IT systems at Melbourne Health, which runs the Royal Melbourne Hospital, have been infected with a computer virus that has forced the hospital to shut down many of its systems.
Information security in organisations such as hospitals can be extremely difficult, and I feel for the IT professionals currently working to resolve this problem. Whilst many organisations lag behind in updating their software, such as operating systems (OS), hospitals (and manufacturers, and utilities) often can’t update all of their systems: many of the devices used in hospitals require some kind of computer to operate them, and the vendors who produce those devices can be very slow to update their software to work with modern OSes.
This creates a security minefield.
The article linked at the top of this post notes that the infection may have started with Windows XP computers. Windows XP is no longer supported by Microsoft and is terribly insecure when compared to modern OSes. It will be interesting to watch this story unfold and discover more about the circumstances of this event. I would like to know:
- Was Windows XP only on those computers that required it for support of medical devices? Or had they been extremely lax in updating systems across the entire organisation?
- What measures (if any) were taken to (better) secure the Windows XP machines?
- Were they isolated on the network?
- Were they restricted to just their required purpose (operating medical devices)? Or were staff checking email and browsing the web on these machines?
- Were intrusion detection and prevention systems in place?
- Virus and malware scanning?
- What security protocols and training were in place to help staff avoid security blunders?
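The first four questions above amount to an audit of compensating controls for machines that cannot be patched: is the unsupported OS confined to hosts that genuinely need it, is it segmented, does it have internet access, and is it used for anything beyond its device role? The script below is an added example of that audit, not code from the original post or from Melbourne Health. The inventory, the segment name `medical-devices` and the role names are constructed for illustration; the end-of-support dates are Microsoft's published dates for those products.

```python
"""Audit an asset inventory for unsupported operating systems that lack
compensating controls (network isolation, no internet egress, single purpose).
Added example with a constructed inventory; not an actual hospital's data."""
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates (Windows XP: 8 April 2014; Windows 7: 14 January 2020).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Hypothetical names for the isolated segment and the only role a legacy host may hold.
ISOLATED_VLANS = {"medical-devices"}
ALLOWED_LEGACY_ROLES = {"device-control"}


@dataclass
class Asset:
    hostname: str
    os: str
    vlan: str               # network segment the host sits on
    internet_egress: bool   # can the host reach the internet directly?
    roles: tuple            # what the machine is actually used for


def is_unsupported(asset, today):
    """True when the asset's OS has passed its vendor end-of-support date."""
    eos = END_OF_SUPPORT.get(asset.os)
    return eos is not None and today > eos


def audit(assets, today=None):
    """Return (hostname, [problems]) for every unsupported host that is missing
    one or more compensating controls. Hosts with all controls in place are omitted."""
    today = today or date.today()
    findings = []
    for a in assets:
        if not is_unsupported(a, today):
            continue
        problems = []
        if a.vlan not in ISOLATED_VLANS:
            problems.append("not on an isolated segment")
        if a.internet_egress:
            problems.append("has direct internet access")
        extra_roles = set(a.roles) - ALLOWED_LEGACY_ROLES
        if extra_roles:
            problems.append("used for " + ", ".join(sorted(extra_roles)))
        if problems:
            findings.append((a.hostname, problems))
    return findings


# Constructed inventory: one well-contained XP device console, one XP ward PC
# doing general office work on the staff LAN, and one supported workstation.
INVENTORY = [
    Asset("mri-console-01", "Windows XP", "medical-devices", False, ("device-control",)),
    Asset("ward3-pc-07", "Windows XP", "staff-lan", True, ("email", "web", "device-control")),
    Asset("reception-02", "Windows 10", "staff-lan", True, ("email", "web")),
]

if __name__ == "__main__":
    for host, problems in audit(INVENTORY, date(2016, 1, 20)):
        print(f"{host}: {'; '.join(problems)}")
```

Run against the constructed inventory, only `ward3-pc-07` is reported: it runs an unsupported OS on the general staff segment, with internet access, and is used for email and web browsing alongside its device role. The MRI console is equally unpatched but is omitted because its compensating controls are in place, which is the distinction the questions above are trying to draw.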
Primarily, I hope no patients suffer worse outcomes as a result of this issue. But further, I hope — this being a public hospital — we will see a proper review completed and a report released that will let us learn from this incident.