The well-publicized and damaging Internet virus—Conficker—has infiltrated medical technology. Actually, more of a worm, Conficker made its way into critical <"https://www.yourlawyer.com/practice_areas/defective_medical_devices">medical devices
, but, said CBS News, government bureaucracy stalled repair activities, citing a spokesman for an anti-virus working group.
Rodney Joffe, organizer of the Conficker Working Group and senior vice president for Neustar, told Congress last week that because of governmental regulations, hospital staff was prevented from making necessary repairs, said CBS News. Joffe told the House Energy and Commerce Committee that he and another Conficker researcher found no less than 300 medical devices from just one maker that were infected with Conficker, according to CBS News. Neustar is a telecommunications clearinghouse.
According to Joffe, the devices, “should have never, ever been connected to the Internet,” quoted CBS News, which explained that the devices involved enable hospital physicians to look at and work with high-intensity scans, such as MRIs and other significant technology connected to local area networks (LANs). Under existing government mandates, the hospitals affected by Conficker are required to wait 90 days before updating their systems to eliminate both the system infections and any “vulnerabilities,†said CBS News.
Witnesses that included Joffe have all said that, operationally, the Department of Homeland Security (DHS) is the government agency that should be tasked with improving cyber security, said CBS News. Joffe also pointed out that the U.S. Computer Emergency Readiness Team (USCERT), which operates under the DHS, is “woefully under-staffed and woefully under-funded,” quoted CBS News. USCERT senior counsel, Gregory Nojeim, agreed adding that more transparency is necessary, as is government guidance, said CBS News.
CNET explained that Conficker affected hospitals worldwide, noting that it poses a serious problem to hospital operations. The medical devices, which were not intended for Internet connectivity, were further compromised because they ran on an unpatched version of Microsoft’s operating system. The solution to such worms and viruses is a patch install, which was released late last year by Microsoft, explained CNET. Because the device maker advised that U.S. Food and Drug Administration (FDA) regulations require the 90-day notice, the patch was not installed, said CNET.
“For 90 days these infected machines could easily be used in an attack, including, for example, the leaking of patient information,” said Joffe, who added that, “They also could be used in an attack that affects other devices on the same networks,” quoted CNET.
Joffe said not only MRIs were seeking out the Conficker virus and that “thousands†of hospital machines were vulnerable, said CNET, which pointed out that machines could be anything from a PC on a desk to sensitive patient devices.
Of note, said Joffe, “Microsoft Windows is a common operating system for embedded devices that is used in all industries. There is no reason to believe that other industries don’t have the same problem.” At one point, the Conficker Working Group estimated that over 10 million devices were infected worldwide with the virus. Patching continues, but stopping the virus has not been realized.
Conficker self copies on machines that run Microsoft Windows and that do not have the security patch. By installing itself and looking for directions from its creator, Conficker rewrites software code, increasingly embedding and potentially destroying files and applications, explained CNET.
