Forwarded from: PaulBlair@private

> "Security of the systems is the primary focus of the letter," says
> Holt Anderson, executive director of NCHICA. Without the operating
> systems properly maintained in terms of patching, "there is no way
> to secure devices that are connected to a LAN or wireless facility,"
> he says.

This is not true. There are more than a few ways to mitigate Windows security issues in this type of situation. IPSEC can be used to regulate traffic between devices, and prevent the spread of the common RPC-based worms, and VLANs can keep sensitive devices confined to their own.

> Some manufacturers, including Philips, contend that hospitals must
> do a better job of applying security defenses to protect medical
> devices by buying intrusion-prevention systems (IPS) and internal
> firewalls.

I agree, but the manufacturers need to do their part by certifying patches in a more expedient manner.

> There have been several instances in which viruses originated from
> medical instruments straight from the vendors, says Bill Bailey,
> enterprise architect at ProHealth Care, a Milwaukee healthcare
> provider. Medical equipment arrived with computer viruses on it or
> service technicians introduced the viruses while maintaining the
> equipment, he says.

Based on my own personal experience with 'third party devices', this is not surprising to me at all. In my case, the device was a Windows server which handled our voice mail. Twice it was infected with a SQL-based worm and once with Blaster. None of the other machines on our network were infected, due to some of the mitigating factors I mentioned above, but they very well could have been. In the case of the SQL-based worm, the infected server saturated our internal network to the point of it being useless.

After these incidents, we put pressure on the vendor to certify patches more quickly. If we feel that there is a threat, we now apply patches to these servers, regardless of their 'certification'. Hospitals should not be faulted for doing the same when critical patches are released.

Paul Blair
Information Technology Services
West Hills College
spam1@private

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Fri Aug 13 2004 - 10:52:05 PDT