The Conficker internet virus has infected important computerised medical devices, but governmental red tape interfered with their repair, an organiser of an antivirus working group told US Congress on Friday.
Rodney Joffe, one of the founders of an unofficial organisation known as the Conficker Working Group, said that US government regulations prevented hospital staff from carrying out the repairs.
Joffe, who also is the senior vice president for the telecom clearinghouse Neustar, told a panel of the House Energy and Commerce Committee that over the past three weeks, he and another Conficker researcher identified at least 300 critical medical devices from a single manufacturer that have been infected with the computer virus.
The devices were used in hospitals to allow doctors to view and manipulate high-intensity scans such as MRIs and were often found in or near intensive-care unit facilities, connected to local area networks with other critical medical devices.
"They should have never, ever been connected to the internet," Joffe said.
Regulatory requirements mandated that the affected hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.
Joffe's testimony and earlier reports of infected medical devices show the risks involved in efforts to reap the economic benefits of a networked world. President Obama's stimulus package has allocated billions of dollars for digitising medical records and networking the nation's electric grids.
"The open internet, one of its great values is it allows you to connect fairly cheaply and fairly easily to other computers," Joffe said. He added, however, that "the internet was never designed to do the things it's doing today".
That includes connecting control systems to the internet to manipulate and co-ordinate the nation's electric grids.
"The future of widespread [electric] meter-to-meter communication does have me concerned," said Dan Kaminsky, a technology consultant who last year discovered a critical flaw in the internet's core infrastructure. "I would like to see more security for those meters."
It was recently reported that Chinese and Russian spies had infiltrated the grid networks. US politicians introduced a bill on Thursday to give the Homeland Security Department and other federal agencies more authority over utilities in order to protect the 'smart' grid from cyberattacks.
Joffe and other witnesses said that, at an operational level, the DHS is the appropriate government agency to improve cybersecurity. He called the US Computer Emergency Readiness Team, which is operated by the DHS, "woefully understaffed and woefully underfunded". As part of its mission, US-Cert acts as a liaison between the public and private sectors.
Gregory Nojeim, senior counsel for the Center for Democracy and Technology, said DHS should naturally hold jurisdiction over cybersecurity, as long as it makes its actions more transparent and receives policy guidance from the White House.
Policymakers need to be clear and open in their work with the private sector, Nojeim said, and should avoid giving anyone in the government — even the president — too much power over private networks. He urged the congressional panel to reject legislation from US senator Jay Rockefeller that would give the president power to shut down any critical network — federal or otherwise — in an emergency.
"Any such shutdown could also have far-reaching, unintended consequences for the economy and for the critical infrastructures themselves," he said. "To our knowledge, no circumstance has yet arisen that could justify a presidential order to limit or cut off internet traffic to a particular critical infrastructure system when the operators of that system think it should not be limited or cut off."
Talkback
Would you trust your health to Redmond? There is only one way to fully secure a windows based system. Never, ever, press the on button.