Hospital MRI and Other Medical Devices Infected with Conficker Virus – FDA Required 90 Day Notice before Windows Update Patch Co
Posted Apr 30 2009 10:49pm
This is an interesting story all the way around. First of all I hope all the medical devices found were disconnected from the Internet until the FDA gives the stamp of approval. The manufacturer also said the device was not meant to be connected to the internet, but it was. Last week in the story about Morgan Hill and the cyber attack, the hospital’s system failed and paper charts were used for a day and they discovered they were more dependent on the outside world and web than originally thought.
What I find is really strange is the 90 day requirement for patches to be applied from the FDA. Does the FDA review Windows Patches to make sure the software running the imaging equipment is ok? That would be the only reason I can think of for this to occur. There were over 300 similar devices found in hospitals that were infected. Come to think of it, the last computer in the world one would expect an attack would be from an MRI machine. Hearings are scheduled to change this law, thank goodness.
The FDA has had their own issues with getting up to date with technology and this somewhat adds one more issue, but this may not be their fault. With Web 2.0 it could be hard to keep some devices from being connected but again the individual device and use may tell the story better there. Nice that this was found or we could have experienced the cyber attack of the MRI machine with some potentially ugly images. BD
A computer worm that has alarmed security experts around the world has crawled into hundreds of medical devices at dozens of hospitals in the United States and other countries, according to technologists monitoring the threat.
The worm, known as "Conficker," has not harmed any patients, they say, but it poses a potential threat to hospital operations.
"A few weeks ago, we discovered medical devices, MRI machines, infected with Conficker," said Marcus Sachs, director of the Internet Storm Center, an early warning system for Internet threats that is operated by the SANS Institute.
Around March 24, researchers monitoring the worm noticed that an imaging machine used to review high-resolution images was reaching out over the Internet to get instructions — presumably from the programmers who created Conficker.
The researchers dug deeper and discovered that more than 300 similar devices at hospitals around the world had been compromised. The manufacturer of the devices told them none of the machines were supposed to be connected to the Internet — and yet they were. And because the machines were running an unpatched version of Microsoft's operating system used in embedded devices they were vulnerable.
"For 90 days these infected machines could easily be used in an attack, including, for example, the leaking of patient information," said Rodney Joffe, a senior vice president at NeuStar, a communications company that belongs to an industry working group created to deal with the worm. "They also could be used in an attack that affects other devices on the same networks."