Juha Saarinen: When IT security gets a hospital pass

IT in hospitals, clinics, doctors' surgeries and elsewhere should be safe and reliable - and maintained. Photo / iStock

If you thought that computers, software and networks in environments where it is literally life or death that they work are kept secure, up to date and modern, you thought wrong: hospitals and health authorities seem to be some of the worst at maintaining IT set ups, and that should scare all of us.

Last week, the computers in the pathology department at the Royal Melbourne Hospital suffered a virus infection.

That can happen to any organisation of course. The RMH virus infection is different though, if you look at the details of what happened.

READ MORE:
• Government unveils new strategy to take on cybercrime
• Kiwis 'naive' about cybersecurity

First, the malware in question was Qbot or Qakbot, which has been known since 2009 - the variant that ripped through the RMH pathology department was apparently a new one that wasn't detected by Melbourne Health's unnamed enterprise antivirus.

The antivirus not detecting Qbot is one thing, but the malware got in via the very vulnerable, and totally obsolete Windows XP operating system that is still running on something like 1800 computers at the health authority.

Qbot incidentally is an "info stealer" that normally attacks banking systems and snags passwords and user keystrokes, and joins infected machines to botnets as remotely controlled zombies.

Worse, Qbot appear to have crashed the Windows XP computers it infected, and rendered them inoperable. With no computers, pathology department staff were forced process blood tissue and urine samples manually. Not a disaster, perhaps, but nevertheless a situation that shouldn't have happened.

Melbourne Health is now doubling down on upgrading the old, unsupported and terribly unsafe Windows XP to... Windows 7. But wait, Windows 7 is out of mainstream support since a year ago so why go from one obsolete operating system to another?

The answer to that seems to be staff resistance to new IT - Windows 7 isn't that hard to get to grips with if you come from XP, compared to say Windows 8 or Windows 10 which look and act in a different manner.

Also, and this is really worrying, certain medical software that the health authority uses requires Windows 7 (apparently) to remain certified and licensed. Re-certifying and re-licensing software would no doubt cost money and take time, both of which are short supply with health agencies.

Melbourne Health is not alone in being caught between a rock and a hard place when it comes to keep its IT systems up to date.

Insecure health IT is a worldwide problem, and two security researchers presented some hairy and scary anecdotes at a recent security conference including the tale of one hospital that had a Windows 95 (!) machine that ran its magnetic resonance imaging scanner.

Why? Because upgrading from Windows 95 to a newer and safer operating system meant the whole scanner would have to be replaced.

Other examples included a pacemaker that had an completely open debug function that could interrupt heartbeats, and a device manufacturer that shipped a system with no fewer than 38 malware that infected hospitals.

This an unacceptable situation of course. IT in hospitals, clinics, doctors' surgeries and elsewhere should be safe and reliable - and maintained.

It's not that difficult to fix things either: as the security researchers noted, nine out of ten problems found could be sorted out with common sense, like applying patches from the vendor in question.

The common sense should apply for the whole life of the equipment as well, with licensing and certification traps that prevent upgrades being outlawed.

Someone's life could depend on a computer in a hospital working properly and health authorities and their IT staff, as well as vendors and software developers really need to recognise that before it's too late.