Conficker computer virus snakes its way into medical devices

The widespread Conficker computer worm has crawled into hundreds of medical devices, including MRI systems, at dozens of hospitals in the United States and other countries.

The San Jose Mercury News reported that the worm has not resulted in causing harm to patients, but poses a potential threat to hospital operations.

"A few weeks ago, we discovered medical devices, MRI machines, infected with Conficker," Marcus Sachs, director of the Internet Storm Center, told Mercury News. The Internet Storm Center is an early warning system for internet threats that is operated by the SANS Institute in Bethesda, Md.

Around March 24, researchers monitoring the worm noticed that an imaging machine used to review high-resolution images was reaching out over the internet to get instructions - presumably from the programmers who created Conficker.

The researchers discovered that more than 300 similar devices at hospitals around the world had been compromised. Because the machines were running an unpatched version of Microsoft's operating system used in embedded devices, they were vulnerable. Normally, the solution would be to install a patch, which Microsoft released in October 2008. However, the device manufacturer said rules from the FDA required that a 90-day notice be given before the machines could be patched, the Mercury News reported.

"For 90 days, these infected machines could easily be used in an attack, including for example, the leaking of patient information," said Rodney Joffe, a senior vice president at Neustar, a communications company that belongs to an industry working group created to deal with the worm. "They also could be used in an attack that affects other devices on the same networks."

Conficker spreads by copying itself onto machines running Microsoft's Windows operating system that lack the security patch. Conficker installs itself and periodically reaches out for directions from its maker that cause it to rewrite its code, increasing its capabilities for malicious action and decreasing its chance of detection.

"Hopefully the malware writers didn't have a lot of insight into how these medical devices work," Patrik Runald, chief security adviser for F-Secure, a Finnish computer-security company, told Mercury News. Runald said the worm had also been found at a hospital in Sweden and several hospitals in England earlier this year.

Joffe, who testified before Congress on May 1, asked lawmakers to remove the barriers to coordination between federal agencies so cyber threats, like Conficker, can be addressed.