Docs ran a simulation of what would happen if really nasty malware hit a city's hospitals. RIP :(

Electronic medical equipment is supposed to help humans save lives, but their lamentable security could result in considerable death, we were warned over the weekend. Speaking at DerbyCon in Kentucky, USA, on Saturday, three medics who have a side interest in hacking gave an update on their work analyzing security flaws in …

  1. AMBxx Silver badge

    WannaCry and NHS

    Anyone know if there's been any reports on the number of deaths caused? I've seen plenty about not patching, but nothing about the actual impact.

    1. Anonymous Coward

      Re: WannaCry and NHS

      "Anyone know if there's been any reports on the number of deaths caused? I've seen plenty about not patching, but nothing about the actual impact."

      No, but if there are any it'll be blamed on 'computers' .. whatever you do .. don't mention the Operating system platform. It doesn't matter what OS, Mac OS X gets hacked too and Linux doesn't get hacked as much as Windows because nobody uses it.

      1. Sir Runcible Spoon

        Re: WannaCry and NHS

        "and Linux doesn't get hacked as much as Windows because nobody uses it."

        Except it forms the basis of the vast majority of the actual servers on the internet, including firewalls.

        1. Doctor Syntax Silver badge

          Re: WannaCry and NHS

          "Except it forms the basis of the vast majority of the actual servers on the internet"

          And all the Android devices. And all Chromebooks. And what's the score for smart TVs these days?

          But still, nobody uses it.

          1. Anonymous Coward

            Re: WannaCry and NHS

            And all that IoT kit, and they never get compromised.

      2. Doctor Syntax Silver badge

        Re: WannaCry and NHS

        "No, but if there are any it'll be blamed on 'computers'"

        If there are any such deaths they should be reported to the coroner and an inquest would look into the matter rather more deeply than you seem to think.

        1. TRT Silver badge

          Re: WannaCry and NHS

          Believe me, if any deaths occurred directly as a result of WannaCry, it won't be just the IT guys that will have their feet in the fire. Clinicians must consider the possibility that devices, information, drugs, procedures etc will not be available and have alternative care plans in place. Certainly this is a wake up call to those who have become complacent about the previously good(ish) record of reliability in medical IT systems, but even so they will be acutely aware that it's just a tool, it's not a replacement for good practice and patient care.

          1. HmmmYes

            Re: WannaCry and NHS

            No.

            Clinicians follow what they are told to do - be it medical procedures, drugs to use, rehabilitation etc.

            You don't want practicing Drs to be trying to make up the science, procedures, or IT strategy as they go along.

            1. John Smith 19 Gold badge

              "85 per cent of US hospitals don’t have any IT security staff,” he added."

              Which I think is actually a bit worse than the NHS.

              Which suggests the US Healthcare industry does not have better security.

              It's just been luckier, as this exercise shows.

              So far.

          2. doke

            Re: WannaCry and NHS

            "if any deaths occurred directly as a result of WannaCry"

            If WannaCry caused any deaths in NHS, then how many lives did Marcus Hutchins save?

    2. Anonymous Coward

      Re: WannaCry and NHS

      Have you heard anything about a major supplier to the NHS not having access control lists on devices as they said they had, then checked again and said YES WE TOTALLY HAVE.

      Then didn't.

      That's how Wannacry got into many trusts, nobody seems to want to take it up with that CRAP IT compan-A.

  2. Pascal Monett Silver badge

    The lessons will be costly in money and lives

    I can understand that medical equipment was not created with security in mind. Who in their right mind would want to hack a pacemaker?

    The problem is that there are many people who are not in their right mind, for whatever reason. So now we're going to have to add security to our medical environment and we're going to have to do it right, because when you're having a heart attack the last thing you want is the doctor having mistyped his password wrong for the third time and locking his account.

    1. Dan 55 Silver badge

      Re: The lessons will be costly in money and lives

      The problem is that there are many people who are not in their right mind, for whatever reason.

      That'll be lack of mental healthcare.

      1. Charles 9

        Re: The lessons will be costly in money and lives

        Even with mental healthcare you're going to have sociopaths who can pass off as normal. Healthcare can't do much versus someone actively avoiding it.

    2. Korev Silver badge

      Re: The lessons will be costly in money and lives

      having a heart attack the last thing you want is the doctor having mistyped his password wrong for the third time and locking his account.

      This seems like a good scenario for RFID chips; my physiotherapists have them in their badges and just tap the badge on a sensor near the computer, this gives them access to the appointments system. If they want to look at X-rays etc. then they need badge + password. You could see how the trauma staff could have the speedy access in areas where every second counts and then in other areas need more security.

      1. toughluck

        Re: RFID

        Except you will run into problems regardless.

        The badge can be compromised.

        The badge might malfunction and fail when it's needed the most.

        Given how a brand new USB token sometimes registers and sometimes (like 95% of the time) doesn't, it's not a stretch of the imagination to think that it might not be viable where lives are at stake.

        Then there's the matter of the network being up to negotiate access to the device using the RFID chip, which essentially means that both the device and badge connect to a wireless network successfully and that the network is running and able to connect both devices to a server.

  3. Roland6 Silver badge

    Take results with a pinch of salt

    The group ran a simulation exercise with the authorities ... The three-day simulated cyber-disaster involved one hospital in the city being infected by destructive malware that crippled essential services, followed by other digital assaults on hospitals across the city on the second day, and then a physical attack similar to the 2013 Boston marathon bombing on day three.

    From the article, no systems were actually infected and the sequence of events was obviously chosen to create a worst case scenario. I see a security expert spreading FUD and trying to drum up custom.

    Not to say that hospitals and medical equipment don't need better security etc., only I'm not sure what the real benefit of running the simulation is - I wonder what the lessons learnt are that a hospital could put immediately into practice.

    1. Richard Jones 1

      Re: Take results with a pinch of salt

      Doing nothing 'cause it is hard is not an option.

      I suggest that the first steps are that either (a) a facility-by-facility review is needed to decide what needs to be internet or even intranet connected, or (b) some overall relevant guideline is needed to define the achievable objective across a wider, e.g. multi-facility, area; examples: insurance company/health standards body, OEMs, etc., or several working in concert. This process must be health system and political influence independent.

      By the way, 'nice to have connections' need not apply!

      Authorisation processes need some critical examination to find out whether it really does need years of expensive prevarication to secure life saving/threatening equipment.

      1. Charles 9

        Re: Take results with a pinch of salt

        And how do you deal with network bridges, accidental or not?

      2. Paul 195

        Re: Take results with a pinch of salt

        "In general, it takes about six years to get approval from American regulators on a new medical device and that rises to 10 if the device has to be implanted into a human."

        There's a strong argument that such devices should always be airgapped - if you can't patch them in timely fashion, they will always be at risk.

    2. Doctor Syntax Silver badge

      Re: Take results with a pinch of salt

      "wonder what the lessons learnt are that a hospital could put immediately into practice."

      Why would the lessons learned have to be put into practice immediately? Some, maybe. But the fact that some or even all may take longer doesn't invalidate the exercise.

      Have you ever carried out a DR practice? If you have I'm pretty sure that at least the first time you would have learned a great deal about how to prepare for a real DR event. Given that you don't see the point of this exercise I'd guess you haven't.

      1. Charles 9

        Re: Take results with a pinch of salt

        Things have to be done RIGHT NOW because hospitals are vulnerable (to the point that people can DIE) RIGHT NOW. The whole medical system is being put on notice, and they need new options...QUICKLY.

        1. Doctor Syntax Silver badge

          Re: Take results with a pinch of salt

          "Things have to be done RIGHT NOW because hospitals are vulnerable"

          Let's look at that a little more carefully.

          What has to be done right now?

          I'd say the first thing that has to be done is to find out what has to be done (yes I did spend time living in Ireland ;).

          The medics have a term for this, it was used in the article: triage.

          Some things can be done quickly but everything can't be done at once because you always have a finite number of people to do it and things have to be done in order: if you think the network needs to be rearranged so as to isolate the more vulnerable equipment then that has to be planned, otherwise you may accidentally fail to do so by missing out on some bridge or you may separate a piece of equipment from other systems it needs to work with. Then you may need to buy more kit which has a lead time.

          You can start doing things right now (starting to tell TPTB you're going to need to budget time and money is one). You will actually be able to finish doing very little right now.

          Above all you need to avoid the politician's syllogism: something needs to be done, this is something therefore it must be done.

      2. Roland6 Silver badge

        Re: Take results with a pinch of salt

        Have you ever carried out a DR practice? If you have I'm pretty sure that at least the first time you would have learned a great deal about how to prepare for a real DR event.

        Precisely! You learn "how to prepare" and deal with a real DR event. However, looking at the thumbnail sequence of events in the simulation and the "destructive malware" (what were the parameters used to define destructive - the malware knows all the known and unknown exploits in all hospital systems?), I get the impression this simulation was more about sensationalism than real learning, particularly as no reference is made to any previous simulations, i.e. this simulation was staged to make a point.

        Personally, I start from the basics and build up, this allows me to take an organisation step-by-step through the change process, with reduced risk of shocking the client into paralysis.

        1. Roland6 Silver badge

          Re: Take results with a pinch of salt

          wonder what the lessons learnt are that a hospital could put immediately into practice.

          By this I meant, okay we've done the simulation, what do we do next, i.e. what can I action/task people with - this is both things that can immediately change things on the shop floor and investigations etc. that will result in change.

          My reading of the article is the main finding seemed to be that the hospital effectively ceased to be a hospital on day 3. Which is the sort of finding I seem to remember some consultancies liking, as it provided the opportunity for a rather large, loosely scoped consulting assignment - just sign here...

  4. Peter Prof Fox

    It's not a slight risk times one

    Suppose for sake of argument that the probability of severe consequences is 1 in 100 and 'merely' disruptive 1 in 10. Now attack 100 hospitals. Oh my giddy aunt!

    We have to realise that this isn't the same as an isolated event such as say a fire or lunatic with a grudge and a few bullets or passwords, but a many thousands of targets campaign. It's the environment that's deadly not just a couple of bits of kit.

  5. Anonymous Coward

    All plausible

    however, although the devices themselves may not be able to be secured, it can be made harder by putting them on a private network, and using MAC authentication etc. This will reduce exposure to many network based threats. Every enterprise has a few devices (vendors like to call them appliances) like this.

    As for attacks being made locally - this can never really be mitigated technically - equipment has to be out all the time therefore staff eyes are the best defence here until new designs are approved. In my experience devices are more likely to be stolen than hacked anyway...

    1. Mark 85

      Re: All plausible

      I'm thinking along the same lines. Why does the equipment have to be on the main hospital network? Except (as the article points out) most hospitals don't have a security department in IT. If all the equipment were on a private, isolated network, it would make an attack damn difficult. I see no reason for most equipment to be public facing.

      Sure, they need connectivity for the equipment and the computers for patient info. But reality.. none really need to be public internet facing. To move data from doctor's offices to patient files could be done from internet facing equipment via filtering computers (for lack of a better word) and securing the network interfaces... the switches themselves. Won't completely solve the problem but it would sure as hell remove the low hanging fruit that is there now.

  6. Bilious

    Entangled

    Some emergency services of hospitals need coordinated efforts at full capacity and full attention from a number of different sources now. If one computer-dependent service is crippled, that will easily influence negatively throughout the system. No med tech equipment needs to be affected: decreased availability of patient history or lab results is enough to cause delays and increase risks.

  7. Anonymous Coward

    Who in their right mind has internet/computer controlled and connected refrigerators? The rest makes sense but that's just a bit far fetched.

    1. Doctor Syntax Silver badge

      "The rest makes sense but that's just a bit far fetched."

      There was an internet connected dishwasher mentioned here a few months ago: https://www.theregister.co.uk/2017/03/26/miele_joins_internetofst_hall_of_shame/ That turned out to have been intended for use by medical services so it doesn't surprise me that they would have actually found internet connected fridges. This sort of exercise should lead to questioning the wisdom of such devices.

    2. Korev Silver badge

      Who in their right mind has internet/computer controlled and connected refrigerators?

      A lot of drugs, blood etc need to be kept cool, having monitoring of the conditions would be useful. For example, if a drug is kept at room temperature for too long then it could be chucked away, a fridge could notice some odd parameters and have an engineer look at it etc.

      The fridges etc. really should be on a separate network to the rest of the hospital though and definitely not on the Internet.

      1. Charles 9

        If it's on a separate network, it can't communicate with other departments like the pharmacy/dispensary. Especially in a situation where seconds can count.

        1. Anonymous Coward

          Good points and yes monitoring is useful but the fridge power/temperature itself shouldn't be controlled by an app connected or not because you are adding weakness that just isn't needed. A thermostat does exactly what you need.

      2. Doctor Syntax Silver badge

        "having monitoring of the conditions would be useful"

        Every freezer I've had monitors itself. If the temperature rises above a limit it sounds an alarm. If a fridge or freezer is located where the alarm wouldn't be heard it's not beyond the wit of man to run a bit of twin core to sound the alarm somewhere where it would be. It doesn't need to be connected to the internet; that's just needless - and dangerous - shiny for the sake of shiny.

    3. TRT Silver badge

      Hmm... not really. I mean, we have a lot of incubators, fridges and freezers and -80°C freezers and liquid nitrogen tanks etc. Currently they are monitored by a third party add-on thermal scanning system that beams measurements by radio back to IP connected base stations (thick walls), that then relays the signals to a central C&C computer. But the same C&C system can accept suitably formatted input from a device with an integral self-monitoring system. We just haven't bought any because a plain old fridge is cheaper.

      And then there's the question of the fridge contents. We are currently implementing a sample labelling and storage system in order to track every single aliquot of DNA, tissue, plasmid, you name it, that goes into storage. We aim to be able to pin down the exact shelf, drawer and box location of every sample, primarily so that freezer doors need to be opened for a far shorter time leading to a reduction of energy use and defrosting requirement. It will also enable an exit policy so that ownership of samples will not "stutter" when someone leaves - it was discovered in a recent audit that around 40% of our storage capacity is taken up with ownerless legacy material. Now, each fridge, freezer and storage unit will have a barcode reader tacked to the outside for people to record what they put where and when. These records are tied into electronic lab books and electronic protocol lists.

      I wonder what would happen if we lost all those data in a cyber attack?

      1. Korev Silver badge

        Sounds like a pretty good system. Can you also track sample lineage eg DNA sample 1 and RNA sample 2 both come from tissue A?

        1. TRT Silver badge

          Yes. The principle is simply that the data are stored in a relational database, and you can do with it what you will. It was originally designed for chemists, so you can even put in floor plans and the system will alert you if you try to store too much of a particular class of material in the one space, or try to put two potentially hazardous reactants in the same area. On top of which it's web based and there's an emergency services access code so that responders can determine where stuff is in the building, what hazardous materials are there etc etc even from the back of a fire engine en route.

          1. Korev Silver badge

            Sounds good :)

            The emergency services system sounds good; I know of a laboratory which had a "slightly more exothermic than planned reaction" a few years ago and "understandably" the Fire Brigade wanted to know what radiochemicals were in the building. At this point the DBA was the most important person onsite (oddly enough the report was very quickly added to their system).

            1. Anonymous Coward

              Ha! A certain university that has had problems with its IT systems... ooh! coming up to the first anniversary of that, has recently built a hotel / student dorm next to a research building. Cue the first visit by the coal-face techs from the labs next door... "Err... you do realise that the wall you've just built your hotel across the side of is a sacrificial wall, designed to blow out if there's an explosion in the chemical store behind it?" "Err... no. Really? Well, I guess you'll have to find a new chemical store."

              Did they not give these people any blueprints?!

              1. Anonymous Coward

                I've never heard of the term "sacrificial wall", do they do the incantations when it's built?

    4. Anonymous Coward

      Who in their right mind has internet/computer controlled and connected refrigerators?

      They don't need to be, if the hospital power grid is computer controlled, then bye-bye fridge...

    5. ciderbuddy

      Should be called the 'Shit-Bit'

      It is crazy. I was buying a new vacuum cleaner last week, and there was one which had WiFi.

      Apparently there is also an app so you can monitor suction efficiency or something

      1. TRT Silver badge

        Re: I was buying a new vacuum cleaner last week

        If it was made by Microsoft, you can be certain it won't suck.

        1. Doctor Syntax Silver badge

          Re: I was buying a new vacuum cleaner last week

          If it was made by Microsoft, you can be certain it won't will suck.

          FTFY

  8. Charles 9

    Seems you can't win.

    If you don't do anything, hospitals get pwned, people die, and survivors sue.

    If you try to rush things, Murphy strikes, people die, and survivors sue.

    And we can't expect fallible, even diabolical humans to get it right the first time, either.

    1. toughluck

      Re: Seems you can't win.

      They don't need to get it right. They just need to be able to cause some havoc.

      Seems the NotPetya crims were unable to decrypt drive contents after victims paid up. Never mattered to them, they still got paid.

      Suppose they'd used a known vulnerability, but only managed to infect and severely disrupt (=shut down) one hospital in a hundred. That's still a terrifying prospect if they attacked a thousand of them. Worse still, the remaining 99 would still be infected to some extent, possibly disrupted, potentially having a lingering latent threat.

      The only real problem for criminals is developing a business model that would allow them to extract money from such an attack. If there's no benefit*, there's little likelihood that anyone is going to do it just to cause havoc.

      *) Allowing for a scenario of an attack gone out of control by an arsonist firefighter, some hacker with a grudge or somebody on a vendetta against the medical system, but I don't think these are likely, or we would have had them by now.

  9. Anonymous Coward

    Not just the UK, I was in a rather nasty vehicle accident just over a year back in a not so foreign hospital, and I ended up in a burns unit in an isolated room with its own aircon etc for two months while bits grew new covering skin and I was attended to by aliens with just their eyes visible, and while I was in there, I saw a few things that made my hair curl a bit. First the machine that went ping that hooked onto me, was networked back to a central nurses station so if anyone popped off, they could rush in to their rescue which was awkward as I kept pulling the ping sensors off when asleep. This connected to an in-room display with a rubber keyboard (so it could be disinfected daily) in the room itself also for staff to enter extra data taken or food/drugs administered during regular observations in room into some central database of stuff done to each person. I was given the printouts from my records on discharge, it was pretty impressive to read.

    I was quite surprised to see a nurse able to pop onto their facebook account using the obs entry computer one night, especially as the machine was unpatched XP, and the machine that went ping ran windows 98...

    Also I was permitted a tablet and a smartphone after I agreed to use brand new devices and that they could be passed through decontamination protocols. I was not allowed to use wifi under any circumstances as use of it would disrupt their local equipment signalling network but 4g was ok. I bluetooth shared my tablet to the phone after some rooting activity to get out and get some sanity saving connectivity. On one occasion I accidentally switched the wifi on for a few seconds, and it managed to find an open AP and sign onto it before I pulled it down as quick as I could.

    Towards the end of my stay I was able to get up out of bed and they brought in people to do various bits and bobs and maintenance to the system to make sure the room was ready for the next unlucky occupant, and one such repair involved someone reflashing the first alert button systems, which turned out to be a single board computer with an Ethernet connection behind an LCD panel in the wall connected to the big red button. Chatting to the engineer like y'do, they had reflashed it externally to try and resolve the false alerts before deciding the issue was hardware in the room related, he showed me how to make it cycle the LCD display to show IP info and version and stuff from button combos on the panel itself, great, really interesting, no credentials required. And a very recognizable network topology too :-)

    Given the machine that went ping had outbound connectivity, I wouldn't mind betting that system had it too and not just to the mothership for reflash purposes. All gluing the infrastructure with that central database of very very personal information at its core...

    If you're curious, I'm all growed back now, but I have some cool leg, torso and arm scars that I tell children at the swimming pool was from when I was attacked by a man eating great white shark as I poked its eyes out to escape :D

    At the end of the day, I was there to be helped, there's no way I would take my curiosity further or try to make any of the excellent staff's jobs harder, and indeed there's no way I'd risk the legal repercussions of taking any of my concerns further without a contract covering engagement to do so.

    I think that there's a real dearth of people with the security & testing mindset not being allowed into the operational areas because of a fear of what they might find in what is an already overstretched and underbudgeted area without the resources to address fixes, and that is leaving vectors open that could be shut for smaller expenses without making anyone's job more difficult because with patients they already have enough grief to start with. And I have no idea how that network is separated out, but if it's arch'd the way it appeared to be from 3rd party observations, someone with security architectural experience needs involving too.

    So I read things like this from derby con and nod my head, life's rich tapestry has yielded a similar experience...

    Posting anon, but some people will know me from the above alone.

  10. ExampleOne

    "With elevators and HVAC systems out, and no refrigeration for medicines, patients had to be shuttled to other medical facilities and some were not making it there alive."

    Because we could never do elevators/HVAC/refrigeration without computers?

    Honestly, if an attacker can completely take out your elevators/fridges/HVAC, you have a LOT of other problems, and I would question if this "study" goes far enough. What if the attackers instead simply take out the electricity grid and the hospital back-up generators/power sources? The problem here isn't "poor IT security", it's a complete lack of ANY form of effective "business continuity plan" and disaster response planning.

    If a hospital can cope with a complete loss of all electricity, it can cope with anything the hackers can throw at it by simply switching everything off. If it can't? The rest is simply details.

    1. TRT Silver badge

      Hospitals cope with a complete loss of grid electricity by having a mahoosive diesel fed generator and a contract with a major fuel distributor such that they can get a great big tanker there to refill it every 6 hours, 24 hours a day, 7 days a week, 365 days a year.

      1. Anonymous Coward

        To quote the previous poster:

        What if the attackers instead simply take out the electricity grid and the hospital back-up generators/power sources?

        If the internal power management is computer controlled, then that would be relatively trivial, and it doesn't matter how mahoosive your generator is.

        1. TRT Silver badge

          It's not computer controlled. It uses solid state zero-switching regulators. And very big pieces of metal that move. But the point was that hospitals can't survive without electricity, so turning the power off doesn't help with a cyber attack. Well, hospitals as we understand them. Obviously a field hospital in the middle of an African plain where the closest thing they get to electricity is a battery powered fob watch, a pen light and a solar rechargeable sphygmomanometer is another thing. I reckon they could cope.

      2. ExampleOne

        "Hospitals cope with a complete loss of grid electricity by having a mahoosive diesel fed generator and a contract with a major fuel distributor such that they can get a great big tanker there to refill it every 6 hours, 24 hours a day, 7 days a week, 365 days a year"

        If we are going to play hypotheticals, how does the tanker get there? How much chaos can our attackers cause taking out the traffic control systems?

        Given the threat model in the original article included bomb attacks as part of the exercise, how much damage would a well placed van of fertiliser cause? What happens if an attacker takes out your generators or manages to set fire to your fuel reserve?

        In the face of wide-spread, deliberate, electronic attacks, there isn't any service in the western world that would cope. The brutal truth is "we ain't seen nuthin yet". A determined electronic attacker launching large scale coordinated attacks against multiple targets is probably going to make all these threat models look like children's exercises. The lucky truth is that the terrorists really aren't that good at this.

        Going back to my original point, why are the hospital fridges doing anything more than one-way unicasts of their data? Why are they controllable over the network? Logging what is in the fridges doesn't need to be connected to the fridge control systems.

        Similarly, why don't the elevators have a switch to shut off all their "remote control" functionality? I think every elevator system I have seen has had similar options using keys. Worst case you need someone in every elevator managing them using hand-held radios - expensive, but not an unbearable burden.

        HVAC: Again, why is it not possible to quickly disable the computerised management systems and manually dial in target settings?

        Failures like these are not "IT security failures", because really these shouldn't be IT systems. They are systemic failures, the blame for which lies with senior management trying to trim costs aggressively and equipment suppliers who are prepared to provide equipment that doesn't "fail safe" cheaper than equipment that does.

        1. Charles 9

          "Failures like these are not "IT security failures", because really these shouldn't be IT systems. They are systemic failures, the blame for which lies with senior management trying to trim costs aggressively and equipment suppliers who are prepared to provide equipment that doesn't "fail safe" cheaper than equipment that does."

          You can't fault the management, though. They have budgets to keep or they have to explain to financial boards, maybe even government officials with potentially serious consequences. Forget potential disasters when those officials CAN AND WILL confront you. IOW, the certain threat trumps the uncertain one.

          1. ExampleOne

            "You can't fault the management, though. They have budgets to keep or they have to explain to financial boards, maybe even government officials with potentially serious consequences. Forget potential disasters when those officials CAN AND WILL confront you. IOW, the certain threat trumps the uncertain one."

            If the fault for decisions doesn't lie with the people who made the decisions, who does it lie with? You claim that they decided to play roulette with the safety of the hospital and people's lives to avoid dealing with budgetary problems now, and you suggest that this decision isn't their fault?

            In practice, here, I would say if the financial pressure leading to these decisions is coming from the financial boards or government officials, then you have identified the senior level of management responsible: those boards or government officials. But someone, somewhere, is making a decision to sacrifice safety to meet financial targets, and I seriously doubt that decision is being made in the IT departments of hospitals.

            1. Charles 9

              "In practice, here, I would say if the financial pressure leading to these decisions is coming from the financial boards or government officials, then you have identified the senior level of management responsible: those boards or government officials. But someone, somewhere, is making a decision to sacrifice safety to meet financial targets, and I seriously doubt that decision is being made in the IT departments of hospitals."

              Thing is, when the bad decision is coming from UP TOP (and when it comes to governments, a SOVEREIGN entity with no higher authority), what can you do? You're basically outranked. And given the scope of the problem, voting with your feet is simply a matter of leaping between sinking ships.

    2. Doctor Syntax Silver badge

      "Because we could never do elevators/HVAC/refrigeration without computers?"

      And nobody ever put the HVAC on the same network as the business and nobody ever let the maintenance company have access to the HVAC and nobody ever got pwned because of such a set-up. Of course not.

  11. HmmmYes

    Just don't use Windows.

    Use Linux, or FreeBSD. Strip down the image to the bare arse of what you need - no surplus crap floating in the install.

    Put all client applications in a web browser.

    Poof! 98% of problems go away, leaving you to spend time looking at the more serious hacking etc.

    1. Neil Alexander

      I really hope you're not a CSO.

  12. Gnosis_Carmot

    Not surprising given the user base at hospitals

    Overheard a call once where a doctor was calling wanting the mouse calibrated. To the mouse pad. So when the mouse was in the center of the pad the pointer was in the center of the monitor.

    1. TRT Silver badge

      Re: Not surprising given the user base at hospitals

      Meh. We had a Silicon Graphics with an optical mouse and a special mat with a graticule on it that did that. I'm still not sure how it knew it was in the centre of the pad.

      1. Charles 9

        Re: Not surprising given the user base at hospitals

        It may not have been a pad but a digitizer, which WOULD have a coordinate system. Your basic Wacom pen input pad does the same thing.

  13. Anonymous Coward

    simple hacking

    "All of these deaths, in the simulation, were caused by simple hacking"

    Something which apparently takes out things which aren't network connected such as refrigeration and HVAC(*) systems is far from 'simple hacking', as it would have had to take out the electrical and water supplies.

    (* Although generally digitally controlled, such systems are rarely ever network connected)

  14. John F***ing Stepp

    This is really a worse situation

    Than you could imagine.

    Before IoT, hospital care and the machines involved needed a common language, so one was devised (by committee*) that allowed each machine to talk to another. This language is coded to the point that it would take a person at least a week to be able to read off the codes as if it were plain text.

    At least one hospital (one that I know of) uses Perl script to do all of the tasks (nothing wrong with that, right?) because Perl is a get it done language.

    All or most of the equipment suppliers are hard coding the common language into the various machines. Really, I think that the only reason this disaster waiting to happen has not happened is that most hackers would not deem it much of a challenge.

    * not naming common language, two letters and a number.

  15. Ken Mitchell

    Triage, Defined

    The article (or perhaps the doctors, it isn't entirely clear) is confused about the meaning of "triage". The original (Napoleonic War-era) definition divided combat casualties into three categories. The first group was expected to die, no matter what treatment was provided. The second group would probably survive, if treated immediately. The third, less severely injured, group would survive with minimal, perhaps "first aid"-level treatment.

    The first group would get palliative, comfort care to make their deaths as easy as possible. It is the SECOND group that got the doctors' attentions, because they were the ones who could PROBABLY be saved.

    1. Charles 9

      Re: Triage, Defined

      It's not that different today. Modern triage uses more than three categories these days (I suspect you were emphasizing the "tri" in triage), but the basic three you describe are still there: from the minor cases up through emergency cases (just with more levels in between), and they do keep a level for terminal cases. The most visible symbol of triage I can recall from memory is a tag that's attached to each triage patient. It has multiple tearaway tabs, and you're considered the bottom level still intact. It runs from yellow for the basic cases up through to red for emergencies. The last level is black for terminal.

  16. Anonymous Coward

    Watch the video, people

    Then babble your armchair expertise.
