A computer worm that has alarmed security experts around the world has crawled into hundreds of medical devices at dozens of hospitals in the United States and other countries, according to technologists monitoring the threat. The worm, known as “Conficker,” has not harmed any patients, they say, but it poses a potential threat to hospital operations.
“A few weeks ago, we discovered medical devices, MRI machines, infected with Conficker,” said Marcus Sachs, director of the Internet Storm Center, an early-warning system for Internet threats.
Around March 24, researchers monitoring the worm noticed that an imaging machine was reaching out over the Internet to get instructions — presumably from the programmers who created Conficker.
The researchers discovered that more than 300 similar devices at hospitals around the world had been compromised. The manufacturer of the devices told them none of the machines were supposed to be connected to the Internet — and yet they were.
It’s surprising at first to hear of hospital technical equipment running on Windows, but it’s quite common. Walk around a hospital and you’ll see lots of Windows-based devices.
One genuinely surprising claim in the story, attributed to a device manufacturer, is that the FDA requires 90 days of notice before software patches are applied, such as the patch issued by Microsoft in October that would block the vulnerability exploited by Conficker.
Even if true, that doesn’t seem to be the problem here: the patch was issued in October, and 90 days after that is January. The story states that the infected machines were found by outside researchers in March.
On top of that, the infection strongly indicates a lack of proper network security at the hospital. Good firewall configuration on the device could have blocked the attack, for example, and it’s clear that users were allowed to bring unprotected outside systems, probably some notebook computer, onto the same network as the MRI.
Normally, the solution would be simply to install a patch, which Microsoft released in October. But the device manufacturer said rules from the U.S. Food and Drug Administration required a 90-day notice before the machines could be patched.




















