Red tape keeps Conficker on medical devices


Summary: The Conficker worm has infected important computerized medical devices, but governmental red tape interfered with their repair.

WASHINGTON--The Conficker worm has infected important computerized medical devices, but governmental red tape interfered with their repair, an organizer of an anti-virus working group told Congress on Friday.

Rodney Joffe, one of the founders of an unofficial organization known as the Conficker Working Group, said that government regulations prevented hospital staff from carrying out the repairs.

Joffe, who is also the senior vice president for the telecom clearinghouse Neustar, told a panel of the House Energy and Commerce Committee that over the last three weeks, he and another Conficker researcher identified at least 300 critical medical devices from a single manufacturer that had been infected with the worm.

The devices were used in hospitals to let doctors view and manipulate high-resolution imaging such as MRI scans, and were often found in or near intensive care units, connected to local area networks alongside other critical medical devices.

"They should have never, ever been connected to the Internet," Joffe said.

Because the systems are regulated medical equipment, the affected hospitals had to wait 90 days before the devices could be modified to remove the infections and close the vulnerabilities that let them in.

Joffe's testimony and earlier reports of infected medical devices show the risks involved in efforts to reap the economic benefits of a networked world. President Obama's stimulus package has allocated billions of dollars for digitizing medical records and networking the nation's electric grids.

"The open Internet, one of its great values is it allows you to connect fairly cheaply and fairly easily to other computers," Joffe said. He added, however, that "the Internet was never designed to do the things it's doing today."

That includes connecting control systems to the Internet to manipulate and coordinate the nation's electric grids.

"The future of widespread (electric) meter-to-meter communication does have me concerned," said Dan Kaminsky, a technology consultant who last year discovered a critical cache-poisoning flaw in the Domain Name System, part of the Internet's core infrastructure. "I would like to see more security for those meters."

It was recently reported that Chinese and Russian spies had infiltrated the grid networks. Politicians introduced a bill on Thursday to give the Homeland Security Department and other federal agencies more authority over utilities in order to protect the "smart" grid from cyberattacks.

Joffe and other witnesses said that, at an operational level, the DHS is the appropriate government agency to improve cybersecurity. He called the U.S. Computer Emergency Readiness Team (US-CERT), which is operated by the DHS, "woefully under-staffed and woefully under-funded." As part of its mission, US-CERT acts as a liaison between the public and private sectors.

Gregory Nojeim, senior counsel for the Center for Democracy and Technology, also said DHS should naturally hold jurisdiction over cybersecurity, as long as it makes its actions more transparent and receives policy guidance from the White House.

Policymakers need to be clear and open in their work with the private sector, Nojeim said, and should avoid giving anyone in the government – even the president – too much power over private networks. He urged the congressional panel to reject legislation from Senator Jay Rockefeller, D-W.Va., that would give the president power to shut down any critical network – federal or otherwise – in an emergency.

"Any such shutdown could also have far-reaching, unintended consequences for the economy and for the critical infrastructures themselves," he said. "To our knowledge, no circumstance has yet arisen that could justify a presidential order to limit or cut off Internet traffic to a particular critical infrastructure system when the operators of that system think it should not be limited or cut off."

  • And of course we [i]want[/i] the government

    to run healthcare?

    If they are interfering with routine patching due to their regulations, then having those regulations interfere with fixing the issues the regulations caused, maybe it is time they stepped aside and let the staff maintain the devices properly?

    Just a thought...

    • I'm sure the problem is simply that

      Dear Leader didn't know. If he did, he would have personally taken care
      of the matter. Because he cares. I love Dear Leader.
      • No, the problem is

        You don't have what we do in the UK.

        We call it the Department Of Health, or DOH for short.

    • RE: Bureaucratic Regulation

      I would offer that the bureaucratic ID10T who is using "the book" to prevent fixing this "infection" be punished.

      [i]My idea of appropriate punishment is to take 100 people at random; give each one 100 hypodermic needles, [b]and use that ID10T's bare ass as the target![/b][/i]

      In fact, I would offer up a bonus of $10,000 to the first person to put a needle in that ID10T's nutz!
  • RE: Red tape keeps Conficker on medical devices

    "They should have never, ever been connected to the Internet"

    Is incorrect.

    The proper way of putting it is that "They should have never, ever been connected to the Internet in a manner that permitted close interaction with the data sets and IP ports associated with the collection and correlation of the data."

    Distribution of the data, or correlation of data sets can be published without exposing the underlying data sets or data collection systems to malicious manipulation.
    It is the lack of infrastructure, management, and control of the "publishing" vs. the collection and data set systems themselves that becomes an issue here.
    The MRI machine should be permitted to talk to the Medical Center maintained data storage systems, ONLY. These Data Storage systems should only be allowed to talk to "Middleware" systems, also maintained by the entity.
    The Middleware or interpretive systems should only be able to talk through port, protocol and data specific IPS systems before it actually leaves the facility.
    It is unfortunate that most communities do not recognize the need to isolate their data in this manner, thus the exposure. If, in this era of "virtualization" of services within a single physical server, this was recognized by the OS and HW manufacturers, then this type of liability could be a thing of the past....unfortunately, this is not true. Nor is it true in companies that do not virtualize servers/services with a single IP address with many ports open to investigation.
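The tiered allow-list the commenter above describes (modality talks only to hospital-maintained storage, storage only to middleware, middleware only through a port/protocol-specific IPS before anything leaves the facility) can be written down as a default-deny zone policy and checked against sample flows. The block below is an added example, not code from the article or from any hospital or vendor; the zone names, address ranges, DICOM port 104, HTTPS port 443 and the sample flows are all assumptions constructed for illustration. The one fact it leans on is that Conficker spread over SMB on TCP/445 (the MS08-067 vector), which is why that port shows up in the denied flows.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout for this example; not any hospital's real addressing.
ZONES = {
    "imaging": ip_network("10.10.0.0/24"),     # MRI consoles / viewing workstations
    "storage": ip_network("10.20.0.0/24"),     # hospital-maintained image/data storage
    "middleware": ip_network("10.30.0.0/24"),  # interpretive / publishing tier
}
# Any address outside the three internal zones is "egress": beyond the facility boundary.


@dataclass(frozen=True)
class Rule:
    src: str                # source zone
    dst: str                # destination zone
    proto: str              # "tcp" or "udp"
    port: int               # destination port
    via_ips: bool = False   # must traverse the port/protocol-specific IPS at the boundary


# The only adjacencies the comment permits. Everything not listed is dropped.
ALLOW = (
    Rule("imaging", "storage", "tcp", 104),                  # DICOM (assumed port) modality -> archive
    Rule("storage", "middleware", "tcp", 104),               # archive -> interpretive systems
    Rule("storage", "middleware", "tcp", 443),               # assumed HTTPS API between the tiers
    Rule("middleware", "egress", "tcp", 443, via_ips=True),  # published results leave only through the IPS
)


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not in an internal zone is 'egress'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "egress"


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> tuple:
    """Return ('allow' | 'allow-via-ips' | 'deny', reason) for one flow.

    Default deny: a flow passes only if a Rule matches exactly. Same-zone flows are
    denied as well; enforcing that on a shared LAN needs port isolation / private VLANs
    or host firewalls, because a zone firewall never sees intra-segment traffic.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "egress":
        return "deny", "connections from outside the facility are never initiated toward the clinical tiers"
    if src == dst:
        return "deny", f"lateral traffic inside zone '{src}' is not an approved adjacency"
    for rule in ALLOW:
        if (rule.src, rule.dst, rule.proto, rule.port) == (src, dst, proto.lower(), port):
            if rule.via_ips:
                return "allow-via-ips", f"{src}->{dst} {proto}/{port} permitted only through the boundary IPS"
            return "allow", f"{src}->{dst} {proto}/{port} is an approved adjacency"
    return "deny", f"{src}->{dst} {proto}/{port} is not on the allow-list"


def audit(flows):
    """Evaluate (src, dst, proto, port) tuples; returns a list of (flow, verdict, reason)."""
    return [((s, d, p, n), *evaluate(s, d, p, n)) for s, d, p, n in flows]


# Constructed sample flows. TCP/445 (SMB) is the channel Conficker used for MS08-067
# exploitation and lateral spread; the others are the legitimate image pipeline.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.8", "tcp", 104),     # MRI console stores a study
    ("10.20.0.8", "10.30.0.4", "tcp", 104),     # archive hands it to the interpretive tier
    ("10.30.0.4", "203.0.113.9", "tcp", 443),   # published report leaves via the IPS
    ("10.10.0.5", "203.0.113.9", "tcp", 445),   # infected console tries to reach the Internet on SMB
    ("10.10.0.5", "10.10.0.6", "tcp", 445),     # worm attempts to hop to a neighbouring console
    ("10.20.0.8", "203.0.113.9", "tcp", 443),   # archive tries to talk outside directly
    ("203.0.113.9", "10.10.0.5", "tcp", 445),   # inbound scan from the Internet
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:14} {flow[0]:>13} -> {flow[1]:<13} {flow[2]}/{flow[3]:<5} {reason}")
```

The point the model makes concrete is that an infected console has nowhere to go: its only permitted peer is the archive on one port, so the SMB attempts outward, sideways and inbound all fall to the default deny. The same-zone case is the one a zone firewall cannot enforce on its own, which is why the devices on a shared ICU segment described in the article would still need switch-level isolation or host firewalls.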
  • And you people want government healthcare?

    Good luck with that. You should take more than hints from Canada and Europe.... it SUCKS!