Advice Request Medical Security Ethics


illumination

Thread author
Today I came across something I would like to bring up and discuss: medical facility/device security practices.

My significant other is a stage 1 diabetic who has been placed on a newer insulin pump to help regulate her A1C. This pump requires her to upload data to our main system, and this, folks, was where I could not believe what I was seeing... Upon opening Google Chrome and signing into the site she needed to be on, it left us with a prompt that blew my mind...

Browsers compatible with our software: I.E. 10/11 or Firefox 38
Browsers not compatible because of Java restrictions: current MS Edge, Chrome, or Firefox

You need to download the Java application to the system to use it with either I.E. 10/11 or the outdated Firefox 38...

Do what I stated? I have to use Java, the "Swiss cheese of security holes", and I have to do it on insecure browsers, or I cannot use your software for her life-saving device?

To top this off, she is scheduled for surgery soon, which is why absolute control of her A1C is necessary.

Why is it that a company like Medtronic/CareLink, which literally makes millions of dollars, cannot afford to update its systems and software to better secure its customers/patients?
Why are these establishments not held accountable for insecure practices with people's medical health at stake? It is a responsibility.

Share your thoughts, as this is a much more widespread problem than what I have discussed here.
 
Deleted member 65228

Thread author
Wow, this is sad. I don't know what to call it, irresponsible or ignorant or what.
I'd say it is both irresponsible and ignorant. I'd go further to say that they have a lack of thought for security and need to get their act together because with the resources they will have as a company due to how much money they will have, they should be doing 10x better IMO.

Java? Seriously?

"Let's use Java, it's great for security" said no one ever.
 
illumination

Thread author
Holy cow.

I'm speechless.

If you've already installed Java, it's too late. You can't turn back the clock now. Burn the systems. ATTENTION EVERYONE, BURN THE JAVA-INFESTED SYSTEMS ASAP!
Indeed! I did not install it, nor did I allow her to use those browsers. I told her we are going to have to find another way, even if it means traveling to the doctor's office often and having them upload it on their systems. I wanted to share this, though; it is eye-opening.
 

upnorth

Moderator
Jul 27, 2015
Indeed! I did not install it, nor did I allow her to use those browsers. I told her we are going to have to find another way, even if it means traveling to the doctor's office often and having them upload it on their systems. I wanted to share this, though; it is eye-opening.

The first thing that came to my mind was: what does the doctor say about all this? Not the IT security issues, because I doubt they can fully grasp it, but the other stuff. The travelling part, maybe not using the pump when it's supposed to be used, etc.
 
illumination

Thread author
The first thing that came to my mind was: what does the doctor say about all this? Not the IT security issues, because I doubt they can fully grasp it, but the other stuff. The travelling part, maybe not using the pump when it's supposed to be used, etc.
This is the insane part: it has to be done, it has to be used, and this is one of their latest state-of-the-art pumps...

I have pulled out my Linux laptop, and I am in the process of converting it back to Windows 10, as the software will only work on Windows or Mac, not Linux. I will have to "contain" this laptop on the network while running Java on it to allow her to upload. This system is only going to be used for this period. It is my only course of action at this time, as the data will not be transferred fast enough to make a difference if done manually by traveling.

I can state that no one in this forum has seen overkill in security until they come across a situation like this. The laptop is going to make Ft. Knox look weak... ;) :D
 

BoraMurdar

Community Manager
Aug 30, 2012
What should I say as a doctor when a hospital in my place is 80% covered by Windows XP? Not POSReady. Just Windows XP... Unupdated and outdated since 2014...
IT "experts" say they couldn't upgrade to at least Windows 7 because of some printing drivers that work only in XP...
I've checked; there are drivers for W7... Those things are for jail.
 
illumination

Thread author
What should I say as a doctor when a hospital in my place is 80% covered by Windows XP? Not POSReady. Just Windows XP... Unupdated and outdated since 2014...
IT "experts" say they couldn't upgrade to at least Windows 7 because of some printing drivers that work only in XP...
I've checked; there are drivers for W7... Those things are for jail.
In other countries, a surgery may run around $7,000; here in the US, that same procedure could be $30,000 to $40,000.
Life-saving insulin without insurance could run you several thousand a month. Every doctor you see is driving high-end vehicles and living in high-end homes, yet the hospitals always seem understaffed and poorly managed, nurses and CNAs are run ragged to save the cost of hiring others, budgets are spread thin...


I have the situation under control for now, but my mind was blown that they literally are having users install Java and use insecure browsers to connect a monitoring meter to transfer data from a newer machine learning device.
 

In2an3_PpG

Nov 15, 2016
What I do not understand is that, as software and devices evolve, how is it not harder to keep running outdated software and hardware that is barely compatible with anything anymore? How can this be practical, or even money-saving?

Besides @Opcode's comment on IT admins not knowing, laziness plays a part as well. Also, from my experience, it does not always fall onto the IT admins to make a change. It's the people at the higher levels (C level) giving the funds to make the change. A lot of the time they're not willing to go forward with spending the extra money, even though in the long run keeping the old systems alive would cost them even more, with possible damages and lawsuits if anything were to happen. It's unfortunate, really. I hope everything works out for your significant other.
 

BoraMurdar

Community Manager
Aug 30, 2012
People are expendable and curative methods are unprofitable. That's how the "they" think. Those who can change something... But world's priorities are something else...
I can write novels about this theme, but this isn't the right place and the theme is very sensitive.
 

upnorth

Moderator
Jul 27, 2015
Here's another case that's just sad: A Lifesaving Pump for Cancer Patients Is Being Phased Out

The devices, called Codman pumps, are made by Cerenovus, a subsidiary of Johnson & Johnson, which told doctors in a letter dated April 4 that it had decided to stop production effective April 1 “because of significant and multiple raw material supply constraints within the manufacturing process.” Dr. Kemeny said she and other physicians had appealed to the company to keep making the device, but it had declined.

“It has likely saved many lives and prolonged the lives of many more,” Dr. D’Angelica wrote to the company. “I would implore you to reconsider this decision, if not just for economic or logistic reasons, for ethical reasons.”
 
ForgottenSeer 58943

Thread author
I have some experience with this... My wife is an MD, and my employer supports compliance and audits. First, my wife's continuing education website required both Flash and Java to be installed and all security layers disabled. How pathetic is that?

As for HIPAA, it's a complete and utter joke... I can count on one hand how many full HIPAA audits we've seen in the last 5 years... 75% of all medical offices I have seen are NOT HIPAA compliant. Without any fear of an audit there is little regard for honoring HIPAA. It's just a piece of paper that's never enforced.

I've seen everything from worms on X-ray machines to backdoored X-ray storage servers, doctors sending confidential records over Yahoo and Hotmail, doctors exchanging confidential patient data over HTTP and SMS, improperly secured medical record storage, pharmacies using Linksys routers and Win7 machines that haven't been updated since 2015... What a joke... All of it...

It's mostly all gone already... It's all broken. Everything has already been backdoored, hacked, or stolen by nefarious actors. One of the next major IT catastrophes will be in health care... Mark my words.
 
illumination

Thread author
How ironic: after writing this post this morning, I went to get the mail, and upon returning and opening a letter from our local hospital, it seems they regretted to inform us that their security was breached and a mass amount of patient data was stolen. I'm literally standing here shaking my head.

They stated: To Date, we have no indication that any of your personal information has been misused in any way.

They have also stated that they have just now secured the services of a company to provide identity monitoring at no cost to us for one year... A little late, now that the information is out there, and no cost to us for only one year?

I started this thread not to call out the greatly misused medical practices, but to address security issues that obviously are well past needing to be addressed.
 
Deleted member 65228

Thread author
A while ago a security researcher found a remote vulnerability for a heart device or something like that (small box) and posted the source code on GitHub. I think it was fixed before it was posted, but this was maybe a year or a year and a half ago.
 
