Who would have suspected that a legitimate visit to a trusted website could be so dangerous? Earlier this month it was discovered, by sheer accident, that two websites hosted by CareFusion had been delivering infections to visitors' computers for months. At risk are customers, including hospitals and other medical offices, who rely on the sites to purchase healthcare equipment, such as infusion pumps and ventilation and respiratory products, and software updates for them.
Visitors Were Redirected to Malicious Site
The evidence suggests that a massive SQL injection attack caused the websites to secretly redirect visitors to a malicious site that then infected their computers. For more than two months, site visitors were exposed to malware and web-based attacks when they attempted to download updates for medical devices purchased from CareFusion.
Old Software Versions and Lax Patching
Analysis of the breach indicated not only that CareFusion was lax in updating the software used to host one of its sites, but also that other sites were using 6-year-old versions of ASP.NET and Microsoft Internet Information Services version 6.0, which was released way back with Windows Server 2003. Both platforms are known to have critical vulnerabilities and are highly susceptible to compromise if not patched and properly managed.
Given the nature of the infection and how widespread it may be across the healthcare spectrum, CareFusion is receiving investigative assistance from the Department of Homeland Security's Industrial Control System (ICS) Computer Emergency Response Team (CERT).
What You Can Do
At this point, it might be difficult to demonstrate that a given medical facility or provider actually received a malware infection from CareFusion. However, anyone who visited a CareFusion website between mid-March and mid-May 2012 should have their network and data security program professionally assessed for vulnerabilities and security issues as soon as possible.
It would also be wise to deploy an inline cybersecurity solution that incorporates network intrusion prevention and data loss prevention, with a proven record in effectively protecting networks from breaches that originate inside and out. CloudJacket is such a solution, and complimentary 30-day evaluations are available to qualified healthcare organizations.