back to article Imagine you're having a CT scan and malware alters the radiation levels – it's doable

As memories of last May's WannaCry cyber attack fade, the healthcare sector and Britain's NHS are still deep in learning. According to October's National Audit Office (NAO) report (PDF), 81 NHS Trusts, 603 primary care organisations and 595 GP practices in England and Wales were infected by the malware, with many others in …

  1. Anonymous Coward
    Anonymous Coward

    Imagine..

    ..that a CT scan is worse than all the radiation you ever received from Chernobyl, all in one go...

    ...and that its still 50 times less than you will get from prostate cancer treatment.

    If you want sensational headlines, try sticking to something sensational

    1. Voland's right hand Silver badge

      Re: Imagine..

      ...and that its still 50 times less than you will get from prostate cancer treatment.

      Who said you cannot overdose that. There are also next-generation "pin-point" radiation treatments like that one which resulted in the European arrest warrant for the couple which took their kid out of NHS hospital to take him to Czech republic to undergo it.

      Those work in a similar manner to a CT - scan. Preprogrammed sequence of "points" which are hit by higher power radiation than you can manage using what NHS uses in most cases today(*). Program the step motors differently and you have a patient without vision or speech for the rest of their lives. Or just whack one of the deeper "ancestral" areas in the brain and terminate them altogether.

      (*)After the really bad publicity they got that time NHS was negotiating to buy a couple of those

    2. Anonymous Coward
      Anonymous Coward

      Re: Imagine..

      I was curious so I looked this up.

      CT Scanner Max 30msv, 1000msv in 1sv, 5sv kills 50% of people within a month though 350msv was criteria for moving people from Chernobyl. (millisievert/sievert)

      So unless the max can be overridden it's not a danger from what I can see, obviously this doesn't take into account continued exposure.

      You learn new stuff everyday.

      1. This post has been deleted by its author

      2. GnuTzu

        Re: Imagine..

        Well, perhaps. But, I'm under the impression that dosage is exponential. So, with 350msv is between 2^3 and 2^4 times 30msv. I don't think it's that much of a difference. But, don't quote me; I'm no radiologist.

        Also, I think they try to limit CT scans to once a year, as they do produce more radiation than regular x-ray.

        1. find users who cut cat tail

          Re: Imagine..

          > But, don't quote me; I'm no radiologist.

          No, please don't.

          Sievert is simply J/kg, i.e. absorbed energy per mass. Getting the absorbed energy right makes it a bit more complicated, but this does not change the basic idea.

          Why you decided to write the ratio 350/30 as ‘something between 2^3 and 2^4’ is beyond me (even though technically it is indeed between 8 and 16).

      3. Anonymous Coward
        Anonymous Coward

        Re: Imagine..

        Once upon a time, I went in for a CT x-ray scan. I was already aware that they have a reputation of being moderately radiation-intensive, but I also knew that it was not too serious.

        The operator ran the CT machine once, and then she advised me that it hadn't correctly captured the data. So she ran the machine for a second time!!

        At this point my imagination extrapolated into very dark comedy...

        "Oh. I think I see a small indistinct spot. Let me run the machine again. Yep, it's a bit more distinct now. A small tumour? Let me try again. Yep, it seems to be larger now. Let me double-check the size. Oh yes, more distinct now, and it must be a couple inches across. ...That's strange. Is it growing? Let me check that again, just one more time. OMG!! It's at least a foot across now... Are we sure? One more scan... Holy Moley; it's huge now. Sir? Sir? Hello sir? CODE RED IN THE CT ROOM, STAT!!"

    3. Alan J. Wylie

      Re: Imagine..

      Perhaps a CT scanner was a poor example. As someone else has already mentioned, we should remember the Therac-25 tragedy.

    4. John Smith 19 Gold badge
      WTF?

      ...and that its still 50 times less than you will get from prostate cancer treatment.

      Or

      Program it so someone is not being treated and instead of them getting better they get worse.

      Honestly those MID mfg.

      Cheap motherf**ing ba***ds.

      Literally f**k all notion that this thing could run for decades on site.

      Would a stripped down Linux be so much more expensive?

    5. TheVogon

      Re: Imagine..

      Stupidity is still a much higher risk:

      https://interestingengineering.com/indian-man-loses-his-life-after-getting-sucked-into-mri-scanner

    6. The Man Who Fell To Earth Silver badge
      WTF?

      Back when I actually ran MRI systems

      The Bruker MRI microscope system I ran ran Solaris on Sun boxes. The CT scanner in the lab down the hall wasn't running Windows, and had Sun boxes, so I presume that ran Solaris as well. That was in the early 2000's. I would have thought these days MRI, CT & the like would all be running some version of Linux.

  2. Nano nano

    NMRI is CT ...

    Of course, Nuclear Magnetic Resonance Imaging is a "computed tomography technology".

    Hence the distinction should really be between X-ray CT and NMR CT.

    I should get out more, but I belong in Private Eye's pedant's corner ...

    1. Medical Cynic

      Re: NMRI is CT ...

      If you want to be pedantic, Nuclear Magnetic Resonance is a physical phenomenon that can be exploited to obtain computed tomography images, but interpreted differently it can be used to give the characteristic spectra of individual molecular species for biochemical analysis both in vitro and in vivo.

  3. Anonymous Coward
    Anonymous Coward

    ex-NHS

    In general the NHS IT is baaad. It's one thing hearing it but it becomes a different type of animal when you actually face it every day. The problems start at the very beginning - recruitment processes and interviews. One in ten (at best) IT managers are actually suitable to be IT managers. The other 9 are there for the holidays, pension and secure position. Half of them don't even have proper background and experience.

    1. LucreLout

      Re: ex-NHS

      Half of them don't even have proper background and experience.

      In fairness to NHS IT, that's not entirely unusual in the private sector. Some of my managers have been outstanding, most have been ok, many have been incompetent, and a few have been mailicous & incompetent.

    2. Anonymous Coward
      Anonymous Coward

      Re: ex-NHS

      I’m starting a uni placement year in an NHS FS Finance department helping look after their data and transition to new platforms, can’t wait :-/

  4. Jason Bloomberg Silver badge
    Childcatcher

    OMFG!

    While systems should be more robust than it seems they are, should be hardened against script kiddies, vandals and collateral damage in digital attacks, I find it hard to accept that deliberate targeting like this is at all likely to be a thing and the risk of being run over in the hospital car park is likely higher.

    There's too much "if it could happen, it will happen" scaremongering these days.

    Watch out for the bogeyman. He could be under the stairs, hiding in the dark, hacked into your router, draining your bodily fluids as you sleep.

    1. Prst. V.Jeltz Silver badge

      Re: OMFG!

      Yes , but as the article says it could , AND DID , happen by accident.

    2. Nano nano

      Re: OMFG!

      The "attack surface" is big .... there are lots of people "trying things" ...

    3. LucreLout

      Re: OMFG!

      @Jason Bloomberg

      While I agree with the sentiment of your post and am not worried about personally being zapped by a malware inifected medical device, I do disagree with several parts of your post.

      I find it hard to accept that deliberate targeting like this is at all likely to be a thing

      Why? There's potential to become famous which seems to motivate too many people these days; there's potential to make a lot of ransom money, which seems to motivate too many people these days; and its not like we don't already have some rather lovely chaps who are only too keen to screw up the lives of others for seemingly no personal gain (revenge porn, intimate photo hacking of strangers etc etc).

      There's too much "if it could happen, it will happen" scaremongering these days.

      Yes, for most walks of life I'd agree, however in hacking terms, much of what can happen does in fact begin to happen. I'd imagine this owuld make a great way for a rogue state to assasinate their emenies leaders - just wait for them to go for an MRI and nuke them (temporarily suspending disbelief because other posters have shown why this would be unlikely to be fatal).

      Watch out for the bogeyman. He could be under the stairs, hiding in the dark, hacked into your router, draining your bodily fluids as you sleep.

      As long as he's not hacked into my laptop web cam while I'm draining them then it could be worse....

      I'd agree that we don;t need to panic and we don;t need a knee jerk reaction to this article, but surely it must be evident that we do need to see increasing standards of computer literacy and efficacy within the NHS as an organisation?

  5. Blitheringeejit
    WTF?

    Genuine question

    So we have a number of highly expensive mission-critical machines, which are controlled using software running on outdated and unsupported workstation OS platforms.

    Why exactly is it hard to write new control software which talks to the machine in exactly the same (hopefully well-documented) protocol/API, but runs on a modern, maintained (and ideally non-proprietory) platform? Is there a technical problem with this, or is it something to do with developers not being allowed to see the docs or reverse-engineer the APIs for legal/licence reasons?

    Since the cost of the hardware is the biggie, surely there would be enough commercial benefit from such an update project to make it worth everyone's while..?

    Or do the manufacturers expect healthcare services to buy a whole new CT scanner just because they won't update their XP control software?

    1. Anonymous Coward
      Anonymous Coward

      Re: Genuine question

      "Why exactly is it hard to write new control software which talks to the machine in exactly the same (hopefully well-documented) protocol/API, but runs on a modern, maintained (and ideally non-proprietory) platform? Is there a technical problem with this, or is it something to do with developers not being allowed to see the docs or reverse-engineer the APIs for legal/licence reasons?"

      The firts thing is that there is a logical contradiction in the question which imagins that the software is somehow seperate from the device. There will be seperate processors running software which communicates together to deliver the overall device functionality. Without looking at each specific systesm architecture it is impossibe to say which software sub-systems present which risk.

      These systems are complex, have a long life time and suffer from obsocolesence problems. I have seen medical imaging devices which are more than 30 years old being used routinely. The system may well consist of say six or seven intellignet subsystems running a variety of operating systems from embedded real time operating systems through (on the processing/UI/DB side) general purpose operating systems. The hardware the software controls is necessarily proprietary and specialised with unique APIs and interfaces. There are quite rightly standards for the development and maintenanc eof such systems including the sofwtare and they require version and change control, risk management and verification. The verification task is complicated by the many different hardware versions that need to be supported and different user options.On one system I worked on a full verification cycle running on 3 shifts 24 hours a day would take 3 months work. The medical device market is incredibly diverse with a huge variety of different systems many successful examples of which may only have an installed base of thousands.

      To answer your question on older systems it is only practical to fix critical issues ie those that would affect patient safey and which have no reasonable work arounds. The hardware platforms of older devices cannot simply be upgraded to modern platforms without new custom hardware design, the effort to create a brand new modern software version on a modern platform would be similar to the effort to create a completely new design. The platforms these legacy systems run on and tools that were used to cretae the sofwtare are frequently unsupported long before the end of product life. Medical instituitions are not forced to buy new systems which is why they run very old ones and why they are advised to hide those systems behind VPNs, firewalls etc.

      The risk management aspect of medicla device design means that risks resulting in injury shoudl have been considered and means to control them put in place. On a typical imaing device that would mean collision sensors to prevent a collision with the patient causing injury if motion control failed and hardware limits on exposure rates and duration. malicous sofwtare coudl cause indirect problems through delivering the wrong results, mixing up patienst data etc but teh risk of direct injuries are probably controlled.

      The manufacturers do not allow or at least advise against the hospitals installing OS patches/updates etc which have not been verified by the manufacturer because such patching invalidates the testing/risk management process. I have seen hospitals thatinstalled OS patches which were not authourised and broke systems.

      This is not an easy problem and it is not only a problem for device manufacturers but also of sensible IT management bearing in mind the limitations of the systems concerned. The real concern shoudl probably be of failures leading to lack of availability rather than actual injury.

      1. Prst. V.Jeltz Silver badge

        Re: Genuine question

        Thats a very comprehensive answer, much longer than the one i forgot to press post on (see below)

        Your reasons are the same reasons that if you go into the cockpit of a 737 it will look much the same as it did 30 years ago, with good reason , but its not running windows 95 , presumably its in house OS and software on custom hardware , like you said , and thererfore faitrly invulneranle to accidental ransomware , but not a targetted custom made in depth attack i guess

        on smaller gear:

        I've seen several smaller peices of medical hardware (blood pressure / hearing test gear ec) made by flash in the pan comapanieis long since gone or bought out , where the only software is XP (or ealier) only - and what can you do , if there is no support anymore even for xp?

        "Well it worked great until you turned up and window7ned my pc!!" they will cry.

        Maybe you could isolate / firewall / airgap / virtualise a safe XP environment , but in practive , yes , thay buy newer gear. Do they ask for guaratees of support through further OS's , or standardise the gear being bough countrywide to force vendors to get their shit togheter? no they dont.

        You'd think though that with a million pound MRI machine , or evan a 128k CT scanner , theyd provide some sort of mamangement solution with a life longer than the average MS OS.

        1. werdsmith Silver badge

          Re: Genuine question

          if you go into the cockpit of a 737 it will look much the same as it did 30 years ago,

          Don't look much the same to me. Between a 737-400 and the NGs and MAX the amount of glass panel display has increased considerably.

      2. el_oscuro

        Re: Genuine question

        I get all of this. All of this shit has to be certified and work. Medical review boards are like aviation - and for the same reasons.

        But here's the question: If someone buys an MRI scanner in 2003 with a commodity PC to control it, what happens when the hardware goes TITSUP? You are not replacing that fried motherboard that ran XP (or Linux 2.4). Never mind the shitty security of Windows. In aviation, they have custom interfaces for everything which can be serviced and replaced for the life cycle of the aeroplane, and all of this shit is certified. Why not for these medical devices?

    2. martinusher Silver badge

      Re: Genuine question

      Industrial and medical systems undergo very rigorous testing before release, a process that can be very time consuming and expensive. Any change to those systems, even an apparently insignificant one, can trigger the need for a complete recertification so naturally customers avoid doing any upgrades unless they're forced to (and even then they will only accept changes that fix a specific bug).

      Given this is something of an anomaly that they'd build industrial systems on a Windows platform but, unfortunately, its the one that's most common. Having old code isn't an issue unless you change the software or directly connect the machine to the Internet. Upgrading Windows is problematical because the specialized code and interfaces that are often found on industrial machines is often version dependent (and, anyway, Windows is often not compatible with itself). The only way you could upgrade the code would be to treat it as a new product and test it from the ground up.

      An example of the kind of problems you run into is that one piece of software we're aware of (for a CAT scanner, BTW) runs on VxWin, a hybrid of VxWorks and an older version of Windows. Our part in this is to just build user libraries that interface with our EtherCAT drive products using the Acontis family of EtherCAT master software. I'd guess that the entire job could be done better using VMWare and Linux but the considerable effort needed to move all of the customer software and certify some kind of EtherCAT master running on Linux would make this development unrealistic.

      Still, if anyone's thinking of changing the platform I'd lead the charge. I don't have to develop on Windows for the most part -- I just do embedded code in the drives -- but developing embedded anything on a Windows platform is a major pain because none of the platforms are native Windows, they're all Linux based using the Cygwin adaptation layer. Of necessity each manufacturer's software development team has to assume that their customer has just the one platform on it (theirs, of course) so they all politely avoid the pitfalls from unintended interactions -- they're just "someone elses' problem".

  6. Herring`

    Given that the cost of the scanning machine is about a bajillion dollars, while the Win XP machine running it costs about £4.50, that sounds like an argument for having a cold standby. Mind you, I can see this never being tested and it being shut in a cupboard for years while the CMOS battery drains.

    1. DNTP

      I have been in this exact situation many times- an instrument that costs as much as a house running off a fifteen year old PC running XP, and wondering why we couldn't have a cold standby. It's not as easy as you think, or as it should be, because it's not just a PC.

      Sometimes its custom interface boards with proprietary serial connectors that were only produced by the OEM fifteen years ago, no one has made any new ones in the last fifteen years, and no one has spare parts. These days when everything runs off Ethernet or USB (thank god) its more likely to be a software licensing issue.

      I wish it were as simple as 'clone hard disk, swap into old Dell, run instrument' but that is really not possible most of the time.

      1. Anonymous Coward
        Windows

        I've seen a fair amount of medical imaging machines using crappy unmaintained proprietary software (for proprietary USB protocols) that only runs on Windows XP. Maybe they're shifting to Win7 by now, I don't know - I've avoided this crap for a few years.

        IMHO an airgapped hardened Linux-based 100% open source system would not be secure enough for medical equipment.

        And they're running Windows.

        1. ibmalone

          IMHO an airgapped hardened Linux-based 100% open source system would not be secure enough for medical equipment.

          It would be, these things operate on the balance of risks. A CT will very very slightly increase your risk of cancer, but if you have a suspected stroke (or a head injury while on certain drugs) an A&E department will bung you in one without a second thought, because one risk massively outweighs the other. While it's definitely a worry that malware could accidentally affect a scanner (or a therapy system, which could cause more direct damage) and a possible worry that people might make targeted attacks (requires harder to get hold of implementation information and not easily converted to financial reward reduces the motivation for criminal gangs to get involved), the possibility of state level resources being used to attack a device don't really outweigh the benefits that imaging devices bring.

  7. Fursty Ferret

    Even a fault that required a second scan is bad enough given the radiation dose delivered during a full-body x-ray CT scan.

    If a second scan failed it's likely the machine would be taken offline for troubleshooting - can you imagine if all the machines in a hospital - or across the country - failed simultaneously? That's the real risk in this scenario, not one person being given a higher dose*.

    * I believe the accurate dose calculations are derived from the software running on a normal computer, but I'd be highly surprised if the machine itself wasn't capable of keeping track of the radiation delivered at a firmware level, even if it's a rough and ready estimate that will shut it down if it becomes extreme.

    1. S4qFBxkFFg

      "I'd be highly surprised if the machine itself wasn't capable of keeping track of the radiation delivered at a firmware level"

      I'd want there to be a safety feature at a lower level than that:

      My idea (based on 5 minutes thought and near-zero levels of medical technology knowledge) is to have some sort of dosimeter in the path of the beam physically connected to the machine's power source - the goal would be that once the dose goes above a certain level, the machine totally loses power - in such a way that some serious thought is required before restoring it (e.g. severing the cable, or blowing a big fuse). This could either be a hard limit, or something the technician has to physically dial in before the procedure starts. Could this be made only using mechanical (and simple electronic - no computation) components?

      1. Stoneshop

        Crowbar

        Could this be made only using mechanical (and simple electronic - no computation) components?

        Probably, although I'm saying that based on my general understanding of this stuff; might need a different approach in specific cases.

        Portable radiation meters, despite containing a bunch of electronics with quite probably a microprocessor at its centre, are meant to be autonomous (and usually portable, but that's not really relevant here). So they would make a decent base for such a crowbar system, provided they're sensitive to the radiation used in the CT or treatment device.

    2. Anonymous Coward
      Anonymous Coward

      > If a second scan failed it's likely the machine would be taken offline for troubleshooting

      I don't get why you got a downvote. I've seen it happen. Some patients got x-rayed twice, then all x-rays were canceled for the rest of the day, because the imaging software was losing data.

      It wasn't particularly dangerous, although one patient freaked out, but it was disruptive as hell.

    3. Real Ale is Best

      Radiotherapy machines

      Having just had 30 daily treatments in one of these, I'm interested in the treatment machine's security:

      https://www.varian.com/oncology/products/treatment-delivery/clinac-ix-system

      I was dosed with over 50 Gray of radiation over that time, albeit concentrated on an area the size of a golf ball. These machines can easily provide that dosage to large areas as well as small.

      Incorrectly programmed, it could easily kill you in one sitting.

  8. Anonymous Coward
    Anonymous Coward

    Worry more about bad programming

    A classic here on piss poor QC/QA software development, The Therac-25 radiation therapy machine debacle where massive overdoses were given due to software errors :

    https://en.wikipedia.org/wiki/Therac-25

    1. Anonymous Coward
      Anonymous Coward

      Assumption is the mother of all fuck-ups:

      "Leveson notes that a lesson to be drawn from the incident is to not assume that reused software is safe: "A naive assumption is often made that reusing software or using commercial off-the-shelf software will increase safety because the software will have been exercised extensively. Reusing software modules does not guarantee safety in the new system to which they are transferred..."[6] This blind faith in poorly understood software coded paradigms is known as cargo cult programming. In response to incidents like those associated with Therac-25, the IEC 62304 standard was created, which introduces development life cycle standards for medical device software and specific guidance on using software of unknown pedigree."

      1. Alan J. Wylie

        Re: Assumption is the mother of all fuck-ups:

        "A naive assumption is often made that reusing software ... will increase safety because the software will have been exercised extensively. Reusing software modules does not guarantee safety in the new system to which they are transferred...

        As demonstrated by the Ariane 5 Launch Faliure

  9. JakeMS

    Yet another reason...

    This is being added to my list of reasons of never seeing doctors.

    Thankfully I've avoided doctors/hospitals for 17 years now. I hate them.

    Plus I'm massively obese (16.3 stone, 5"11, yes I'm on a diet, a month ago I was 16.13 stone) so I'd just be an additional burden on the system anyway. Fat people cost too much money as it is, I'd rather not add to the expense.

    That's my excuse anyway. I don't do medication, I don't do operations and I don't do health checks.

    But yup, CT scan hacks are now firmly on that list of reasons not to go haha.

    1. This post has been deleted by its author

      1. JakeMS

        Re: Yet another reason...

        Also, don't forget that the human body has its own healing methods. In the majority of cases a doctor merely aids your bodies own mechanisms, perhaps speeding them up, or reducing pain. However, they still rely on the body "doing its thing" in most cases and repairing itself.

        You technically don't need pain killers, or antibiotics in most cases. They are actually used too often these days to the point that they are becoming less effective[1]. Ironically, in some cases you'd be better off with probiotics rather than antibiotics[2], yet a doctor would still prescribe antibiotics.

        People have become far too reliant on doctors for even the most basic problems. Got a cold? Off to the doctor for medication! Got a small fracture? Off to the doctor! etc

        I've had colds, flu's and fractures (One on my arm was the worst after being pushed down a set of concrete steps) since not seeing a doctor, all of which have healed themselves without any medication, pain killers or assistance.

        Thing is, unless you have massive amounts of blood loss, displaced bones, serious things such as MS, cancer, life threatening infections or other serious disabilities/problems then you don't strictly need a doctor. But if you have something serious (like in prior list) then you probably do need a doctor.

        But why waste doctors time with minor things like colds which your body can heal on its own?

        Your body can do more than you think. You just have to let it.

        Plus at the end of the day, I would rather NHS money is spent on patients who need medical attention rather than me.

        [1] https://www.cdc.gov/antibiotic-use/community/about/antibiotic-resistance-faqs.html

        [2] https://www.webmd.com/digestive-disorders/what-are-probiotics

        1. This post has been deleted by its author

  10. Anonymous Coward
    Trollface

    The next russian spy story

    "He died of a radiation overdose from an MRI scanner in an NHS hospital. It was Russian hackers wot dunnit".

    1. Nano nano

      Re: The next russian spy story

      (N)"MRI" does not deliver ionising radiation ...

  11. Anonymous Coward
    Anonymous Coward

    NHS security

    I can still download executable files, why is that? I cant think of any situation where someone outside of the I.T. department of a Hospital would need to do that - certainly not often enough that it would be such a pain in the arse for IT to do it for them as to grant blanket rights to everyone.

    Also I can still easily bypass the"Web Filtering & Internet Security Solution" by unticking a box in the proxy settings.

    Are we learning yet?

  12. Dr. G. Freeman
    Mushroom

    NMR can be hacked to max out ?

    hmmm..... As an NMR Boffin, feel an experiment coming on.

    Cue Clarkson-like "POWERRRRR !!!!!" https://www.youtube.com/watch?v=ygBP7MtT3Ac

    1. Anonymous Coward
      Anonymous Coward

      >hmmm..... As an NMR Boffin, feel an experiment coming on.

      You only do the Debit card (old magnetic strip) unintentional experiment once as I discovered when using a 600mhz NMR and forgetting to remove my wallet when loading up the autosampler, 14 Teslas of ATM refusing magnetism.

      1. Korev Silver badge
        Facepalm

        Last autumn I stay in a hotel in Athens and decided that reading by the pool would be a nice way to spend an afternoon. I put my room key card on top of my Kindle which has a magnetic case; I ended up have to go to the reception in rather wet swimming gear to get back into my room...

      2. Dr. G. Freeman

        Yes, "the Monday after the holidays" experiment, as its known round here.

  13. Anonymous Coward
    Anonymous Coward

    IoT @ CES 2017 & 2018

    I don't pretend to know the answer here. But I'm pretty sure it starts with going to Vegas each year during CES and strapping sales-people to machines that can be easily hacked... Then hack some human parts off!

    What's being learned in the security / privacy stakes between this medical example and all the new shinny products coming out of Vegas.... How can we have such a disconnect between reality and used-car salesman tactics?

  14. Anonymous Coward
    Facepalm

    WannaCry was a wake-up call for healthcare

    "Because they're using a full-blown OS, they have the capability to use a browser, download applications and to do lots of thing you are not supposed to do on an OS controlling an X-ray machine."

    Just who in their right minds would run a CT scanner under Microsoft Windows accessible over the Internet?

    1. Korev Silver badge
      Terminator

      Re: WannaCry was a wake-up call for healthcare

      I don't think the OS matters in this scenario. It seems obvious to me that all these medical instrument controllers should be isolated from the rest of the network (with some proxy to get information like patient name in and the data out).

  15. Bucky 2
    Coat

    We thought it was hacking...

    But it turned out to be a disaffected nun in an episode of Death in Paradise.

  16. jelabarre59

    burst mode

    Just why would medical devices (CT scanners, MRI, ultrasound, etc) need to be permanently connected to the network anyway? It should be done with burst-mode (?) transactions; pull down a file of the patient information (if even that is needed), then a burst-transmission of the results of the scan sent back. Firmware/software updates should be done as an offline process (specifically scheduled the way you would do physical maintenance.

  17. Juillen 1

    What about the Linacs?

    There's been a lot of talk there about CT/MRI, but the big problems would occur with the Linear Accelerators used in cancer treatment. If you manage to target those, you could do some serious damage.

  18. Dante Alighieri

    Radiation Safety + MRI

    Hello.

    I am a Radiologist.

    I have an interest in radiation safety.

    There is NO limit to the dose my CT scanner gives a patient.

    I authorise the use of radiation. I have had patients receive >50mSv for a diagnostic test.

    The UK accepted rate for cancer induction is 1:20000 / mSv.

    My patient has a death risk of 1:400 to look for a possible pathology they have a <1:4000 of having.

    Dose is cumulative

    Induction time lag is around 15-20 years.

    I'll fry your granny - but not your kids.

    Comparing targetted radiotherapy doses to tiny areas is not appropriate.

    Yes we run XP / 7 for our underlying systems as the suppliers will not warrant any other environment.

    The business end (custom hardware) works with its own internal systems (think CNC machine or 3d printer) screwing with the dose regulators is beyond the XP bit. When that goes down I have shut several scanners over the years - including writing one off! Mr Popular...

    Dose is controlled by exposure factors set at the operators console (the XP bit) and the area covered and how many times.

    The first acknowledged Fukishima related cancer is at a dose of 10-20mSv.

    In the larger adult this dose is not uncommon on our current scanner(s) which are not particularly low dose.

    New algorithms and technology is reducing delivered dose - but better tech is leading to multi phase exams that increase dose.

    We have patients with accumulated doses of >200mSv, in an age range where this is an issue and a worse than 1:100 risk of death from their radiology scans.

    Re MRI : it is a giant microwave. never mind there is no ionising radiation, it is perfectly possible to induce fits from neuronal stimulation from aggressive gradients or literally cook some one with RF energy.

    We cannot air gap the provider need dial in access for fault finding and remote management when required.

    We run NTPc on CT that connect to GMT-8 (ish) as that that is the worldwide system clock.

    Radiology runs on a private subnet the firewall and bridging is managed.

    Denial of service : highly likely

    Manipulation of target devices : low - too varied, custom device v operators console manipulation

    This is my day job at the pointy end. I spend some time on IT projects at work.

    I remain a competent 6502 assembler programmer.

    1. Nano nano

      Re: Radiation Safety + MRI

      Yes, I think that firewalling is the very least these devices should have ... but there should not really be any suspect kit (eg Win XP running IE8 etc) on the same subnet ...

    2. ibmalone

      Re: Radiation Safety + MRI

      Re MRI : it is a giant microwave. never mind there is no ionising radiation, it is perfectly possible to induce fits from neuronal stimulation from aggressive gradients or literally cook some one with RF energy.

      I'm curious how far "literally cook someone" goes. It certainly resembles a giant microwave, and there are SAR limits for very good reason (I've got a book on my desk with demonstration of RF coil burns), so serious injury is certainly possible if safety measures are ignored. But I've also seen gradient coils (in a pre-clinical technology demonstrator) burned out, and the RF hardware is not intended for continuous use (probably a key difference to a microwave oven, which can generate RF continuously via a magnetron for tens of minutes), so would hardware give up before there's a serious risk to life?

      (Disclaimer: not a radiologist, so you don't have to worry about me accidentally cooking anyone...)

  19. Anonymous Coward
    Coat

    Sick o' this

    Medical devices manipulation has been happening for sometime, among other methods via WiFi, Bluetooth which separately have terrible firmware and hardware holes in many of these devices you could be killed with, the authorities have had ample time to regulate and then act on.

    Many medical diagnostic devices require electronics or computers to function properly they may be connected to a small network, but in no way are required to be on the main hospital network or connected to the internet.

    As for medical sabotage, the agencies have long sought your medical data, and could learn of your ailings and KILL you with something you are suffering from to look like you died of natural causes.

    They can collect fingerprints at airports, reproduce them with lo-tech techniques and then leave them at a crime scene. Israel Intelligence agency Mosad stole a disabled New Zealand mans identity, to get a NZ passport, it's all fair game they say, ! ? !

    A Military education unit at a John Hopkins University was stated to be collecting all the medical database keys for medical databases around the world. What would one do with those ? Collect them like Football cards ? Australia was looking to acquire a national medical database system at the time the story hit. it has later acquired one. got the key anyone.

  20. vtcodger Silver badge
    Meh

    They run XT. So What?

    Is it unreasonable to hypothecate that there things in the world that should NOT be connected to networks? Voting machines come to mind. And nuclear reactors. But potentially dangerous medical devices also would seem to be high on the list. I suspect in a really rational world, no one would allow anything any more complex than Windows 3 anywhere near a radiation emitting medical device. But we don't live in a rational universe. It would seem to me that isolating medical devices running dangerously complex sotware from potential problems induced via networks (and sneaker nets as well) would be a major step toward securing them.

  21. a_yank_lurker

    Risk?

    While I am not enthused seeing any outdated OS running expensive kit, just how risky is it in reality? Often these are devices that do not require network connection to work so they could be airgapped by default. If one does connect them to a network, they can be buried underneath layers of security. Plus if a hacker did get in would they know what to do, we are not talking office macros here.

  22. RobertLongshaft

    Shock horror the communist NHS is total incompetent at technology.

    If you didn't see that coming you must have been blinded by post modernism.

    If you are any level of good in technology you avoid public sector work like that absolute plague, it's literally where careers go to die.

    1. Nano nano

      Do I detect an ideological bias here ? Don't get seriously ill !

    2. ibmalone

      This will affect private institutions too. Actually, there's a thriving market in second hand imaging devices, which I guess end up at smaller private imaging centres, I don't have any reason to believe they are that much superior at IT security.

  23. mrjohn

    Don't tell Putin !

  24. Christian Berger

    Can that even happen?

    I mean an X-Ray CT needs a certain range of radiation power, after all the stronger your source is the more expensive it will be. Shouldn't there be hardware saveguards in place to keep the (moderately expensive) X-Ray tube from being overloaded? I mean every CRT TV has internal overvoltage and overcurrent protection to make sure the TV turns off immediately in case the CRT is operated out of spec.

    It seems to me that this could just be some cheap alarmism to attract attention. Just like we had with the guy who claimed that running your own firmware on a printer would cause fires.

    Obviously though you should never run any part of that equipment, not even the GUI, on unhardened Windows.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like