[ISN] Fed up hospitals defy patching rules
isn at c4i.org
Wed Aug 11 01:42:12 EDT 2004
Forwarded from: William Knowles <wk at c4i.org>
By Ellen Messmer
Amid growing worries that Windows-based medical systems will endanger
patients if Microsoft-issued security patches are not applied,
hospitals are rebelling against restrictions from device manufacturers
that have delayed or prevented such updates.
Moreover, the U.S. Food and Drug Administration (FDA) is encouraging
the aggrieved hospitals to file written complaints against the
manufacturers, which could result in devices losing their government
seal of approval.
If hospitals encounter a patch-related issue "that may lead to death
or serious injury, they must file a report," says John Murray, the
FDA's software and electronic records compliance expert. Murray
acknowledges that healthcare organizations might be reluctant to do
this "because they don't want the manufacturer mad at them."
Device makers such as GE Medical Systems, Philips Medical Systems and
Agfa say it typically takes months to test Microsoft patches because
they could break the medical systems to which they're applied. In some
instances, vendors won't authorize patch updates at all.
Angry hospital IT executives who say they can't ignore the risks from
computer worms and hackers getting into unpatched Windows-based
devices are taking matters into their own hands by applying the
"When Microsoft recommends we apply a critical patch, the vendors have
come back and said 'We won't support you,'" says Dave McClain,
information systems security manager at Community Health Network in
So the hospital has gone ahead and applied critical Microsoft patches
to vulnerable patient-care systems when vendors wouldn't, McClain
says. The hospital views the failure to apply patches as a possible
violation of the federal Health Insurance Portability and
Accountability Act (HIPAA). "We have HIPAA regulatory issues, and you
can't hold us back from compliance," he says.
Other hospitals make the same contentions.
The North Carolina Healthcare Information and Communications Alliance
(NCHICA), a 250-member technology advocacy group for regional
hospitals, clinics, pharmacies and legal firms, earlier this year sent
a letter to the FDA's enforcement division asking the FDA to provide
"more guidance" on patching. The problem, NCHICA wrote, is that
"security flaws can result in systems that do not function as intended
and/or allow unauthorized modification to data. Systems compromised in
these ways may represent a significant risk to patient safety."
"Security of the systems is the primary focus of the letter," says
Holt Anderson, executive director of NCHICA. Without the operating
systems properly maintained in terms of patching, "there is no way to
secure devices that are connected to a LAN or wireless facility," he
The FDA's Murray says the medical industry faces a serious problem
because the "quality of some of these off-the-shelf software products
is on the low side," alluding to the perennial stream of security
notifications from Microsoft and other software vendors.
He adds that when the FDA eight years ago began allowing off-the-shelf
software in medical devices, it didn't foresee the kinds of security
issues, such as computer worms, that plague networks.
The FDA doesn't have a comprehensive response to the problem. "But
we're not going to go back to a time of non-networked medical devices
that used to be stand-alone," Murray says.
The problem is that computer worms that target Microsoft-based
computers, including MS-Blaster and Sasser, have increasingly struck
hospital networks, where unpatched Windows-based patient-care systems
have become infected. Some manufacturers, including Philips, contend
that hospitals must do a better job of applying security defenses to
protect medical devices by buying intrusion-prevention systems (IPS)
and internal firewalls.
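The dispute above comes down to a triage decision per device: a patch the vendor has validated can be applied, while a critical patch the vendor has not cleared on a LAN- or wireless-reachable device needs a compensating control (segmentation behind an internal firewall or IPS) and, if the vendor has stalled for months, a written escalation. The following is an added example, not code from the article or from any of the hospitals or manufacturers named in it; the device inventory, patch identifiers, severity scale and the 90-day waiting threshold are all constructed for illustration.

```python
"""Triage networked Windows-based medical devices against pending security patches.

Added example; inventory, patch IDs and thresholds are constructed, not real data.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Patch:
    patch_id: str
    severity: str            # constructed scale: "critical" or "moderate"
    applies_to: frozenset    # OS versions the patch targets


@dataclass
class Device:
    name: str
    os: str
    network_exposed: bool                    # reachable from hospital LAN / wireless
    installed: set = field(default_factory=set)
    vendor_approved: set = field(default_factory=set)       # validated by manufacturer
    approval_requested: dict = field(default_factory=dict)  # patch_id -> date asked


def triage_device(device, patches, today, max_wait_days=90):
    """Return (patch_id, action) pairs for every applicable patch the device lacks."""
    actions = []
    for p in patches:
        if device.os not in p.applies_to or p.patch_id in device.installed:
            continue
        if p.patch_id in device.vendor_approved:
            actions.append((p.patch_id, "apply"))            # vendor cleared it: install
            continue
        if p.severity != "critical" or not device.network_exposed:
            actions.append((p.patch_id, "await-vendor"))     # low urgency: wait
            continue
        # Critical patch, reachable device, no vendor approval: compensate now.
        asked = device.approval_requested.get(p.patch_id)
        waited = (today - asked).days if asked else 0
        if waited > max_wait_days:
            # Vendor has stalled past the threshold: segment and document for a report.
            actions.append((p.patch_id, "isolate-and-report"))
        else:
            actions.append((p.patch_id, "isolate-and-escalate"))
    return actions


def triage_fleet(devices, patches, today, max_wait_days=90):
    """Map each device name to its triage actions."""
    return {d.name: triage_device(d, patches, today, max_wait_days) for d in devices}


# Constructed sample data (not from the article).
PATCHES = [
    Patch("PATCH-A", "critical", frozenset({"Windows 2000", "Windows XP"})),
    Patch("PATCH-B", "moderate", frozenset({"Windows XP"})),
]
DEVICES = [
    Device("mri-console", "Windows 2000", True,
           approval_requested={"PATCH-A": date(2004, 4, 15)}),
    Device("lab-analyzer", "Windows XP", True,
           installed={"PATCH-A"}, vendor_approved={"PATCH-A", "PATCH-B"}),
    Device("imaging-ws", "Windows 2000", False,
           approval_requested={"PATCH-A": date(2004, 7, 30)}),
]
TODAY = date(2004, 8, 11)

if __name__ == "__main__":
    for name, actions in triage_fleet(DEVICES, PATCHES, TODAY).items():
        print(name, actions)
```

The "isolate" actions are the point: an unapproved critical patch on an exposed device is not a reason to leave the device untouched, but to place it behind an internal firewall or IPS until either the vendor validates the update or the hospital decides, as the ones quoted here did, to apply it under its own change control.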
However, hospital IT professionals respond that it's not that unusual
for medical-device manufacturers to be the origin of worms that get in
There have been several instances in which viruses originated from
medical instruments straight from the vendors, says Bill Bailey,
enterprise architect at ProHealth Care, a Milwaukee healthcare
provider. Medical equipment arrived with computer viruses on it or
service technicians introduced the viruses while maintaining the
equipment, he says.
Bailey says he wants device manufacturers to consider including
host-based IPSs on Windows-based patient systems. In addition, he
would like to see Microsoft involved in helping tailor its operating
system and applications for the medical industry.
"The medical-device manufacturers don't understand the systems,
whether Microsoft or Unix," Bailey says. "They leave them in an
untouchable state for a long time. The idea of periodic changes is
hard for them."
Although Bailey says he's not in favor of filing complaints with the
FDA, which could escalate into legal conflict, he does want to see the
FDA apply pressure on the manufacturers.
The FDA shows signs of doing just that. This June during a Web-based
conference with the 47-member University HealthSystem Consortium to
discuss the issue of security patching, the FDA's deputy director in
the medical-device division of the Office of Science and Engineering
Laboratories urged hospitals to file complaints about medical devices.
"Communications without intelligence is noise; intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
Help C4I.org with a donation: http://www.c4i.org/contribute.html