Best way to transfer software update files on healthcare instruments without a USB?
Posted by Dismal_Yogurt3499@reddit | sysadmin | 105 comments
I'm an engineer for lab instruments and my company recommends we use USBs for file transfers. Before I go to a customer lab, I always print out the paper copy of the blank report before, and I run the USB through a virus and malware scan before and after putting any of my files on it. I never need to transfer patient data or anything pertaining to the customer's use of the instrument.
Sometimes though, I need to carry out software updates which can only be done by transferring the update file to the customer computer and running it there. This is how I was trained to carry out updates and none of my customers have ever had a problem with using a USB to do so.
I've been reading into using USBs as a third party, and I'm seeing a lot of conflicting information on how to safely use these. Without using a USB, what is the most secure way I can transfer software update files for my customers?
VacatedSum@reddit
See, I would think that an organization like that would have a WSUS server to distribute updates, assuming the PCs or servers in question have LAN access.
stuckinPA@reddit
Some vendors say absolutely no updates at all. These devices are on their own highly restricted VLAN. I’ve argued the need to update and have been shot down too many times.
GeneMoody-Action1@reddit
This is why hospitals get held for ransom. It is so unnecessary. Vendors should test updates against their products, and sound an alarm on failure, as well as address the failure...
"No updates" is a fool's game. Isolation or not, airgaps get hit, and these systems could too if they are networked; one misconfig at a network level, one computer plugged into the incorrect port, things happen.
commissar0617@reddit
we're not talking windows update.
VacatedSum@reddit
Ah. Missed that.
bluecollarbiker@reddit
WSUS for updating lab instruments… the spectrometers, centrifuges, analyzers, etc. probably aren't running Windows. They might be connected to Windows machines to pull data from. The firmware on the instruments themselves seems to be what OP is updating.
NetworkingNoob81@reddit
Treat every machine and device as if it’s hostile. Someone else suggested write once media; it’s a PITA but makes the most sense
commissar0617@reddit
yeah, but then you have to use a USB CD drive. because nothing comes with them anymore.
NetworkingNoob81@reddit
Ok.
Need_no_Reddit_name@reddit
We use USB write blockers, which allow you to read but not write. They don't sell the driverless 2.0 stick any more, but you can find the USB 3.2 version from WiebeTech. This version requires Windows (not VM-based) and drivers.
If you can find it we use this one for USB firmware updates to routers and switches CRU WiebeTech USB WriteBlocker 31300-0192-0000
bedel99@reddit
DVD-ROM drives? You're not going to pick up something off a client machine that way, at least. I think there are also ways to make read-only USB drives.
vikramdinesh@reddit
Read only usb drive makes sense.
bedel99@reddit
But do they exist? I seem to remember a long time ago ones with a switch that you could make read-only, but I haven't seen anything like that for a long time, if at all.
nightwatch_admin@reddit
Kanguru from Germany: https://www.kanguru.com
vikramdinesh@reddit
You can use the diskpart command on Windows to make any USB drive read-only.
I have also posted a link to a fully encryptable drive below. Check it out. 😂
bedel99@reddit
But windows can make it readable though ?
vikramdinesh@reddit
Not without human intervention.
bedel99@reddit
I don't think that's true. But please correct me. It's a software change to the USB. The software can also change it back.
vikramdinesh@reddit
You have to manually run diskpart again to do it. It cannot change back on its own.
bedel99@reddit
You have heard of computer viruses, right? They spread around all by themselves.
vikramdinesh@reddit
Well if the PC already has a virus then it's no good anyways.
Also, in the scenario OP has mentioned, the systems don't have access to the network either. So the probability of a virus is almost zero. My recommendation is based on this scenario.
bedel99@reddit
But they do have people stick usb drives in them. Who cares if the clients computer has a virus on it. We update the software and leave.
What we don’t want to do is put one there or take one away from there.
vikramdinesh@reddit
Didn't the OP clearly state no access to USB?
bedel99@reddit
Huh ? No access to internet.
A software-locked device is not locked at all; a hardware read-only device is required, and I am not sure if they exist. Which is why I suggested a DVD-ROM.
geegol@reddit
File share? OneDrive?
ChristmassMoose@reddit
Write-once CD/DVD and a USB disc reader.
commissar0617@reddit
what if the reader is compromised?
ChristmassMoose@reddit
Buy direct from dell or hp. If their supply chain is compromised it doesn’t matter what you do at that point
Geek_Wandering@reddit
It's been over a decade, so I may be misremembering. However, c. 2013 leaks showed attacks against in transit equipment from Dell and Cisco amongst others. It would be silly to assume that attacks got less capable in the last 12+ years.
jspears357@reddit
Just embed your USB device in the cable that the DVD reader is attached to.
tech_is______@reddit
Bring your own laptop with a NIC. Plug it into the device, set static IPs and run...
If that won't work, get permission from their IT to access the network to do the updates from your laptop. It's a process: you have requirements and they need to make it happen for you.
tfsprad@reddit
Plugging a laptop into my network is even more invasive than plugging in a USB thumb 'drive'.
tech_is______@reddit
First, why... it's not like it's unheard of for vendors to have equipment to support the equipment they're there to work on.
Second, if your IT isn't accommodating, or the device is getting a DHCP address and it's not something you can change for the service, then what else are your options?
there's thinking about security and then being so paranoid that nothing is viable
but in your case, you can have a laptop and a usb stick and use whatever one you want...
but since this is health care, there could be a PAM that would block any utility that's not on an allow list used to update devices on any old workstation... which would make the vendor laptop necessary, unless IT is going to take the time to provide something.
Skyhound555@reddit
You do realize what you described is a MITM attack, right? Lmao
If you ever did this in a hospital, you would immediately be fired and may end up having to deal with authorities. "Being so paranoid, nothing is viable" is exactly how it works in a critical work environment like a hospital.
I know a dude who lost his job because he regularly transferred too much data with a single robocopy. Medtech doesn't mess around. Ignorance isn't an excuse either. They don't tend to give benefit of the doubt when it looks like what you're doing is similar to an attack.
commissar0617@reddit
so you can't update your equipment or have to send it out to be updated. gotcha.
Skyhound555@reddit
It's always funny when little redditors think snarkiness is a replacement for actually being informed on a subject.
No, nothing gets updated without strict change control and incident management involved to properly document the protocol needed to complete the update. Things like configuring a static IP would likely make it so that the equipment you are updating ceases to function altogether. Most hospitals have blanket deny rules to lock out mysterious IP addresses their team didn't assign themselves.
Especially with HIPAA and PHI involved. One should genuinely not be able to bring in their laptop and expect to have anything other than basic guest wifi access. An external technician would need to be granted access into the network somehow, and a bunch of other hoops.
commissar0617@reddit
I guess my perspective is a bit different, because I'm an internal tech.
tech_is______@reddit
I'm not sure where u/Skyhound555 is coming from. It seems like he's taking things to the extreme and projecting situations out of the blue. Not sure why.
An authorized vendor using their authorized equipment to update the equipment they support, to avoid needing access to the network, is fine, and in a large org is something that would have been figured out when the relationship with the vendor started.
If the equipment is taken offline for scheduled maintenance, changes to its configuration to facilitate that work don't create an incident or an extra change request either, as long as the original operating state is back when the maintenance is done.
In a big healthcare org with IT governance the documentation process should be followed, but not every company in health care is large or has that kind of governance... so back to the question in the post, it's a solution for best practice... which is use your own equipment so you don't have to mess with your customers managed environment to get your work done. If there's a problem with governance or what the tech did, that's all above his paygrade or responsibilities.
commissar0617@reddit
You're assuming that there's no shadow IT because of the inherent debilitating bureaucracy in large orgs.
tech_is______@reddit
that's true... but I guess we're all left with a lot of assumptions because OP didn't provide a lot of details.
tech_is______@reddit
lol, how in the world is that a man in the middle attack. YOU do realize that both the organizations have cyber security plans and policies in place. We're talking about a vendor working on equipment not some unknown hacker being given access to a network.
But there ARE different kinds of orgs, and from what the OP described you can get the sense that not all of these are traditional.
Everything I said implied working with IT, but some places are different.
Icolan@reddit
As someone who works in IT for a healthcare company, I can tell you that there is no way your USB drive is plugging into anything on my network.
Dismal_Yogurt3499@reddit (OP)
So what is the most secure way to get an update file transferred on, then? Some of my customers are completely locked down and don't allow software updates unless they request it, but I'm sure I'll come across someone who does want one when I'm on site.
Icolan@reddit
If your customers are "completely locked down" and they allow you to plug a USB drive into their systems, they are not "completely locked down".
There are a ton of ways to transfer files across the internet to your customers, from HTTPS or SFTP connections to secure email and more. Any of those would allow you to send a file to a customer and let them transfer the file to whatever device it is needed on. That way you are not exposing yourself to liability if you mistakenly transfer something malicious to them.
commissar0617@reddit
assuming the equipment is not airgapped
Icolan@reddit
OP did not say anything about air-gapped equipment, they only said "completely locked down" but they still let USB devices connect.
commissar0617@reddit
Have fun with that, when the equipment vendor sends you the software for their device on USB and nothing else.
Icolan@reddit
We don't have anything running a non-supported OS version.
commissar0617@reddit
you must not work with lab instruments
Icolan@reddit
Depends on the type of lab I guess, we have 3 labs that run tests as ordered by the doctors. All of those lab machines are either connected directly to the network or they are connected to a PC on the network.
captkrahs@reddit
It will in mine
Icolan@reddit
Ok, not sure what you want me to say?
1991cutlass@reddit
Same. I don't even know where to find an approved USB. And I'm in IT
justaguyonthebus@reddit
In the case where it is locked down, provide the links to the vendor site for the site IT to download and place on the network or device for you. If they don't allow USB, then they need to provide an alternative process.
naturalorange@reddit
Set up a secure web/SFTP server on your domain. Ask local sites to white-list your domain.
Get a write-lockable USB drive (or SD card). This at least ensures you're not spreading anything if you do plug in to something compromised.
jfoust2@reddit
You are assuming that these lab instruments are on a network.
Antique_Grapefruit_5@reddit
Healthcare IT director here. I agree with the SFTP approach. Your customers would much rather allow you access to a single IP address/port somewhere than have you potentially use the same USB device to move data between multiple customers. Bonus points for always verifying the downloaded file's hash before updating.
siedenburg2@reddit
Same here, working with healthcare data, and I would never allow "random" USB devices, way too high a risk (but I would also never let someone do something without oversight). The best way would be to go with SFTP or something like a Nextcloud share that's allowed to be opened in the network. Then you download the data from there.
Or try to get them software deployment (as they already should have) and deploy your stuff (with their IT) over that.
fresh-dork@reddit
i'll drop the presigned url link here too. it fits this scenario really well.
Antique_Grapefruit_5@reddit
I like this but would really prefer to not have to allow access to all of AWS if possible. (In my best Sean Connery voice) "One IP only" (Vasily).
awful_at_internet@reddit
Bonus points if you get to see Montana.
gandraw@reddit
Trendmicro has a USB stick that automatically scans files you copy onto it for malware. It also doesn't present itself to the OS as a writable drive, instead the drive is read-only to the OS, and you can only write to it using the write-protected application that runs from it. That's a decent way to copy files to and from wildly untrusted systems.
https://www.txone.com/products/security-inspection/portable-inspector/
BmanUltima@reddit
What other I/O does it have? Ethernet?
Dismal_Yogurt3499@reddit (OP)
Sometimes they allow internet with ethernet. I don't need to access internet for anything. It's only used for webex and TeamViewer when the customer is needing remote support, and it is possible to do file transfers that way. I would expect that to be even less secure than using a USB though.
BmanUltima@reddit
Ethernet can be monitored though, and in your situation, probably should be.
Offline, air-gapped systems are hard to keep track of.
pdp10@reddit
This is not a problem I'd proactively choose to have. By default, techs are expected to be plugging things in, if they're coming on site.
That said, the best non-USB delivery method is a plain HTTP(S) link, that you could pre-provide to customers who needed to whitelist the domain, URL, or file. Ideally, both HTTPS and unencrypted HTTP, because file integrity is not an issue since any hash or signature is verified after, and some sites only allow HTTPS when they can MitM decrypt it, which could be a big problem for devices that can't have a trust anchor added to their CA database.
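The integrity check Antique_Grapefruit_5 and pdp10 both rely on (transfer the file any way the customer allows, then verify it before updating) as an added example that is not code from this thread or from any vendor: the vendor ships a `sha256sum`-style manifest with the bundle, and the customer verifies it after transfer. File names and contents are constructed.

```python
# Added example (not code from the thread or any vendor): the vendor ships a
# SHA-256 manifest with the update bundle; the customer verifies the bundle
# after transfer, so integrity does not depend on the transport channel.
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # stream files in 1 MiB chunks; firmware images can be large
HEX = set("0123456789abcdef")


def sha256_file(path):
    """Hex SHA-256 of a file, computed without reading it into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(bundle_dir):
    """Vendor side: 'sha256sum -c' compatible lines for every file in the bundle."""
    lines = []
    for name in sorted(os.listdir(bundle_dir)):
        path = os.path.join(bundle_dir, name)
        if os.path.isfile(path):
            lines.append(f"{sha256_file(path)}  {name}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Parse manifest lines into {filename: digest}; reject anything malformed."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or set(parts[0].lower()) - HEX:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        name = parts[1].lstrip("*")  # sha256sum marks binary mode with '*'
        if os.path.basename(name) != name:  # no directory traversal via the manifest
            raise ValueError(f"manifest line {lineno} has a path component: {name!r}")
        expected[name] = parts[0].lower()
    return expected


def verify_bundle(bundle_dir, manifest_text):
    """Customer side. Returns (ok, {name: 'ok'|'modified'|'missing'|'unlisted'});
    ok is True only if every listed file matches and no unlisted file is present."""
    expected = parse_manifest(manifest_text)
    report = {}
    for name, digest in expected.items():
        path = os.path.join(bundle_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), digest):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in os.listdir(bundle_dir):
        if name not in expected and os.path.isfile(os.path.join(bundle_dir, name)):
            report[name] = "unlisted"  # something the vendor never shipped
    return all(v == "ok" for v in report.values()), report


def demo():
    """Constructed sample: a clean bundle passes, a copy altered in transit fails."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "analyzer-fw-2.3.bin"), "wb") as f:
            f.write(b"\x7fELF constructed firmware image")
        with open(os.path.join(d, "release-notes.txt"), "w") as f:
            f.write("constructed release notes\n")
        manifest = build_manifest(d)  # vendor publishes this out of band
        clean_ok, _ = verify_bundle(d, manifest)
        with open(os.path.join(d, "analyzer-fw-2.3.bin"), "ab") as f:
            f.write(b"X")  # simulate a byte changed during transfer
        with open(os.path.join(d, "autorun.inf"), "w") as f:
            f.write("[autorun]\n")  # simulate a file added during transfer
        tampered_ok, report = verify_bundle(d, manifest)
        return clean_ok, tampered_ok, report
```

The manifest itself must reach the customer by a path the attacker of the transfer channel cannot also rewrite (the vendor's HTTPS page, or the printed work order), otherwise the check only proves the bundle matches whatever arrived with it.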
BoringLime@reddit
I'm confused why can't you bring your own laptop and connect it directly to the device you are supporting and not use any hospital resources. I could be wrong but most wouldn't even question it. If you need out of band, use a hotspot device.
Every IT shop is different, so there is not going to be a universal approach. But more and more places block USB drives because of the threats they can bring.
TerrorToadx@reddit
We use CD/Dvd
Adam_Kearn@reddit
It depends how to software updates need to be applied.
If you can run this within a Windows environment then I would suggest using an SFTP share, Azure Blob Storage with pre-signed URLs for HTTPS downloading, or using Azure Files and accessing the files via a UNC path and credentials to view the share. (I would create a read-only account for this.)
If that's not possible, as the updates need to be done in a low-level environment, then I would recommend just getting a READ ONLY USB drive where the lock is done on the hardware side and not in software.
Skyhound555@reddit
Stuff like this is where CYA comes into play and why you always need to communicate.
If you are asking for permission from their IT department and they say okay, you are pretty much in the clear. At that point, their team has taken ownership and responsibility of the risk involved.
They should be doing things like scanning the drive themselves or if they don't allow USB drives, they need to provide a solution. If they don't do anything to cover themselves, you can only cover yourself.
Find a way to document your own virus and malware scans so that a future auditor will be able to confirm that you did what was necessary to secure the method of file transfer. Ideally, each of the software updates should be attached to a ticket or work order, and you should attach the results of your scans to that ticket and you would be in the clear.
vgullotta@reddit
USB is the interface...
dhardyuk@reddit
Contact the IT provider for the site you need to visit.
Provide them with URL or SFTP details so they can retrieve the files for you.
Have them provide you with a USB containing the files for air-gapped computers.
Have them put the files on a file share for you to access from networked computers.
Simples.
randomman87@reddit
USB is fine because they usually don't hook these things up to the internet, but I'd freshly wipe it before use every time.
Can the instruments not be connected to your laptop for the update?
Dismal_Yogurt3499@reddit (OP)
I always make sure ethernet is unplugged when putting the stick in, and the only files on the drive at that time are the files needed for the updates. Wouldn't connecting my laptop be even less secure, since it has so much more data on it?
tfsprad@reddit
Yes, connecting your laptop (an active, software controlled device) into their network would be much scarier. I like that you disconnect their device from their network while you do the update. That way if worse comes to worst at least only one machine is screwed, not their whole network.
randomman87@reddit
Disconnect their computer from the instrument and connect yours to run the update?
You're running a tool to push a software update to the instrument. Unless your laptop has a virus that is specially crafted for that software and instrument I don't think it matters what extra data you have on your laptop. Ask yourself, how likely is it that threat actors created a virus that they knew your laptop would get infected with and then infect this specific instrument?
You probably will have to worry in future when threat actors are throwing AI powered malware around like candy. But for now I think you're fine.
jspears357@reddit
Read-only USB, scan it three ways, offer to let the customer scan it their way, or they transfer the files themselves to something they trust.
Bogus1989@reddit
buy one of these:
You can put whatever size SSD you want in it, or they offer one with an SSD already in it. Live stats like transfer speeds. Turn "Read Only Mode" on. The smaller ones have 3 second power loss protection, and the larger ones have 10 second power loss protection.
https://www.dockcase.com/collections/usb-drive
bartonski@reddit
I remember some discussions about 15 years ago that the design of USB is inherently insecure. The microcontroller that drives USB devices can be written to, and that may be beyond the reach of virus scanners. Furthermore, USB can act in a variety of roles -- keyboards, audio input devices, storage devices (including the ability to boot). Since the keyboard is an inherently trusted device, this gives a compromised USB device as much access as the user has.
BadUSB is a thing. I suspect that it's far more prevalent than people realize.
Dry_Inspection_4583@reddit
Peer to peer over TCP/IP if proximity allows, otherwise I'd suggest rfc 2549
https://www.rfc-editor.org/rfc/rfc2549
DonL314@reddit
Like others here I am thinking DVD-R as the simple approach.
But isn't that up to the customers' IT departments? "We have this update, please make these files available on that system."
DagonNet@reddit
Thumb drives are cheap enough for single use; just throw them away after they've been in an untrusted system. More reasonably, look for one like https://www.amazon.com/EZITSOL-Protect-Physical-Endurance-Pendrive/dp/B0BFBDJXZW, that has a write-protect switch on it.
For clearer safety at customer sites, carry a USB CD-ROM and use a write-once medium for the updates.
vikramdinesh@reddit
Cloud drives for large files. Email attachments for smaller ones.
Dismal_Yogurt3499@reddit (OP)
How would I access my email on a customer computer? Internet access is blocked everywhere I go, even ethernet connections at some places.
commissar0617@reddit
If they're airgapped or VLANed off... you have no choice. USB is the only way forward.
fresh-dork@reddit
don't know, don't care.
Use a presigned link for S3, send that to the customer and have them open it. Now you have the file to do stuff with.
awful_at_internet@reddit
That's a weird way to reply to someone establishing solution constraints. Why bother replying at all?
mcmatt93117@reddit
Worked at a large hospital, now work for a FQHC. (county health clinic).
Full block on all USB mass storage. Full stop, no exceptions for anyone.
We have probably 20 Kingston IronKey self encrypting drives that are whitelisted by their SN and are handed out by IT when people need them. They have to fill out paperwork with what it'll be used for and all writes to it are tracked/audited.
If the device you're servicing isn't connected to our network directly in any way whatsoever? Most likely no issue; heck, we'd assume you'd bring your own upgrades with you anyway. If the device is attached to the network? Nope - send us the file, we'll put it on a USB and give it to you when you're on site. Plugging it directly into one of our machines, not just the device you're there servicing? That's doubly not happening.
As others have said, SFTP would be most likely. Give us the public IP you'll connect from, we'll whitelist it and you can send what you need over.
Desktop guys will shoot over a serial number for a non-IronKey self encrypting drive, we'll whitelist that and have them copy the files onto it (since I'm guessing a self encrypting drive isn't going to show up on whatever medical device it is - lol).
They put the files on, we remove the whitelist, hand you the drive when you're on-site.
Much rejoice!
commissar0617@reddit
I do this sort of stuff where i work in medtech.
We use USB. The vendors use USB. It exists for a reason.
-Swip3r-@reddit
For only updating via USB, work with the company. Let their IT Security scan the drive beforehand if they have a policy that blocks USBs. Some places have a USB scanner that they then allow you to plug in.
We had a vendor show up and plug in a USB for a firmware update with a surgical robot. It had a nice worm on it. A/V alerts went off. The device was unplugged and had to be wiped before it was allowed back on the network. The time lost for surgeries for that... don't know. But it's important.
Dismal_Yogurt3499@reddit (OP)
Oh wow that's exactly the type of situation I want to avoid. So as long as they give me permission then it's OK to use? And should I be asking to run the USB through one of their scanners first?
-Swip3r-@reddit
Yup - I don't know how it works there. You work with one department, they work with IT Security.
Sometimes we would work with our desktop team, have A/V installed and updated, then it connected to a GUEST network, no VPN, no way to get back in case they use cloud stuff, but it's off the network if it IS infected. Then once they give you the OK, you can have them send you something just to CYA. We do it all the time. It's crazy all the USBs that are out there that still have the OLD stuff still kicking around.
jeremiahfelt@reddit
The title of this post might as well be "We make lab equipment for a healthcare setting and are shockingly out of touch with the state of Healthcare IT and IT in general."
Zerowig@reddit
Healthcare here. Organized vendors plan this ahead of time. They give a download link to us (IT) and have us move the install to the PC in whatever way we want before the date the vendor is scheduled to be onsite.
TheBigBeardedGeek@reddit
What you really should first do is talk with the site's IT lead and see his preferences. The rest is technology related, but you need to figure out what they want
First as others have said, the ideal situation is to whitelist an SFTP server you run and manage, pulling the updates from there.
This is actually way better for everyone, yourself included, than USB. This is because you can have a generic account with read-only access that you use from the customer site to download, but a read-write account for you to upload with.
Next is basically that but portable. Get a cheap router that has a built in USB port, and use that as basically a portable NAS. You plug an Ethernet cable from their device to the router, and then copy its updates from the USB drive there. Still way safer than booting USB.
Next as others have said, get an old optical USB drive and burn the data to CD-R. Not ideal, but still better security wise than a flash drive.
Finally of course is the drive itself.
There are also a host of other options, depending on infrastructure that you can stand up on site/in network. But you really won't know what those are without talking to your site lead
Crafty_Dog_4226@reddit
CMMC/ITAR mfg IT here. We block USB except for our Apricorn hardware encrypted drives (DLP compliance for handling CUI). The techs bring their drives to me, I have a Linux machine off the primary network and will transfer the firmware, etc. to one of our encrypted drives. This usually works in most circumstances. There are very few exceptions, but we understand and get hands-on with our techs to maintain our compliance. Some of our controls are older than USB, so it might be floppy or RS232. The old stuff can really cause headaches.
Yellowbird00@reddit
Network file shared drive or SharePoint would be my thought or like box or some other online storage.
No_Cut4338@reddit
I do this for work for medtech. Lots of hoops. Certificates of conformance and redundancies, but basically it involves buying COTS USB from known/vetted distributors; then production involves three separate steps: erasing drives, formatting drives and then finally programming drives. All steps done offline on airgapped dedicated equipment.
Finally each drive is sealed with tamper proof packaging and shipped via courier to the customer.
From there the customer is responsible for the chain of custody - basically they overnight them to field techs who handle the onsite installation.
It's old school but it works, and my customer has found it to be a simpler workaround than opening up their devices and their customers' network to the wide internet, for both security and redundancy.
kaiserh808@reddit
The main risk with USBs is if you grab some random, unknown USB that you have no idea where it came from, and plug it into your computer.
If you're using a known-good USB to transfer software updates, and you always reuse that same USB, then the risk is minimised.
economist91@reddit
External DVD reader and burn files to a dvd-r. Impossible to write files back to it, and no need to sanitize over again. Once a disk is trusted, it's always trusted.
stuckinPA@reddit
I’m Biomed IT in a hospital. When vendors come in with a USB I scan it on a special media scanning PC. Only then do we allow the drive to be inserted.
All lab equipment is on its own VLAN. Some VLANs allow vendor access from the outside world. Others don't. It's up to the vendor. And if they pass our security assessment.
Occasionally, a vendor will provide access to their secure FTP site. I can download what’s necessary to the media scanner computer. Then I scan it. And copy it to my jump server. The jump server has access to my medical device VLANs. So I can copy the file from the jump server to the medical devices.
vikramdinesh@reddit
https://amzn.in/d/07gt66cg
Ultimate security.
iceph03nix@reddit
Most places I know that have USB blocking have a standard method for exceptions and policies on how to handle it.
GratefulGolfer@reddit
I'm assuming you're talking about a flash drive. USB is a connection interface. Flash drives aren't inherently unsafe. A brand new flash drive from a reputable brand with only files that you're familiar with poses no risk, unless the files themselves are malicious.
RandyGfunk@reddit
I suggest you hire a computer admin or consult with one.