Forwarded from: William Knowles <wk@private>

http://www.nwfusion.com/news/2004/080904patchfights.html

By Ellen Messmer
Network World
08/09/04

Amid growing worries that Windows-based medical systems will endanger patients if Microsoft-issued security patches are not applied, hospitals are rebelling against restrictions from device manufacturers that have delayed or prevented such updates.

Moreover, the U.S. Food and Drug Administration (FDA) is encouraging the aggrieved hospitals to file written complaints against the manufacturers, which could result in devices losing their government seal of approval.

If hospitals encounter a patch-related issue "that may lead to death or serious injury, they must file a report," says John Murray, the FDA's software and electronic records compliance expert. Murray acknowledges that healthcare organizations might be reluctant to do this "because they don't want the manufacturer mad at them."

Device makers such as GE Medical Systems, Philips Medical Systems and Agfa say it typically takes months to test Microsoft patches because they could break the medical systems to which they're applied. In some instances, vendors won't authorize patch updates at all.

Angry hospital IT executives who say they can't ignore the risks from computer worms and hackers getting into unpatched Windows-based devices are taking matters into their own hands by applying the patches themselves.

"When Microsoft recommends we apply a critical patch, the vendors have come back and said 'We won't support you,'" says Dave McClain, information systems security manager at Community Health Network in Indianapolis. So the hospital has gone ahead and applied critical Microsoft patches to vulnerable patient-care systems when vendors wouldn't, McClain says. The hospital views the failure to apply patches as a possible violation of the federal Health Insurance Portability and Accountability Act (HIPAA).
"We have HIPAA regulatory issues, and you can't hold us back from compliance," he says.

Other hospitals make the same contentions. The North Carolina Healthcare Information and Communications Alliance (NCHICA), a 250-member technology advocacy group for regional hospitals, clinics, pharmacies and legal firms, earlier this year sent a letter to the FDA's enforcement division asking the FDA to provide "more guidance" on patching.

The problem, NCHICA wrote, is that "security flaws can result in systems that do not function as intended and/or allow unauthorized modification to data. Systems compromised in these ways may represent a significant risk to patient safety."

"Security of the systems is the primary focus of the letter," says Holt Anderson, executive director of NCHICA. Without the operating systems properly maintained in terms of patching, "there is no way to secure devices that are connected to a LAN or wireless facility," he says.

The FDA's Murray says the medical industry faces a serious problem because the "quality of some of these off-the-shelf software products is on the low side," alluding to the perennial stream of security notifications from Microsoft and other software vendors. He adds that when the FDA eight years ago began allowing off-the-shelf software in medical devices, it didn't foresee the kinds of security issues, such as computer worms, that plague networks.

The FDA doesn't have a comprehensive response to the problem. "But we're not going to go back to a time of non-networked medical devices that used to be stand-alone," Murray says.

The problem is that computer worms that target Microsoft-based computers, including MS-Blaster and Sasser, have increasingly struck hospital networks, where unpatched Windows-based patient-care systems have become infected.
Some manufacturers, including Philips, contend that hospitals must do a better job of applying security defenses to protect medical devices by buying intrusion-prevention systems (IPS) and internal firewalls.

However, hospital IT professionals respond that it's not that unusual for medical-device manufacturers to be the origin of worms that get in their networks. There have been several instances in which viruses originated from medical instruments straight from the vendors, says Bill Bailey, enterprise architect at ProHealth Care, a Milwaukee healthcare provider. Medical equipment arrived with computer viruses on it or service technicians introduced the viruses while maintaining the equipment, he says.

Bailey says he wants device manufacturers to consider including host-based IPSs on Windows-based patient systems. In addition, he would like to see Microsoft involved in helping tailor its operating system and applications for the medical industry.

"The medical-device manufacturers don't understand the systems, whether Microsoft or Unix," Bailey says. "They leave them in an untouchable state for a long time. The idea of periodic changes is hard for them."

Although Bailey says he's not in favor of filing complaints with the FDA, which could escalate into legal conflict, he does want to see the FDA apply pressure on the manufacturers.

The FDA shows signs of doing just that. This June during a Web-based conference with the 47-member University HealthSystem Consortium to discuss the issue of security patching, the FDA's deputy director in the medical-device division of the Office of Science and Engineering Laboratories urged hospitals to file complaints about medical devices.

[...]
This archive was generated by hypermail 2.1.3 : Wed Aug 11 2004 - 01:36:17 PDT