Hospitals shut down computer systems due to Mytob worm
The Register has an article about three London hospitals shutting down their computer systems due to a worm. However, except for transportation, all functions of the hospitals seem to be continuing despite the lack of computer systems.
I took away three things from this article: computer systems are not essential for health care, someone wasn’t patching or following security policies, and the worm provides a back door for attackers. The doctors and the hospitals are still providing medical care to patients. The computer systems certainly help them do this job more efficiently, but they’re not required. I think this points out the importance of security vs. convenience. The doctors just want to help their patients, and if they have to do that without computer systems, so be it. Most of the computerized equipment they really need should not be (and usually isn’t) connected to a network. If the computer systems become difficult to use because of security, the doctors will simply not use them.
The second thing I noticed, which wasn’t mentioned directly in this story, was that the worm had to get onto those systems in the first place. That was either over the network or brought in by a user. Either way, it tells me that patches weren’t applied and on-access anti-virus scanning was not running. Someone wasn’t following policy.
The final piece of information that was glossed over in the Register’s article is that the worm opens back doors on systems and contains spyware. Now, I’m sure the writers of the worm didn’t think it would end up on a healthcare system, so they’re probably not looking for Personally Identifiable Information (PII), but that information is still there, and it is likely accessed by the users of those systems. If a keylogger were installed, all of that is now “public” to the botnet’s users. I think the hospitals will have a larger job cleaning up after this and determining what the worm did with that information than they now have in getting the systems back up and running.
Recovering from an “attack” is not as simple as restoring last known good configurations. You have to duplicate the drives, re-install the systems, then restore data (and hope you have good recent backups). If you want any chance of prosecuting the individual(s) responsible, duplicating the drives for forensic analysis is one of the most important steps. And until that’s done, these hospitals will be without computer systems.
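As an added illustration of the drive-duplication step described above (example shell code, not from the original post), the script below copies a source bit-for-bit with dd and then checks the copy against a SHA-256 hash of the original, writing both hashes beside the image. It assumes GNU coreutils (dd, sha256sum) and, for the demo, a plain file standing in for a block device such as a suspect hospital workstation's disk.

```shell
#!/bin/sh
# Added example (not from the original post): forensic duplication with
# integrity verification. Assumes GNU coreutils; SRC may be a block device
# (image from clean boot media, never from the infected OS) or a plain file.

# verify_image SRC DST: hash both, record the hashes next to the image,
# print VERIFIED or MISMATCH, and return 0 only when the hashes agree.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$2" | cut -d' ' -f1)
    # The hash file is the record that the image matches the original drive.
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$dst_hash" "$2" > "$2.sha256"
    if [ "$src_hash" = "$dst_hash" ]; then
        echo "VERIFIED"
        return 0
    fi
    echo "MISMATCH"
    return 1
}

# image_and_verify SRC DST: bit-for-bit copy of SRC to DST, then verify.
# The source is only ever read; the reinstall happens on the original
# hardware only after the verified image exists.
image_and_verify() {
    dd if="$1" of="$2" bs=65536 2>/dev/null || return 1
    verify_image "$1" "$2"
}
```

The hash file alongside the image is what lets an analyst later show the copy was unaltered; re-run verify_image on the stored image before any examination.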

2008 Summer Olympics, you should think carefully about the security and safety of your personal belongings, as well as your information. Travelers should be aware that as in any large metropolitan area, any computing devices (such as smart phones, PDAs, and laptops) are at a high risk of theft. Additionally, the United States State Department has