back to article Medic! Uncle Sam warns hospitals not to use outdated IPnet freely on their networks

The US Food and Drug Administration is warning hospital IT admins to keep a close eye on their networks following the discovery of security vulnerabilities in a relatively obscure and dated TCP/IP stack – IPnet – used in embedded devices. The flaws, mostly buffer overflows and memory in various components of IPnet, can be …

  1. Shadow Systems Silver badge

    Make these a federal crime.

    Anyone holding a hospital, fire, police, ambulance, or any other public emergency service hostage in these kinds of attacks should be immediately be turned over to the FBI for tracking down, locating, & dragged into court by the short & curlies.

    The crims are putting innocent lives at risk of *death* if those services can't do their job to protect the public, so how is this not considered a terrorist attack on national infrastructure?

    If some shit for brains started blowing up cop cars with the cops inside then the feds would be all over it like fleas on a mutt, but since it's "only" hospitals (at the moment) it's not an issue?

    Fuck that. Get the feds involved, track down the crims, & drag their asses into court.

    1. DougS Silver badge

      Re: Make these a federal crime.

      I'm sure all the criminals in Russia, China, Bulgaria or wherever will be quaking in their boots over that. I'll bet very few attacks against US hospitals, utilities, governments etc. are carried out by people inside the US. If you want to do that and you live in the US, you should probably target places with no extradition treaty with the US that you are unlikely to ever visit, like Russia...

    2. IGotOut
      Mushroom

      Re: Make these a federal crime.

      How about the Hospitals / Goverment agencies do some fucking work and patch the bloody systems, lock down devices and do basic IT security.

      Yes, you will have specialised equipment that can't be updated because the vendor insists XP is the only OS it will work with, but that PA's laptop, sorry no excuse.

      1. Richard Jones 1
        FAIL

        Re: Make these a federal crime.

        I am not sure that the issue is of vendors insisting on using only XP, but I suspect that items with long amortisation lives run past the point of software life expiry. Not only that, but in many cases the parts used to build systems may come from different sources, some of whom are no longer in business. There my well be a future in building or applying special techniques to multi million piles of currency worth devices that are not yet time expired, e.g. NOT connecting them to networks directly? There are ways to link output from a device into other database set-ups that do not rely on last century's level security direct connections.

        That said, what is the betting that it was either sloppy email habits or careless browsing that did the damage? Bluntly, the problem lay outside the keyboard interface.

      2. Anonymous Coward
        Anonymous Coward

        Re: Make these a federal crime.

        Don't moan about hospitals/governments, moan about those in C-suite who don't allow us to. We haven't had XP on endpoints for years, we'll soon have no W7 either, yet that specialist equipment you mentioned will still be XP, some even older because C-suite don't want to invest in replacing it and individual departments can never afford to.

        1. Doctor Syntax Silver badge

          Re: Make these a federal crime.

          "because C-suite don't want to invest in replacing it and individual departments can never afford to."

          The replacements will probably have the same problem because general purpose OS vendors' products have shorter life cycles than expensive H/W. Tying H/W replacement to the life of the OS effectively means that working H/W which cost serious money is junked and the cost of using it is inflated.

          I'm not sure to what extent this still operates but there used to be public appeals to buy a scanner or whatever for the local hospital. Such appeals are likely to fall on deaf ears if the public realise that the product of the last appeal has been dumped prematurely for no good reason (and an OS vendor abandoning their product isn't a good reason).

          Even if the OS is replaced the revised system would need to be recertified and that's also expensive.

          AFAICS the long term solution is to ensure that the components, including S/W of medical systems adhere to well-defined stable and open interface standards so that any one component, and especially the more peripherals ones, can be replaced with certification applying only to the interfaces they present.

      3. GnuTzu Silver badge

        Re: Make these a federal crime -- Keys in the Car

        There should be fines for this, just as there citations for leaving your keys in the car.

        Oh wait, did I hear that HIPAA was not a compulsory standard? Are law suits for non-compliance possible?

  2. Oengus Silver badge
    Alert

    Not only Alabama

    Just this week another ransomware attack has impacted health systems in the Australian state of Victoria. With Australia implementing their "My Health Record" system (automatic opt-in but you can choose to opt-out) integrating with other systems I wonder how long before one of these attacks is used to mask leaks of patient data.

    1. Mayday Silver badge
      Meh

      Re: Not only Alabama

      I optd out the moment it became a thing.

      I can see some merit in the concept (ie centralising info to assist seeing a new doctor, stopping doctor shopping to get multiple prescriptions etc) however the risk of another attack surface and having your info on the interwebz for all to see is bit of a no from me.

    2. Anonymous Coward
      Anonymous Coward

      Re: Not only Alabama

      This is coming to the UK, or something very similar. Also expect automatic opt-in, it's the lazy way of pushing use of it.

  3. razorfishsl

    Ahhh.. .yes IPNET.......

    Wait until they start looking into "netburner"

    1. GrapeBunch Silver badge

      "IPnet freely" I was expecting an article by Bart Imps-sin.

  4. GrapeBunch Silver badge
    Joke

    "IPnet freely"

    Is that prose, or is it a BART SIM PSONnet?

  5. Crisp Silver badge

    Get decent IT staff and make the insurance companies pay for it.

    You'd think with the amount Americans are overcharged for their healthcare that they would have the best IT that money could buy.

    1. Simon Ward

      Re: Get decent IT staff and make the insurance companies pay for it.

      "You'd think with the amount Americans are overcharged for their healthcare that they would have the best IT that money could buy."

      Nope, just the best lawyers money can buy ...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019