Computer Viruses Are "Rampant" on Medical Devices in Hospitals

As if there weren't enough problems with hospitals as computing backwaters, now there's this:

Computer Viruses Are "Rampant" on Medical Devices in Hospitals

A meeting of government officials reveals that medical equipment is becoming riddled with malware.

Technology Review
Published by MIT
David Talbot
Wednesday, October 17, 2012

Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable.

While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion.

I note the seemingly universal refrain "no injuries have been reported" once more (see this query link to similar statements regarding IT malfunctions), which is irrelevant since reporting mechanisms for medical errors are noted to be deficient.

Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other device brought into hospitals.  [I note that it should be impermissible to connect "alien" machines to a hospital's network without authorization, and that attaining that level of security protection is not difficult - ed.]  The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features.

In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufactures will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says.

In other words, let's run at high risk if it avoids the time and expense of FDA reviews that would ensure the equipment is safe and operates as expected with the software updates.

As a result, these computers are frequently infected with malware, and one or two have to be taken offline each week for cleaning, says Mark Olson, chief information security officer at Beth Israel.

It is unclear how the servers running the hospital information system, electronic health records systems, physician order entry systems etc. are immune to spread of the malware.

"I find this mind-boggling," Fu says. "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."

The worries over possible consequences for patients were described last Thursday at a meeting of a medical-device panel at the National Institute of Standards and Technology Information Security and Privacy Advisory Board, of which Fu is a member, in Washington, D.C. At the meeting, Olson described how malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive-care wards.

In its face, that is potentially catastrophic depending on the degree of "slowdown" and whether data is lost.

"It's not unusual for those devices, for reasons we don't fully understand, to become compromised to the point where they can't record and track the data," Olson said during the meeting, referring to high-risk pregnancy monitors. "Fortunately, we have a fallback model because they are high-risk [patients]. They are in an IC unit—there's someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction."

The reasons seem obvious to anyone who's had a serious malware infection on their PC.  I've only had one - a computer I bought at a fleamarket for $7 was so severely infected it was unusable for even basic tasks, and was resistant to virus removal.  I solved that problem by installing a fresh copy of the OS, immediately followed by all patches and the latest anti-malware software.

The computer systems at fault in the monitors were replaced several months ago by the manufacturer, Philips; the new systems, based on Windows XP, have better protections and the problem has been solved, Olson said in a subsequent interview.

This implies the older systems were running on Win 98 or earlier or an old version of Win NT.  Amazing.

At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices.

Olson told the panel that infections have stricken many kinds of equipment, raising fears that someday a patient could be harmed. "We also worry about situations where blood gas analyzers, compounders, radiology equipment, nuclear-medical delivery systems, could become compromised to where they can't be used, or they become compromised to the point where their values are adjusted without the software knowing," he said. He explained that when a machine becomes clogged with malware, it could in theory "miss a couple of readings off of a sensor [and] erroneously report a value, which now can cause harm."

I opine that harm could already have occurred; it just may not been recognized as such nor reported.  Disappearing data and other EHR failure modes known to have caused harm and/or deaths could be related to malware, for example.

... Malware problems on hospital devices are rarely reported to state or federal regulators, both Olson and Fu said. This is partly because hospitals believe they have little recourse. Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed. "Maybe that's a failing on our part, that we aren't trying to raise the visibility of the threat," Olson said. "But I think we all feel the threat gets higher and higher."

I note that health IT related problems are also rarely reported, with only one vendor being the exception (see my post on the FDA MAUDE voluntary reporting database here).  The reasons likely are not because "hospitals believe they have little recourse" - the real reasons may be fear, complacency and/or incompetence.

Speaking at the meeting, Brian Fitzgerald, an FDA deputy director, said that in visiting hospitals around the nation, he has found Beth Israel's problems to be widely shared. "This is a very common profile," he said. The FDA is now reviewing its regulatory stance on software, Fitzgerald told the panel. "This will have to be a gradual process, because it involves changing the culture, changing the technology, bringing in new staff, and making a systematic approach to this," he said.

Changing the culture would be nice, considering we are now entering a national rollout of complex enterprise clinical resource and workflow control systems anachronistically known as "electronic medical records."

In an interview Monday, Tam Woodrum, a software executive at the device maker GE Healthcare, said manufacturers are in a tough spot, and the problems are amplified as hospitals expect more and more interconnectedness. He added that despite the FDA's 2009 guidance, regulations make system changes difficult to accomplish: "In order to go back and update the OS, with updated software to run on the next version, it's an onerous regulatory process."

My comment is, if you can't take the heat of work in the real-world medical setting, if you cannot be part of the medical team, then get out of the clinic.  You're likely to do more harm than good.

John Halamka, Beth Israel's CIO and a Harvard Medical School professor, said he began asking manufacturers for help in isolating their devices from the networks after trouble arose in 2009: the Conficker worm caused problems with a Philips obstetrical care workstation, a GE radiology workstation, and nuclear medical applications that "could not be patched due to [regulatory] restrictions." He said, "No one was harmed, but we had to shut down the systems, clean them, and then isolate them from the Internet/local network."

He added: "Many CTOs [chief technology officers - ed.] are not aware of how to protect their own products with restrictive firewalls. All said they are working to improve security but have not yet produced the necessary enhancements."

Then why are they CTO's?  Is this the phenomenon of generic or underqualified managers rearing its head?

Fu says that medical devices need to stop using insecure, unsupported operating systems. "More hospitals and manufacturers need to speak up about the importance of medical-device security," he said after the meeting. "Executives at a few leading manufacturers are beginning to commit engineering resources to get security right, but there are thousands of software-based medical devices out there."

One can only wonder if others have done a Ford Pinto cost-benefit analysis and decided the costs of settlement from injured and dead patients is less than the cost of remediation.

-- SS