In the ‘malicious implants’ post of a few days ago, I mentioned the possibility of a virus infecting a defibrillator-programming device and propagating outward through patients to new programming devices, and from there to more patients. It seems hospitals’ IT tends to be in such bad shape that such a scenario isn’t just eminently plausible — it could almost happen by accident. This state of affairs is particularly troubling given how much we generally prize medical confidentiality.
Bottom line: if you care about security, avoid hospitals like the plague. (Genuine, ohshitgonnadie injuries only, and even then start thinking about proactive defense…)
The Slashdot discussion also has some amusing/horrifying anecdotes and discussion on why hospital IT is in such sordid shape:
“Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other devices brought into hospitals. The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features.
In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change – even to add antivirus software – because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says.
As a result, these computers are frequently infected with malware, and one or two have to be taken offline each week for cleaning, says Mark Olson, chief information security officer at Beth Israel.
“I find this mind-boggling,” Fu says. “Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There’s little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.””