Federal rules leave medical equipment virus-infected
By Michael W. Jones
Over 300 critically important medical devices were connected to the Internet, infected with the Conficker virus, and then could not be fixed for 90 days because of federal regulations.
The medical devices in question were used in hospitals to allow doctors to view and manipulate high-intensity scans like MRIs. They were often found in intensive care facilities, and were connected to local area networks along with other critical medical devices. These network connections exposed the medical devices to the Internet, from which they became infected with the Conficker virus.
This came out in the testimony of Rodney Joffe, a founder of the unofficial Conficker Working Group, before a panel of the House Energy and Commerce Committee. Joffe and another member of the working group discovered over 300 devices from a single manufacturer that had been infected with the virus, according to a CNET story. Joffe said, “They should have never, ever been connected to the Internet.”
Perhaps as bad as allowing the original virus infection, federal regulations require that the hospitals involved wait 90 days before the systems can be modified to remove either the infections or the exposing vulnerabilities. Joffe’s testimony, together with earlier reports of infected medical devices, is being used to show that there are real risks involved in recent efforts to make ours a more networked world. President Obama’s stimulus package, for example, has allocated billions of dollars for digitizing medical records and networking the nation’s electric grids.
Joffe told the House committee, “The open Internet, one of its great values is it allows you to connect fairly cheaply and fairly easily to other computers, [however] the Internet was never designed to do the things it’s doing today.” Those things, in Joffe’s opinion, include connecting control systems to the Internet to manipulate and coordinate the nation’s electric grids.
Joffe and a number of other security gurus have been warning that any such control network would expose the critical systems involved to cyber-attacks. They hold up as proof the Conficker-infected medical devices and reports that Chinese and Russian hackers had already gotten into smart-grid control systems. It may be that more toughening of these systems is needed before they are implemented. At the speed we need to put these initiatives online, that means starting right now to figure out how to make them safe.