IT SECURITY

How to Handle Viruses and Worms Effectively

Medical systems and networks are not immune to attacks from cyberspace. And unfortunately, conventional virus scanners are not an effective

By Dr. Wolfgang Leetz, Siemens Medical Solutions

It is not just the trade press that reports computer virus attacks. The mass media cover the topic as well. Virus attacks even make their way on to the evening news. With worrying regularity, viewers are warned of the consequences of ‘I love you’ or ‘Sasser’ viruses and worms that invade computers and crash servers.

But surely, enough has been said already about this subject. Doesn’t every PC user know the precautions and defenses by heart? Don’t we get updates for virus scanners shortly after we are faced with new threats from cyberspace? And don’t the operating systems’ manufacturers send us repair programs (so-called hotfixes or patches) that close currently exploited vulnerabilities against potential abuse in future?

Virus Scanners for Medical Systems

All that is surely true for PC users at home and in the office. However, the medical environment is far more complex. For instance, what happens when a scanner cleans supposedly virus-infected medical image data but instead falsifies relevant medical information at the same time? Who is liable when a ‘hotfix’, one not yet approved by the system manufacturer, adversely affects patient treatment? Do users have any technical possibilities whatsoever to install patches? And what about the regulatory approval of the system then? Systems and software usually are subject to an official release procedure in a precisely defined hardware and software environment. A system’s safety and efficacy can be significantly impacted if the user implements repair programs that have not yet been officially released and approved by the manufacturer. Additionally, the user may become liable for the consequences of such a change. In the European Union, the CE marking would become invalid.

» … Software updates must not, under any circumstances, endanger the security of patients. «
Gerd Schmidt, Vice President Quality and Technology, Siemens Medical Solutions

At the same time, the distribution paths of viruses are changing: previously they spread via diskettes; today they spread over data lines. And of course, modern medical systems are networked. Indeed, extensive networked service solutions are part of the current trend towards expanding the capabilities of the classic imaging modalities. Customers expect smooth, confidential data transfers – and rightfully so.

The Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC) is shedding light on this jungle. SPC is a working group that includes a range of manufacturers in Europe, the United States and Japan (

Repulsing Virus Attacks

SPC recommends a number of protective measures to manufacturers and users adapted to the healthcare environment. These were derived from an analysis of possible vulnerabilities – ones that may occur with other computers as well.

Of course, manufacturers of medical equipment already do their part to ensure safe operation of the IT landscape within networked healthcare institutions. For example, only the manufacturer is able to ensure the integrity of the software delivered or to provide for a safe architecture through suitable development tools and methods. In addition, application software should enable only the ports and services that are actually needed for data transfer via the net. “That is certainly our dictum for syngo software development,” says Frank Rabe, Vice President Engineering of Siemens Medicals’ Software Components and Workstations Development. Even the architecture of this uniform, comprehensive software from Siemens is designed to prevent possible vulnerabilities.

Still, at the end of the day, it is system operators who are the most obliged to act carefully: who else can unmistakably impress users with the need for safety awareness? Additional SPC recommendations to system operators include the following: reducing network connections to the bare minimum, installing both firewalls and routers, or isolating medical IT systems into so-called demilitarized zones.

User Responsibilities

Responsibility for IT safety rests mainly with the operator of the system. Fortunately, she or he is able to select from a multitude of technical and organizational defenses:

 1. Technical safety measures
    • Tools for detecting denial-of-service attacks on an operating system or a router level
    • Authentication of external systems, prior to establishing a system-to-system connection
    • Firewalls to block unauthorized, external access
    • Virus scanners in the network instead of in the medical product
    • Establishing audit trails and analyzing them to detect suspicious user behavior
    • Intrusion Detection Systems to detect malicious attempts of infiltration
    • Demilitarized zones to isolate networks from one another, but allowing access to the localized components from both networks
    • Avoidance of IT monoculture to reduce the number of systems that could be simultaneously attacked by a single virus

 2. Organizational safety measures
    • Rules, processes, and education of users
    • Planning of emergency processes
    • Limiting physical access
    • Checking of connections to other systems and reducing them as far as possible
    • Establishing safe access for remote services
    • Maintaining close contact with manufacturer

 3. Different safety measures at different locations within the IT infrastructure (defense in depth)

Most Networks Are Safe

In other words, we have both the technical and the organizational means to defend ourselves against viruses. Working together as a basket of individualized applications, they secure the networks in the healthcare sector. As Roman Haase, responsible for the quality of PACS systems at Siemens Medical Solutions, points out: “…the operator is obliged to review and to update his safety measures regularly,” particularly when it comes to networked systems.

When this is the case, possible reminders to the system administrator (e.g. to implement the newest patches or hotfixes) become less urgent. Although at times it is tempting to rush to the Internet to download a supposed solution, especially after
hearing frightening virus news, operators should wait for a solution approved by the
A similar policy applies to virus scanners: false alarms or system crashes caused by updates must be prevented and eliminated through reliable testing.

» The operator is obliged to review and to update his safety measures regularly. «
Roman Haase, Director Interoperability and Quality, Siemens Medical Solutions

Operators definitely have the time to do this, because as Rüdiger Ebert from Siemens Customer Service puts it: “The vast majority of our customers have secured their own networks against attacks to a point that most medical products were unaffected by the ‘MS blaster’ virus.”

Siemens Medical Solutions is currently developing a Virus Protection Service which is targeted to be released by autumn this year. It will include the required product-specific configuration of the virus scanner, quick technical support in case of infection, and continuous on-line provision of updates that are tested and validated to reliably avoid false alarms.

It Takes Cooperation

Although security requirements for medical systems and networks are much higher than for conventional computer systems and networks, the logic driving the battle against viruses is the same. It is universally true that the improvement of security is a process requiring continuous improvement and close cooperation between manufacturers and operators.

Support from the Manufacturer

Manufacturers may choose from the following measures to support their customers:

 1. Ensure system integrity
    • Using hardware (software in ROMs or key switches)
    • Computing and comparing check sums of system files
    • Using digital signatures for extended testing of file integrity
    • Generation of system profiles for verifying complete directory structures
    • Virus scan prior to product delivery

 2. Ensure reliable system design
    • Use of suitable development tools that help avoid weaknesses in programs
    • Use programming languages that offer protection against specific attacks
    • Use operating systems/hardware with safety features
    • Disable network services as far as possible
    • Have IT security checked regularly, e.g. via software audits and reviews through third parties

 3. Offer a virus scanner, if configuration restrictions do not unduly limit its effect

 4. Offer safety-relevant updates and technical support

 5. Take into account regulatory requirements and technical characteristics and limits

Full text of the SPC is at
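
The checksum and system-profile measures listed under "Support from the Manufacturer" can be sketched as follows: a profile of the released directory tree is recorded, and a later profile is compared against it to reveal files changed by an unapproved hotfix or an infection. This is an added example, not code from the article, Siemens or the SPC; the function names and the sample file tree are constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_profile(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    profile = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            profile[rel] = digest.hexdigest()
    return profile


def compare_profiles(released, current):
    """Report every deviation from the released (approved) profile."""
    return {
        "modified": sorted(p for p in released
                           if p in current and current[p] != released[p]),
        "missing": sorted(p for p in released if p not in current),
        "unexpected": sorted(p for p in current if p not in released),
    }


def demo():
    """Constructed sample tree standing in for an installed system."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        for rel, data in [("bin/viewer.exe", b"release 1.0"),
                          ("bin/dicom.dll", b"release 1.0"),
                          ("config.ini", b"port=104\n")]:
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        released = build_profile(root)  # profile taken at product release

        # Simulated unapproved change: one file patched, one added, one removed.
        with open(os.path.join(root, "bin", "dicom.dll"), "wb") as fh:
            fh.write(b"hotfix")
        with open(os.path.join(root, "bin", "extra.dll"), "wb") as fh:
            fh.write(b"new")
        os.remove(os.path.join(root, "config.ini"))
        return compare_profiles(released, build_profile(root))


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the stored release profile, so that profile has to be kept where the monitored system cannot alter it, or be digitally signed as the list above suggests.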

