Monday, May 9, 2016

Why everyone hates security, vol MCDXXIII

Critical medical devices crashes during heart surgery because the antivirus scanner started up:
A critical medical equipment crashed during a heart procedure due to a timely scan triggered by the antivirus software installed on the PC to which the said device was sending data for logging and monitoring. 
The device in question is Merge Hemo, a complex medical equipment used to supervise heart catheterization procedures, during which doctors insert a catheter inside veins and arteries in order to diagnose various types of heart diseases.
Whoops.

The number of things to be filed under "Bad Idea" in this situation are legion: why the logging computer ran an OS that requires an antivirus scanner (why not run Linux?), why the scanner was configured to block (as opposed to report) identified issues, why the security team was allowed to force a "fail closed"* architecture on potentially life-or-death equipment, why the Operating Room devices are connected to the Internet (if they are isolated, why would you need antivirus?).

Probably a lot more.  Stalin would have had them all shot.

* "Fail closed" is a security model where if an operation cannot be completed (say, an even cannot be logged because the log partition is full), the system shuts down.  This is opposed to "Fail open", where the system continues operating normally.  Very high security designs will require fail closed, but mission critical systems should always be fail open.

4 comments:

Old NFO said...

It's the old favorite battle, IT versus everybody else. And IT always gets their choices on back ups logging and everything else because nobody else knows enough about the system to tell them not to do it.

Jake (formerly Riposte3) said...

a) IT apparently failed to read the directions when they set up the device.

b) What the heck do they think the doctor is doing with that computer that it needs to run a virus scan every hour?

c) Who is the genius that designed a critical medical system in a way that it crashes when it loses access to a secondary device?

There is Fail all over the place, here.

Differ said...

Systems safety group not consulted.

Goober said...

Considering that the procedure in question was functionally identical to the one I endured last year, I am horrified by this.

I'll never forget when they put that mask on my face to knock me out, and realizing there was a good chance that I was experiencing my last conscious moments...

Never to meet my unborn daughter. Never see my 4 year old grow up. Never hold my wife again.

These fucking monsters need to be punished, good and hard.