The infestation even reached the attention of the U.S. Congress after three expert witnesses testified on May 1 in the U.S. House of Representatives about network threats and policy challenges related to cybersecurity. One witness testified that the Conficker worm had been identified in 344 computers operating medical devices from a single vendor.
The Conficker case highlights the sensitivity of healthcare's increasing reliance on Internet-connected software for basic functions. The situation indicates that PACS administrators and other healthcare IT professionals must test and retest their computers regularly to identify infestation by the Conficker worm and other potential viruses.
Rooting out the worm
The Conficker worm was first identified in November 2008, targeting computers running the Microsoft Windows operating system. The infestation won widespread media attention following reports that it would trigger a major attack on April 1, April Fools' Day. Although that date passed without major incident, Conficker continues to infect computers and is estimated to infect 50,000 new PCs each day.
In March, word began to surface that the worm was digging into healthcare computer networks. On April 23, Marcus Sachs, director of the cybersecurity cooperative the Internet Storm Center, mentioned in a panel discussion during a national conference for security professionals in San Francisco that Conficker had infected several hundred machines and critical medical devices located in hospitals, according to a story published by CNET News.
Sachs stated that a member of the Internet Storm Center, operated by the SANS Institute in Bethesda, MD, had identified that "an imaging machine" used to review high-resolution medical images was reaching out over the Internet to get instructions from the Conficker creator, as reported subsequently by the San Jose Mercury News. An investigation by researchers identified more than 300 similar devices at hospitals around the world that had been compromised, Sachs told reporter Elise Ackerman.
Although initial reports indicated that the infected computers were MRI workstations, subsequent investigation revealed that the infected computers were operating on PACS networks. Because they could be identified, most of these have been dewormed, but at least 50 have not, according to the security expect who first identified the threat and has been monitoring it.
Watching Conficker work
One of the security professionals who has watched the Conficker saga unfold is Rodney Joffe, senior vice president and senior technologist of NeuStar, a Sterling, VA-based company that provides IT services, and one of the founders of the Conficker Working Group. The Ultra Services division of NeuStar operates a core directory that enables data to be correctly routed on the Internet for many domain names. This directory includes 19 top-level domain names and approximately 15 million domain names for more than 4,000 companies and organizations.
In a telephone interview with AuntMinnie.com, Joffe said that several members of the Conficker Working Group, which included employees of the Internet Storm Center, had written a computer program that was able to intercept signals sent every 24 to 48 hours by Conficker-infested computers. By sheer fluke, Joffe and a researcher from the Georgia Institute of Technology identified a distinctive IP address, which was traced to a medical center.
Further investigation revealed that the IP address and a unique browser name were associated with a single vendor, whom Joffe and fellow researchers mistakenly believed manufactured imaging modalities. However, after discussions with AuntMinnie.com, Joffe believes that the product is a PACS diagnostic workstation and other PACS components, based on the vendor's Web site product descriptions.
Joffe stated that the vendor was immediately telephoned. The vendor said that the infected computers were not supposed to be connected to local area networks because they were running an unpatched version of Microsoft's operating system, according to Joffe, who will not reveal the name of the vendor or the identity of any of the infected healthcare facility sites.
Monitoring of this computer group continued to determine if the sites would rid the computers of worms. When nothing changed, Joffe and peers began to telephone the chief information officers of the hospital IP addresses they were able to identify. Of this group of 344 infested PACS computers, approximately 50 still send Conficker worm outreach signals.
None of the medical facilities that were contacted had been notified by the vendor, according to Joffe.
In addition, thousands of other infected computers within unidentified healthcare facilities were infected. Joffe and several Conficker Working Group members, one of whom was Sachs, telephoned healthcare organizations to request that organization members be alerted to the situation and the threat. Sachs mentioned the discovery at the San Francisco RSA conference.
After news of Conficker's inroads into healthcare was made public, Joffe decided to mention it as an example of potential cyberterrorism in his testimony to Congress. He also was deeply disturbed by information he had received from the vendor about how difficult it was to make software changes due to U.S. Food and Drug Administration (FDA) regulations, and he wanted to alert members of Congress to this weakness in the regulatory process.
The recent publicity has not reduced the level of Conficker infestation in healthcare. In fact, on May 11, there was a noticeable increase in the number of infected computers in healthcare facilities, including some major multihospital enterprises, according to Joffe. He said that as soon as the healthcare facilities are identified, top-level executives starting with the chief information officer are notified by telephone.
Because the Conficker worm is instructed to migrate to other computers on a network or with which it can communicate, Joffe believes that there are also infected computers within a hospital or hospital enterprise whose signals are blocked by firewalls from responding. In the case of PACS, all computers on a PACS network could be infected, but only computers on the network that are allowed to transmit information, such as a Web server, are able to transmit the Conficker worm signal.
Have other hospital PACS been infected? One vendor's technical support manager advised that one of its customers requested information about how to rid its PACS of the worm. They acknowledged that the facility may not have had robust firewalls, and they did not know when an intrusion-detection inspection had been performed. After the firewall vulnerability had been rectified, a low-level hard drive purge for each computer on the network was performed, and uninfected software was completely reinstalled in every computer.
Confusion over FDA rules
The ability to react quickly to infestations like Conficker has been hampered by confusion over FDA rules regarding changes made to software that's been cleared by the agency. Joffe said that the PACS vendor with the infected sites told him via a telephone conversation that the FDA required a 90-day notice before workstations could be patched.
"For 90 days, these infected machines could easily be used in an attack, including, for example, the leaking of patient information," Joffe told the Mercury News. "They also could be used in an attack that affects other devices on the same network"
But other vendors believe that there's no such 90-day rule.
"The referenced 90-day notice is misinformation," Nick Mankovich, senior director of product security and privacy of Philips Healthcare of Andover, MA, told AuntMinnie.com. "The FDA does not require a 90-day notice from medical device vendors to make quality, safety, or security changes."
Mankovich, who oversees ongoing global product security efforts for Philips and its customers in more than 100 countries worldwide, agreed that medical devices can be vulnerable to viruses and worms. He explained that adding security to protect a medical device from external intrusion did not begin in earnest until five or six years ago.
"Manufacturers had always presumed that medical devices would be utilized in a network protected by a robust firewall. They resided in a secure enclave before interconnectivity through the Internet proliferated," he said. Because some medical devices have a life span of 10 to 12 years, there are some being used in medical facilities that cannot be updated with patches designed for current computer operating systems.
As a result, infections do occur on a consistent basis where today's IT network security standards recommended by a medical device vendor are not maintained. Mankovich recommends use of the "Department of Veterans Affairs Medical Device Isolation Architecture Guide," a free "cookbook" that describes the steps to put medical devices in a well-controlled, isolated security network.
Mankovich also pointed out that many computer and security industry professionals do not realize that patches cannot be installed automatically onto most medical devices without careful testing and validation.
"Safety and effectiveness have to be evaluated whenever we make a security decision relating to a medical device. When a vulnerability is announced on Microsoft Tuesdays, we can't just install patches automatically. It's one thing if a patch disrupts the operation of a laptop computer. If a third-party patch breaks a cardiovascular system in the middle of a cardiac catheterization, a patient's safety may be compromised," Mankovich said.
Because of the need for in-factory testing, there is almost always a delay after patches have been announced before they are installed in medical devices. In addition to the need to determine what patches are applicable for specific operating systems, each product change, including patches, must be tested and validated by the manufacturer. For diagnostic and many other kinds of equipment, after the patch has been installed on a particular device, the field service engineer needs to verify that the installation was successful and that the equipment functions properly.
What to do?
Security is expensive, but necessary. Security experts recommend that facilities schedule intrusion-detection checks on a regular basis to identify points of vulnerability in a network.
It's not difficult to determine if a computer is infested with the Conficker worm, according to John Lazarus, senior manager of healthcare industry solutions of Symantec of Cupertino, CA. After being properly protected from infection, every computer needs to be checked because a computer with a Conficker worm can infect every device on a network.
Removal tools and advice are posted on many Web sites, including that of the Conficker Working Group. Symantec's removal tool can be downloaded by clicking here.
Security experts advise healthcare facilities to contact their vendors if they believe that their medical devices or PACS have been infested. Such feedback is key to helping vendors learn about infestations, they say.
By Cynthia E. Keen
AuntMinnie.com staff writer
June 2, 2009
IT networks shut down three London hospitals, November 26, 2008
Intrusion-detection testing finds network vulnerabilities, August 11, 2008
New protocols offer hope for wireless security, June 6, 2005
Copyright © 2009 AuntMinnie.com