[ISN] Fed up hospitals defy patching rules

InfoSec News isn at c4i.org
Fri Aug 13 13:01:39 EDT 2004

Forwarded from: PaulBlair at westhillscollege.com

> "Security of the systems is the primary focus of the letter," says
> Holt Anderson, executive director of NCHICA. Without the operating
> systems properly maintained in terms of patching, "there is no way
> to secure devices that are connected to a LAN or wireless facility,"
> he says.

This is not true. There are more than a few ways to mitigate Windows
Security issues in this type of situation. IPSEC can be used to
regulate traffic between devices, and prevent the spread of the common
RPC based Worms, and VLANs can keep sensitive devices confined to
their own.

> Some manufacturers, including Philips, contend that hospitals must
> do a better job of applying security defenses to protect medical
> devices by buying intrusion-prevention systems (IPS) and internal
> firewalls.

I agree, but the manufacturers need to do their part by certifying
patches in a more expedient manner.

> There have been several instances in which viruses originated from
> medical instruments straight from the vendors, says Bill Bailey,
> enterprise architect at ProHealth Care, a Milwaukee healthcare
> provider. Medical equipment arrived with computer viruses on it or
> service technicians introduced the viruses while maintaining the
> equipment, he says.

Based on my own personal experience with 'third party devices', this
is not surprising to me at all.  In my case, the device was a Windows
server which handled our voice mail. Twice it was infected with a SQL
based worm and once with Blaster. None of the other machines on our
network were infected, due to some of the mitigating factors I
mentioned above, but they very well could have been. In the case of
the SQL based worm, the infected server saturated our internal network
to the point of it being useless. After these incidents, we put
pressure on the vendor to certify patches more quickly. If we feel
that there is a threat we now apply patches to these servers,
regardless of their 'certification'. Hospitals should not be faulted
for doing the same when critical patches are released.

Paul Blair
Information Technology Services
West Hills College
spam1 at toadlife.net
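As an added illustration of the IPsec traffic-regulation mitigation mentioned in the reply above (this is not part of the original post, nor a script from any vendor or list member), the following Windows 2000/XP/2003-era `netsh ipsec static` batch file assigns a local IPsec policy that drops inbound traffic on the two ports the worms named in the post abused: TCP 135 (the RPC endpoint mapper used by Blaster) and UDP 1434 (the SQL Server resolution service used by the 2003 SQL worm). The policy, filter-list, filter-action and rule names are invented for this example.

```bat
@echo off
rem Added example: local IPsec block policy for a Windows 2000/XP/2003 host.
rem Names such as "Worm-Port-Block" and "RPC-SQL-Ports" are made up here.
rem Run from an administrative command prompt; the IPSEC Services service must be running.

rem 1. Create an empty policy; activatedefaultrule=no keeps the default response rule off,
rem    so the policy does nothing beyond the rules added below.
netsh ipsec static add policy name="Worm-Port-Block" description="Block inbound RPC endpoint mapper and SQL resolution service" activatedefaultrule=no

rem 2. Filter list: packets from any address to this host ("me") on the worm ports.
rem    srcport=0 means any source port; mirrored=yes also matches the reply direction.
netsh ipsec static add filterlist name="RPC-SQL-Ports" description="TCP 135 and UDP 1434"
netsh ipsec static add filter filterlist="RPC-SQL-Ports" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=135 mirrored=yes
netsh ipsec static add filter filterlist="RPC-SQL-Ports" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=1434 mirrored=yes

rem 3. Filter action: silently drop matching packets (no IPsec negotiation attempted).
netsh ipsec static add filteraction name="Block-Action" action=block

rem 4. Rule tying the filter list to the action, then assign the policy locally.
netsh ipsec static add rule name="Block-Worm-Ports" policy="Worm-Port-Block" filterlist="RPC-SQL-Ports" filteraction="Block-Action"
netsh ipsec static set policy name="Worm-Port-Block" assign=y

rem 5. Confirm what is now assigned on this host.
netsh ipsec static show policy name="Worm-Port-Block"
```

Two practical points when using a policy like this. Only one local IPsec policy can be assigned at a time, so assigning this one silently replaces any policy already assigned (run `netsh ipsec static show policy all` first), and a policy delivered through domain Group Policy overrides the local one entirely. Because IPsec evaluates the most specific matching filter, a permit filter-action for a named management subnet to the same ports can be added to the same policy to keep legitimate administrative RPC access working while the any-address block still applies to the rest of the LAN; for a vendor-maintained box such as the voicemail server in the post, the mirrored filters also stop that host from reaching those ports on its neighbours if it becomes infected.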
