Win XP, Flash, Java... healthcare makes easy pickings for hackers

The healthcare industry is a long way behind the financial sector in basic security practices, according to a study by two-factor authentication firm Duo Security. Duo found that healthcare devices were significantly more out of date and less secure than ones from finance, after comparing its healthcare customers' devices to …

  1. Jedipadawan

    Another reason for my gratitude in relocating to the Far East.

    Where I am now the hospitals still use typewriters.

    No, seriously.

  2. alun phillips

    Not through choice

    As the article points out, our electronic prescription platforms require the use of Flash. To change this requires HSCIC to update the platform; until then we are forced to use Flash/Java to access many NHS Spine services.

    1. Anonymous Coward

      Re: Not through choice

      Yeah, in our NHS lab we have a Business Objects-based enquiry tool that requires an ancient version of Java to write its queries. (At least it doesn't use it to run them.)

      We also have a couple of XP machines because the software for our analysers won't run on yer flashy new operating systems.

      Anon, because I quite like working....

      1. Adam JC

        Re: Not through choice

        Silly question, but why can't they be run on Win7 Pro with XP mode sandboxed/firewalled accordingly?

  3. x 7

    In the UK the Java problem is worse than you may understand.

    For various reasons, WinXP machines in the NHS generally require Java 6.17 and 6.21 to work: 6.17 for the single-access identity card readers to access the Spine, 6.21 for various online databases. The software looks for those specific file dependencies.

    With Win7 the signon has been updated so 6.17 can usually be dispensed with, but 6.21 is still required by some users.

    Two years ago I migrated the offices of one Northern NHS Commissioning Group to Win7 and each machine required 6.17, 6.21, 6.23 and four ancient versions of JInitiator to be able to run the full suite of clinical and accounting software. What's worse: no-one on site knew exactly what software they had and what was required. I had to resolve the lot empirically.
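An added example, not taken from x 7's comment or from any NHS tooling, of how the "resolve the lot empirically" step can be made repeatable once the dependency register exists: a Python script that takes a per-host inventory of installed JREs, a register of which application is pinned to which exact runtime, and a baseline version, and reports for each host what has to stay (and which application is the reason), what is old but justified, and what is unused attack surface that can simply be removed. The hosts, install paths, application names and baseline are constructed; the pinning of 6.17, 6.21 and one JInitiator build mirrors the comment, while 6.23 is deliberately left out of the register so the "remove" case shows up.

```python
import re
from collections import defaultdict

# Constructed inventory, one record per installed JRE: host,version,install_path.
# Not real NHS data; the hosts, paths and the dependency register below are made up.
INVENTORY = """\
ccg-ws01,1.6.0_17,C:\\Program Files\\Java\\jre6u17
ccg-ws01,1.6.0_21,C:\\Program Files\\Java\\jre6u21
ccg-ws01,1.6.0_23,C:\\Program Files\\Java\\jre6
ccg-ws01,1.3.1.22,C:\\Program Files\\Oracle\\JInitiator 1.3.1.22
ccg-ws02,1.6.0_21,C:\\Program Files\\Java\\jre6
ccg-ws02,1.8.0_92,C:\\Program Files\\Java\\jre1.8.0_92
ccg-ws03,1.7.0_80,C:\\Program Files\\Java\\jre7
"""

# Hypothetical dependency register: application -> the exact runtime it is pinned to.
# This is the list nobody had on site; building it is the point of the exercise.
REQUIRED = {
    "spine-smartcard-logon": "1.6.0_17",
    "online-db-client": "1.6.0_21",
    "forms-accounting": "1.3.1.22",
}

# Oldest runtime accepted as "current"; hypothetical value.
BASELINE = "1.8.0_92"

# Matches Sun-era "1.6.0_17", JInitiator "1.3.1.22" and modern "11.0.2" strings.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[._](\d+))?$")


def parse_version(text):
    """Turn a Java version string into a tuple that compares in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def parse_inventory(text):
    """Group inventory lines by host: {host: {version: install_path}}."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, version, path = (field.strip() for field in line.split(",", 2))
        parse_version(version)  # reject garbage early rather than mid-audit
        hosts[host][version] = path
    return dict(hosts)


def audit(hosts, required, baseline):
    """Decide, per host, which runtimes are justified and which are just attack surface.

    keep                  -> version: [apps that pin it], or ["current"] if >= baseline
    pinned_below_baseline -> old versions that stay only because an app needs them
    remove                -> versions nothing pins and which are below baseline
    missing               -> apps whose pinned runtime is not installed on this host
    """
    pinned = defaultdict(list)
    for app, version in required.items():
        pinned[version].append(app)
    base = parse_version(baseline)

    report = {}
    for host, jres in hosts.items():
        entry = {"keep": {}, "pinned_below_baseline": [], "remove": [], "missing": []}
        for version in sorted(jres, key=parse_version):
            v = parse_version(version)
            if version in pinned:
                entry["keep"][version] = list(pinned[version])
                if v < base:
                    entry["pinned_below_baseline"].append(version)
            elif v >= base:
                entry["keep"][version] = ["current"]
            else:
                entry["remove"].append(version)
        entry["missing"] = [app for app, version in required.items() if version not in jres]
        report[host] = entry
    return report


if __name__ == "__main__":
    for host, entry in audit(parse_inventory(INVENTORY), REQUIRED, BASELINE).items():
        print(host)
        for key, value in entry.items():
            print(f"  {key}: {value}")
```

The "pinned_below_baseline" list is the one to hand to whoever signs off risk: those runtimes cannot be patched without the vendor, so the compensating controls (no browser plug-in, no internet access for that host) need documenting per entry rather than per estate.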

  4. Uncle Slacky Silver badge

    There's still one POS left supported...

    Windows Embedded POSReady 2009, to be precise, supported until April 9th, 2019.

  5. Nick Ryan Silver badge

    Many popular electronic healthcare record (EHRs) systems and identity access and management (IAM) software supporting e-prescriptions require the use of Java, factors which could account for the higher installed base. But this is bad news for security because Java browser plug-ins are a popular exploit route for hackers.

    I strongly suspect that the writer is confusing the word "popular" with "common".

    As for requiring Java, this is because these systems were designed and written by utter fuckwits who wanted to do the "modern web thing" but couldn't get the concept of web delivery and "applications" using a standard HTML interface (where we shouldn't have dumb OS dependencies) as they were too hung up on traditional windows applications. So instead they tried to write web applications as if they were rich client applications but in order to get the degree of stupid/control in the interface they found they could only do this using Java, which "obviously" wasn't a problem because it's multi-platform, right? Frustratingly we have a continuation of this level of fuckwittery but instead of Java, "rich client applications" are being coded in JavaScript. Same concept, same stupidity.

    1. Dan 55 Silver badge

      Well if you're talking about client-side signing or encryption there's still only one solution - Java. Unfortunate but true.

  6. Mikel

    Windows everywhere

    Sorry but everybody who uses Windows is easy pickings for Hackers. Which is just about everyone who has any information about you. It's just a question of which one is easiest.

    This time will be remembered as hacking's Golden Age, when all the world's organizations were as clueless about security as a newborn babe.

    1. Spiz

      Re: Windows everywhere

      Oh, rein it in for [deity]'s sake. Once your beloved Linux or MacOS (read: Linux) becomes the overwhelmingly popular OS that you want it to be, "hackers" and malware/virus writers will shift their attention to it and then it will be just as targeted and insecure as Windows. If you think all Linux code is perfect and bulletproof then you are living in a dream world.

      I agree that Windows has its security issues and they are well documented, but this article is about the software requiring out of date and therefore inherently insecure versions of components. Not really anything to do with Windows per se.

      Now go away and throw your toys out of someone else's pram.

  7. Dwarf

    Damned if you do, damned if you don't

    Well, you can have XP, Java and flash and probably get hacked.

    Or you can "upgrade" to Windows 10, where the user interface is pants, you have to re-learn everything about how it works and all your data goes to someone else's servers that are probably hacked.

    I'm thinking about going back to the dark ages with no interweb, no book of faces and a little thing called privacy. At least if someone was going to come and try and steal my stuff, I'd probably hear them knock over the milk bottles.

  8. Trey Pattillo

    Only one way to fix this...

    From the movie "National Treasure" when the FBI inspector Sadusky tells Gates [no pun intended] that "....someone has to go to jail".

    Will there be backlash? Of course.

    MS, Apple, Google and the rest will immediately clean up their act.

    Oh, a smart ass "legal disclaimer" like ABC News has in the bottom right corner...

    "External links are provided for reference purposes. ABC News is not responsible for the content of external Internet sites."

    You send me somewhere that infects my equipment ---- somebody goes to jail.

    Since MS walked in 1995 they all think they are "above the law", especially Google.

    Fix your broken junk, already.

  9. td97402

    IT is just an expense to be minimized like any other after all

    So I know this dentist who still has XP running on several computers. They still run OK, I'm told, so leave them be. He just bought a brand new Windows 10 Home machine for use in the office because he got such a great deal on it. No matter that it won't integrate with his Windows Server 2008 R2 domain controller. He can access his X-Ray and appointments apps so he doesn't care. All of his staff log on to the network with the same user name and password. That password has been in use without change for at least 10 years now. Too much trouble to change. I've tried for years to get him to at least put in a decent firewall. Since it would cost money for no visible benefit that has never happened. I could go on...

  10. Ozzard

    I work with validated healthcare software. Much of the time, the reason software (and hardware) is never upgraded is because of the time and effort it would take to run the entire validation suite against a new version. This leads to some stupendously crazy situations. Let me give you an example.

    In 2011, I tried to access a major vendor's cloud-based clinical trial system using Firefox. All I got was a pleasantly mid-blue page. No text, no images, no messages, nothing.

    Then I tried it using Internet Explorer. This time I got a nicely centred blue message - along the lines of "Your browser is not supported. This software is validated for Internet Explorer 5.5 and 6 only." (Remember: 2011. IE5.5? WTF??)

    Finally I cursed the deities of regulatory compliance (the FDA) and all those who worship them, fired up a Windows XP virtual machine on my box, and got in on IE6.

    An entire major pharma company's fleet of Windows boxes - desktops and laptops - was held back to running Windows XP and IE6 because of this and similar applications. It was simply too expensive for the vendors to validate the software on each version of each browser.

    Oh - and the reason Firefox didn't show the error message? The message was written by a piece of client-side Javascript... that used IE-specific techniques to show text. Inspired.

  11. Dante Alighieri

    Vendor lock in

    We are "blessed" with major lock in to IE 6, early Java versions and no way to escape these.

    Our CT scanners still run on top of XP, the web PACS requires IE6, our RIS is a lousy JAVA GUI of a DOS application that allows, e.g., the patient ID number field to have unlimited input length. The kit won't do NTP.

    We make the navy look sophisticated. It's not like it impacts people's lives and safety...

    We are currently upgrading our PACS. Interesting times

  12. a_yank_lurker

    Titanic Lifeboats

    One of the major problems is the regulators decided to muscle in on software validation with a breathtaking cluelessness that makes a PHB a candidate for Mensa. This is a surprisingly common problem with regulatory agencies. It is often not noted that the Titanic carried more lifeboats (25% more) than required by the regulations of the day and could easily carry more. The Board of Trade lifeboat regulations were woefully out of date and they were in no hurry to update them until after a major disaster. The FDA's stance on software validation is very similar: very outdated regulations requiring people to keep outdated software in service because there is no replacement approved by the FDA.

  13. Crazy Operations Guy

    Why are these machines even connected to the internet?

    Why aren't hospital networks air-gapped and connected only to their internal networks, with a proxy server for the applications that need to connect to things outside of said network, one that only allows those applications to connect to those specific endpoints?
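An added example, not the commenter's and not a proxy configuration, of how you would check that a proxy of the kind described above is actually enforcing its per-application endpoint list. It parses constructed lines in Squid's native access.log layout against a hypothetical allowlist (client address to the destination host and port it may reach) and separates correctly refused requests from requests the proxy served to a destination nobody approved; the clients, hostnames and addresses are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed lines in Squid's native access.log layout (not real traffic):
# time elapsed client action/status bytes method url user hierarchy/peer type
ACCESS_LOG = """\
1462356000.101    210 10.20.30.41 TCP_TUNNEL/200 4521 CONNECT spine.example:443 - HIER_DIRECT/192.0.2.10 -
1462356001.202     15 10.20.30.41 TCP_MISS/200 812 GET http://updates.vendor.example/analyser/feed.xml - HIER_DIRECT/192.0.2.20 application/xml
1462356002.303      3 10.20.30.41 TCP_DENIED/403 3921 CONNECT social.example:443 - HIER_NONE/- text/html
1462356003.404     40 10.20.30.77 TCP_MISS/200 1203 GET http://updates.vendor.example/analyser/feed.xml - HIER_DIRECT/192.0.2.20 application/xml
1462356004.505     90 10.20.30.77 TCP_TUNNEL/200 6200 CONNECT 198.51.100.9:443 - HIER_DIRECT/198.51.100.9 -
"""

# Hypothetical egress policy: which (destination host, port) each client may reach.
# In the design described above this is the whole list; anything else must be denied.
ALLOWLIST = {
    "10.20.30.41": {("spine.example", 443), ("updates.vendor.example", 80)},
    "10.20.30.77": {("updates.vendor.example", 80)},
}

_LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def destination(method, url):
    """(host, port) a request was aimed at. CONNECT carries host:port; plain URLs default by scheme."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def parse_line(line):
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed access.log line: {line!r}")
    rec = m.groupdict()
    rec["host"], rec["port"] = destination(rec["method"], rec["url"])
    # Squid logs TCP_DENIED for requests its ACLs refused; everything else was served.
    rec["served"] = not rec["action"].startswith("TCP_DENIED")
    return rec


def audit_egress(log_text, allowlist):
    """Compare what the proxy actually did with what policy says it should have done.

    ok              -> allowed destination, served
    blocked         -> disallowed destination, proxy refused it (policy working)
    leak            -> disallowed destination, but the proxy served it (policy gap)
    unexpected_deny -> allowed destination refused (broken app, investigate)
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        allowed = (rec["host"], rec["port"]) in allowlist.get(rec["client"], set())
        if allowed:
            verdict = "ok" if rec["served"] else "unexpected_deny"
        else:
            verdict = "leak" if rec["served"] else "blocked"
        findings.append((rec["client"], rec["host"], rec["port"], verdict))
    return findings


def leaks(findings):
    """Just the policy gaps: served requests to destinations nobody approved."""
    return [f for f in findings if f[3] == "leak"]


if __name__ == "__main__":
    for finding in audit_egress(ACCESS_LOG, ALLOWLIST):
        print("%-12s %-28s %5d  %s" % finding)
```

The "leak" verdict is the one that matters: a CONNECT to a bare IP address served straight through, as in the last constructed line, means the proxy's allow rules are wider than the written policy, and it is exactly the path a compromised analyser workstation would use. The "blocked" lines are still worth keeping, since repeated denies from one client are an early sign of something on that host trying to get out.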

  14. Whitter

    Technical debt

    The technical debt of the NHS is quite simply staggering. Even costing it would be a staggeringly expensive job. And while the FDA has nothing to do with the NHS, the companies that make medical equip must adhere to the (worst) requirements of both, which are onerous indeed. As medical companies outwith pharma tend not to make much money, they aren't going to verify/validate the upgrade path for old equip they make nothing on, nor add new security features. So to be blunt: this isn't going to change, even if bad things do happen as a result.

    1. Halfmad

      Re: Technical debt

      I've yet to see a contract for a system which included keeping it up to date and ensure compliance with the LATEST version of dependencies such as JAVA.

      We have the skills in the NHS, we just don't seem to have the people listening during procurement to ensure the proper information security/governance and technical controls are in the contract before it's signed.
