Current Event: 3 London Hospitals Infected

By ando at 7:50 pm on January 8, 2009 | 3 Comments

According to articles from the BBC and The Register back in November of 2008, three London hospitals fell victim to the Mytob worm.  First seen in early 2005, this worm spreads itself through email and, once on a machine, hampers its own removal by blocking attempts to retrieve antivirus definition updates.  The hospitals had to shut down their systems for three days to ensure the worm was fully eradicated.  An emergency procedure was executed promptly, minimizing the impact.  Hospital directors stated that the hospitals were not specifically targeted and reassured the public that patient records were not compromised.
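The update-blocking behaviour described above is worth checking for directly. Mass-mailers of the Mytob era commonly did it by appending lines to the Windows hosts file so that antivirus and update sites resolved to a dead address; the script below, an added example rather than code from the original post, parses a hosts file and flags vendor domains pinned to loopback or 0.0.0.0. The vendor domain list and the sample hosts content are constructed for illustration and are not from the articles.

```python
"""Check a hosts file for antivirus/update domains pinned to a dead address.

Added example, not code from the original post. Mytob-era mass-mailers
commonly appended lines to the Windows hosts file so that antivirus and
update sites resolved to 127.0.0.1, which is one way of blocking attempts
to retrieve virus definition files. The vendor domain list and the sample
hosts content below are constructed for illustration.
"""
import ipaddress
import sys

# Domains a worm would want to blackhole (illustrative, not exhaustive).
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com", "symantec.com",
    "mcafee.com", "sophos.com", "kaspersky.com", "trendmicro.com",
)

# Constructed hosts file: a clean header plus lines typical of an infected host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com   # appended by the worm
0.0.0.0         update.microsoft.com
127.0.0.1       www.sophos.com
10.1.2.3        intranet.example.org
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            yield fields[0], host.lower()


def is_blackhole(ip):
    """True if traffic to ip can never reach a real server (loopback or 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_protected(host):
    """True if host is one of the vendor domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_hijacked_entries(text):
    """Return [(ip, host)] for protected domains mapped to a blackhole address."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if is_protected(host) and is_blackhole(ip)]


if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts) to scan a real file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hits = find_hijacked_entries(text)
    for ip, host in hits:
        print(f"suspicious: {host} -> {ip}")
    print(f"{len(hits)} hijacked entr{'y' if len(hits) == 1 else 'ies'}")
```

On the constructed sample this reports four hijacked entries and ignores both the normal localhost line and the internal intranet entry. Any hit on a real machine means antivirus updates have been silently cut off, which is the condition that let the worm persist.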

Although the hospitals do not seem to have suffered much more than delays and confusion, it is apparent that they were not prepared even for a well-known, years-old worm.  The source of the initial infection was either not found or not released, but judging from the nature of the worm, chances are that an unsuspecting employee opened an infected attachment or clicked a link in an email and started the whole process.  (If anyone can verify exactly how the hospitals were initially hit, please leave a comment on this post.)

Several simple preventative measures would have drastically reduced the probability of this infection, or prevented it outright. For one, all employees should have been made aware of the serious responsibility that comes with using an electronic medical record system.  Countless disastrous scenarios can arise from carelessness and ignorance; employees should be trained to recognize security risks, such as unexpected email attachments and links. While it is unreasonable to expect extensive computer knowledge from the average employee, it is the responsibility of the hospital to keep its employees informed of basic risks such as unsolicited or suspicious emails.
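Training staff to distrust suspicious email is necessary, but a mail gateway can reject the obvious cases before anyone has to make that call. The script below is an added example, not code from the original post or from the hospitals: it builds a constructed message of the kind Mytob-class worms sent (spoofed internal sender, an executable attachment hidden behind a document-looking double extension, and a small ZIP wrapping another one) and runs a quarantine decision over its parts. The extension lists and the sample message are assumptions for illustration.

```python
"""Quarantine decision for attachments of the kind mass-mailing worms carried.

Added example, not code from the original post. Mytob-class worms arrived
as a message with a spoofed sender and an executable attachment, often
given a document-looking double extension or wrapped in a small ZIP. The
extension lists and the sample message are constructed for illustration.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
ARCHIVE_EXT = {"zip"}


def risky_name(filename):
    """Return a reason if filename looks like an executable, else None."""
    if not filename:
        return "unnamed attachment"
    parts = filename.lower().split(".")
    ext = parts[-1]
    # "readme.txt          .scr" pushes the real extension out of view.
    if any(p != p.strip() for p in parts):
        return "whitespace padding in filename"
    if ext in EXECUTABLE_EXT:
        if len(parts) > 2:
            return f"double extension hides executable (.{ext})"
        return f"executable attachment (.{ext})"
    return None


def risky_archive(data):
    """Return a reason if the ZIP is unreadable or contains an executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                reason = risky_name(name.rsplit("/", 1)[-1])
                if reason:
                    return f"archive contains {name}: {reason}"
    except zipfile.BadZipFile:
        return "unreadable archive"
    return None


def quarantine_reasons(msg):
    """Return [(filename, reason)] for every attachment that should be held."""
    held = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = filename.lower().rsplit(".", 1)[-1]
        if ext in ARCHIVE_EXT:
            reason = risky_archive(part.get_payload(decode=True))
        else:
            reason = risky_name(filename)
        if reason:
            held.append((filename, reason))
    return held


def check_raw_message(raw):
    """Gateway entry point: parse wire-format bytes and decide."""
    return quarantine_reasons(message_from_bytes(raw, policy=policy.default))


def build_sample_message():
    """Constructed message resembling a worm mailing; not a real sample."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.org"   # spoofed, looks internal
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Your account has been suspended"
    msg.set_content("Your account has been suspended. Details are attached.")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60           # inert PE header stub
    msg.add_attachment(fake_exe, maintype="application",
                       subtype="octet-stream", filename="account-details.txt.pif")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("information.doc.exe", fake_exe)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="info.zip")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="policy.pdf")
    return msg


if __name__ == "__main__":
    for name, reason in check_raw_message(build_sample_message().as_bytes()):
        print(f"HOLD {name}: {reason}")
```

The PDF passes while the .pif and the ZIP are held, each with a reason an administrator can read. Note the decision is made on the parsed wire format, not on the object that built the message, so the same function sits unchanged in front of a real mail stream.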

The IT support staff at hospitals must also make it a priority to keep virus definition files and operating system patches up to date.  This matters doubly here: besides email, many Mytob variants spread across the local network by exploiting the Windows LSASS vulnerability patched by MS04-011, so one opened attachment can reach every unpatched machine on the network.  Keeping safe, isolated backups would not have stopped the infection, but it could have cut the recovery time well below three whole days.

It is rather unnerving to see three major institutions guarding information as critical as medical data fall prey to such an easily preventable attack.   The news reports treat this event as if it were a minor annoyance: nothing hospital-related was directly targeted, and there was no serious damage, so it is treated like a harmless scare. But the hospitals were simply lucky. If the security of the network was so poor that it could not stop an almost four-year-old worm, a targeted attack could have had catastrophic results. Hospitals have a wide range of possible adversaries, from politicians to terrorists to extortionists.  Any of these might want particular patients' data about diseases, insurance policies, and medication received.  What if an attacker had gained access to the passwords used for purchase orders of medical supplies and drugs?  Attackers might also alter insurance information in the system, resulting in denial of care for patients.  All patients and employees connected to these hospitals are at risk now that the system has been compromised. This should serve as a wake-up call for hospitals everywhere to review the robustness of their record systems.

Nonetheless, the hospital directors did a good job handling the public response.  Their prompt and concise public statements assured patients that their privacy was intact, which likely prevented panic among patients.  However, for the patients' sake, I hope the hospitals are only publicly downplaying the incident and are privately taking serious measures to improve the security of their network.

Filed under: Current Events

3 Comments

  • 1

    Comment by Tim Crossley

    January 9, 2009 @ 8:02 am

    It is terrible that such critical systems like these, carrying confidential private data, were not kept up to date in terms of anti-virus definitions and the like. Certainly, it would not have been difficult for someone to spend the short time it takes to ensure proper anti-virus software was present and set to auto-update on all critical systems.

    What makes this even worse is the three days it took to get hospital systems running again. Prevention of an attack is always the preferred method, but exploits do exist and they will be found. Therefore, any critical system like those in hospitals must be able to recover from attacks. As ando already mentioned, these hospital systems should have been (and hopefully are) regularly backed up. Upon detecting the worm, the systems could be reloaded from a backup, with lost updates (those occurring between the last known ‘good’ backup and the time the worm was detected) filled in by hand or recovered in some other way.

  • 2

    Comment by jimmy

    January 9, 2009 @ 5:14 pm

    It seems to me that hospital systems should be designed such that critical applications, such as patient databases and pharmaceutical information, run on machines relatively isolated from non-critical applications, such as email and web browsing. This would somewhat limit the danger of email worms and compromised websites, because these attacks would find it more difficult to compromise critical information. Furthermore, this would limit the ability of security-illiterate doctors and nurses to crash an entire system, because they would not have direct access to the actual critical machines.

    Obviously this presents its own problems. Developers would have to perfect the connection between these two system genres such that health care providers could still easily use critical systems through a more limited access point. Backups would still be necessary given potential for insider attacks. While not altogether solving the problem, separating critical components from the world wide web would close a large door through which attacks could pervade.

  • 3

    Comment by erikturn

    January 9, 2009 @ 5:40 pm

    Luckily they didn’t lose any data. I attended a talk last year about computing in the developing world hosted by Yaw Anokwa and Brian DeRenzi. They mentioned how difficult it was to keep worms from spreading at hospitals in Rwanda. They discovered that for the most part there are almost no safeguards on networks, computers fall behind in software updates, and antivirus software simply cannot keep up with the rate at which these machines become infected. One of the most common ways that worms are spread in these situations is by hospital guests or employees sharing data via USB keys, which almost always contain viruses. These hospitals also don’t have the IT staff necessary to support all of their machines.

    Here is their paper if you are curious.
