Hospital's Windows XP Computers Cause Chaos After Getting Infected
» news.softpedia.com/news/ ··· 99.shtml

"Windows XP support came to an end in April 2014, but despite the numerous warnings issued by Microsoft, there still are a lot of companies that are yet to upgrade their computers. The Royal Melbourne Hospital is one of them, and the network administrators found on their own how dangerous it is to run unsupported software when all Windows XP computers got infected with malware last week.

The virus first hit the hospital's pathology department, so the staff had to manually perform a number of operations that were previously conducted automatically by Windows XP machines, including blood and tissue processing. Furthermore, nurses and the food service worked together to make sure that each patient receives the proper meals, as computers that stored patient information were also infected.

An email sent to staff at the Royal Melbourne Hospital warns not to open any link or click on websites that look suspicious or ask for credentials, such as Facebook and Google.

IT teams working day and night to remove the virus

The hospital, on the other hand, claims everything is almost under control now, and the IT teams are working day and night to get rid of the virus. 'Elective surgery and our Emergency Department are operating as normal. There have been a very small number of outpatient cancellations. Our staff have worked tirelessly over the past couple of days to maintain patient safety and ensure minimal disruption. Our IT team are making good progress in rectifying the issue and we hope to be back to normal as soon as possible,' the hospital said in a statement.

While delays have already been experienced at the hospital, the administration team said only a few patients were actually impacted by the computer outage, as most of the processing tasks were performed manually by staff.

Windows XP support came to an end nearly 2 years ago, and Microsoft warned that every single vulnerability found in the operating system could be used by cybercriminals for exploits and malware infections. The only way to avoid this is to upgrade to a supported Windows version, such as 7, 8.1, or 10."
therube
So it happened. So. Otherwise simply sounds like more FUD. [I say this as I gleefully type away on this {un-updated} XP computer, heaven forbid!] (See, Microsoft Warns Windows 7 Has Serious Problems.) Could have been written by MS directly rather than Softpedia, & you wouldn't have known the difference.
Blackbird
to DarkSithPro
said by DarkSithPro: "... The only way to avoid this is to upgrade to a supported Windows version, such as 7, 8.1, or 10."

Or, they could properly air-gap their hospital network and their care-computers from the public-facing Internet. Properly done, they could even have ancient DOS-based computers if only the necessary software could run on them. As long as the computers on their internal network face the Internet (directly or indirectly), a finite hacking risk will continue, regardless of the OS being used.
to DarkSithPro
said by DarkSithPro: "Windows XP support came to an end in April 2014, but despite the numerous warnings issued by Microsoft, there still are a lot of companies that are yet to upgrade their computers. The Royal Melbourne Hospital is one of them, and the network administrators found on their own how dangerous it is to run unsupported software when all Windows XP computers got infected with malware last week."

This would be accurate, aside from the fact that it isn't. Windows XP support is available until April 2019. One has to wonder what level of (in)competency exists in the IT department such that they were/are unaware of this and either didn't purchase an extended support contract or otherwise provide network-wide registry tweaks to obtain the updates. They even could have upgraded to 7 etc.

said by DarkSithPro: "Windows XP support came to an end nearly 2 years ago, and Microsoft warned that every single vulnerability found in the operating system could be used by cybercriminals for exploits and malware infections. The only way to avoid this is to upgrade to a supported Windows version, such as 7, 8.1, or 10."

Only way? Purchase an extended support contract, use the Windows Update registry tweak, etc. When nearly 2 years' worth of known security vulnerability patches are available and aren't installed, well... was there another expected outcome? Utter incompetency. Nothing to see here... move along...
Chubbzie
to DarkSithPro
Fire that entire IT staff and start again. Starting with a serious network admin that has a little common sense & understands the importance of network segregation and isolation, deny all unless explicitly allowed for all subnets/VLANs/etc.
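Added example, not from the thread or from any real hospital: an OpenBSD pf ruleset showing the default-deny, explicit-allow segmentation described above, with a legacy clinical-device VLAN that can reach only an on-site patch relay and can be managed only from a single jump host. Interface names, addresses and the port choices are assumptions for illustration.

```pf
# Added example ruleset (pf.conf syntax). Interface names, addresses and the
# choice of ports are assumptions for illustration, not taken from the thread.
ext_if    = "em0"            # upstream link to the Internet
admin_if  = "vlan10"         # IT workstations plus the local patch/AV relay
med_if    = "vlan20"         # legacy clinical devices (unpatchable XP hosts)
admin_net = "10.10.0.0/24"
med_net   = "10.20.0.0/24"
patch_srv = "10.10.0.5"      # on-site update/AV relay; devices never go direct
mgmt_host = "10.10.0.10"     # the single jump host allowed to manage devices

set skip on lo
set block-policy drop
set loginterface $med_if     # pfctl -si then shows traffic dropped on this VLAN

# Refuse packets whose source address does not belong on the arriving segment.
antispoof quick for { $admin_if $med_if }

# Default deny on every interface in both directions, logged. Each rule below
# is an explicit exception: "deny all unless explicitly allowed".
block log all

# ---- clinical device VLAN ----------------------------------------------------
# Devices may speak only to the local patch relay over HTTP/HTTPS and DNS.
# Return traffic is handled by state; nothing else from this VLAN is forwarded.
pass in  quick on $med_if   proto tcp from $med_net to $patch_srv port { 80 443 }
pass out quick on $admin_if proto tcp from $med_net to $patch_srv port { 80 443 }
pass in  quick on $med_if   proto udp from $med_net to $patch_srv port 53
pass out quick on $admin_if proto udp from $med_net to $patch_srv port 53

# ---- management access into the device VLAN ---------------------------------
# Only the jump host may initiate RDP/VNC sessions toward devices. Other admin
# hosts are let in on $admin_if by the rule further down but have no matching
# "pass out on $med_if", so the default block drops them.
pass in  quick on $admin_if proto tcp from $mgmt_host to $med_net port { 3389 5900 }
pass out quick on $med_if   proto tcp from $mgmt_host to $med_net port { 3389 5900 }

# ---- admin VLAN to the Internet ---------------------------------------------
# Ordinary outbound access for staff workstations. The device VLAN gets no such
# rule, so $med_net can never reach $ext_if, directly or through the router.
pass in  on $admin_if inet from $admin_net to any
pass out on $ext_if   inet from $admin_net to any
```

Dropped packets logged by the `block log all` rule are visible with `tcpdump -n -e -ttt -i pflog0`, which is where an infected device trying to beacon out would first show up.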
It's an industry problem. Far, far, far too many medical device vendors run their product on XP and hide behind the FDA's certification process on why they can't be upgraded or even patched.
to therube
I wonder how long it took the OP to find an article to discredit a 10+ year old OS, just to make the new Windows 10 look good by comparison.
If I had to choose between only XP or 10, it's XP every time.
to DarkSithPro
From what I have heard, in the past, this has been a long, ongoing problem, because a lot of equipment is not certified to work with updated versions of Windows XP, like XP SP2 or XP SP3.
Blackbird
to DarkSithPro
Frankly, I believe that hacking of medical programs, equipment, and computers was not deemed to be that much of a threat until recently when across-the-board Federal computerization initiatives began making the resultant newly-digitized medical databases a worthwhile personal-data and ID-theft target. As attention on the medical arena has grown to include computerized medical equipment in general, the full potential array of possibilities in hacking for ransom, blackmail, extortion, terrorism, theft, and vandalism has come into view. Prior to all this, I don't think developers, IT departments, or even hackers paid that much attention to hacking into medical/hospital environments... in part because many medical facilities previously lacked integrated, highly-networked infrastructures, which made them targets with fairly low payback. Alas, that's no longer true. And the necessary costs of upgrading equipment and robustly protecting networks will be borne by everyone who incurs medical bills...
kevinds, 2016-Jan-19 7:25 pm
That and the lack of updates provides well documented security flaws to choose from.
to DarkSithPro
Had a chance to wander a hospital campus about a month ago -- family member was in an extended stay there -- EVERY FREAKING COMPUTER on the floor was Windows XP. From a quick glance of the system tray, no network icon... I was halfway tempted to plug in a USB drive... just to see what happened.
But yeah, some basic segmentation both physical, logical, and layer 3 would be called for -- unfortunately said article doesn't go into exact details how the Royal Melbourne Hospital had theirs set up...
Regards
to DarkSithPro
said by DarkSithPro: "The only way to avoid this is to upgrade to a supported Windows version, such as 7, 8.1, or 10."

Why would 7, 8.1, or 10 fare any better?
antdude
to HELLFIRE
My dentist still uses Windows XP. My other dentist uses 7. :/
Dude111
to therube
quote: "Otherwise simply sounds like more FUD."
Yes, more scare tactics!!!!! Good of you to notice.
therube
to antdude
My dentist, he must be in his 90's (years of age, that is), has no computer at all.
to Uncle Paul
said by Uncle Paul: "It's an industry problem. Far, far, far too many medical device vendors run their product on XP and hide behind the FDA's certification process on why they can't be upgraded or even patched."

"Hide behind"? Something tells me that you've never worked in a highly-regulated environment before! In such situations you don't just go around changing things if you want to - even if you need to - without having to jump through a bunch of regulatory hurdles (which cost both time and money), and even then you might get denied. So normally a change like this might have to wait until a whole new product was released, or at least for a major refresh of an existing product. Breaking, or even bending, the rules here may cause you to lose your job, and you and your employer might be subject to massive fines, and/or have to deal with jail time. But the real problem here isn't XP, per se, it's the fact that they're using any version of Windows at all! I've kind of gotten over this now, but as a long-time Microsoft customer (since before most of you had ever heard of them, maybe even since before many of you were even born), I used to shudder whenever I saw Windows used in any type of critical installation. And I suspect that many of the people who chose to use it that way have long since come to regret that decision.
scross
to electric
said by electric: said by DarkSithPro: "The only way to avoid this is to upgrade to a supported Windows version, such as 7, 8.1, or 10." Why would 7, 8.1, or 10 fare any better?

Indeed - same vendor, same design, much the same code base - ergo, same flaws, same problems! It astounds me that more people don't recognize this. It astounds me even more that they let Microsoft get away with trying to use it as a selling point for "upgrades".
Chubbzie
to scross
said by scross: "it's the fact that they're using any version of Windows at all!"

Not very comforting when walking through hospital hallways and seeing BSODs on kiosks or rolling carts... What irks me to the core is the amount of money bounced around and wasted in the medical field on junk technologies. Purchasing software that only runs on dying or dead platforms is only the tip of the iceberg.
scross, 2016-Jan-22 2:56 pm
said by Chubbzie: "What irks me to the core is the amount of money bounced around and wasted in the medical field on junk technologies. Purchasing software that only runs on dying or dead platforms is only the tip of the iceberg."

I know; my wife is a nurse, and I've heard an awful lot about such things from her over the years. Apparently hospitals often have quite a bit of very expensive but unused (or useless) equipment tucked away here and there. And concerning rolling carts and such, her pet peeve for quite a while was big battery packs for these things which never lasted anywhere near as long as they're supposed to. They were always running out of charge at inconvenient times.
EGeezer
to Chubbzie
said by Chubbzie: "Fire that entire IT staff and start again. ..."

The difficulty I have with that is that upgrading and securing systems very likely require executive approval for staffing, capital and training budgets to upgrade systems and software. There are still plenty of people in boardrooms who are clueless about IT best practices and their value. I have little doubt that IT department managers and staff would have made their desires for upgrades known to the budgetary powers. Nobody I know in IT staff or departmental management likes working with old hardware, obsolete software and no vendor support when there are issues. The people who should be punished are those decision makers who determine the IT budget and funding priorities, but are more interested in this year's numbers than next year's breach.
to scross
Yes, hide behind. I currently work in cyber security for a medical university. My past employment was with the Dept of Energy in a national lab working with industrial control systems managing nuclear processes. I'm very familiar with proper testing and change control. The medical device industry chooses not to do ANY of that because they don't want to spend the money, because they can hide behind FDA certification. It wasn't until recently the FDA even began to hold their feet to the fire making the vendors responsible for updates and issuing formal guidance on allowing patching to be performed if the patch did not alter the method in which care was directly granted. In that guidance they pointed out this has always been the case, but some vendors felt specific language was needed. We've been around and around and around with vendors over security issues and patching schedules. All too many times their opinion is the device is behind a firewall so it should be ok. I have no hair left to pull out... literally.
Link: » www.fda.gov/MedicalDevic ··· 0634.htm
scross, 2016-Jan-22 7:11 pm
So, assuming that a medical device manufacturer has made the highly-questionable decision to use Windows in its products, does that mean then that come every patch Tuesday (or shortly thereafter), technical reps from that device manufacturer would need to go out into the field, apply the latest patches to their devices, do the appropriate testing, keep their fingers crossed that nothing goes wrong, and be prepared to roll back one or more of those patches if something DOES go wrong? (Or is maybe the IT staff at the hospital supposed to take on this responsibility themselves?) Because that's pretty much the rule when it comes to Windows patching - if, you know, you actually make the effort to keep current with such patches. (Which I do personally, BTW - and I've got the scars to prove it.)
Now, granted, maybe there would be a way to streamline this and make the process a bit less painful and less time-sensitive. But given the number of zero-day issues that Windows is constantly having, and given that the patching is just never going to stop (although the process itself may have changed with Win10), and given that there is really no way to make Windows truly "secure" (note how Microsoft itself states that XP is "not secure" even after three service packs and countless other patches over a period of more than a decade), then the whole idea just seems like wasted effort! And any cost savings (or whatever) that were expected to come from using COTS software like Windows certainly go out the window. (No pun intended.)
Like I said, Windows was just a bad choice to begin with. And I suspect that the folks involved here have come to regret using it, and (if they're smart) are already taking steps to get off that particular bandwagon. And the FDA should probably be stepping in on this, too.
antdude
to therube
said by therube: "My dentist, he must be in his 90's (years of age, that is), has no computer at all."

And he still works. Wow.
to scross
No, patch Tuesday they apply the patches to their test beds and run them through testing, then approve the patches to be applied. Even if they took a six-month delay to approve patches it would be an incredible improvement over their current process. Many take over a year, others simply don't ever do it.
It's not just the OS; many rely on very old unsupported versions of Java. They run telnet with root access and no password.
They don't allow you to patch without their approval. They determine what your level of acceptable risk is. But if patient data is breached, it's not the medical vendors that pay the fines, it's the health care provider.
scross, 2016-Jan-23 5:28 am
said by Uncle Paul: "No, patch Tuesday they apply the patches to their test beds and run them through testing then approve the patches to be applied. Even if they took a 6 month delay to approve patches it would be an incredible improvement over their current process. Many take over a year, others simply don't ever do it."

Who is "they" here, though? Is it the vendors? Is it internal IT? Who is ultimately on the hook for this stuff if something goes wrong? And why even step on this treadmill if you are constantly being hit with a steady stream of new zero-day vulnerabilities anyway, and you can never hope to come close to catching up with all of the patches for these? Once again, the real problem here is not so much "not patching" as it is using software that's simply "not fit for purpose" to begin with. BTW, I said earlier that I try to stay current with OS patches. But the fact is that I put little to no faith in these patches, and instead I rely on my anti-malware software and various other defenses to keep things in line.
said by scross: "Who is 'they' here, though? Is it the vendors? Is it internal IT? Who is ultimately on the hook for this stuff if something goes wrong? And why even step on this treadmill if you are constantly being hit with a steady stream of new zero-day vulnerabilities anyway, and you can never hope to come close to catching up with all of the patches for these? Once again, the real problem here is not so much 'not patching' as it is using software that's simply 'not fit for purpose' to begin with. BTW, I said earlier that I try to stay current with OS patches. But the fact is that I put little to no faith in these patches, and instead I rely on my anti-malware software and various other defenses to keep things in line."

"They" are the medical device vendors. And medical device is a broad category. It contains more than just devices like IV pumps but radiological viewing systems. Ultimately, as I said earlier, the health care provider is responsible. The only real risk the vendor has is a lawsuit from the patient or health care provider. But most contracts severely limit the health care provider's legal recourse. We've been actively trying to add security addendums to our contracts, but the push back has limited our progress. We're starting to see more acknowledgment from the vendors for security issues, but there's a long way to go. Right now it's mostly lip service. What they've managed to do is shift the risk to the provider, but then tie the vendor's hands in mitigating risk (and from a security analyst standpoint... it's a lot of risk).
I understand you don't feel the choice of operating systems is correct, but then they don't allow us to choose. And while unpatched Windows systems are issues, unpatched Linux, OpenSSL, DBMS, Java and other dependent third party tools are large issues too. Even taking the OS out of the equation there are a plethora of vulnerabilities and insecure configurations to close. Many vendors don't allow you to run anti-malware software on these devices. In many cases you're just given an ovm without root access and are expected to stand it up. Due to a healthcare industry that has not felt like they were historical targets of cyber attacks, no one on the purchasing side has expected security and no vendor has been willing to add it when they felt there was no point in spending the money on typical IT VM. Sadly enough someone is going to have to die before the FDA, vendors, and many hospital administrators will actively do something to change the landscape. As seen in this article (» www.wired.com/2015/04/dr ··· -limits/) too many vendors simply react with indifference when challenged on problems.