Most readers, I suspect, will have run across news stories or other reports of nasty infections sometimes acquired by hospital patients. According to a report at Technology Review, there is another worrying category of infection proliferating in hospital environments: computer virus infections of medical equipment.
Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable.
The advent of the microprocessor and Moore’s Law has meant the introduction of digital technology, often replacing electro-mechanical control systems, in everything from toasters to “fly-by-wire” aircraft. It should come as no surprise that many medical devices are now controlled by software as well. This of course means that all the problems of software, including program bugs, security vulnerabilities, and malware, are part of the package. Also, as with industrial control [SCADA] systems, the undoubted convenience of linking these devices to a network provides a ready vector for malware infections. (The direct connection may be to an internal network, but there is often a path to the Internet lurking somewhere in the background: a vendor’s remote-support link, a shared file server, or a workstation that is also used for web browsing.) In addition, hospital personnel, like workers in other fields, bring in personal laptops, USB memory sticks, and other devices, sometimes with some undesirable extras.
Another difficulty with medical equipment is also reminiscent of the SCADA case. For obvious reasons, the vendors and users of these devices place a high value on availability: the machine should be ready for use whenever it is needed. This means that scheduling downtime for, say, installing software patches is not popular. In addition, some manufacturers do not allow any modifications to their equipment or its software, even to install security fixes. This stems in part from the requirement that the devices be approved by the FDA; rightly or wrongly, some vendors believe that installing such fixes might require the device to be re-certified. (For what it is worth, the FDA’s own 2005 guidance on cybersecurity for networked devices containing off-the-shelf software says that it typically does not need to review software changes made solely to address cybersecurity vulnerabilities, so the obstacle is as much the vendor’s caution as the regulation itself.)
In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says. [Prof. Kevin Fu, associate professor of computer science at the University of Massachusetts, Amherst]
These security issues were the focus of a meeting last week of the Information Security & Privacy Advisory Board at the National Institute of Standards and Technology [NIST]. Prof. Fu was one of the attendees, as was Mark Olson, Chief Information Security Officer at Beth Israel Deaconess Medical Center in Boston, MA.
At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices.
Hospitals have not, historically, had to focus very much on computer security. With today’s equipment, though, they have become security administrators whether they like it or not, and for devices they are not permitted to patch or protect directly, the only tools left are the traditional compensating ones: keeping an inventory of what runs what, isolating the devices on their own network segments, and watching the traffic to and from them. As with SCADA systems and many others, there is some catching up to do.