Woman dies after hospital is unable to treat her during crippling ransomware infection, cops launch probe A woman in Germany died after a ransomware infection prevented her hospital from giving her emergency treatment. The unnamed patient died en route to a hospital in another city after she was unable to get treatment in Düsseldorf due to the malware affecting computer systems. A manslaughter investigation is now underway against …
Why is a computer/device that is necessary for ensuring you can serve emergency cases connected to the internet?
Surely, something so critical should be Offline (Installed/Configured, just works, no need for the internet)?
If it's the case of needing to transfer patient data, say for blood type, couldn't a doctor just call another hospital (by phone) for the patients emergency records and perform the operation?
If it's the case of needing to transfer patient data, say for blood type, couldn't a doctor just call another hospital (by phone) for the patients emergency records and perform the operation?
It isn't just blood type, it is the full medical history.
One of the problems is manufacturer support... They do remote support these days and access the devices and applications over the Internet. No Internet, no support when something doesn't work.
I know the admin at a manufacturing facility, they have an old cutting machine that is bound to software running under XP - it won't install or run on Windows Vista, 7, 8 or 10. To upgrade the software to Windows 10, they'd need a new machine. The old one works fine, reliably and does what is needed of it, so why throw it away and replace it with a new machine costing 7 figures, when it is just the software that doesn't work on newer versions of Windows?
They have isolated it and they do force the manufacturer to do remote support. The first question is the TeamViewer ID, the support are told the device is offline. They say to put it online. They are told, provide software for Windows 10 and we'll put it online. Until that happens, you will remote-control the machine operator with verbal instructions.
That might work for a single manufacturing machine, but a whole hospital full of "machines that go bing" is another matter, unfortunately.
Then there is patient data transfer. The Krankenkassen (health insurance companies) hold the patient data and they collect the billing information from the hospital systems. This should be over a secure Telematik system, but that is still running over the Internet, albeit in a secure tunnel.
That individual monitors, and whole operation rooms are online is a different matter, they should certainly be isolated, whether standalone or an internal isolated network. And there should be disaster recovery scenarios to allow them to keep working if the systems go down. But re-directing patients that are en-route to other hospitals, if there are problems, is SOP - and according to local news, the woman was en-route to the hospital and her ambulance diverted, because the ER was offline and couldn't accept new patients, she wasn't transferred.
The germ of the solution is in your cutting machine story. The owners were able to force an admittedly not very satisfactory solution. For medical equipment there , in principle, an easier way to do this and do it better. A couple of decades or more back it wasn't unusual for servers to have remote support via dial in lines which could be unplugged when not required. Medical equipment has to be certified. A certification requirement of remote support via a disconnectable channel would cut out one weakness. The politics of getting such a requirement in place, however ....
For us here in the machining/widget bashing game, the thought of 'patching' and 'upgrading' fills us with terror.
why?
well apart from notices in the maintence manuals saying 'if pc is patched/upgraded, then the machine tool manufacturers with not be liable for any borkage'
The thought of having an upgrade applied which causes different motion(s) to be applied to the robots can result in parts being ejected from the machining cells.
We had a case of that 2 years ago where a fixture broke and 0.5kg of aluminium plate was spun upto about 4000-6000 rpm before being fired out of the machine and hitting the wall 40 feet away, safety screens not withstanding.
Now you imagine that happening because of an 'upgrade' and the legal borkage that would result if anyone got injured....
But just get another PC..... ok... maufacturer has to certify that then attatch it... then charge 1000's for the service
But back to the subject in hand, the hackers who crashed the hospital systems in the first place... their punishment should be a go in the radiation treatment unit.... will they get off with a trivial dose or a screwed up lethal one... lets see how fast you can debug the control.....
That's great and all, but if your systems can't be patched they need to be airgapped.
And if it can't be airgapped, any manufacturer putting a notice like that in the manual needs to take full liability for any hacking incident that occurs, including being charged with manslaughter for situations like this where a system not being patched caused a death.
This post has been deleted by its author
Virtual XP doesn't usually help. I had a telephone system at home (still being sold by Siemens in 2014) that only worked with XP. I tried the virtual XP environment in Windows 7 Pro at the time and a full virtual machine. No dice. It needed low-level hardware access and could only run on bare metal.
In the end, I repurposed an old laptop just for managing the telephone system, and that device was never attached to the network. I then looked at replacing the system with a more modern alternative that doesn't need dedicated management software.
Windows XP, how modern :-)
I sorted out a CNC machine tool controlled by a W98 machine a few years back. Might even have been 95, memory fades. Managed to track down a spare mobo and disk drive that were compatible for spares before they became (even more) like hen's teeth.
It also had one of those multi-serial-port cards so beloved of green screens connected to *nix back in those days, used to talk to the various components.
That is the problem. The physical equipment lasts a lot longer than the OS. I still have to be familiar with W95 on some systems also Windows NT and Windows 2k. You just don't connect any of it to the internet.
As an example the helldesk today is supporting a computer problem on a 1982 CNC machine. Sadly there is no easy way to upgrade the computer.
As for warnings we routinely warn against everything. Otherwise you get sued for failure to warn. "You didn't tell me pouring gasoline (petrol for our British friends) on a fire is dangerous."
We also have a sign printing system (signs printed on metal and perspex). It is DOS only. We have a spare machine and "collect" old PCs, for when the controller PC dies. The spare printer cost only a couple of grand (25 years old), a modern replacement costs high 5 figures, so there is no hurry to replace a working system.
"...because the ER was offline"
I'm not trying to excuse ransomware, but has anyone thought that if an ER can go offline, that ER isn't a ER? You can get caught up in a fish bowl pretty quickly thinking about software, but at the end of the day 99.9% of emergency services is actually non-software related. Remember, emergency isn't LONG-TERM care. So while software related devices are always helpful, but in an emergency you can't ever factor it in.
Man falls down having a heart attack, which software is needed to save him?
Woman starts chocking...?
Entering a diabetic comma...?
Bleeding out...?
... Is the ransomware sharks the only party that should be investigated?
Personally, I am surprised that the ER was unable to function on at least a basic level, it's worth remembering that, for instance, patient records in a lot of hospitals is entirely stored digitally. That might not sound that important, but bear in mind your patient record will include your health records, and, if you have any know allergies, will contain details of them. Important if your allergy is to certain drugs because if you are allergic to the drug they prescribe for you, it will likely kill you.
An ER should be able to provide some level of treatment for a patient without having medical records or even an identity. If they have severe allergies, one hopes that they might have something like a Medic Alert bracelet listing them. Assuming that allergies to drugs the may never have taken before would even be on record anyway.
They could operate, they could take care of their existing patients. The problem is the emergency procedures.
If the systems fail, SOP is to divert all incoming patients to another hospital that is fully functional. In a catastrophe, where multiple hospitals have all lost key systems, they run manually. But the insurance says, if there is another hospital that is fully functioning, the patient has to go there. It is risk minimisation, but that doesn't take all things into account - like whether the patient can live through the extended journey time.
Airports are the same. If their systems fail, they land the aircraft already on final manually, everything else with enough fuel gets diverted to its alternative.
Again, the hospital carried on operating in emergency mode. Existing patients were still cared for. Non-essential operations were postponed, but critical care continued.
Then the emergency plan was put in place, which says that all incoming patients get diverted to a fully functioning hospital. The problem is, the emergency plans don't always take into account the travel time, just that the affected hospital isn't running at 100%, so patients are diverted to a hospital that is at 100% effectiveness. In this case, the patient didn't survive the extended journey. There is, unfortunately, no evidence that she would have survived if she had been taken to the affected hospital running in emergency mode either.
No, it wouldn’t stop hackers looking for holes and it wouldnt make it go away, but if you take away the anonymous and untraceable pay system, they won’t be able to collect their ransom or at least make it extremely difficult for them get the cash, and makes it a less attractive and profitable proposition.
Pretty sure hospitals were treating patients before they had computers, if the diversion is an hour away emergency patients should be seen and paperwork can be sorted out down the line.
As much as the ransomware folk are culpable, so is the hospitals IS team, companies like mine can be a little lax, we do market research, it's not life or death, these should be isolated in groups, physically as much as possible, yes route out to the internet if you have to (such as support mentioned elsewhere can be something enabled/disabled as required) but even internet access doesn't mean they should be able to access the next machine to prevent a cascading failure.
Yes it's complicated, but, that's why hospitals pay so much in IT. You can't take the pay-cheque that comes with responsibility and then shirk it when you fuck up.
<quote>Pretty sure hospitals were treating patients before they had computers</quote>
We don’t know the details of the situation, but my guess is that the IT reliance was for something more than “paperwork”.
Maybe she was an RTA casualty, and needed a CT to diagnose internal injuries. You can’t use “pen and paper” to transmit the results of something like that if the network is in bits because of a ransomware incident.
I’m pretty sure that the mortality rate for that kind of stuff “before they had computers” was not good.
But I expect the IT staff at that hospital would take comfort from the fact that some a-hole in a marketing company thinks that it’s as much their fault as the ransomware perpetrators. Well done.
I've done work for a company where production, handling lots of PII was kept well separate from the office system and its vulnerabilities. It was, in fact, a condition of some of their contracts. It might be inconvenient in some ways but it would have been a lot more inconvenient to admit to their clients that they'd been breached or to have production stopped for days because some toe-rag had encrypted their systems.
"if the diversion is an hour away emergency patients should be seen and paperwork can be sorted out down the line."
Wouldn't it be great if there was a technology that would let you scan in paper-work, transmit it over an ordinary telephone line and print it out at the other end. Might not have helped in this case but as a fall-back it would be worth having.
How do you get electronic images out of a borked system?
With so much of the diagnosis now the output of the raw information is electronic. In the old days you had an Xray that was a bit of film. Now you have a CT scan that requires a computer to look at the images. Even a digital Xray still needs a computer to view the image. They are completely incomprehensible any other way, you cannot just screen print something as the people doing the scans are experts at working the machines, not diagnosis. They may has some ideas but that is for the radiologist to sort out.
I requested a copy of a CT scan I had on CD and it requires a viewer (provided) to be able to do anything. The data is just a series of binary blob files. Talking to my radiologist friend what I had on the CD is what comes out of the CT scanner.
Patch it or airgap it.
Virtually no ransomware in the wild will work on a patched-up system. It can't get to a properly airgapped system to f it up.
That CD you had may well be the result of things right, if burning a CD is the only way to get the data off the CT scan system, malware is going to have a hard time getting on.
The Iranian government would beg to differ. Their nuclear research labs were affected, despite being air-gapped. As long as there are humans in the chain, nothing is 100% secure.
And being full patched is a 100% guarantee either. There are still hundreds or thousands of unknown attack vectors that can be exploited once found until the manufacturer can get around to patching them.
All you can do is minimise risk as best you can.
We get calls from our users every day about, "is this genuine or a fake email?" I'd rather have to deal with 10 cases a day of a user being unsure than one case of a user not bothering to ask and infecting the whole network!
"How do you get electronic images out of a borked system?"
You start by looking at how to avoid getting the system from which the images come from being borked. Start off by considering the system to be standalone. If it isn't terribly useful what is the minimum set of remote access facilities needed to make it useful? You want somebody to view the images remotely? Just sticking it on the hospital LAN is not minimal. Minimal might be a connection running through a firewall that only allows X-11 protocol. Even if you run the X server* on a Windows PC that gets borked X-11 is not going to be the sort of protocol to tell the CT system to go bork itself.
It's like the old saying puts it - if you don't design a system to be secure it's hard to add on security afterwards.
* The server is the bit that supplies display services, the one with a screen attached, not the one that provides the images.
The problem is, that information collected by the disparate machines have to be collected centrally and put under tight access controls, so that only the relevant doctor can see the patients information, and that from the bedside, in his office, in an operating theatre etc.
And that central patient information also needs to pull in the external medical record from the insurance company...
"You can't take the pay-cheque that comes with responsibility and then shirk it when you fuck up."
This is absolutely correct. Even a complete black out of all power isn't an excuse.
However in this case, we have witnessed that when insurance company Y will up your rates and investment firm Z might stop payments along with the risk of a "Jones" lawsuit... then it's better to let people die.
In this case, they had assumed the were attacking the medical university, not the medical university clinic (hospital).
The local reports say, that as soon as they realised what they had done, they stopped the attack and handed over the keys.
Good of them, in the circumstances, but it would have been better if they never attacked anyone...
As a general rule: Sure.
But you also must consider that patching can break things, too.
Additioanlly and ironincally in security-relevant areas like hospitals, patching is additionally slowed down by the necessary certifications a patch has to retrieve, before it can be rolled out.
Factual security and on-paper security might differ substantially in especially those areas that need it most...
We have over 120 clinical systems, when MS release a patch BY LAW I have 14 days to patch under NIS.
How the hell am I mean to get 120 systems tested? In truth I can't - I either patch and cross my damn fingers or delay and allow developers a chance to catch up, which in truth they never will as many of the contracts don't even require them to keep on the latest versions of third party cr@p like Java.
It's an impossible situation which lands on low banded tech staff / infosec day in, day out.
No, they are not terrorists. We can't label any particular nasty strain of criminal as 'terrorist', as then what do we call those groups who use crime and violence for political reasons? These guys are just criminals: extortionists, much like the goons who come to your shop to extract protection money from damage threatened by them. If the goon is using the money to finance a political group, then yep, terrorist.
Take away his shoes, everyone!
Experts (the real ones) have been complaining for decades that running Windows machines in hospitals, connected to the Internet, is a recipe for disaster. We kept saying that people are going to die due to this STUPIDITY. We got brushed off.
Then, when it happens, they just reassign the blame; (sponsored) media helps them in doing so and thereby keeping this turd afloat.
Nowhere does it state in the article that Windows was the culprit "one of the software suites they use".
Now that could be Office on Windows or more likely some specialised software that needed to access data that was scrambled. It could easily be a Windows machine that was the entry point but equally malware is not just targeted at Windows. Windows is only more vulnerable because there is more of it. If Linux had become as ubiquitous as Windows it would be the main target. At least with Windows the OS is managed by a single supplier, updates are released to a schedule and can be easily installed. Whether people install them is another matter that affects every OS and piece of software. This "Linux is more secure than windows" is a panacea because most of the people who use it understand it.
There is plenty of Linux out there running stuff, it is either hidden or only used by specialists. Most people particularly in the workplace use Windows because of all the infrastructure that goes with it. However you look at it Linux is still trying to play catch up and unless you have a single commercial vendor that is able to compete, it will not change.
Claiming that Linux is 'playing catchup' to Windows is kind of like saying that a bulk shipping carrier is trying to play catchup with Maserati.
One looks fancy, everyone knows the name, but it needs a lot of nursing.
The other one just gets the job done for the whole world.
Guess which is which.
"updates are released to a schedule and can be easily installed"
My experience with Windows is that updates are a complete and utter pain to install. They're slow to download hang up the entire machine for as long as they want, they fail, they reboot the machine. Linux upgrades download and install quickly unless you're doing a complete OS version upgrade. They only need a reboot - at your convenience - if they're kernel upgrades (and there are ways of patching running kernels) although if a service is upgraded it will need a restart. In my experience upgrades of services ask before restarting.
It's worth remembering that most people who run other OSes have also suffered Windows and are in a position to make comparisons. If you only run Windows you don't know any better.
I understand where you are coming from but in the corporate world where businesses need commercial support and consistency Linux still has issues. I am not saying there is no place for Linux there is, however it is not the "everything is perfect and rosy, Windows sucks" that many pertain to.
It has to be patched and there can be just as many issues as with Windows. We probably have more Linux servers (1000s) than Windows but in order to maintain them there is just as much infrastructure as Windows. The testing and due-diligence is the same.
The biggest downfall for Linux is the people who believe passionately that it is the only OS that matters and Windows is rubbish. One has to embrace both and understand where they fit.
If Novell and eDirectory had been a bit earlier then the story just might have been different however it did not happen. Windows was already entrenched on the desktop and combined with NT Server/Exchange they became unstoppable. We ran Novell for years but in the end it went, it does not matter how much better it may have been, it simply was not viable and the costs became untenable. GEM Desktop was arguably better than Windows 1.x/2.x but Microsoft managed to convince suppliers that PCs should be distributed with MSDos & Windows. Was there a viable Linux alternative with a GUI that worked as well and could be operated by the growing number of computer users?
One has to remember that Windows gained because it hid lots of things under the GUI and in general it worked well enough for the average user. You could install software and it worked, casual users did not want to be struggling with a terminal console trying to fix a broken repo or distribution. It is only the minority of techies that understand these things that care.
"The problem is that looking at medical images in ASCII art on a Linux terminal is pretty useless..."
Yesterday my wife bought "The Island" (Ewan McGregor, Scarlett Johansson) on DVD.
When she got home she ripped it (on her Raspberry Pi4B) to an MKV file:
$ ls -l the_island.mkv
-rw-r--r-- 1 movies movies 1466848852 Sep 17 19:13 the_island.mkv
Then we watched it, sitting on the sofa with the dogs. We played it on a Raspberry Pi2.
The 'dollars' symbol is what thos of us who know anything about computers call a 'prompt'.
Sure, using a CLI is what physicians are well versed in... when people like you start to understand how the real world works, outside your cubicle with Linux, you'll start to understand why people keep on using Windows, and Linux keeps on with a tiny percentage on desktops - and if you from it remove IT professional that percentage becomes infinitesimal...
Unix windowing goes back at least to 1984 with X. The X protocol reached the current version, 11, in 1987. I'm not sure W95 was eve a gleam in Bill Gates eye in 1987. It was also possible view X with a dedicated X-terminal although I'm not sure if anyone still makes those. I'd hazard a guess that all early development of CT systems was done on Unix graphics.
If you really think Linux and other Unix and Unix-like systems are restricted to characters you really need to get out more.
Yes, the problem it's still there. Not surprisingly a large number of Linux UI applications are written in Java to shield them from the utterly fragmented windowing environment under it - and the lack of tools to make development faster.
The sooner Penguinistas understand it, the sooner Linux will have far greater chances to become a desktop UI. As long as the status quo is defended because "Linux is never wrong", Windows will rule...
microsoft is good, they are worth ££££ , says clueless exec... loonix??? unsupported stuff... win 7?? no support!!...
I have experienced M$ 'support'.. I have 30 years experience IT support with a big company, and they thought I was a hacker until I got my manager to shout at them!!
That was years ago, before they went onto office365 support.. BUT some home workers are using it OK on apple, so there may still be hope... :)
The only GOOD support out there is hundreds of users in internet forums, and many companies still support win7 and linux!!
a quick goggle even found an ancient site, saying update win 8 to win8.1 :O - and I bet it will take the poor user straight to win 10, unwanted..
and thereby keeping this turd afloat.
As long as it floats, is shiny, and is a turd, it will be marketed to others.
"Hey, it makes money, so what's wrong with it?" <--- the root of the problem
Oh, and another thing. Sure, they promised not to target hospitals. Yeah, sure. Pulle the other onne, it has belles onne.
Until you get the maverick who have absolutely no qualms and will cryptolock hospitals (and other healthcare facilities) and demand payment... and it will happen.
Remember, ne'er-do-wells will think outside the box, and they held themselves to other standards, not ours.
icon - everything will go up in flames sooner or later -->
Linux isn't a magic pill (pardon the pun). It has bugs itself and can be poorly configured, just like Windows.
There have been problems with ssh and other key services in the recent past that would have allowed hackers to capture a Linux box, especially if it hadn't been kept up to date and patched straight away... Something that is very common in such institutions - the hardware and software suppliers only guarantee and support their kit and software if certain patch levels are used. If you patch a critical flaw without their permission, you are on your own if there are any problems...
I've worked at places where the PLC manufacturer have caused months or years of backlogs on Windows updates, because they don't keep their software current and test it in a timely manner against the critical patches coming out of Redmond. The same would be true if the PCs were running Linux, no updates without prior authorization. Medical equipment is also certified, which means it can't get OS patches until they have been certified by the equipment manufacturer, which can take an age.
The only real option is isolating the networks, but there still has to be some automation with the outside world, to exchange patient information and billion information.
Having a Linux admin who doesn't know how to batten down a Linux box doesn't bring you any advantage over a Windows admin who doesn't know how to batten down a Window box. Then you have the weakest link, the users...
I love Linux and I have used it extensively and administered it. But keeping it up to date and safe is not any easier than keeping Windows up to date and safe. And the more services you are running on the computer, the more complex the issues of keeping that Linux box secure.
"Medical equipment is also certified, which means it can't get OS patches until they have been certified by the equipment manufacturer, which can take an age."
Let's deal with that one straight away. No commitment to prompt certification of OS patches, no certification for your potentially lucrative piece of medical kit. And all source code must be documented and escrowed - perhaps along with a dowry to enable someone to take it over if you decide to duck out.
The problem is, this is medical equipment, so any changes to the device need to re-certified, before they can be issued. That costs the company money to go through the external re-certification process and it also takes time (limited federal testing capacity etc.).
"Experts (the real ones) have been complaining for decades that running Windows machines in hospitals, connected to the Internet, is a recipe for disaster. ..."
Yeah, it even used to say it on the inside fromt cover of the Windows documentation.
In the old days.
When there was any documentation.
VxWorks is used on a lot of the low-level medical equipment, and on the very rare occasion a problem is found then they always work with the medical equipment manufacturers to sort it out quickly.
The same goes for trains, planes, automobiles, nuclear, military and all the other sectors where the application is critical.
This was a targeted attack by a criminal organization (ignoring the fact that they hit the wrong target) not a malware infection caused by someone downloading an application from a dodgy site. The attackers would almost certainly have found a vulnerability to exploit in an old unpatched linux or unix system just as easily as in windows. In fact my understanding of this event from other reports is that the initially exploited vulnerability was not in windows but in VPN concentrators.
Victim blaming in IT attacks is just as unattractive as it is in real life assaults.
That is not the architecture of modern medical imaging department.
The scanners push to a central archive (PACS), the diagnostic workstations access that directly and sit on the same network. There is a webviewer for PC's on the hospital LAN.
The department sits on a private VLAN with controlled bridges to the main LAN.
The volume of data from a CT scanner is non-trivial and producing CD (DVD) would slow things to a halt.
CT scanners don't have CD burners - we have a robot that does that.
The days of printing to laser film are long gone.
We rely on internet connectivity to do our jobs - looking up current research and best practice. as well as to access the multiple other systems in the hospital to check patient information or receive requests etc.
When the network goes down we can't work.
You would divert emergencies as the care possible would be extremely compromised,
Yes there are business continuity plans but you would not take on new work.
Core software on our scanners and digital rooms are upgraded locally by the engineers. There is no role for hospital IT to manage these machines - they are under regulatory control as you would expect for machines designed to use ionising radiation. Some still boot into XP, 7Pro - back to the machine thing - our kit is usually significant 6 figure sums.
ps there are a variety of DICOM viewing software on linux including 3D reformatting.
have you ever been to a gp before covid, and been in the waiting room?? and you see the gp, and see they have a computer system that has your details?? they have to document *everything*.. when I went for a hosp check, he gave me a printout, to make sure that my details got there properly!!
Speed. Any business that considers IT a cost-centre only, I recommend they try to run their business on paper and pen for a month.
I've been in a few businesses, ones that can completely run on pen and paper, and ones that refuse to even put a procedure in place. But even the prepared ones work markedly slower when they're doing everything without a computer.
The problem is keeping hospital systems secure. No organisation can run on moated-fort technology or even on none. Ships abandoned masts and sails at long last, even thought hey were then dependent on coal and then oil, because finally you have to use the better technologies.
You definitely can create proper air-gaps though with only-secure strictly-neccesary comms between several systems that understand what both ends want and expect, and then don't blindly execute whatever's been sent across. It's very doable.
Problem is implementing that properly over x-hundred systems is expensive, time consuming and in most delivery cases pretty much impossible without buckets more time, energy and $ going to the people implementing. In hospitals in my very limited experience, the barest minimum of time, energy and $ aren't even on offer, never mind copious amounts of them.
IT-department probably asked for anything that was recommended in the comments above (separation, IDP, whatever) but management told them "No budget, make it work".
A while ago I was at an event (yeah, it was a while ago, because it was still physical and there was food served afterwards) that was primarily some talks about DNS and DNSSEC and also hosted a panel with politicians and engineers where the audience could fling questions at the panel.
There was one guy from a rather large and well-known hospital, begging the politicians on the podium for stricter laws so he could get the manager at his hospital to give him more money to fight the incoming threats. If it wasn't so sad, it would have been comical.
Hospitals in Germany mostly belong to large chains that are profit driven. If they can shave a Euro from the budget by buying cheaper mice, they will.
But if a security-measure costs money to implement and isn't obviously required by law, they'll just skip it "because we've been good so far, right?".
Hospitals in Germany mostly belong to large chains that are profit driven. If they can shave a Euro from the budget by buying cheaper mice, they will.
But if a security-measure costs money to implement and isn't obviously required by law, they'll just skip it "because we've been good so far, right?".
I assume they have insurance. The insurers should look at what they're on the hook for with badly protected systems and make sure protecting the systems is cheaper than paying the premium. If people will only do things right if it costs them less up-front then make it more expensive up-front to not do things right.
I work for an insurance company and this is exactly what they do. We are clear that risk-prevention is both required, and will get them lots of discounts and expert help if they have done all the right things and some unknown unknown has appeared (exactly the thing insurance is there for).
Do all companies understand their policies or avail themselves of risk prevention measures (that we help with) or do anything but whistle in the dark? }}sound of whistling wind{{
*Errm, no*. Your "reasoning" (is there any) seems to be, though.
Citrix is a known "back-door vendor". The idea of being able to “lock out all the bad stuff from the Internet and only let the good stuff through” is heinous. Putting another patch on top of it is not going to solve the problem. It has always failed. It will keep failing.
But as we know, the one thing you can't anticipate can often happen. It's hard to get 'wild card' thinking from people who are process-oriented. I have seen this in projects, where we brought in a consultant that we were recommended, but dubious about, and he started throwing really crazy things at us, and we saw immediately that we had simply assumed users would do A, B or C when they were just as likely to do Q, W and G, because we were so used to our systems that we forgot that people out there are animals.
If I am not mistaken, the MS-DOS and Windows licenses since Chernobyl have had clauses put in them quite explicitly to say the software should not be used in provision of critical services; which, your average piece of hospital equipment certainly is.
I'm aware of industrial metering and control anywhere and everywhere dependent on all marks of Windows back to 3.1 still in service. Proper PLC's and the tech support behind them are available; at a price. People use Windows because it's cheap and (relatively) well understood. Price is (often) a deciding factor on tenders. God forbid your tender for hospital gizmo x should score the tender on basis of applicability of licenses to the application intended.
I'm quite fond of older, simpler software architectures; they are easier to audit for sure. The morass of stuff that's out there now it's just such a mess the idea of cleaning it up; it'll be easier to nuke it from orbit and start over than get it under control.
When Spanair flight number JK 5022 crashed in 2008 one of the "holes in the cheese" that lined up was that the maintenance database (or the computer systems attached thereto) had been infected with malware, which meant that it wasn't flagged that the plane in question had suffered multiple problems over several days and so should have been taken out of service on the first failed take off.
Subsequently the crew made a configuration error and theconfiguration warning did not sound, so the second take off attempt was made with fatal consequences.
https://www.theregister.com/2010/08/20/spanair_malware/
http://avherald.com/h?article=40b73189/0024&opt=0
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
