A US study finding malware is rampant on medical equipment shouldn’t come as a surprise to those running industrial computer systems in their businesses.
It’s notoriously difficult to update medical equipment or other sensitive systems, as a security patch could have unintended consequences. Unlike patches for a home or office computer, these have to be thoroughly tested by the operator, over and above the vendor’s own testing, before they can be applied.
So it isn’t surprising that these systems aren’t kept up to date, although some equipment suppliers are also more tardy than they should be in updating the servers they supply.
A few years ago I came across CCTV systems running on the original, unpatched release of Windows 2000 which were hopelessly compromised. This is an unacceptable situation for the customer, and it was the result of vendor carelessness rather than of any thought about the risk those unsecured machines posed to the people using them.
Not having the latest software patches creates a weakness in any computer device, as the most common way viruses find their way onto networks is through systems that haven’t been updated – Australia’s Defence Signals Directorate rates unpatched systems as the number one cause of corporate security breaches.
This is what caught out the Iranian nuclear program with the Stuxnet worm: the Windows PCs running the Siemens control software used by the Iranians were on older, unpatched versions of Windows. The designers of Stuxnet took advantage of a number of weaknesses in the software, some of them previously unknown and at least one already known and patched, and were able to damage the equipment being controlled by the systems.
Obviously systems should be patched wherever they can be, and there’s no excuse for not patching most office and home computers. Where a system genuinely can’t be patched, it’s worth taking other security steps to ensure an infected computer can’t damage your network or catch a virus through your Internet connection: put it on its own network segment, allow it to talk only to the systems it actually needs, and keep it off the Internet altogether.
The survey looking at these medical systems is a good wake up call to all of us that we need to take computer security seriously in our businesses.