Healthcare facilities widely compromised by Medjack, malware that infects medical devices to steal your information


#1

Originally published at: http://boingboing.net/2017/03/03/computers-you-put-in-your-body.html


#3

Healthcare is so complex!!


#4

Speaking from considerable personal recent professional experience in this field, I can heartily corroborate this statement.

Hospital IT generally implements two kinds of security, often simultaneously: screwed down so tight it prevents important activities, and so lax that it’s actually difficult not to circumvent it.


#5

So true.

I know a bunch of doctors who use their gmail address for their communication. One told me that if you are in a hurry, you try not to use the hospitals IT. Example given: patient going critical, call external MRT provider from private mobile phone, ask for results to be sent to your private mail account instantly.

At least this prevents this data to be exfiltrated from the hospital’s network… /o\


#6

IT security within the health care sector is mostly ridiculous, as no one wants to throw ressources at the issues* - but TrapX’ claim is unlikely to impossible. Every single facility is affected? When they perform an on-site sales event?

The threat is real, but the total panic mode the company tries to create with MedJack does not exactly help. With one exception: TrapX will get new business chances, conveniently the malware “constantly evolve[s]” and luckily TrapX identified and named it.

* source: anecdata after doing 10+ years IT within the sector


#7

Things I’ve heard during conference calls with hospitals:

“Send it to my AOL address, I don’t like our email system.”
“VPNs never work, we need everyone to have a modem and dial in.”
“I don’t trust leased lines. We should send the patient data by email.”
“None of us have the root passwords to the routers, only the IT consultants know that”
“None of us have the root passwords to the PBX, only the telephony consultants know that”
“I’ll send you an excel spreadsheet with all the userids and passwords via email. Tell you what, I’ll just CC the whole implementation team.”

Totally not kidding.


#8

 

 


#9

That is exactly how I felt.

Also, I caught a department head at one of my employers forcing all her direct employees to give her their company userids and passwords, which she then entered into a spreadsheet, and then put on a publicly shared network drive so they’d be backed up.

I think I actually did scream when I found that one. And I think that was the only time I have ever literally reported someone to HR. (I’ve threatened to report people, but I think that’s the only time I ever did it.)


#10

Hey, anyone ever that doesn’t have a legal and lawful reason to request my password, ask me my password.


#11

That’s amazing! I’ve got the same combination on my luggage!


#12

Megamaid has gone from suck to blow!!


#13

HA!
In the universities I worked so far, I saw such things more than once. The local servers had nothing to do whatsoever with medical data, so I just chuckled usually and told people that this was not best practice. They wouldn’t change their habit most times, but sometimes set up an additional password protection of the folder the collection of usernames/passwords was stored in on the LAN. Once, I informed a professor of informatics that scans of his flight tickets were actually available on his departments servers online, not only in the uni’s LAN. He replied kindly and said that he asked his secretary to take the stuff offline.


#14

This topic was automatically closed after 5 days. New replies are no longer allowed.