[ISN] Fed up hospitals defy patching rules

InfoSec News isn at c4i.org
Wed Aug 11 01:42:12 EDT 2004

Forwarded from: William Knowles <wk at c4i.org>


By Ellen Messmer
Network World

Amid growing worries that Windows-based medical systems will endanger 
patients if Microsoft-issued security patches are not applied, 
hospitals are rebelling against restrictions from device manufacturers 
that have delayed or prevented such updates. 

Moreover, the U.S. Food and Drug Administration (FDA) is encouraging 
the aggrieved hospitals to file written complaints against the 
manufacturers, which could result in devices losing their government 
seal of approval. 

If hospitals encounter a patch-related issue "that may lead to death 
or serious injury, they must file a report," says John Murray, the 
FDA's software and electronic records compliance expert. Murray 
acknowledges that healthcare organizations might be reluctant to do 
this "because they don't want the manufacturer mad at them." 

Device makers such as GE Medical Systems, Philips Medical Systems and 
Agfa say it typically takes months to test Microsoft patches because 
they could break the medical systems to which they're applied. In some 
instances, vendors won't authorize patch updates at all. 

Angry hospital IT executives who say they can't ignore the risks from 
computer worms and hackers getting into unpatched Windows-based 
devices are taking matters into their own hands by applying the 
patches themselves. 

"When Microsoft recommends we apply a critical patch, the vendors have 
come back and said 'We won't support you,'" says Dave McClain, 
information systems security manager at Community Health Network in 

So the hospital has gone ahead and applied critical Microsoft patches 
to vulnerable patient-care systems when vendors wouldn't, McClain 
says. The hospital views the failure to apply patches as a possible 
violation of the federal Health Insurance Portability and 
Accountability Act (HIPAA). "We have HIPAA regulatory issues, and you 
can't hold us back from compliance," he says. 

Other hospitals make the same contentions.

The North Carolina Healthcare Information and Communications Alliance 
(NCHICA), a 250-member technology advocacy group for regional 
hospitals, clinics, pharmacies and legal firms, earlier this year sent 
a letter to the FDA's enforcement division asking the FDA to provide 
"more guidance" on patching. The problem, NCHICA wrote, is that 
"security flaws can result in systems that do not function as intended 
and/or allow unauthorized modification to data. Systems compromised in 
these ways may represent a significant risk to patient safety." 

"Security of the systems is the primary focus of the letter," says 
Holt Anderson, executive director of NCHICA. Without the operating 
systems properly maintained in terms of patching, "there is no way to 
secure devices that are connected to a LAN or wireless facility," he 

The FDA's Murray says the medical industry faces a serious problem 
because the "quality of some of these off-the-shelf software products 
is on the low side," alluding to the perennial stream of security 
notifications from Microsoft and other software vendors. 

He adds that when the FDA eight years ago began allowing off-the-shelf 
software in medical devices, it didn't foresee the kinds of security 
issues, such as computer worms, that plague networks. 

The FDA doesn't have a comprehensive response to the problem. "But 
we're not going to go back to a time of non-networked medical devices 
that used to be stand-alone," Murray says. 

The problem is that computer worms that target Microsoft-based 
computers, including MS-Blaster and Sasser, have increasingly struck 
hospital networks, where unpatched Windows-based patient-care systems 
have become infected. Some manufacturers, including Philips, contend 
that hospitals must do a better job of applying security defenses to 
protect medical devices by buying intrusion-prevention systems (IPS) 
and internal firewalls. 

However, hospital IT professionals respond that it's not that unusual 
for medical-device manufacturers to be the origin of worms that get in 
their networks. 

There have been several instances in which viruses originated from 
medical instruments straight from the vendors, says Bill Bailey, 
enterprise architect at ProHealth Care, a Milwaukee healthcare 
provider. Medical equipment arrived with computer viruses on it or 
service technicians introduced the viruses while maintaining the 
equipment, he says. 

Bailey says he wants device manufacturers to consider including 
host-based IPSs on Windows-based patient systems. In addition, he 
would like to see Microsoft involved in helping tailor its operating 
system and applications for the medical industry. 

"The medical-device manufacturers don't understand the systems, 
whether Microsoft or Unix," Bailey says. "They leave them in an 
untouchable state for a long time. The idea of periodic changes is 
hard for them." 

Although Bailey says he's not in favor of filing complaints with the 
FDA, which could escalate into legal conflict, he does want to see the 
FDA apply pressure on the manufacturers. 

The FDA shows signs of doing just that. This June during a Web-based 
conference with the 47-member University HealthSystem Consortium to 
discuss the issue of security patching, the FDA's deputy director in 
the medical-device division of the Office of Science and Engineering 
Laboratories urged hospitals to file complaints about medical devices. 


"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
Help C4I.org with a donation: http://www.c4i.org/contribute.html
