The discovery of a major Windows security hole exposes PACS workstations and servers to the threat of worm invasion and hacker attack. PACS expert Paul Nagy explains what the consequences of this worm attack could be and what steps you must take to protect your system.
With this latest round of critical vulnerabilities discovered in the Microsoft Windows operating system, PACS vendors and hospitals have had to scramble to patch the holes. This hole is so threatening that the Department of Homeland Defense has released an advisory about the potential of exploiting this vulnerability.
This security hole allows foreign programs to gain full control over a computer through a bug in the way Microsoft handles buffer overrun errors in their DCOM RPC services. The potential damage this worm can do makes Nimda and Code Red pale by comparison. It can steal your data, erase your hard drive, or cripple your system. If that isn't bad enough, the worm permits hackers to use your computer as a base of operations to launch attacks against other computers in their vicinity. These attacks can consume enormous network resources and bring a network to its knees.
So what are a hospital and a PACS vendor to do? Microsoft announced this security hole only two weeks ago. The whole IT industry is now bracing for the first exploits to be unleashed in the wild. Responding quickly to these security vulnerabilities poses a conundrum for the PACS community. It is a trade-off between having a verified stable build and responding quickly to maintain security precautions.
Here is a list of the challenges and some suggestions on how to develop an effective patch management program for your PACS. First, the challenges:
- Almost all PACS workstations are affected by this vulnerability: Windows NT, Windows 2000, and Windows XP. The vulnerability extends to PACS servers: Windows NT, Windows 2000, and even the new Windows 2003.
- PACS vendors, many of whom guarantee uptime greater than 99%, have a process to validate and verify changes in their software to ensure it will work for all their customers and won't interfere with any of the software. This process can take weeks to months in many cases.
- To install the security patch that fixes this hole, the computer needs to be on one of the latest service packs. Windows 2000 is currently on service pack 4, and Windows NT is on service pack 6. Upgrading service packs usually entails a personal visit to the computer and at least half an hour to upgrade and reboot the machine.
- Most PACS networks are now integrated with hospital networks and are thus much more susceptible to infection from outside sources.
- There are many high-speed Internet (DSL or cable modem) PCs from home users. Home users are easy targets, as they don't typically exercise good security policies, if any. Coupling high-speed Internet access with easy-target PCs is like having a lot of kindling for a forest fire.
- Even with a strong policy inside the hospital, an infected computer at an employee's home with a VPN (virtual private network) account can tunnel that infection through the hospital firewall.
So what should one do? Well, for starters have a plan:
- Try to keep your computers up to date with the latest service pack. With the latest service pack installed, responding to vulnerabilities can be done fairly quickly. If you haven't upgraded the service pack of your PCs in over a year, you will have a harder time responding to these types of security threats.
- Talk with the hospital information system staff about contingency plans. What defensive mechanisms are needed? Don't think you are protected just because your PCs are behind a firewall. A single infected computer behind a hospital's firewall can infect the system.
- Talk with the vendor about a plan to safely upgrade the system. Read your vendor contract carefully. It is common for a PACS vendor to disavow responsibility for downtime in the event of an infection. Make sure they sign up for a reasonable response time and understand who is going to pay for rebuilding systems that do get infected.
- Develop a patch management program to track what assets have been updated with what service pack and when.
- To protect your systems, run the Windows Update utility, which is found in the Start menu of the Windows operating systems.
- Encourage physicians with high-speed Internet access at home to update their systems as soon as possible.
- Have PACS diagnostic workstations locked down and deny users the authority to install software. Back up the hard drive image of the workstations in case the system does get infected. This allows an administrator to rebuild a system fairly quickly.
- Make sure that both the office PCs and the PACS workstations are updated. A few infected office PCs can take down the network, which would leave the PACS users high and dry.
- Invest in patch management tools that can assess the status of your computers and help you manage them effectively.
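The tracking step above (which assets are on which service pack, and which can take the MS03-026 patch remotely versus needing an on-site service pack upgrade first) can be scripted. The following is an added example, not code from the article or from any PACS vendor; the fleet records are constructed sample data, the 30-minute visit estimate comes from the article, and Windows XP/2003 are assumed to have no service pack prerequisite because the article states none for them.

```python
"""Patch-management triage for a PACS fleet against MS03-026 (added example).

Encodes the article's prerequisite: the hotfix needs the current service pack
(Windows 2000 SP4, Windows NT SP6), and a service pack upgrade means an on-site
visit of roughly half an hour per machine.
"""
from dataclasses import dataclass

# Minimum service pack before the MS03-026 patch can be applied, as stated in
# the article. Operating systems not listed are assumed to have no prerequisite.
REQUIRED_SP = {"Windows NT": 6, "Windows 2000": 4}
SP_VISIT_MINUTES = 30  # on-site time per service pack upgrade (article's estimate)


@dataclass
class Asset:
    name: str
    os: str
    service_pack: int
    ms03_026_applied: bool


def triage(asset: Asset) -> str:
    """Classify one asset: 'patched', 'patch-now' (remote patch possible),
    or 'needs-sp' (service pack upgrade required before patching)."""
    if asset.ms03_026_applied:
        return "patched"
    if asset.service_pack >= REQUIRED_SP.get(asset.os, 0):
        return "patch-now"
    return "needs-sp"


def plan(assets):
    """Group asset names by triage state and estimate on-site time for the
    service pack upgrades that must happen before those hosts can be patched."""
    groups: dict[str, list[str]] = {}
    for asset in assets:
        groups.setdefault(triage(asset), []).append(asset.name)
    minutes = SP_VISIT_MINUTES * len(groups.get("needs-sp", []))
    return groups, minutes


SAMPLE_FLEET = [  # constructed sample inventory, not a real site
    Asset("pacs-srv-01", "Windows 2000", 4, True),
    Asset("pacs-srv-02", "Windows NT", 5, False),
    Asset("dx-ws-11", "Windows 2000", 3, False),
    Asset("dx-ws-12", "Windows XP", 0, False),
    Asset("office-pc-07", "Windows 2000", 4, False),
]

if __name__ == "__main__":
    groups, minutes = plan(SAMPLE_FLEET)
    for state, names in sorted(groups.items()):
        print(f"{state:10s} {', '.join(names)}")
    print(f"on-site time for service pack upgrades: about {minutes} min")
```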
Bryant Mascarenhas, the PACS project coordinator at Froedtert Memorial Lutheran Hospital in Milwaukee, spent the last week working on this issue.
"We were alerted to the issue by the hospital IS group one week ago. They warned that they would have to shut down any network segments showing signs of being compromised," he said. "We opened a discussion with our PACS vendor, McKesson, and ensured they understood the priority of the issue. Fortunately, our systems - 17 servers and 38 dedicated QA and diagnostic workstations - are all on the latest service packs. We validated the patch on our test system for 48 hours. The vendor was able to install the patches remotely through command line utilities so we didn't have to personally visit each machine. The only problem encountered was that the security patch did corrupt one of our NAS boxes, which then failed to boot. The PACS had to pull from tape for some priors during the time it took to restore the operating system to the NAS box."
This might seem like a lot of work, and it can be. The Aberdeen Group has calculated the cost of patch management to be $2 billion for the entire IT industry. Consider the additional damages on top of the downtime of this critical system. Cleaning systems infected with this worm typically involves completely erasing the hard drive and rebuilding the system from scratch.
Once your system has been compromised, all sorts of viruses, zombies, and Trojan horses can be installed with ease. Consider how much work that would be. The best adage for patch management should be "An ounce of prevention is worth a pound of cure."
DR. NAGY is director of the Radiology Informatics Lab at the Medical College of Wisconsin and the editor of ClubPACS, a Web-based source of PACS information. He can be reached by e-mail at PNagy@mcw.edu.