|Home » Industry Watch
Medical Software Overrun by Microsoft Malware
Lives are at risk. Some may have been lost. It's time to stop.
Technology reporter Dave Lee of BBC News reports that high-risk medical technology has been found to be infected by malware, according to health and security experts. Most if not all of this technology is run by software on the Windows platform. Lives are at risk. Some may have been lost. It's time to stop.
Part of the problem has been that Windows is by far the most prevalent small scale operating system where most independent software vendors will naturally gravitate.
Part of the problem is a lack of understanding of how dangerous Windows can be.
But the overwhelming brunt of the blame is Microsoft's. Microsoft have long been able to produce a secure operating system virtually impervious to attack - but they choose not to, out of a worry that their market dominance might evaporate. Instead they put people's lives at risk.
A medical centre in Boston had 664 pieces of equipment running old versions of Windows. Says medical technology expert Kevin Fu: 'Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow updates or security patches.'
Those medical devices can also be recruited into botnets. 'Imagine you have a heart monitor that's running Windows and it gets infected by a computer virus and slows down', says Fu. 'This mere slowing down of the computer could cause the device to miss a sensor reading. It certainly raises an eyebrow. Who's watching out for that?'
Not Bill Gates for sure. The Microsoft hegemony is predicated on barriers of entry and exit. Microsoft so dominated the world of the personal computer before the web revolution that no one could catch them once it began. Steve Jobs declared the war of the desktop over and Microsoft the winner.
But no one wins with a situation like this. And sound operating systems - almost always based on Unix - have appeared in the intervening years.
Microsoft could release a secure version of Unix - they once owned such a version - or create their own secure Linux. But they won't. They're too afraid developers will find a way to circumvent Windows itself and code software directly for the Unix/Linux underbody, and thereby make Microsoft irrelevant. And insolvent.
It's been seventeen years since the web revolution began, twenty since Tim Berners-Lee unveiled the 'World Wide Web', and little has changed on the security front. An hysterical amount of largely unsuccessful energy is wasted fighting the insecurities of a system (Windows) that was never meant to be used on the Internet in the first place, all the while Microsoft spin doctors continue to downplay and ignore the consequences.
And people get hurt. Or worse.
McAfee specialist Raj Samani states: 'The need to implement security and privacy in the design of all systems, whether they're embedded or not, is of paramount importance, particularly to the health industry.'
Yet Samani, like so many 'experts' at McAfee, probably runs a Mac or a Linux jalopy privately. They all know Microsoft Windows is a mess.
'Software-controlled medical equipment has become increasingly interconnected in recent years', says David Talbot of the MIT Technology Review, describing the infection level as 'rampant', and then adds in the understatement of the century: 'many systems run on variants of Windows, a common target for hackers elsewhere'.
Windows is more than a common target. Windows is, for all practical purposes, the only target. And it's the only target for two very sensible reasons.
- Attack area. Windows has nearly 90% of the market in small scale systems. It's the IT version of 'broad side of the barn'.
- Ease of exploit. In contrast to attacks on most non-Windows systems which take a lot of hard work and still might not succeed, attacks on Windows can be carried out by 'script kiddies' with one hand on a games console.
Windows: it's just too easy and there are too many suckers out there.
Are you sure you want to risk your life with malware-infected Windows software systems?
The US National Institute of Standards and Technology's Information Security & Privacy Advisory Board sponsored a panel discussion last Thursday in Washington DC. One participant described how malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive care.
'It's not unusual for those devices, for reasons we don't fully understand, to become compromised to the point where they can't record and track the data', he said. Surely any honest computer security expert could get him to understand.
The old Windows XP machines in those wards have been replaced by Philips machines running a system based on Windows. 'The problem has been solved', says the naïve MIT reporter. Solved until the next calamity hits.
There is only one way people can feel safe in hospitals. That is to get crucial software systems - and ultimately all software systems - off Windows. That takes special willpower and a refusal to accept the attentions of Microsoft's sales department. But there's a line in the sand, Microsoft have made it very clear they're going to continue to spin, and that leaves only one alternative.
BBC News: Computer viruses and malware rampant in medical tech
MIT Technology Review: Computer Viruses Rampant on Medical Devices