Free Republic
Browse · Search
General/Chat
Topics · Post Article


When medical-device equipment gets sick
NetworkWorld ^ | 19 July 2008 | Ellen Messmer

Posted on 07/19/2008 5:56:23 AM PDT by ShadowAce

You may never think of hospitals quite the same way again, but it turns out that quite a lot of patient-care medical equipment sold these days is based on Windows. And this Windows-based equipment, whether it be cancer-care, EKG or ultrasound machines, is prone to getting hit by computer worms and viruses like any other Microsoft-based machine sitting on a corporate LAN.

Hospital IT administrators want to ensure this equipment is kept up to date on security software patches in order to prevent infestation by worms that may invade hospital LANs. But as our story on this describes, patching medical devices is not always an option -- in spite of what the salesmen selling it might say.

Though it's a sensitive topic for any medical-equipment manufacturer, Nick Mankovich, director of product IT security at Philips Medical Systems, spoke to us about security issues with candor and insight. We hope to hear more from others in the industry who can be so straightforward.

Medical-device manufacturers such as Philips Medical Systems typically prohibit hospital IT administrations from applying software updates on their own to medical equipment regulated by the Food and Drug Administration (FDA). Many devices aren't allowed to run anti-virus software either since this might slow down the medical application.

"Picture yourself in an emergency room doing a CRT on a trauma patient," Mankovich says. A virus scanner could slow down the CRT machine and alter its output -- something no one wants. Mankovich said if any Philips equipment gets infected by worms or viruses, Philips sends a service team out to clean it up.

Steve Wexler, chief biomedical engineer at the Dept. of Veterans Affairs Health Administration division, who is in charge of quality assurance for medical equipment used at the VA hospital, agrees IT administrators should not try to alter FDA-regulated medical equipment based on commercial operating systems.

Wexler has faced the fact that some of this equipment will never be patched because patching it would disrupt sensitive medical applications. But he also knows unpatched equipment sitting on LANs is going to be vulnerable to computer worms and viruses. As a response to this situation, Wexler worked with network engineers at VA to craft a plan for securing the VA hospitals' networks.

This plan, which VA is seeking to implement, is described in a document entitled the "Dept. of Veterans Affairs Medical Device Isolation Architecture Guide" (927K PDF). The VA is making it available for public reading, knowing it may help other hospitals think of ways of their own to cope with a tough situation.

Network professionals are asking the question why the medical industry is increasingly dependent on Microsoft's operating systems and Web applications when Microsoft has had a poor track record in terms of software bugs and fixes. The short answer is cost-savings. It's cheaper than writing your own OS or applications.

Elizabeth Spangler, information assurance manager at Anteon Corp, a Dept. of Defense contractor assisting the Army with medical-device equipment in its hospitals, suggested the medical industry might want to look at alternate approaches to improve security.

One of them, she says, would be using "hardened" operating systems, such as those detailed by the National Security Agency at www.nsa.gov, and making changes to the OS such as disabling guest accounts or ensuring strong passwords. She suggests medical-device manufacturers consider disabling all unnecessary services and ports and removing default Microsoft programs such as Outlook Express.

Spangler also notes that the National Institute for Standards and Technology (NIST) has a program for medical vendors to have their systems accredited under the National Information Assurance Partnership (NIAP) test regimen.

Spangler is also in favor of the approach championed by Wexler at the VA, that hospitals that want the benefit of networked medical devices on high-speed LANs must build adequate security defenses. Problems will always exist. "Microsoft is Microsoft," she notes. "And service packs and bug fixes, like all software, is a given."


TOPICS: Computers/Internet
KEYWORDS: healthcare; medical; microsoft; windows
To: ShadowAce
Could be worse, like overwhelming radiation exposure.
21 posted on 07/20/2008 1:05:27 AM PDT by amchugh (large and largely disgruntled)

