
There is something ironic about three hospitals in
London being severely hit by a virus which has nothing to do with
the human immune system.
And yet the Mytob virus, which has brought down networks and
systems at
Barts and The
London NHS Trust, has everything to do with patients.
The virus, with the official name of
W32/mytob.gen@mm, plants a Trojan horse which could put
confidential personal data at risk, said
Graham Cluley, a senior technology consultant at IT security
supplier Sophos.
Hackers could exploit the virus to gain control over infected
networks and computers, and potentially access confidential
information on patients without the knowledge of the trust's
security and IT specialists.
The
virus was first detected at Barts and The London on Monday 17
November in what Barts described as a "major incident". By Thursday
some parts of the network were still down. Ambulances were diverted
to neighbouring hospitals and doctors reverted to using paper
records and making requests for x-rays on paper. The incident has
caused backlogs of work and delays in care and treatment.
And once the systems have been disinfected, staff will need to
key in information from paper to update the electronic records. The
hospital declined to comment on the backlogs of work, the effects
of the virus on patients or on the running of the hospitals. And it
is unknown how much it will cost to cleanse IT equipment.
"There are two real pains here," said Cluley. "One is that
doctors and nurses will not be able to access electronic patient
records which could interrupt treatment. Also hackers could
potentially be able to access confidential records. When the
hospital took down networks that was a very sensible thing to do -
hackers would not be able to access records." This could explain
why the networks were down for days.
Barts said it is disinfecting desktop systems one by one.
"If they have just one computer still infected, even if they
have cleaned up 99% of the other computers, that one computer could
re-infect the rest of the network. It is like a biological virus.
One individual with a virus could give it to everyone else," said
Cluley.
Barts is an "early adopter" of LC0, a London-specific version of
Cerner Millennium Care Records Service which has been installed by
BT as part of the NHS's £12.7bn National Programme for IT. Barts'
networks and systems have to be of a high standard to connect to
the Care Records Service.
Experts say the three most likely causes of the attack are that
anti-virus software was not installed on one or more devices on the
network, anti-virus software failed to detect all of the hundreds
of versions of Mytob, or not all systems were running the latest
version of anti-virus software. It was perhaps unfortunate for IT
security staff at Barts that anti-virus software suppliers have
categorised Mytob as "low-risk" for corporate users.
For hospital IT staff the threat of viral attack - and the
possible loss of confidential patient data - is increasing, in part
because of centralisation and regionalisation of IT. The National
Programme for IT is intended to replace fragmented networks and
systems with central databases and large, complex networks. Yet
fragmented systems, if infected, have caused only isolated or
localised disruption.
Labyrinthine networks that allow patient data to be widely
shared could make the difference between life and death. But
viruses are such powerful opponents to central databases, and large
complex networks, that they may never be wholly beaten or
overcome.
What is Mytob?
Anti-virus software suppliers McAfee and Symantec describe the
risk of infection by Mytob as "low". Symantec describes it as a
"mass-mailing worm that uses its own SMTP engine to send an email to
addresses that it gathers from the Windows Address Book on the
compromised computer". The worm also has the ability to "open a
back door and spread through the network by exploiting
vulnerabilities".
It may send repeated network messages to trace other computers
to infect, which will generate masses of irrelevant network
traffic, bringing systems to their knees. A Barts spokesman has
conceded that its networks have been overloaded with viral
messages. The virus may also send information to hackers about the
configuration of each infected computer and what data is
accessible.
The presence of the virus poses a risk that hackers could
control the network and devices on it, and possibly access
confidential patient information.
Computer Weekly asked McAfee why it (and other suppliers) had
categorised Mytob as low risk when it had caused a major incident
at three London hospitals. A McAfee spokeswoman said, "McAfee
classes threats based on the speed of attack, the damage caused and
its prevalence. A rating as 'low' is not to say that a threat is
not damaging but ratings are comparative and based on all
criteria.
"When rating the generic variation of this particular threat,
the fact that it does not damage the hard drive or delete files, as
some other threats have been seen to do, is taken into account.
With updated anti-virus protection in place, organisations should
not find themselves impacted."
Whitelisting - a solution for viruses?
Is it possible for IT security staff to block all viruses when
anti-virus software suppliers are faced with understanding and
tackling 20,000 new pieces of malicious code every day, one piece
every four seconds?
Some suggest whitelisting - allowing on the network only approved
applications and devices. But even then approved systems could be
hit by viruses. Experts say that organisations need to block from
the network any devices that are not running the latest version of
anti-virus software, and that software must defend against all
known threats.