Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Malware Is 'Rampant' On Medical Devices In Hospitals

Soulskill posted more than 2 years ago | from the physician-heal-thine-pc dept.

Operating Systems 234

Dupple sends this quote from MIT's Technology Review: "Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable. While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion. [He said], 'Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.' ... Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed."

Sorry! There are no comments related to the filter you selected.

WELL, THAT'S OKAY SINCE WE ALL DIE SOMETIME !!! (-1)

Anonymous Coward | more than 2 years ago | (#41683807)

A little sooner than we should, but that's them bones !!

Re:WELL, THAT'S OKAY SINCE WE ALL DIE SOMETIME !!! (4, Funny)

ackthpt (218170) | more than 2 years ago | (#41684181)

A little sooner than we should, but that's them bones !!

Need a sign out front - Caution: This Hospital Uses Microsoft Windows.

Re:WELL, THAT'S OKAY SINCE WE ALL DIE SOMETIME !!! (4, Insightful)

pentalive (449155) | more than 2 years ago | (#41684453)

Caution: This Hospital Uses Microsoft Windows 98

Meh... (4, Interesting)

Anonymous Coward | more than 2 years ago | (#41683809)

When someone does get hurt, it will be a very clear case of negligence on the part of the manufacturer, and the lawsuit will bring everyone else in line.

Sad that this is the way it works in America though.

Re:Meh... (5, Funny)

robthebloke (1308483) | more than 2 years ago | (#41683939)

Everyone would just start leaving hospital with an enlarged wanger, and a $12,000,000,000,000,000 bank deposit from a Nigerian prince.

Re:Meh... (2)

jellomizer (103300) | more than 2 years ago | (#41684217)

Except for when they pinpoint the nurse or tech who used to device to connect to another site.

It is a Damn if you do and Damn if you don't situation.

You don't update your OS you could get hacked. You do update the updates makes the device unusable.

Re:Meh... (5, Informative)

Anonymous Coward | more than 2 years ago | (#41684459)

The question is why would medical devices get malware on them just because the OS is unpatched? The frigging device could be Win95 but it shouldn't matter if all it ever runs is the vendor's software.

If people are browsing the internet on them or sticking USB drives in them they are doing things very wrong.

Medical people should be familiar with the terms "quarantine" and "isolation".

Re:Meh... (5, Insightful)

HideyoshiJP (1392619) | more than 2 years ago | (#41684675)

While this should be true, these devices are increasingly being connected to networks to offer integration with EHR/HIS for polling information, and especially in radiology, where images are being sent digitally to PACS. These machines often stay unpatched, yet get connected to the network for transfers. It's important to maintain a separate "medical device" network, but this only goes so far, especially when vulnerabilities bypass the Windows firewall on the medical device, allowing some infected PC/device/server to broadcast worms all over the place.

Re:Meh... (2)

Krojack (575051) | more than 2 years ago | (#41684651)

Hospital IT tech to patient: Sir, I need to reboot the computer controlling your heart pump to install some Windows updates. I need you to keep squeezing this "squeeze bulb" a few times a second while the computer is rebooting.

Nurses/Doctors (0)

Anonymous Coward | more than 2 years ago | (#41683827)

Well if the nurses/doctors would quit browsing the internet for coupons and shopping sites.

What about networks (5, Interesting)

Anonymous Coward | more than 2 years ago | (#41683841)

I don't know about medical devices, but I do know that the last time I was in the emergency room I brought my laptop since I knew I would be there for a few hours. After getting tired of games and slashdot I decided to poke around the wifi network that I was on. I found an unsecured smb share on the network and downloaded a 17gb .bak file of patient records. Needless to say I deleted the file and sent an anonymous email to the administrator. 3 months later nothing had changed....

Re:What about networks (3, Insightful)

FacePlant (19134) | more than 2 years ago | (#41683943)

Hospitals are notorious this this kind of IT stupidity.

Re:What about networks (4, Informative)

ackthpt (218170) | more than 2 years ago | (#41684331)

Hospitals are notorious this this kind of IT stupidity.

Most institutions are, including the financial sector, government, schools as well as millions of homes.

Back when Windows 95 rolled out Microsoft was incredibly naive. Where for decades mainframe operating systems were hardened against attacks, Microsoft failed to learn from those experienced in the field and some clever lads found they could manipulate financial software remotely, thanks to a complete lack of security with ActiveX. Shocking. For over a decade Windows continued to be loaded with security holes and a lack of internal checks to ensure software should be allowed to do things it was. Where we had process monitoring applications on RSTS and *nix systems, there was no means to track what was going on, particularly with DLLs on your desktop or laptop Windows system. Yet Windows attempted to be able to do everything and uneducated users (for who is truly educated where a home computer is concerned?) trusted it to be a good steward of their data and other assets. Meanwhile good Bill Gates and Chair-tosser Steve Ballmer were plotting next conquests and becoming fabulously wealthy. Honestly, should anyone be surprised? A good bet would have been requiring a standard operating system, a good clean one, for medical systems as life depends upon them. Nope, everyone gets cheap - use Windows and commodity hardware.

They really should include a warning that the healthcare facility may have information of a personal nature about you on Windows or that the maching going 'Bing' which keeps you alive may also and you accept these risks and relieve them of responsibility when it all goes to pot.

Re:What about networks (0)

Anonymous Coward | more than 2 years ago | (#41684411)

'use Windows and commodity hardware', and charge premium prices.

Re:What about networks (5, Informative)

BVis (267028) | more than 2 years ago | (#41684761)

Probably more accurate to say that hospital administrators would rather rip their own arms off than fund IT adequately. Hospitals are *notorious* for under-funding IT departments.

Re:What about networks (4, Interesting)

drainbramage (588291) | more than 2 years ago | (#41684023)

Same thing I've seen in hotel web sites, but I digress.
An additional problem in a HIPPA perspective is that (per your experience) the data was not encrypted...
That may seem to be a huge oversight to someone on /. but a lot of medical staff are not terribly computer security conscious.
Heck, too many IT staff don't understand security.

When devices, networks, and users fail to protect data individually or collectively there will be issues.
That is no excuse for wide open access to medical devices. I do wonder if they have to go through a full FDA acceptance period for software/firmware updates? I suspect that could be an issue.
--
No brain, no pain.

Re:What about networks (1)

HideyoshiJP (1392619) | more than 2 years ago | (#41684713)

I've heard conflicting statements on updates and FDA certifications. Some vendors say that you can't patch due to having to recertify with the FDA. Other times, I've dealt with vendors who will advise you to patch, but will provide a patch certification list to use; a list that's unfortunately constantly behind.

Consider yourself very lucky... (5, Insightful)

Anonymous Coward | more than 2 years ago | (#41684353)

I found an unsecured smb share on the network and downloaded a 17gb .bak file of patient records. Needless to say I deleted the file and sent an anonymous email to the administrator. 3 months later nothing had changed....

Usually anyone who dares tell the Emperor that he's actually naked and not wearing any "new clothes" gets his head chopped off for pointing out the truth.

Lemme tell you what would've happened at one particular hospital I know of: The IT administrator would've contacted law enforcement and provided them with all the video footage from the multitudes of security cameras around the place, along with the patient and visitor lists, as well as all the the wifi access and activity logs containing your mac address and anything else logged and/or identifiable about your laptop, to try to find out your real identity for criminal prosecution purposes.

Despite the fact that they are extremely weak in securing their network resources in the first place nor do they have any realtime alerting mechanisms to detect any kind of unauthorized access while in progress.... they do go to ridiculous lengths to log and record everything necessary to try to identify you so they can come and get you long after the fact.

Re:What about networks (3, Informative)

Anonymous Coward | more than 2 years ago | (#41684481)

I don't know about medical devices, but I do know that the last time I was in the emergency room I brought my laptop since I knew I would be there for a few hours. After getting tired of games and slashdot I decided to poke around the wifi network that I was on. I found an unsecured smb share on the network and downloaded a 17gb .bak file of patient records. Needless to say I deleted the file and sent an anonymous email to the administrator. 3 months later nothing had changed....

Deleting the file and sending an anonymous email to the hospital administrator is like deleting a tape and telling a car thief that he was videotaped and to be more careful next time. If their network is still unsecured, why not be awesome and protect other patients by filing a complaint and cc'ing lots of people at the hospital that you have reported their irresponsible negligence to the US Dept of Health & Human Services at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

Re:What about networks (3, Interesting)

shentino (1139071) | more than 2 years ago | (#41684549)

That's because they have no incentive to listen to you.

Report it as a HIPAA violation and stay anonymous (5th amendment implications for you downloading it yourself), and watch them get burned.

If the regulators don't even care, then give up.

The system may be broken, but it sure as hell doesn't belong to you.

And this is why the USA is in trouble (1, Informative)

SmallFurryCreature (593017) | more than 2 years ago | (#41684601)

Why was he in the emergency room yet capable of deliberately bringing a laptop for the long wait?

Because he was using the ER for something he should have gone to the doctor paid through his insurance rather then the ER which is free if you don't have insurance.

And he wonders why hospitals have no money to spend on IT security.

Re:And this is why the USA is in trouble (3, Informative)

CowTipperGore (1081903) | more than 2 years ago | (#41684745)

I get your point but this a stupid example to use for it. Should he have gone to his GP for a severely twisted ankle or for a high fever on Saturday evening? For that matter, he could have been there with his significant other, child, or friend.

Re:And this is why the USA is in trouble (1)

Anonymous Coward | more than 2 years ago | (#41684835)

> Why was he in the emergency room yet capable of deliberately bringing a laptop for the long wait?
> Because he was using the ER for something he should have gone to the doctor paid through his insurance rather then the ER which is free if you don't have insurance.
> And he wonders why hospitals have no money to spend on IT security.

Last time I went to the ER, I had cut myself and needed stitches. Yes, I could have gone somewhere else, except that it was at 11pm, so I'd have to wait 10 hours while I held it together myself. There was literally no where else to go. I *wish* that I had brought a laptop -- I was able to stop at a restaurant for breakfast by the time I got out of there (and no, it wasn't a 24h place).

conventional malware = windows malware (5, Insightful)

Anonymous Coward | more than 2 years ago | (#41683879)

Windows is not intended to be used in life-critical situations such as medical hardware or nuclear reactor control. It's right there in capital letters in the EULA.

Someone's being a cheapskate here and decided to use windows instead of paying to develop a custom medical OS.

Re:conventional malware = windows malware (0)

Anonymous Coward | more than 2 years ago | (#41684317)

Some ERs use CERNOR or whatever its called running in a web browser with Windows XP as the OS and wireless networking.

Multiple risk factors there and an ER is emergency medical records access.

Re:conventional malware = windows malware (3, Interesting)

dubdays (410710) | more than 2 years ago | (#41684415)

Windows is not intended to be used in life-critical situations such as medical hardware or nuclear reactor control.

I totally agree. However, this, to me, is the main question: Why in the FUCK would these devices be connected in ANY way, shape, or form, to the INTERNET in the first place??!?!? That's just asking for it, no way around it. It's stupid, careless, and shouldn't be allowed under any circumstance (barring VPN via a WIRE and ONLY when absolutely necessary). We're dealing with people's health and lives here, and this is a totally preventable situation.

I can understand the issue with USB drives, but there need to be policies in place that prevent the use of them unless absolutely required.

Re:conventional malware = windows malware (2)

NatasRevol (731260) | more than 2 years ago | (#41684621)

It's as simple as this.

The doctors demanded it.

They're the goose with the golden egg, so they get what they want.

End of story.

Re:conventional malware = windows malware (0)

Anonymous Coward | more than 2 years ago | (#41684451)

Windows is not intended to be used in life-critical situations such as medical hardware or nuclear reactor control. It's right there in capital letters in the EULA.

Someone's being a cheapskate here and decided to use windows instead of paying to develop a custom medical OS.

Who reads the EULA?

Re:conventional malware = windows malware (0)

Anonymous Coward | more than 2 years ago | (#41684485)

Windows is not intended to be used in life-critical situations such as medical hardware or nuclear reactor control. It's right there in capital letters in the EULA.

Someone's being a cheapskate here and decided to use windows instead of paying to develop a custom medical OS.

Windows is not to be used anywhere where performance, stability, security, or interoperability matter. You're right, and I love how most people manage to ignore the fact that Windows' unsuitability for "mission critical" applications is mentioned right there in the EULA. Imagine buying a car, and having to sign a document acknowledging that you have been made aware of the fact that the car is an unsafe pile of shit before they let you drive off. Yet people still buy their miserable, worthless shitware.

Then again, there is no excuse for not using any of the much superior, vastly more secure alternatives such as Linux, or a BSD-variant. I say, take those patient records you find on networks where there's no security, download them, and e-mail them to the government agency in charge of prosecuting organizations for failure to be diligent about safeguarding people's medical records, and let THEM sort it out.

What's that? There isn't one of those? I didn't know. That does explain a lot though.

Re:conventional malware = windows malware (0)

Anonymous Coward | more than 2 years ago | (#41684503)

A lot of devices are used in medical situations but are not life-critical. Such things might be a device to measure blood pressure, or heart conditions (like Cardionet devices, which run on WinCE, and yes, because the company was cheap).

Re:conventional malware = windows malware (2)

Darinbob (1142669) | more than 2 years ago | (#41684705)

I agree there's some idiotic stuff out there. But hospitals are cheap and so a lot of things are just boards in PCs. I'd hesitate to say malware was rampant, except for all the thousands of generic windows machines out there which are turned into medical devices by running an app.

There is a bit of lax security even in embedded devices. The goal is not to stop terrorists or hackers, but to prevent someone from breaking your licensing or cloning your machines or firmware. Most embedded medical devices don't have Windows, some don't even have an operating system. You have to know the details of each individual machine to crack into them, and the attack that works will not work on a machine from someone else or from a different model line of the same manufacturer. If these machines ended up being as politically senstive as SCADA machines then the security would likely go up (not in terms of anti-malware which is nonsensical, but in encryption and certs and the like).

What are these machines running? VxWorks, Nucleus, uC/OS, LynxOS, eCos, etc. These are not things your IT goons are going to know about.

Of course as Stuxnet shows, you must secure your network infrastructure and train your personnel.

Activate legal team (0)

Anonymous Coward | more than 2 years ago | (#41683883)

Sue the bandagers.. er, bastiges.

Sad but true (3, Interesting)

kheldan (1460303) | more than 2 years ago | (#41683887)

I used to work for an ophthalamic ultrasound company. You'd think that doctors, having all those years of college and medical school, would know better than to browse the internet on a medical device, or know enough to ensure that the USB flash drive they're carrying around and using to transfer images from one ultrasound to their computer is free of malware, but the sad reality is they're not, and while I can't speak for other devices manufactured by other companies, ours couldn't run antivirus and still run the ultrasound application effectively, so it was essentially wide-open to malicious software.

Re:Sad but true (0)

Anonymous Coward | more than 2 years ago | (#41684155)

Plenty of people were able to become doctors for no better reason than they have superb memory.

Re:Sad but true (1)

Anonymous Coward | more than 2 years ago | (#41684309)

I'll back that up ; I quit being a doctor because (amongst other reasons) I was bored stupid.

You can learn to be a doctor if you're a hard worker with a decent memory. And willing to tolerate working like a dog for 80 hours a week.

Un/fortunately I'm the typical computer programmer - clever, good memory, but bored senseless by doing the same thing all the time.

People who aren't quite as bright probably do better, having a higher boredom threshold.

Posted anonymously for anti-smugness reasons.

Question.... (1)

Anonymous Coward | more than 2 years ago | (#41684571)

Q: What do you call the guy who graduated very last place at the bottom of his med school class?
A: Doctor.

Re:Sad but true (0)

Anonymous Coward | more than 2 years ago | (#41684239)

The workflow seems to run like this:

1. Aquire data using your neat ultra sound machine
2. Connect usb stick and write data onto it
3. Read data from usb stick on a workstation

Unless some other procress which requires stuff to be read from usb sticks, why not simply lock it down ?
You could even format the stick as soon as its been plugged in. It would only enforce the idea of keeping only little bits of sensitive data on there only for very short times.

The economists might even figure that they could sell one-time-use only sticks (with a propietary connector) in analogy to one-time-use needles.

Re:Sad but true (0)

Anonymous Coward | more than 2 years ago | (#41684337)

Great. Blame the user. No, it can't be that running root is stupid. The user is stupid.

Re:Sad but true (1)

whoever57 (658626) | more than 2 years ago | (#41684391)

You'd think that doctors, having all those years of college and medical school, would know better than to browse the internet on a medical device

IMHO, doctors have over-inflated views of their own abilities outside the narrow field of their medical training. For example, this respected neurosurgeon claims to have scientific evidence of the existence of an afterlife, based on his own experiences.

Re:Sad but true (1)

nigelo (30096) | more than 2 years ago | (#41684679)

Nice catch.

I want to learn more about these 'outer-body' experiences he refers to (paragraph 4).

Of course, it could just be another damp squid ;-)

I worked at a hospital (2)

slashmydots (2189826) | more than 2 years ago | (#41683915)

I worked at a hospital for about a half year and noticed that their policy was if it isn't a "normal" computer, we don't touch it. We leave it up to the lab techs and pharmacy staff and cardiology people. So there's 99% of the problem.

Re:I worked at a hospital (1)

jader3rd (2222716) | more than 2 years ago | (#41684253)

if it isn't a "normal" computer, we don't touch it.

Who is 'we' in this case? The Board of Directors?

Re:I worked at a hospital (4, Interesting)

RKThoadan (89437) | more than 2 years ago | (#41684295)

I work in hospital IT and we have an entire separate department for working with any clinical equipment. In most cases they can't do anything either because the vendors do not allow us any admin level access and none of them are part of our regular domain/AD. The lab/pharmacy techs quite literally have more access to those systems than we do. It's extremely aggravating.

Re:I worked at a hospital (1)

shentino (1139071) | more than 2 years ago | (#41684575)

Why are your vendors allowed to have admin access in the first place?

That sounds like a HIPAA violation right there.

Re:I worked at a hospital (1)

Darinbob (1142669) | more than 2 years ago | (#41684731)

The IT people can't touch that stuff anyway. It's not Windows, it's not Mac OS, it's not even Unix. Trying to get IT people to put better security on it would be like asking your IT staff to put an antivirus in your Prius.

Obvious cause is obvious (0)

Anonymous Coward | more than 2 years ago | (#41683919)

The majority of computers in hospitals/doctor offices/dentists are budget machines running windows XP. Whatever software is intended to be run on them is installed right when the machines are purchased, and then the machines sole purpose for the next 5 years is to run that software. No one bothers to run Microsoft Update or similar because there never is an apparent need, hence the numerous "unpatched" machines.

Impossible! (1)

Billly Gates (198444) | more than 2 years ago | (#41683927)

Only IE 6 is supported and certified for use with the equipment and software. Not to mention there is no sense upgrading $300,000 equipment which is now certified with the all uber secure IE 7 when the older works just fine according to the accountants.

What could possobly go wrong! FYI no updates after May 2009! They are not certified for medical use yet

Willful Ignorance (5, Insightful)

Anonymous Coward | more than 2 years ago | (#41683937)

Dad has owned an ultrasound service business since the late 70s. My brothers and I all worked for him in varying capacities, before becoming engineers ourselves.

In my experience: the amount of willful ignorance towards all manner of IT in the medical field is nothing short of astounding.

I hate to say it, because I love alot of these people- but I chalk it up to the arrogance of the doctors and administrators. They treat anything IT related on the same level as an issue regarding say, HVAC or sanitation. That is to say, beneath them.

Which is fine, except in this case the "HVAC" can be programmed by a remote intruder to emit Zyklon B.

"easy" to remedy (2)

MrLint (519792) | more than 2 years ago | (#41683955)

The technical issues that cause this are "easy" to remedy. You don't allow people to use the instrument to have administrator access. A good portion of applications can be remediated to work in a low privileged environment via file system ACLs. Those that cannot need to be network isolated and stripped down to the bare essentials needed to do the task it is for. *These are technical steps*

Administrative steps to take is to demand that the outside vendors don't get to dictate your network policies. Frankly in a hospital you can go all HIPPA on their asses.

To give an anecdote, we had a vendor who delivered an instrument, for with the edict was that *NO* settings could be changed. They shipped it with a manually configured IP of an ISP in Germany. Presumably they wanted us to buy the IP block to get it on the network.

Re:"easy" to remedy (4, Insightful)

drinkypoo (153816) | more than 2 years ago | (#41684061)

You don't allow people to use the instrument to have administrator access

I guess you've never heard of a privilege escalation exploit. If you're not performing updates then you're vulnerable, end of story. It's a good argument for eliminating the full-fledged computers inside of general-purpose medical devices, and making them instead some kind of peripherals used with computers of some sort when an interface is needed.

Re:"easy" to remedy (0)

Anonymous Coward | more than 2 years ago | (#41684407)

While there is probably some truth to this, you need to understand how some doctors work; quite a few in the profession still think that being a doctor means they're in charge of everything; it's not uncommon for them to go to some conference, learn about new tech, purchase with dept. funds and set it up without ever telling IT what they're doing, and they're able to because they have free reign on the network/domain to do what they please. Some of this is that IT needs to clamp down on what can and cannot get on the network.

Re:"easy" to remedy (1)

drinkypoo (153816) | more than 2 years ago | (#41684923)

it's not uncommon for them to go to some conference, learn about new tech, purchase with dept. funds and set it up without ever telling IT what they're doing

And that's why the regulations need to demand that they can only purchase secure devices, at least, as secure as they can reasonably be made. It's not reasonable for game consoles to get more security updates than medical devices.

Re:"easy" to remedy (3, Informative)

chill (34294) | more than 2 years ago | (#41684187)

Admin access is a red herring. If I'm after patient medical or billing data and that is readily accessible by the logged-in user account, why do I care about Admin rights?

Yes, it helps for propagation and hiding, but for data access it is superfluous.

An Easy Fix... (0)

Anonymous Coward | more than 2 years ago | (#41683959)

Haven't they heard of http://kaspersky.ru ???

Mission Critical Systems? LolWAT? (5, Insightful)

ShooterNeo (555040) | more than 2 years ago | (#41683965)

Ok, I'm only a student. So I don't know anything. But I sorta THOUGHT that the standard for a mission critical system (aka something like a heart monitor, blood gas analyzer, etc etc etc) would be to NOT use any software in your system that you don't have 100% control over.

You know, rather than picking some version of windows, use an embedded linux. Add the bare minimum graphics libraries you need in order to draw a gui. Isolate the threads that actually do the mission critical stuff (say, reading the sensor and displaying the output) from the ones that do other tasks (like handling all the complex menus and the network connectivity and so on). Heck, use a separate physical CPU for the mission critical stuff, and give it it's own dedicated display so that no matter what, it keeps displaying the important data. The hardware to do this is cheap.

And firewalls should be integrated into the devices themselves - even Linux can theoretically catch a worm, and so it should apply strict filtering rules on any communications with the network.

I can fully understand the reluctance of the manufacturers to issue software patches. Building the system so that it's practical to not ever patch it (well, maybe patch it a couple times to eliminate any bugs found after release) is a good thing. Everyone here must know that the best way to break a working machine is to shut it down and change something.

Re:Mission Critical Systems? LolWAT? (1)

dgharmon (2564621) | more than 2 years ago | (#41684157)

"Ok, I'm only a student. So I don't know anything. But I sorta THOUGHT that the standard for a mission critical system (aka something like a heart monitor, blood gas analyzer, etc etc etc) would be to NOT use any software in your system that you don't have 100% control over.

You make a lot of sense for a student ...

Re:Mission Critical Systems? LolWAT? (0)

Anonymous Coward | more than 2 years ago | (#41684191)

'But that costs money'
'But that's difficult' (Security usually is)

Capcha: liquor ; if I drank alcohol this topic would probably drive me to do so...

Re:Mission Critical Systems? LolWAT? (1)

Anonymous Coward | more than 2 years ago | (#41684203)

What you have all described sounds good.

BUT.

It will cost money.

So we're not going to do any of that security crap until someone makes us do it. And then we're gonna drag our feet on deploying it. And still use the cheapest option out there.

Re:Mission Critical Systems? LolWAT? (0)

Anonymous Coward | more than 2 years ago | (#41684489)

What you have all described sounds good.

BUT.

It will cost money.

So we're not going to do any of that security crap until someone makes us do it. And then we're gonna drag our feet on deploying it. And still use the cheapest option out there.

The alternative, in this world that we live in, is to have no product at all.

Re:Mission Critical Systems? LolWAT? (1)

Anonymous Coward | more than 2 years ago | (#41684363)

And firewalls should be integrated into the devices themselves

Firewalls don't help much when the telnet port is open and you can find the default root password for the device by invoking google.

Re:Mission Critical Systems? LolWAT? (4, Interesting)

TheCarp (96830) | more than 2 years ago | (#41685035)

Ahahahahahahah I totally understand why you would think these things, but, you need a little history.

I worked in Healthcare IT for about 6 years, until a few short months ago. Before that, I actually started my career as a service tech. The thing to realise is...the group I worked in moved out of the office they were in while I was there.... the original office had a room full of chest high benches, with a built in shelf above, and lots of plugs. If this sounds like the kind of setup that would have soldering stations, then you are getting very warm...because that what they used to do!

In fact, some of the same guys I worked with...had been there since core memory that was tacked to the wall was decommed.

That sort of attitude makes perfect sense if you are building a new network, in the total absence of road blocks. A hospital environment however... well.... we are talking about an environment thats been in CONTINUOUS operation since the early 1800s. (not all hospitals are that old, of course) all new equipment, all upgrades, all troubleshooting, all goes on, while operations continue. There is no weekend downtime. There is no middle of the night downtime.... thats just to START.

Add to that the federated 'academic' model that most hospitals use for their budgeting (ask your professors to explain how departments are budgeted and why money gets suddenly spent before the end of the fiscal year, and thats very much like how hospitals work). They started bringing in all this equipment before they even had central IT. They have their own budgets and egos, sometimes bigger departments will have their own mini-IT staff even! It is utter chaos.

Now the departments decide what they want, get most of the way down the path of purchasing it, then bring in IT late in the game. IT fights with them and the vendor about their standards, but can't fight too hard or else they will tell IT to go fuck themselves and just go do it with their own money, since IT can't actually say no. (or they make a stink up to a level where IT gets the smack down)

Then patching and OS upgrades.... often you can't patch or upgrade because the vendor claims they wont support it. Occasionally they blame the FDA saying they certified it on the OS version its on (we often questioned whether that held water).

In short, the vendor and department often act like they are on the same team and IT is the roadblock, rather than the department and IT working as a team. The department, especially if they are clinical, but sometimes research too, has more clout than IT, because the trustees are from the medical professions and they are the final say.

Very early on in my career I got a stack of work orders. First I was told "they can't have windows 95 because their department hasn't been upgraded yet" (and there were internal reasons involving training and federation that meant each dept needed one or two people trained before it could be upgraded).

A week later the hardware arrived and I was told "they are getting Windows 95, OEM build, not ours" (which was a HUGE exception for them)....from that point on, every day I showed up to do something for them based on what we were doing yesterday, and every day they had already had a meeting that I wasn't privy too, and my department had made new concessions to them, totally changing what I was supposed to do ..... the ego maniac who was making them do all this, of course, just got mad at me for constantly doing the wrong thing, even though, nobody had told me the plans changed.

Eventually I heard, through more connected people than me, that he had a huge and prestegious grant and was threatening to take his grant and go to another institutiuon if they didn't give him everything he wanted....and he got it.

Now.... tell me how you control what you are using when the final say on policy comes from people who don't understand IT, and are willing to see it as a roadblock rather than part of their team? Believe me when I say there are a lot of people (not everyone of course) who know what they should be doing, and want to do things right, but, they lose a lot of battles.

The fine print mentioned in TFA (4, Interesting)

ShooterNeo (555040) | more than 2 years ago | (#41683993)

All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.

Validated. That costs a bunch of money. And this basically is saying that if the manufacturer DOESN'T validate the changes to the FDA's satisfaction (meaning do a heck of a lot more testing than just applying the patch real quick and booting it up and making sure it's still working) then they are totally vulnerable to lawsuits.

Also, just as importantly : the manufacturer does not receive money from medical devices already sold. Their new ones (with new hardware which is why they can't back-port the software) are where the revenue is. In fact, it's sort of beneficial if the hospital's old equipment starts running slowly and badly because they can push their new gear (now with enhanced cybersecurity!)

Re:The fine print mentioned in TFA (3, Informative)

RKThoadan (89437) | more than 2 years ago | (#41684429)

Maintenance contracts and pay-per-incident support means that manufacturers make plenty of money on already-sold devices. In many cases the cost of the device is a rather minor part of the contracts.

They refuse to support Windows 7 (1)

Anonymous Coward | more than 2 years ago | (#41684015)

I see this as a huge problem for us. The vendors we use don't support Windows 7 and often don't play nice without local administrator. I also find it frustrating that they don't provide Microsoft Certified Drivers (Makes deployment an issue).

When we have issues, they tell us to turn security features off. They must be administrators, you must turn UAC off, you much disable Data Execution Prevention, you must run on Windows XP. We have disproved the XP requirement over and over. We have done the same for administrator access. Stuff would work if it was written better or updated.

I wish I had leverage to force vendors to fix these issues. But in many casses they have the best or only device. When everyone else uses it and generally likes it, IT has a hard time holding out. Our issue is compounded because of our field. Most of our vendor's customers are small offices with 2-5 single purpose computers. They don't have an IT staff to understand what is really wrong.

Its these same packages and drivers the prevent VDI or cloud adoption in these locations.

Instant Failure... (1)

Anonymous Coward | more than 2 years ago | (#41684189)

...to be using Windows as a medical devices platform to begin with.
As a security auditor, I wish I could consider that to be an automatic "willfull negligence" HIPAA/HITECH violation, but my superiors will not allow me to do so.

PEBKAC (2)

concealment (2447304) | more than 2 years ago | (#41684041)

In industries where arrogance and demanding people are common, the only people who work the jobs are those with a tolerance for such behavior.

This means you're picking your IT guys by whether they put up with your drama or not.

If you wonder why many law firms and hospitals have such bad IT staff, this is the reason. High turnover, low investment beyond what is demanded. Mainly because the demands are constant and irate.

These people are probably dropping 4000 Windows XP machines into a hospital, and then complaining about the reboots for patches and/or that weird orange browser they have to do now.

As a result, they get a ton of malware. The solution is obvious: turn on Windows update, and train staff to rein in their egos and drama for just a few minutes every day.

Re:PEBKAC (1)

TubeSteak (669689) | more than 2 years ago | (#41684223)

The solution is obvious: turn on Windows update, and train staff to rein in their egos and drama for just a few minutes every day.

First off, this is not how enterprise software management works. It's a terrible idea and you're a terrible person for suggesting it.

Secondly, medical software management is a whole nother ball of wax, because the manufacturer has to certify the software to a higher level of confidence (regardless of whether or not any update has to go through regulatory review).

Re:PEBKAC (0)

Anonymous Coward | more than 2 years ago | (#41684593)

Said differently, the FDA prohbiits uncertified patchs (all, at least for the first 6 mnonths until the patch is certified.)

Legality of "malware" ?? (1)

AwesomeMcgee (2437070) | more than 2 years ago | (#41684043)

Unless I'm mistaken, it is illegal to create and distribute a computer virus, but "malware" somehow does not fall into this category because it's not deliberately destructive I guess. It *is* however, destructive in so much as the security holes it usually creates along with the system resources it takes.

Shouldn't we just be able to follow a piece of malware to it's source company and have the DOJ take care of them?? I recall legislation against spam having been written and people even being convicted for violating such laws, yet somehow we haven't decided malware is equally bad??

Re:Legality of "malware" ?? (1)

ShooterNeo (555040) | more than 2 years ago | (#41684167)

The in-efficiency of trying to do that...is mind boggling. Most of the malware authors probably aren't even within the U.S. Extradition is very slow and expensive and does not always succeed. It is possible for malware authors to cover their tracks so effectively that even finding out who they are is de facto impossible.

Basically, I see trying to eliminate malware as being about as practical as trying to eliminate bacteria from the planet. Much better to secure your system so it can't get through.

Re:Legality of "malware" ?? (1)

AwesomeMcgee (2437070) | more than 2 years ago | (#41684595)

This is true of certain types of malware yes, but there is still a whole industry of companies out there who create spyware and software that does all kinds of 'malware' tasks which are doing it right out in the open due to the current legality of these practices. There is no industry segment of companies openly generating virii due to the legality. I'm just saying, I think we need some legislation for this stuff. Virii still exist regardless of the legislation but much less than it would without the legislation.

Re:Legality of "malware" ?? (1)

CanHasDIY (1672858) | more than 2 years ago | (#41684231)

"Malware" does not refer to a specific type of software; rather, it is a blanket term used to define all malicious software, including virii, trojans, worms, adware, et. al.

I surmise the reason for not creating a law to specifically outlaw malware is twofold: The first (and, IMO, rational) reason being that criminalizing malware in general would cripple the efforts of businesses and academics who make their living researching and creating countermeasures for such code.

The second, less rational (again, IMO) reason being that if the government criminalized all forms of malware, the advertising companies who profit from drive-by downloads of your personal information would stop donating so generously to political re-election campaigns.

So, essentially, the "real" reason such software isn't illegal to create is that doing so might cut into someone powerful's profit margins... and we just can't have that, now can we?

Re:Legality of "malware" ?? (1)

AwesomeMcgee (2437070) | more than 2 years ago | (#41684533)

So basically you're saying spammer's should have bought a lobby about 10 years ago, god knows they were raking in the dough.

It figures (0)

Cro Magnon (467622) | more than 2 years ago | (#41684065)

Everyone knows that hospitals are full of viruses. Obviously, not just the expected variety.

Re:It figures (0)

Anonymous Coward | more than 2 years ago | (#41684625)

Oh hah hah hah. Very funny. Would be funny if computers one day had hospitals. Or robots. Then they would joke about there being humans in the place, who had viruses of their own. Picture a robot walking up to you with a fake syringe, held aloft, as if ready to inject you, offering you antivirus software, then laughing in an echoy, robotic way, with rasping metal reverberating sounds sending chills up and down your spine. Uh-ah ahzzzzz haaz haaz haaz haaz uhzzzzzzzzzzzzzzzzzz! (I can't think of how to translate this sound using just the 26 letters, but you understand what I meant.) Actually, now that I've pictured it, I think that IS the stuff nightmares are made of.

What is the current threat? (2)

SpzToid (869795) | more than 2 years ago | (#41684067)

Okay, this is a valid point, and people need to pay attention when they engineer, build, support, and actually use these things. Still, what is done is done and paid for, and I imagine hospitals retain some I.T. department services of some sort, and all this gear is networked behind a firewall or two.

New gear absolutely must take these concerns into consideration and address them long-term because the threat will not go away. But what is the current threat on the legacy devices? What can an attacker hope to accomplish? What would be the motivation of a hacker or two, to reverse-engineer the MRI scanner, oh and by the way where did these guys get a redundant MRI scanner (etc.) to reverse engineer for their evil motivations?

Oh wait, much of this gear is beased upon Windows XP and that is the vector. Uh huh. Well that sort of shelf-lifes the security on your hardware I suppose. It might be best to support a long-term and truly open-system like Linux or FreeBSD rather than base your product on what the Microsoft Corporation can deliver for your own business requirements.

Or, if Microsoft is so good for (medical equipment) developers to base products on, than why can't the software be upgraded to support Windows 7 or 8?

Re:What is the current threat? (1)

0123456 (636235) | more than 2 years ago | (#41684163)

Or, if Microsoft is so good for (medical equipment) developers to base products on, than why can't the software be upgraded to support Windows 7 or 8?

My guess is: certifying medical software on a new OS costs about a gigazillion dollars and no-one is willing to pay for it.

Re:What is the current threat? (1)

SpzToid (869795) | more than 2 years ago | (#41684289)

yes, TFA mentions the regulatory costs for such updates. So there's the thing: you based your (hardware) product on Windows XP and now XP is end-of-lifed and either you support your hardware with software upgrades and get that approved, OR your hardware gets either end-of-lifed, or your (supported) patients might end-of-life prematurely themselves (so you also have the risk of malpractice costs to consider).

Looking at this lesson in security, if I was a manufacturer of MRI gear (or whatever) I'd get away from past decisions, and I'd base my engineering on a more open-OS with less vendor control.

Re:What is the current threat? (0)

ISoldat53 (977164) | more than 2 years ago | (#41684251)

The deaths associated with this threat has to be lost in the noise of all the other deadly threats in a hospital. Hospitals kill more people than car wrecks.

Re:What is the current threat? (1)

msauve (701917) | more than 2 years ago | (#41684557)

"Hospitals kill more people than car wrecks."

ITYM "More people die in hospitals than in car wrecks. There's a difference. Unless the hospital collapses, it's hard to imagine how it could kill anyone.

The sentiment behind your statement is, of course, entirely flawed. One could just as easily say that fewer people are killed in war (0.3%) than in traffic accidents (2.1%), and imply that being in a war is safer than driving.

Started much earlier than 2009 (0)

Anonymous Coward | more than 2 years ago | (#41684091)

HIMSS was actively working this topic in the early to mid 2000's. Check out their bibliography: www.himss.org/Content/Files/deviceSecurity/Bibliography.doc

Not just hospitals... (1)

Anonymous Coward | more than 2 years ago | (#41684121)

Windows has become the de-facto standard embedded OS because it quick and easy to develop for. I work in a technical field and we can't even buy diagnostic equipment that doesn't show an XP logo before firing up. That means that unlike my 30-year old oscilloscope at home, these devices will fail and fail hard in the future and there will be no repairing them since their software will be completely tied to the machine ID they shipped with. It just all seems so freaking lazy.

this is important, but it isn't news (1)

Curseyoukhan (2601315) | more than 2 years ago | (#41684153)

it's been heavily reported for several months.

Not so simple (5, Informative)

kullnd (760403) | more than 2 years ago | (#41684255)

I worked as an IT Manager in a hospital for a few years, and know a little bit about this... The first issue is that these systems typically CAN NOT be upgraded, and this is not due to the MFG not wanting to upgrade, this is a FDA compliance issue... If they upgrade the software, they have to do some very expensive certifications with the FDA, these same certifications delay the release of medical equipment to the point that much of the technology is already close to being outdated when it hits the market.

Our solution, which seems simple enough, was that every type of medical equipment was located on a different physical network (for critical pt. monitoring equipment) or at a minimum a seperate VLAN on the main network. All network access to this equipment was blocked except for very specific exceptions that were allowed based on the absolute need of that piece of equipment. We had no issues with any of these infections or malware, although it did increase the man-hours overhead especially when working with the vendors that would sometimes wonder why they could not hit the internet from the X-Ray machine ... but we managed just fine.

Suprise, the medical hardware industry is shit. (0)

Anonymous Coward | more than 2 years ago | (#41684297)

Embedded systems, done wrong.

Whoever let network connected medical devices with un-hardened operating systems be certified needs to be thrown in prison. Seriously.

This is extremely common. (5, Informative)

ChumpusRex2003 (726306) | more than 2 years ago | (#41684351)

The term medical device has a broad definition; it includes obvious things such as laboratory analysers, X-ray equipment, etc., but it also includes PCs running specific types of software, such as medical records software. Most of these things run general purpose OSs - some embedded; some desktop.

E.g. Windows XP is a common platform for things like ultrasound scanners, MRI scanners, etc. XP embedded is quite common on things like laboratory equipment. Variants of linux are also in widespread use - albeit, often old. E.g. I work with an MRI scanner that runs a 2.2 kernel.

Now, things like analysers and scanners are usually on their own VLAN (or should be) with connections only to their application servers, with the servers heavily firewalled from the general purpose VLANs; however, this often isn't the case, and I've seen a number of installations where you can just sit down at a random PC, and SSH into an MRI scanner (these things usually have generic root passwords which are written in the service manual - once you know what the passwords are, you can get into any device of that make and model).

The biggest problem, however, is that these machines never get updated. The manufacturers often won't support any updates to the OS, or even permit hotfix installation, nevermind a 3rd party security package (for more general purpose devices). For example, one hospital earlier this year, upgraded their PACS system (software for storing and displaying X-ray/MRI/CT images) and bought a new set of dedicated workstations (quad core, Xeon E5, 8GB RAM, Dual Quadro), but because the PACS client software had to interface with a number of other client software packages, and those vendors had strict requirements; these machines ended up being loaded with XP SP1 32-bit and Java 1.4. Unsurprisingly, these aren't regularly patched, and more importantly, they can no longer update their anti-virus software as the current version of their chosen AV software won't run on this configuration (so they're stuck using an obsolete, unsupported version).

I saw an extreme example of this a few years ago when the Confiker worm hit. There were a group of hospitals in a major city, which shared the same infrastructure, and they had a very large PACS system. The worm got onto the PACS VLAN, and essentially killed the servers. The system was completely down for days, because as soon as the servers we rebooted or re-imaged; the worm killed them again. The vendor stubbornly refused to apply the hotfix and refused permission to install the hospital's antivirus system on the servers/workstations. The only thing that got it moving was when the CEO of the hospitals made a conference call with the hospitals lawyers and the CEO of the PACS vendor, telling them that they were going to f**k them so hard with the SLA stick, that they wouldn't be able to sit down for a month. After that call, the vendor agreed to install the hotfix, and the system came back online.

The computer virus's aren't getting people sick (2)

jader3rd (2222716) | more than 2 years ago | (#41684377)

A little over a month ago I was in a hospital and noticed a work station in a hallway that was obviously setup for visitors to use. I checked it out and it was running XP. Since the OS had noticed that a user had woken it up the balloons from the task bar started fighting with each other for my attention. Norton said it was months out of date, it also said that it had 400+ issues that needed looking at (found active virus's running, or something). I half wonder if someone with mal intent setup the computer and no one questioned it being there (the IT guys must have set it up), because the hospital sure wasn't taking care of it.

From the front lines? (3, Insightful)

Kaldesh (1363017) | more than 2 years ago | (#41684393)

Before I begin let me preface this post by saying I work in a hospital in the IT Staff, and I have for the past 10 years now (as scary as that sounds to me typing it out). At any rate I can say that malware, spyware, virus' etc are a constant concern for the staff here. When I started working here it was the 'Wild West' for computing, people did what they wanted, when they wanted to on their computers, and we've slowly curbed that. Especially now that electronic medical records are being used. The key we've found to keep malicious software off computers used for medical purposes, or with confidential data is actually three fold -- First segregate those devices with ePHI (electronic protected health information) off onto their own network, strip the computers of all but the most essential software, and the medical staff all have to sign agreements when they're hired that strictly prohibit them from using computers for personal tasks. Want to check your e-mail? Bring in your smart phone, or laptop etc, and do it with that device (we actually provide a wireless for the entire staff to use 'just' for that purpose). Nobody can keep 'on task' all day, so allowing them the outlet with some caveats has been a great success. However, all machines that have access to the ePHI network are imaged once put into service, but we re-image the machines on a staggered schedule so every 6 months they're a fresh install. Virus software (AVG) is installed and on an automatic update / scan schedule as well -- with a central server that reports results to us. Also for security concerns every Laptop is encrypted (thank you Truecrypt), and every device that accesses ePHI comes through a VPN. If a Laptop get's stolen (and one has in the past), the VPN access for that device is revoked immediately. So between the VPN and Encryption, the odds of a 'break' in our security are astronomical. Anyway all these procedures may seem a bit excessive, but we've yet to have a PC with ePHI or EMR softwaret be compromised where I work thanks to them. I sleep slightly better at night thanks to this system actually. I do know of several other hospitals / medical facilities that are far far less secure though, and frankly it scares the hell out of me how cavalier they are about the whole ordeal. One of our doctors is Per Diem and his home office supplied him with an unencrypt, unsecured, laptop with full admin rights, and their EMR software installed on said Laptop for his free use. PS -- A tip to anyone working in a medical facility, one of the ways we had our providers (Doctors) agree to this stringent of a system was to point out that infractions where ePHI is compromised put their necks on the line, even more so then they do ours. So all this security is for their benefit as much as yours. Also, this goes double if you have a counseling staff because the rules around ePHI regarding counseling services are even more strict and crazy. Anyway hopefully that helps someone out.

Re:From the front lines? (0)

Anonymous Coward | more than 2 years ago | (#41684729)

quick question. public or private hospital?

SCADA (1)

Hawat (266650) | more than 2 years ago | (#41684475)

Malware Is 'Rampant' On Medical Devices In Hospitals
http://science.slashdot.org/story/12/10/17/1741225/malware-is-rampant-on-medical-devices-in-hospitals [slashdot.org]

Kaspersky To Build Secure OS For SCADA Systems
http://slashdot.org/index2.pl?section=&color=green&index=1&view=stories&duration=-1&startdate=20121017&page=1 [slashdot.org]

Similar problems, so the solution should work for both. Of course, it costs millions in regulatory costs to make such a change in the med device. I’d argue reducing the regs would be far less dangerous for patients than running 10 year old versions of WinCE.

Completely True (1)

musicon (724240) | more than 2 years ago | (#41684779)

I once worked for a company that produced equipment used in hospitals, and I can vouch for the issues installing updates as well. Moreover, hopelessly stupid things were done such as hard-coding the hosts file for remote diagnostics, and logging in and running applications as the Windows Administrator account. Furthermore, the hospital IT staff was equally incompetent, in that even if (by some miracle) we wanted to patch the products we had to jump through hoops to do so, and even simple things like DNS resolution were filtered for our devices.

It's the medial software (0)

Anonymous Coward | more than 2 years ago | (#41684795)

I work in a hospital IT department.

I would like to say first off medical software is slow to upgrade we're just now getting to the point where all the software is Windows 7 compatible. XP has a lot of bugs.
Second, a lot of the companies write the software with the intent of having Administrator rights. I have gotten into arguments with vendors on this, why would they continue to do this but they just shrug and say that it's the only supported way of doing things.

I think those two reasons are why there is so much vulnerability on hospital desktops.

HIPPA, HIPPA, HORRAY (0)

Anonymous Coward | more than 2 years ago | (#41684813)

Nuff said

Easy Fix (1)

EvilSS (557649) | more than 2 years ago | (#41684849)

Publicize the Manufacture and Models vulnerable, then wait for the malpractice trial lawyers to sink their teeth in. Doesn't matter if no one was actually hurt because of the vulnerability. If a device was in use when the patient suing was being treated and the device had malware (or even could have) they will latch onto that and suck in the device maker into the lawsuits. Fighting malware with malpractice lawyers. Seems dirty somehow.

Extreme laziness... (1)

Bert64 (520050) | more than 2 years ago | (#41684895)

Just why in the hell are embedded medical devices running on a full blown windows system that is prone to malware infection, and likely to break functionality of the device if regular system updates (many of which will be for functionality that isnt being used) are installed?

Such devices should be using a custom, minimalist OS which is configured specifically for the purpose it serves, has no extra unnecessary functionality, and support for the entire package (device, hardware, application and os software) is provided by the device supplier...

If your OS is minimalist the chances of vulnerabilities existing are much smaller, and therefore the number of patches required is much smaller. Less risk, less maintenance.

The average attitude of corporations is to keep their devices horrendously insecure and hide them behind firewalls, basically gambling that noone will attack them...

Hospitals are _NOT_ secure networks, most hospitals are open to the public and it is trivially easy to walk in and gain access to an ethernet cable somewhere within the building. Just visiting several hospitals recently i have seen open ethernet ports in areas where members of the public could just walk in, and many hospitals are open 24 hours while the IT dept only really works 9-5.

Re:Extreme laziness... (1)

Sir_Eptishous (873977) | more than 2 years ago | (#41685071)

Yea, that is the real question, why Windows? Almost funny if it wasn't such a house of cards ready to collapse. Well, it might be Windows for much of it because the client-side piece and/or server software only runs on Windows, so they just port it to run on the devices/instruments also.

But yes, you're absolutely correct, the OS "footprint" should be small and tight and secure for these types of applications. But they're not.

Jail terms. (1)

Tough Love (215404) | more than 2 years ago | (#41684991)

Jail terms for those guilty of reckless endangement by selling or using medical devices running Windows.

Not Surprising (2)

Sir_Eptishous (873977) | more than 2 years ago | (#41685037)

Anyone who works in laboratory environments knows about this problem. Certain lab instruments that run a certain firmware that can only be supported on a certain version of windows. The firmware can't be updated because that instrument is no longer supported, but the lab keeps using it because it works and its too expensive to replace... Were talking Windows NT or 2000 here.

The computer systems at fault in the monitors were replaced several months ago by the manufacturer, Philips; the new systems, based on Windows XP, have better protections and the problem has been solved

This is a serious issue. Someone do something? (1)

burisch_research (1095299) | more than 2 years ago | (#41685059)

It's clear that diagnostic manufacturers prefer XP for various reasons, not least because it's really easy to develop for.

This leaves a gap in the market for:

  a) retrofitting existing wayward devices with better software that's less vulnerable (wine/XP ++, or another win emulator??)

  b) offering a secure medical OS

Seems like the kind of challenge the /. crowd would be keen to take up, GPL or no :)

Hey it's medical, so there's serious dosh to be made here!

I have first-hand experience (1)

EmagGeek (574360) | more than 2 years ago | (#41685085)

My wife had to get a CT scan to investigate her liver. I went with her and was able to see the machine and its operator while she was having the scan done.

Not only did the CT machine run Windows (XP), but the operator was surfing the web on it during the procedure, checking her hotmail and facebook.

Unbelievable.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?