI machines, and the PCs got infected, he said. The computers are older machines running Windows NT and Windows 2000 in a local area network that was not supposed to have access to the Internet; however, that network was connected to one that has direct Internet access, and so they were infected, he said.
Conficker spreads via networked computers as well as through removable storage devices and a hole in Windows that Microsoft patched in October, but these machines were too old to be patched, according to Sachs.
In the U.K., PCs at hospitals in Sheffield were found to be infected with Conficker in January, The Register reported.
The situation illustrates the dangers of connecting critical networks, such as those in hospitals and the SCADA (Supervisory Control and Data Acquisition) systems used by utilities and other critical infrastructure providers, with networks connected to the Internet, he said during the panel "Securing Critical Infrastructures: Infrastructure Exposed."
"We haven't found any nukes yet that are infected with Conficker or that are trying things like Twitter," he quipped. But "that is within the probable as we take shortcuts," he said.
"We're seeing a huge uptick in probing for SCADA systems," said Jerry Dixon, director of analysis and vice president of government relations at research firm Team Cymru. For years, the SCADA systems were separated from the public networks, but that's not the case anymore, he said.
Utilities move to remote access and other Internet-based technologies so workers can have access to the control systems when they are not at the plant and to cut costs, Sachs said. Workers have been known to access control systems using BlackBerrys for no reason other than that they can, he said.
Asked after the panel if cyberattacks had led to any utility outages, Michael Assante, chief security officer of the North American Electrical Reliability Corporation (NERC), said "none in North America."
"There is no evidence of computer compromise that led to a disruption of service," he said. "We're not immune to it; it's not hypothetical."
Government officials maintained that an electricity blackout in 2003 in the northeastern United States was not caused by the Blaster Internet worm that was circulating at the time as was suspected, but officials also were never able to reveal why it happened.
Three hospitals in London were forced to shut down their networks Tuesday after being infected with a computer virus.
"Emergency procedures have been activated to ensure that key clinical systems continue while network access is being established. We have maintained a safe environment for our patients throughout the incident," a statement on the site for Barts and The London NHS Trust hospital system said.
"Manual backup systems are in use and we are in the process of restoring the computer systems with priority being given to the most important areas for maintaining patients services," the statement said.
The hospitals affected are St. Bartholomew's, the Royal London Hospital, and The London Chest Hospital. The BBC quotes a spokesman for Barts and The London as saying the virus was "not malicious" and the infection was "self-contained."
Doctors are using pen and paper as backups as a result of the infection, according to The Register.
The virus is believed to be the Mytob worm, which spreads via e-mail and plants a backdoor Trojan on infected computers that can be used to remotely take control of the machine, according to security firm Sophos.
"There will, no doubt, be concerns that the confidentiality of patients' data may have been put at risk, and the hospitals will surely be keen to reassure the public that security has been maintained," Graham Cluley, senior technology consultant at Sophos, wrote in a post on his blog.
Updated 1:30 p.m. PDT with laptop being found.
The perils to consumer privacy are getting greater day by day.
In recent headlines, nearly 130 workers at UCLA Medical Center are accused of prying into the medical records of celebrities and other patients. One woman is even accused of selling information about Farrah Fawcett's cancer treatment to tabloids, according to the Los Angeles Times.
California Gov. Arnold Schwarzenegger, whose wife, Maria Shriver, is believed to have had her records snooped on at the hospital, has endorsed legislation that would impose penalties on hospitals and workers for patient privacy breaches.
The breach opens UCLA Medical Center up to lawsuits and government investigations related to alleged violations of the Health Insurance Portability and Accountability Act of 1996, which requires medical providers to safeguard the privacy of patients, said Brian Cleary, vice president of marketing at Aveksa, which provides access governance solutions to enterprises.
"UCLA has had this happen multiple times," but is not unique, he says. For instance, the passports of presidential candidates John McCain, Barack Obama, and Hillary Clinton were looked at by unauthorized government workers earlier this year, and George Clooney's medical data was breached after a motorcycle accident in New Jersey last year.
"The number of incidents suggests that these organizations do not have an effective (data access) control framework," Cleary says. "Even the federal government needs some work here."
Apparently, the San Francisco Airport could use some help, too.
A laptop containing data on about 33,000 travelers who applied for a national airport fast pass card was believed to have been stolen from a locked office at the San Francisco Airport in late July, according to The San Jose Mercury News.
The Associated Press reported on Tuesday that the laptop was found in the room where it was supposed to be.
The alleged breach had forced officials to temporarily halt enrollment in the program, The San Jose Mercury News report said.






