
Conficker worm may signal new era for healthcare networking


So, you tell me: Why would an MRI machine need to be connected to the Internet in the first place? My guess is that you'll tell me that there are firmware or operating system upgrades that get performed automatically, that the devices can be monitored or inventoried remotely, or that you're performing some other routine network function.

All of this sounds just fine. But the truth is, connecting medical devices to the Net creates scary risks security experts have known about for years. In wireless devices, meanwhile, the middleware that sits on top of the operating system is quite vulnerable to attack, according to technology research firm Nerac Inc.

Now, hospitals have gotten a rude notice that the experts were right, in the form of the Conficker worm. Exploiting a weakness in the embedded version of Windows, Conficker infected a range of medical devices at hospitals and around the world, including MRIs. Experts are still sorting out what other devices and computers Conficker has touched, but it's clear that many millions were compromised to some degree.

As readers of this publication know, black-hat hackers will write worms just because they're antisocial jerks who like playing with other people's toys. But medical devices can also serve as a gateway to information that's quite valuable to everyone, from freelance thieves to organized criminals. At minimum, you've got medical identity theft and HIPAA violations to worry about, not to mention network exposure that any enterprise faces.

Now that hospitals have been called out on a new network vulnerability, healthcare networking may change. It may be time to rethink entirely how specialty devices are monitored and managed, or it may just be time to change security routines and manage your MRI more like you do your laptop. Or maybe you'll go so far as to demand that manufacturers change the way they select, develop and update their operating systems and middleware.

The bottom line, though, is that if your MRI can take on a nasty worm like Conficker, it isn't your father's MRI anymore. And that has big implications for you. - Anne


Comments

Forgive my ignorance, but did a rash of MRIs get hit by this worm? We do security work for dozens of hospitals and all the MRI devices and modalities I run into are Sun/Unix. I have never seen one allowed out to the Internet... not good practice to run "updates" on a machine that is running a 10k study on someone. These devices are maintained by private networks or VPN tunnel access and maintenance is Scheduled!

If radiology systems did get hit, I would imagine it would have been Windows-based PACS. For some reason vendors started dropping Mac/Unix and started using Windows.

If anyone knows of medical equipment being hit... I mean real equipment, like MRI, PET, CT, not PCs that process the end results, please post some info.

I am working for a startup medical device company as an electrical engineer that is developing an X-ray device. We just finished our 60601 compliance testing. From the engineering side, “networking” a medical device is a nightmare that I would never want to approach from an IEC compliance standpoint (again from a startup angle).

We had considered making our device network compatible for the reason of ease of retrieving data and software upgrades, but on further review, we found it more advantageous to send a clinician to the site or have the clinician load/download any data from a company-issued “thumb drive”. They are clean, controllable (password enabled) and are traceable. Traceability is the ultimate desire for any medical company.
