Alright, yes, it was a computer virus outbreak that infected the hospital network. And yes, the hospital network was disconnected by the administrators to prevent further spreading of the problem. But this seemed like the perfect story for a sensationalist headline, and I decided to take it.
Three hospitals in London, St. Bartholomew's, the Royal London Hospital and the London Chest Hospital, had their networks shut down earlier in the week after detection of a virus outbreak. Over the past few days the IT staff has been slowly bringing key systems and departments back online as they can be secured. Initially the staff thought they had it contained, but it turned out to be worse than they thought: systems crashed when doctors and staff tried to log on, prompting a more drastic shutdown and disconnection.
The entire story, with many more details, is available here. Luckily for the hospital it looks like their disaster recovery planning has actually gone pretty well. According to the story the operations of the hospitals have continued mostly unaffected throughout the network outage, and it's taken the staff 2-3 days to bring key parts of all 3 hospitals back online. Although there is one thing that struck me as a little off about the whole thing...
From the article:
A serious computer virus infection at the Trust - later identified as caused by the Mytob worm - was first detected on Monday.
Wait, the Mytob worm is what brought down 3 hospital networks? You mean, this Mytob worm? Mytob primarily spreads via mass mailing. The malware grabs the address book from a Windows computer and sends email with an attachment to everyone in it. The Sophos information page also notes that it can spread using the LSASS vulnerability, a flaw patched in Windows 4 years ago. I think I know why that disaster recovery plan was locked down so tight.
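As an added illustration (not from the original post or the linked article), the mass-mailing behaviour described above is visible in outbound mail-gateway logs: one host sending the same attachment to many distinct recipients within a short window. The log format and the sample lines are constructed for this example and do not mimic any real MTA.

```python
"""Flag Mytob-style mass-mailing from outbound mail logs (constructed example).

Hypothetical log format, one event per line:
    <epoch_seconds> <src_host> <sender> <recipient> <attachment_name>
"""
from collections import defaultdict

# Constructed sample log: ws-017 is normal traffic, ws-042 blasts one
# attachment to six recipients in a few seconds (address-book harvesting).
SAMPLE_LOG = """\
1000 ws-017 alice@example.org bob@example.org report.pdf
1002 ws-017 alice@example.org carol@example.org report.pdf
1010 ws-042 svc@example.org a@example.net update.zip
1011 ws-042 svc@example.org b@example.net update.zip
1012 ws-042 svc@example.org c@example.net update.zip
1013 ws-042 svc@example.org d@example.net update.zip
1014 ws-042 svc@example.org e@example.net update.zip
1015 ws-042 svc@example.org f@example.net update.zip
1400 ws-042 svc@example.org g@example.net update.zip
"""

def parse(log_text):
    """Yield (ts, host, sender, rcpt, attachment); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        yield int(parts[0]), parts[1], parts[2], parts[3], parts[4]

def find_mass_mailers(log_text, window=60, min_recipients=5):
    """Return {host: (attachment, n_recipients)} for every host that sent
    one attachment to >= min_recipients distinct recipients within
    `window` seconds, using a sliding window per (host, attachment)."""
    events = defaultdict(list)  # (host, attachment) -> [(ts, rcpt), ...]
    for ts, host, _sender, rcpt, att in parse(log_text):
        events[(host, att)].append((ts, rcpt))
    flagged = {}
    for (host, att), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window` s.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            rcpts = {r for _, r in evs[start:end + 1]}
            if len(rcpts) >= min_recipients:
                prev = flagged.get(host)
                if prev is None or len(rcpts) > prev[1]:
                    flagged[host] = (att, len(rcpts))
    return flagged
```

With the sample above only ws-042 is flagged; the lone message at 1400 falls outside the 60-second window and does not count toward the burst.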
This is another great example of how hard security is, especially on large networks that must support legacy software, and it's even harder on healthcare networks that have a huge amount of specialized hardware installed on them. If nothing else, the hospitals are in good company: the Wikipedia page on the Zotob worm (a Mytob variant that spreads via a Microsoft flaw patched in 2005) quotes a Businessweek article that lists ABC, CNN, AP, the New York Times and Caterpillar, Inc. as companies hit by this worm (all of whom, presumably, have larger IT security budgets than a UK hospital group).
And, speaking of being in the company of larger budgets, news also came out today about a worm that's been spreading across military networks. All the details are still classified, so we don't know which worm it is or anything else about it, except that the DoD has taken the drastic step of banning all external media from the network (everything from thumb drives to burned CDs and DVDs). It's really easy to get viruses into a network, really hard to get them out, and it only takes one mistake to open the door. Defense-in-depth and compartmentalization are great strategies, but they're also expensive to implement, difficult to implement well, and a determined user can usually outmaneuver the systems.
Also, as an interesting side note, a frequently proposed solution to these kinds of problems, from both lawmakers and non-security people, is tougher legislation or new laws to handle these kinds of things. In the case of the Mytob and Zotob worms, the creators were both arrested after the fact. Law enforcement takes some time to work, but even if they had been arrested the day after the worms were released (or the hour after, for that matter), it wouldn't have mattered.
Once the worm is on the network, it's a feeding frenzy. A pathology-mimicking performance, with the new code playing the part of the biological attacker seeking the machines with no defenses prepared, and system administrators playing the role of evolution, trying to keep their systems working against the onslaught of malicious code. Just like in the real world, the viruses don't get tired; they just try to replicate using whatever is in reach, whether the vulnerability is 4 days or 4 years old. And even when the systems are patched and everything seems safe, it just takes one email attachment to bring the attacker inside, and it all starts again.
I'm not sure exactly what the solution to these problems is, but I'm pretty sure it has less to do with the "new legislation" method and more to do with the "disaster recovery" method the hospitals used: having trained, professional people on hand to put things back together when they all fall apart.