Skip to comments.When medical-device equipment gets sick
Posted on 07/19/2008 5:56:23 AM PDT by ShadowAce
You may never think of hospitals quite the same way again, but it turns out that quite a lot of patient-care medical equipment sold these days is based on Windows. And this Windows-based equipment, whether it be cancer-care, EKG or ultrasound machines, is prone to getting hit by computer worms and viruses like any other Microsoft-based machine sitting on a corporate LAN.
Hospital IT administrators want to ensure this equipment is kept up to date on security software patches in order to prevent infestation by worms that may invade hospital LANs. But as our story on this describes, patching medical devices is not always an option-in spite of what the salesmen selling it might say.
Though it's a sensitive topic for any medical-equipment manufacturer, Nick Mankovich, director of product IT security at Philips Medical Systems, spoke to us about security issues with candor and insight. We hope to hear more from others in the industry who can be so straightforward.
Medical-device manufacturers such as Philips Medical Systems typically prohibit hospital IT administrations from applying software updates on their own to medical equipment regulated by the Food and Drug Administration (FDA). Many devices aren't allowed to run anti-virus software either since this might slow down the medical application.
"Picture yourself in an emergency room doing a CRT on a trauma patient," Mankovich says. A virus scanner could slow down the CRT machine and alter its output -- something no one wants. Mankovich said if any Philips equipment gets infected by worms or viruses, Philips sends a service team out to clean it up.
Steve Wexler, chief biomedical engineer at the Dept. of Veterans Affairs Health Administration division, who is charge of quality assurance for medical equipment used at the VA hospital, agrees IT administrators should not try to alter FDA-regulated medical equipment based on commercial operating systems.
Wexler has faced the fact that some of this equipment will never be patched because patching it would disrupt sensitive medical applications. But he also knows unpatched equipment sitting on LANs is going to be vulnerable to computer worms and viruses. As a response to this situation, Wexler worked with network engineers at VA to craft a plan for securing the VA hospitals' networks.
This plan, which VA is seeking to implement, is described in a document entitled the "Dept. of Veterans Affairs Medical Device Isolation Architecture Guide" (927K PDF). The VA is making it available for public reading, knowing it may help other hospitals think of ways of their own to cope with a tough situation.
Network professionals are asking the question why the medical industry is increasingly dependent on Microsoft's operating systems and Web applications when Microsoft has had a poor track record in terms of software bugs and fixes. The short answer is cost-savings. It's cheaper than writing your own OS or applications.
Elizabeth Spangler, information assurance manager at Anteon Corp, a Dept. of Defense contractor assisting the Army with medical-device equipment in its hospitals, suggested the medical industry might want to look at alternate approaches to improve security.
One of them, she says, would be using "hardened" operating systems, such as those detailed by the National Security Agency at www.nsa.gov, and make changes to the OS such as disabling guest accounts or ensuring strong passwords. She suggests medical-device manufacturers consider disabling all unnecessary services and ports and remove default Microsoft programs such as Outlook Express.
Spangler also notes that the National Institute for Standards and Technology (NIST) has a program for medical vendors to have their systems accredited under the National Information Assurance Partnership (NIAP) test regimen.
Spangler is also in favor of the approach championed by Wexler at the VA, that hospitals that want the benefit of networked medical devices on high-speed LANs must build adequate security defenses. Problems will always exist. "Microsoft is Microsoft," she notes. "And service packs and bug fixes, like all software, is a given."
I was at the Emergency room about a year ago and we’re in the curtained off area and I’m hearing a “crisis” of some sort occurring in the next space. One nurse, then another, then a dr, finally a guy comes down from somewhere, then I hear the windows boot up sound and everyone goes “Aww, there it is, thanks”.
Scary on a few levels.
yeah—it’s all fun and games, with peopleon both sides poking fun at the others’ OS, but we tend to forget (sometimes) that when an OS fails, it can have serious consequences.
Can’t they keep these systems in isolation, away from any networks? Can’t the updates be delivered manually, directly shipped from the manufacturer?
Images could be retrieved and saved on a peripheral ring of secondary computers, couldn’t they?
Because generally people are idiots when it comes to keeping systems free from the nasties.
Also, even in "isolation" a black hat could make it into the same room and upload anything onto the machines.
Yes, yes, and yes. That's how it's done in my experience, or at least, that's how it's supposed to be done. I don't know what the VA is doing having these systems on non-private networks where worms/viruses could get to them.
Two things about computer systems (being based on firm binary logic as they are), I could never understand why they haven’t been rectified yet:
Computer OS crashes, and isolation of critical system components, away from unauthorised intrusion.
I smell conspiracy!
Oh don’t get me started on this. I will say that Steve and Elizabeth have taken things a long way and are doing a great job and are the right people to do so. They wrestle with these issues daily and have asked the same questions many have posted here. Often the issue has to do with infighting between Biomed Equipment specialists and IT personel. The Biomed side has a high degree of medical and electronics training, and understands equipment applications and uses. The IT side is predominately software and network trained with little or no medical background. It’s often like mixing oil and water.
Well, yeah, most of the time but, during football season, you have to log on to ESPN to keep track of the scores. :-)
I couldn’t get that to run on my system...
To really scare you: some radiology work has been outsourced to India because the files can be sent over wire there just as easily, and it's way cheaper to pay in rice and fishheads.
Cant they keep these systems in isolation, away from any networks?
No problemw with that, really. Why can't they move the files from the machine's computers to a secondary ring of peripheral computers over a one-way, read-only method? From the secondary, it could be made available to anyone with authorisation, to examine. Atleast that way, the critical system is kept secured.
I work at a hospital in the IT department, and this is ALL true. The primary reason Windows runs on all of these computers is because of software vendors, and 3rd party companies that use software that requires Windows. Almost all of the applications out there that are involved with the medical field run a GUI and are Windows based. Scary isn't it? Hell, we are REQUIRED to use Internet Explorer where I work because one of our patient care apps is web based and WILL NOT WORK if another browser attempts to use it.(I tried the firefox user agent switcher addon to no avail). I once asked a rep from the company why they require us to use an inherently insecure web browser and he just looked at me as if he were dumbfounded.
I have long advocated that no computer that deals with patient information should ever have access to the internet, but it falls on deaf ears. One time I found a keylogger on a registration computer that was there as a result of a spyware 'infection'. That's very scary. Our firewall would have blocked any outbound traffic from the key logger had it been the type that 'calls home', but it was disturbing to see.
There is this Chinese software called SopCast [ http://www.sopcast.com/ ] that provides television streams [illegal] from servers based in China. It's quite popular in colleges among students, and I wouldn't be surprised if this thing did more than just relay video streams.
It would be a safe bet to assume that this is popular in hospitals, too.
This brings a whole new meaning to Blue Screen of DEATH.
Geez, talk about the Blue Screen of Death! I didn't realize they were literal.
I can't believe the FDA will even permit Windows in a life critical device in the first place. In the manufacturing world where we build and use dangerous equipment that could maim or kill a person, we would never entrust the safety of even the equipment, let alone an individual, to a programmable device, except one whose hardware has been specifically designed for the purpose.
I am responsible for some of the small animal scanners at UW-Madison. We get several MS error reports weekly, but nobody’s life is on the line. What is scary is that the producers normally have the tech know-how to program in assembly, but they retard the software by putting it on operating systems. Just my small experience.