Free Republic
General/Chat


When medical-device equipment gets sick
NetworkWorld ^ | 19 July 2008 | Ellen Messmer

Posted on 07/19/2008 5:56:23 AM PDT by ShadowAce

You may never think of hospitals quite the same way again, but it turns out that quite a lot of patient-care medical equipment sold these days is based on Windows. And this Windows-based equipment, whether it be cancer-care, EKG or ultrasound machines, is prone to getting hit by computer worms and viruses like any other Microsoft-based machine sitting on a corporate LAN.

Hospital IT administrators want to ensure this equipment is kept up to date on security software patches in order to prevent infestation by worms that may invade hospital LANs. But as our story on this describes, patching medical devices is not always an option, in spite of what the salesmen selling it might say.

Though it's a sensitive topic for any medical-equipment manufacturer, Nick Mankovich, director of product IT security at Philips Medical Systems, spoke to us about security issues with candor and insight. We hope to hear more from others in the industry who can be so straightforward.

Medical-device manufacturers such as Philips Medical Systems typically prohibit hospital IT administrators from applying software updates on their own to medical equipment regulated by the Food and Drug Administration (FDA). Many devices aren't allowed to run anti-virus software either, since this might slow down the medical application.

"Picture yourself in an emergency room doing a CRT on a trauma patient," Mankovich says. A virus scanner could slow down the CRT machine and alter its output -- something no one wants. Mankovich said if any Philips equipment gets infected by worms or viruses, Philips sends a service team out to clean it up.

Steve Wexler, chief biomedical engineer at the Dept. of Veterans Affairs Health Administration division, who is in charge of quality assurance for medical equipment used at the VA hospital, agrees IT administrators should not try to alter FDA-regulated medical equipment based on commercial operating systems.

Wexler has faced the fact that some of this equipment will never be patched because patching it would disrupt sensitive medical applications. But he also knows unpatched equipment sitting on LANs is going to be vulnerable to computer worms and viruses. As a response to this situation, Wexler worked with network engineers at VA to craft a plan for securing the VA hospitals' networks.

This plan, which VA is seeking to implement, is described in a document entitled the "Dept. of Veterans Affairs Medical Device Isolation Architecture Guide" (927K PDF). The VA is making it available for public reading, knowing it may help other hospitals think of ways of their own to cope with a tough situation.

Network professionals are asking why the medical industry is increasingly dependent on Microsoft's operating systems and Web applications when Microsoft has had a poor track record in terms of software bugs and fixes. The short answer is cost savings: it's cheaper than writing your own OS or applications.

Elizabeth Spangler, information assurance manager at Anteon Corp, a Dept. of Defense contractor assisting the Army with medical-device equipment in its hospitals, suggested the medical industry might want to look at alternate approaches to improve security.

One of them, she says, would be using "hardened" operating systems, such as those detailed by the National Security Agency at www.nsa.gov, and making changes to the OS such as disabling guest accounts or ensuring strong passwords. She suggests medical-device manufacturers consider disabling all unnecessary services and ports and removing default Microsoft programs such as Outlook Express.

Spangler also notes that the National Institute for Standards and Technology (NIST) has a program for medical vendors to have their systems accredited under the National Information Assurance Partnership (NIAP) test regimen.

Spangler is also in favor of the approach championed by Wexler at the VA, that hospitals that want the benefit of networked medical devices on high-speed LANs must build adequate security defenses. Problems will always exist. "Microsoft is Microsoft," she notes. "And service packs and bug fixes, like all software, is a given."


TOPICS: Computers/Internet
KEYWORDS: healthcare; medical; microsoft; windows

1 posted on 07/19/2008 5:56:24 AM PDT by ShadowAce

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

2 posted on 07/19/2008 5:56:45 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

I was at the Emergency room about a year ago and we’re in the curtained off area and I’m hearing a “crisis” of some sort occurring in the next space. One nurse, then another, then a dr, finally a guy comes down from somewhere, then I hear the windows boot up sound and everyone goes “Aww, there it is, thanks”.

Scary on a few levels.


3 posted on 07/19/2008 6:10:15 AM PDT by Malsua

To: Malsua

yeah—it’s all fun and games, with people on both sides poking fun at the others’ OS, but we tend to forget (sometimes) that when an OS fails, it can have serious consequences.


4 posted on 07/19/2008 6:12:08 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

Can’t they keep these systems in isolation, away from any networks? Can’t the updates be delivered manually, directly shipped from the manufacturer?

Images could be retrieved and saved on a peripheral ring of secondary computers, couldn’t they?

Because generally people are idiots when it comes to keeping systems free from the nasties.


5 posted on 07/19/2008 6:18:41 AM PDT by CarrotAndStick (The articles posted by me needn't necessarily reflect my opinion.)

To: CarrotAndStick

I guess they could--but a lot of the attraction some of these devices hold is the ability to network in with other hospitals/doctors.

Also, even in "isolation" a black hat could make it into the same room and upload anything onto the machines.

6 posted on 07/19/2008 6:22:21 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: CarrotAndStick
Can’t they keep these systems in isolation, away from any networks? Can’t the updates be delivered manually, directly shipped from the manufacturer? Images could be retrieved and saved on a peripheral ring of secondary computers, couldn’t they?

Yes, yes, and yes. That's how it's done in my experience, or at least, that's how it's supposed to be done. I don't know what the VA is doing having these systems on non-private networks where worms/viruses could get to them.

7 posted on 07/19/2008 6:30:52 AM PDT by Dr. Frank fan

To: ShadowAce

Two things about computer systems (being based on firm binary logic as they are), I could never understand why they haven’t been rectified yet:

Computer OS crashes, and isolation of critical system components, away from unauthorised intrusion.

I smell conspiracy!

:^)


8 posted on 07/19/2008 6:33:32 AM PDT by CarrotAndStick (The articles posted by me needn't necessarily reflect my opinion.)

To: ShadowAce

Oh don’t get me started on this. I will say that Steve and Elizabeth have taken things a long way and are doing a great job and are the right people to do so. They wrestle with these issues daily and have asked the same questions many have posted here. Often the issue has to do with infighting between Biomed Equipment specialists and IT personnel. The Biomed side has a high degree of medical and electronics training, and understands equipment applications and uses. The IT side is predominately software and network trained with little or no medical background. It’s often like mixing oil and water.


9 posted on 07/19/2008 6:54:01 AM PDT by docman57 (Retired but still on Duty)

To: CarrotAndStick
Can’t they keep these systems in isolation, away from any networks?

Well, yeah, most of the time but, during football season, you have to log on to ESPN to keep track of the scores. :-)

10 posted on 07/19/2008 6:54:13 AM PDT by Polybius

To: ShadowAce; Swordmaker; Ernest_at_the_Beach

11 posted on 07/19/2008 7:10:49 AM PDT by martin_fierro (< |:)~)

To: martin_fierro

I couldn’t get that to run on my system...


12 posted on 07/19/2008 7:29:26 AM PDT by Gondring (I'll give up my right to die when hell freezes over my dead body!)

To: CarrotAndStick
Can’t they keep these systems in isolation, away from any networks?

Could they? Probably. Will they? No. If a heart scan is done, the files are sent over the wire to radiology and to cardiology for review. They used to use video tape and hand-carry it to the offices, but things have changed.

To really scare you: some radiology work has been outsourced to India because the files can be sent over wire there just as easily, and it's way cheaper to pay in rice and fishheads.

13 posted on 07/19/2008 7:35:33 AM PDT by Salo

To: Salo
If a heart scan is done, the files are sent over the wire to radiology and to cardiology for review.

No problem with that, really. Why can't they move the files from the machine's computers to a secondary ring of peripheral computers over a one-way, read-only method? From the secondary, it could be made available to anyone with authorisation, to examine. At least that way, the critical system is kept secured.

14 posted on 07/19/2008 7:46:37 AM PDT by CarrotAndStick (The articles posted by me needn't necessarily reflect my opinion.)

To: ShadowAce
"it turns out that quite a lot of patient-care medical equipment sold these days is based on Windows. And this Windows-based equipment, whether it be cancer-care, EKG or ultrasound machines, is prone to getting hit by computer worms and viruses like any other Microsoft-based machine sitting on a corporate LAN."

I work at a hospital in the IT department, and this is ALL true. The primary reason Windows runs on all of these computers is because of software vendors, and 3rd party companies that use software that requires Windows. Almost all of the applications out there that are involved with the medical field run a GUI and are Windows based. Scary isn't it? Hell, we are REQUIRED to use Internet Explorer where I work because one of our patient care apps is web based and WILL NOT WORK if another browser attempts to use it. (I tried the firefox user agent switcher addon to no avail.) I once asked a rep from the company why they require us to use an inherently insecure web browser and he just looked at me as if he were dumbfounded.

I have long advocated that no computer that deals with patient information should ever have access to the internet, but it falls on deaf ears. One time I found a keylogger on a registration computer that was there as a result of a spyware 'infection'. That's very scary. Our firewall would have blocked any outbound traffic from the key logger had it been the type that 'calls home', but it was disturbing to see.

15 posted on 07/19/2008 8:18:06 AM PDT by KoRn (CTHULHU '08 - I won't settle for a lesser evil any longer!)

To: Polybius; KoRn
Well, yeah, most of the time but, during football season, you have to log on to ESPN to keep track of the scores. :-)

There is this Chinese software called SopCast [ http://www.sopcast.com/ ] that provides television streams [illegal] from servers based in China. It's quite popular in colleges among students, and I wouldn't be surprised if this thing did more than just relay video streams.

It would be a safe bet to assume that this is popular in hospitals, too.

16 posted on 07/19/2008 9:29:37 AM PDT by CarrotAndStick (The articles posted by me needn't necessarily reflect my opinion.)

To: ShadowAce

This brings a whole new meaning to Blue Screen of DEATH.


17 posted on 07/19/2008 9:37:09 AM PDT by Bob

To: ShadowAce
You may never think of hospitals quite the same way again, but it turns out that quite a lot of patient-care medical equipment sold these days is based on Windows

Geez, talk about the Blue Screen of Death! I didn't realize they were literal.

18 posted on 07/19/2008 10:08:22 AM PDT by Still Thinking (Typical white person)

To: ShadowAce
Medical-device manufacturers such as Philips Medical Systems typically prohibit hospital IT administrations from applying software updates on their own to medical equipment regulated by the Food and Drug Administration (FDA).

I can't believe the FDA will even permit Windows in a life critical device in the first place. In the manufacturing world where we build and use dangerous equipment that could maim or kill a person, we would never entrust the safety of even the equipment, let alone an individual, to a programmable device, except one whose hardware has been specifically designed for the purpose.

19 posted on 07/19/2008 10:11:48 AM PDT by Still Thinking (Typical white person)

To: ShadowAce

I am responsible for some of the small animal scanners at UW-Madison. We get several MS error reports weekly, but nobody’s life is on the line. What is scary is that the producers normally have the tech know-how to program in assembly, but they retard the software by putting it on operating systems. Just my small experience.


20 posted on 07/19/2008 12:40:53 PM PDT by militem (Looking for a decent candidate for Congress)

To: ShadowAce
Could be worse, like overwhelming radiation exposure.

21 posted on 07/20/2008 1:05:27 AM PDT by amchugh (large and largely disgruntled)
