So, you tell me: Why would an MRI machine need to be connected to the Internet in the first place? My guess is that you'll tell me that firmware or operating system upgrades get performed automatically, that the devices can be monitored or inventoried remotely, or that you're performing some other routine network function.
All of this sounds just fine. But the truth is, connecting medical devices to the Net creates scary risks security experts have known about for years [1]. In wireless devices, meanwhile, the middleware that sits on top of the operating system is quite vulnerable to attack [2], according to technology research firm Nerac Inc.
Now, hospitals have gotten a rude notice that the experts were right, in the form of the Conficker worm. Exploiting a weakness in the embedded version of Windows, Conficker infected a range of medical devices at hospitals around the world, including MRIs. Experts are still sorting out what other devices and computers Conficker has touched, but it's clear that many millions were compromised to some degree.
As readers of this publication know, black-hat hackers will write worms just because they're antisocial jerks who like playing with other people's toys. But medical devices can also serve as a gateway to information that's quite valuable to everyone, from freelance thieves to organized criminals. At minimum, you've got medical identity theft and HIPAA violations to worry about, not to mention network exposure that any enterprise faces.
Now that hospitals have been called out on a new network vulnerability, healthcare networking may change. It may be time to rethink entirely how specialty devices are monitored and managed, or it may just be time to change security routines and manage your MRI more like you do your laptop. Or maybe you'll go so far as to demand that manufacturers change the way they select, develop and update their operating systems and middleware.
The bottom line, though, is that if your MRI can take on a nasty worm like Conficker, it isn't your father's MRI anymore. And that has big implications for you. - Anne [3]
Links:
[1] http://www.threatpost.com/blogs/compliance-demands-prevented-repair-virus-infected-medical-devices
[2] http://www.nerac.com/nerac_insights.php?category=articles&id=181
[3] mailto:anne@fiercemarkets.com