by David Talbot, Technology Review
The National Institute of Standards and Technology’s Information Security & Privacy Advisory Board has found that computerized hospital equipment is increasingly vulnerable to malware infections. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable…
Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other devices brought into hospitals. The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features.
In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says. …
At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices.
Often the malware is associated with botnets, and once it lodges inside a computer, it tries to contact command-and-control servers for instructions, according to Beth Israel Deaconess Medical Center’s Mark Olson. However, malware problems on hospital devices are rarely reported to state or federal regulators because hospitals believe there is little recourse, according to Olson and Fu. “Many CTOs are not aware of how to protect their own products with restrictive firewalls,” says Beth Israel CIO John Halamka. …
Fu says that medical devices need to stop using insecure, unsupported operating systems. “More hospitals and manufacturers need to speak up about the importance of medical-device security,” he said after the meeting. “Executives at a few leading manufacturers are beginning to commit engineering resources to get security right, but there are thousands of software-based medical devices out there.”