Zombies at the Hospital

René Pfeiffer/ October 31, 2012/ High Entropy, Security

It’s 31 October, so we have to talk about these zombies. You know them from the horror films. Dead, evil, and always hungry for brains (the latter also being true for any self-respecting HR department). Security researchers know a different kind of zombie. A zombie computer is a machine or device infected by a computer virus. It is considered compromised and contains additional features such as information retrieval, remote access or anything else you can put into code. Usually this is undesirable and fought with anti-virus software or (even better) strict security procedures. Now let’s combine the two types of zombies and add a spiffy virus outbreak into the mix. To make it even more cinematic, we use a hospital as the stage. Too unrealistic? On the contrary, hospitals do have a virus and zombie problem.

Medical facilities use computer systems for controlling equipment such as devices used for computed tomography, magnetic resonance imaging, or monitoring patient data. Hospitals have internal networks to which these devices connect. Add a pinch of Internet or removable storage devices plugged into one of the computers connected to the local network. Now add the requirements of passing strict reviews and following clearly defined standards to the mix. This means that vendors of the digital equipment are reluctant to modify their systems, which results in the use of proven operating systems that might no longer be supported. In addition there’s the problem of adding security measures. In a standard office environment, rolling out new software is comparatively easy. In a medical environment this is much more complex, because you have to pass reviews after a change. Too much change increases the risk of not passing the review, and besides, never change a running system.

You do not have to be a hospital to run into this problem. There are a lot of companies out there that also deal with these dreaded reviews. Just walk into an IT department and casually mention the word compliance in a loud voice. If you get unfriendly or nervous glances, then you are in the right place. Having reviews, procedures, certifications, and passing tests is not a bad thing. It gets really bad if you do not improve the security measures just to avoid change. Security is a cycle, so there is automatically change involved. This has to be reflected when reviewing infrastructure and devices. The zombie outbreaks in US hospitals are a perfect example. The FDA is currently reviewing the reviews by questioning its regulatory stance on software. We agree with Kevin Fu. Medical devices need to stop using insecure, unsupported operating systems. You may joke about Windows 98 or Internet Explorer 6, but some hospitals use these zombies for daily work (old code from other vendors applies, too; it’s just an example). This is your resident evil and an outbreak waiting to happen.

Don’t be a sheep, but don’t be a zombie either.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.