
You can unplug the ethernet cable, however. Or at least firewall it.


This is what we did 10 years ago when I worked in a hospital.

We knew these devices were insecure by default. Some even shipped with a network-enabled MS SQL Server with a blank sa-password. Quite literally a free root-kit.

Scientists and doctors working on these machines were forced to use portable storage (floppies, ZIP-drives or CD-RWs).

It was cumbersome, but no network was a strict policy, and it was there for a reason.


That's refreshing to hear that whoever had the authority in that situation also had a brain.

I wonder how tricky it would have been to set up a MAC- and plug-location-based VLAN to isolate those devices onto, with a very very carefully locked down machine sitting between the devices and the rest of the network. Deep packet inspecting firewall, copious logging, antivirus turned up to 11, the works.

I ask because I'm curious how well a theoretical setup like the above would have worked out for the described scenario - I'm sure there are similar environments where it may be impossible to get having no network approved by management.



