Comments on: The alarming state of computer security in healthcare
https://www.emsisoft.com/en/blog/23161/the-alarming-state-of-computer-security-in-healthcare/
Straight-talking security advice from the Malware Experts
Fri, 18 Nov 2022 12:21:56 +0000

By: TheChosen (Wed, 17 Aug 2016 13:17:00 +0000)
https://www.emsisoft.com/en/blog/23161/the-alarming-state-of-computer-security-in-healthcare/#comment-718203
In reply to Pepper.

The answer is as obvious as it gets => To NEED FEWER WORKERS, to do the same amount of work in less time and/or to be cheaper.

See? The Internet of Things is REAL. That is what it's about: connecting everything in your world (be it a chair, your smartphone or your fridge) with the internet.

Making all of it attackable from outside.

But normal people don't know this. They think it's all fine and easy.

They just care about the lesser amount of work needed to do what they want to do.

By: Sokrates (Mon, 15 Aug 2016 18:15:00 +0000)
https://www.emsisoft.com/en/blog/23161/the-alarming-state-of-computer-security-in-healthcare/#comment-716303
In reply to Sean Elvee.

Are you meaning that each time someone in Redmond changes the rules of the game you really re-write all the drivers and the pieces of software that interact directly with the hardware, and then re-check everything all over again until you’re completely sure? You must be a team of very wealthy heroes!

By: Sean Elvee (Mon, 15 Aug 2016 12:47:00 +0000)
https://www.emsisoft.com/en/blog/23161/the-alarming-state-of-computer-security-in-healthcare/#comment-716065
In reply to Sokrates.

Many opinions and few facts in the comments above.
I’m in the process of ensuring GLP compliance for a UK-based, internationally respected medical research company to MHRA and OECD guidelines, as recently updated. Timely updating (i.e. inside 30 days from publishing) of OS and application security patches & service packs IS MANDATORY for any computer-based system connected to the network, as is change management testing and assurance, i.e. keep it secure, test all software changes for errors / crashes / bugs etc. in a limited subset of systems and, when sure, update all systems.
Perhaps medical regulation in the US is less rigid, but I doubt it. Perhaps they are less worried about compliance, but I somehow also doubt that.
The real issue was the delay from 1995 (yes, really!) until last April for a new guidance document to be published by the OECD. Sit back and consider if ANYTHING in the IT field is still as it was in 1995.

By: Sokrates (Fri, 12 Aug 2016 17:43:00 +0000)
https://www.emsisoft.com/en/blog/23161/the-alarming-state-of-computer-security-in-healthcare/#comment-713229

True, having critical pieces of equipment connected to the web is foolhardy (just a bland euphemism). But few managers would seek competent advice about something they think they already master (after all, they know perfectly well how to turn on their own computers, don’t they?), and then setting up an intranet costs dear money that could be used to finance the next Christmas party…
Little do they seem to consider that along with professional hackers and malware-spreaders there are also legions of clever kids and teenagers out there, each one eager to check if he or she is good enough to push a satellite out of orbit, or to stop a heart, or to cause a terribly exciting general black-out. I know because I was one of them – until my father explained very persuasively to my buttocks the meaning of “responsibility”.

Nevertheless there’s nothing shameful or sinful (as many here seem to imply) in sticking with ‘old’ software rather than replacing it with a newer – not necessarily better nor fully compatible – version. On the contrary, that’s very often the only way to keep a satisfactory piece of equipment (or of software) up and running rather than keeping up with the whims of fashion and junking it.
Once an OS is put in charge of complex critical equipment it becomes an integral part of it, and updating to the next commercial version of the OS would be deadly even in the most optimistic scenario.
There are incredibly complicated and outrageously expensive scientific monstrosities whose computers run on XP, on 98 or even on good old DOS – reliable, predictable, no frills. And as they aren’t expected to be used to play solitaire, or to chat, or to watch porn on the web, they all talk and listen only on a strictly local intranet.

By: Un bischero (Fri, 12 Aug 2016 16:45:00 +0000)
https://www.emsisoft.com/en/blog/23161/the-alarming-state-of-computer-security-in-healthcare/#comment-713130

IMHO, in these mission-critical cases they should use two different, not physically interconnected networks: an “internal” isolated one and another connected to the outside network.
For any update or maintenance task that requires a download, they should transfer the downloaded update packs manually.

By: Pepper (Fri, 12 Aug 2016 09:31:00 +0000)
https://www.emsisoft.com/en/blog/23161/the-alarming-state-of-computer-security-in-healthcare/#comment-713027

I still don’t understand why important systems like administration, hospitals or power supplies etc. are connected to the outside network.
It’s incredibly stupid to hang a nuclear power supply on the internet; every kid today can reach important systems and by accident open or close an important valve for cooling, for instance.
A second dangerous thing is old software and dumb, low-cost ICT personnel.
My son does an ICT education and for this he must do an internship at a high school. Nothing important, you would think, but a high school with 3000 systems in a network and only one person for network safety is nearly impossible: every day over 500 hacks from outside and then the 1000 tries from inside over 50 servers/modems; unless they are behind 5 firewalls, hackers come through, which needs a load of work to find and close the hole.
A student with straight A’s for his work who then fails all exams – then you know there is something fishy; looking in the system showed he or a friend had falsely changed his tests from D to A.
Suppose it was/is a hospital, and yes, most of them work with low-cost, low-educated IT personnel with old systems.
Even bedside systems for heart/lung/temp etc. work with Windows 98 connected to the internet server; from a single patient room you can easily close valves for oxygen on another floor in the hospital or even shut down the operating theatre floor so nothing works and people would die.
Really, it’s that easy if you want to: just a Linux or Windows phone, and all the necessary programs are downloadable from the internet; make contact with one system and, well, you can imagine what could happen.
Hospitals and insurance companies make billions of profit every year, and lose through greatness thousands of lives with the excuse “his/her heart stopped suddenly, sorry!”

By: Eagereagle (Fri, 12 Aug 2016 09:27:00 +0000)
https://www.emsisoft.com/en/blog/23161/the-alarming-state-of-computer-security-in-healthcare/#comment-713026
In reply to FirstSpear.

Ha ha. These machines become part of a network because people (at the top or in the hierarchy) are often lazy and computer-illiterate and think that efficiency is when all commands are in one hand; thus networking ensures that and reduces maintenance costs and payroll, since all is located at one level. The real diseases or malware in our society nowadays are bonuses for the top and high dividends for the shareholders. No Emsisoft, unfortunately, can change that. This being said, I love Emsisoft.

By: Sokrates (Fri, 12 Aug 2016 09:04:00 +0000)
https://www.emsisoft.com/en/blog/23161/the-alarming-state-of-computer-security-in-healthcare/#comment-713013

Looks like there’s a major misunderstanding behind all this.
Once, for practical reasons, satisfactorily working commercial software is put in charge of some critical equipment, that software should NEVER be touched again – except perhaps to update it to a new version specifically tailored to that particular application and thoroughly tested.
On many occasions sticking with an ‘obsolete’ operating system is not a capital sin but rather the only way to keep a critical piece of hardware (or software) working properly without potentially disastrous surprises.

Scientific and medical equipment is exempt from keeping up with the fashion trends: it is definitely not meant to play solitaire, to chat or to watch porn on the internet. For a damn complex (and shockingly expensive) space project we resolved to exhume the good old DOS (reliable, predictable, no frills), though slightly retouched to fit our special needs. And none of us feels guilty or ashamed of it.

That said, having such equipment connected to a public network would be utterly irresponsible: along with professional hackers and malware-spreaders there are a lot of quite smart kids and teenagers out there, each one eager to ascertain whether he or she is really good enough to draw a satellite out of orbit, or to stop a heart, or to cause a terribly exciting general black-out.
Curiously enough, whenever this happens the traditional scapegoats are the software people and the faceless attacker, seldom (if ever) the budget-wary management that decided to save the few K$ required to set up a dedicated intranet not accessible from outside.
It’s a funny world…

By: FirstSpear (Fri, 12 Aug 2016 08:19:00 +0000)
https://www.emsisoft.com/en/blog/23161/the-alarming-state-of-computer-security-in-healthcare/#comment-713001

How can such machines be attacked unless they are part of the network? Why do individual machines need to be part of the network? Revert to dumb, individual-use machines, or cluster networks: small groups of machines that can only interact with each other and have no connection to anything outside their cluster. Given the evidenced impossibility of maintaining security of anything connected to a wide network, why keep making machines that act that way? Asking for trouble, and stupid.

By: cat1092 (Fri, 12 Aug 2016 04:24:00 +0000)
https://www.emsisoft.com/en/blog/23161/the-alarming-state-of-computer-security-in-healthcare/#comment-712996

What is & should be scary is that some practitioners are still running XP for their day-to-day operations for some types of programs/procedures. There’s some software & equipment for which there’s no replacement, and which was very expensive at time of purchase (say it takes 20 years to pay for itself).

Well, if the ones who initially distributed the equipment never updated the software or hardware for use with Windows 7 or above (or a Linux distro), even if offline only, those computers are a threat to the hospital’s or clinic’s network. Many imaging facilities in particular are using XP-powered hardware, so the risk is very high, even with high-powered protection such as Emsisoft Anti-Malware or Internet Security.

What many don’t realize is that there have been over 200 patches/updates post-EOL of XP, and many of these have been patched for Vista & above. For that matter, not even Vista gets fully updated (using IE9 as an example).

Until medical providers fix the underlying issues, and have more control over employee access to the Internet (to include restrictions on plugging in USB drives & other devices), the problem is not going away any time soon. And in the medical field, it takes years to change.

Maybe they should have been thinking of the future when purchasing these expensive devices without an upgrade path & held off spending; after all, Windows was predictable until W10, providing a new OS every three years (a bit longer between XP & Vista), and it may be that period that’s the issue. The medical clinics cannot gain an ROI if trading for newer equipment, so they run older & pay the consequences as these happen.

The other looming issue is spending: there’s limited cash in the budget to upgrade equipment, as well as the OSs that power these, so in essence they’re stuck. Insurers are reimbursing less, and patients pay less, plus many don’t meet their end of the deal, paying their fair share.

It’s very complicated, yet in the meantime hospitals & clinics have to figure out how to better secure their Internet. When running EOL OSs, it doesn’t take much for a botnet to be created, perhaps by a disgruntled employee at a high level, knowing the end of their job is near & inflicting damage however they can. All it would take is a USB drive that has an app like EEK, used on many computers & infections caught. Those infections could somehow be injected throughout the place from that drive’s quarantine folder loaded with nasty malware by one with skills, or simply dumped in a place where it’ll spread on its own, like a cancer.

It’s up to the medical care industry to police themselves, trade current equipment, even if some negative equity has to be rolled into the new loan, and stay in tune with the times. Of course this will take time, so today is as good as any to begin looking for solutions to secure the facilities.

Cat
