Fed up hospitals defy patching rules - Network World

Fed up hospitals defy patching rules

By Ellen Messmer , Network World , 08/09/2004

Amid growing worries that Windows-based medical systems will endanger patients if Microsoft-issued security patches are not applied, hospitals are rebelling against restrictions from device manufacturers that have delayed or prevented such updates.

Moreover, the U.S. Food and Drug Administration (FDA) is encouraging the aggrieved hospitals to file written complaints against the manufacturers, which could result in devices losing their government seal of approval.

If hospitals encounter a patch-related issue "that may lead to death or serious injury, they must file a report," says John Murray, the FDA's software and electronic records compliance expert. Murray acknowledges that healthcare organizations might be reluctant to do this "because they don't want the manufacturer mad at them."

Device makers such as GE Medical Systems, Philips Medical Systems and Agfa say it typically takes months to test Microsoft patches because they could break the medical systems to which they're applied. In some instances, vendors won't authorize patch updates at all.

Angry hospital IT executives who say they can't ignore the risks from computer worms and hackers getting into unpatched Windows-based devices are taking matters into their own hands by applying the patches themselves.

"When Microsoft recommends we apply a critical patch, the vendors have come back and said 'We won't support you,'" says Dave McClain, information systems security manager at Community Health Network in Indianapolis.

So the hospital has gone ahead and applied critical Microsoft patches to vulnerable patient-care systems when vendors wouldn't, McClain says. The hospital views the failure to apply patches as a possible violation of the federal Health Insurance Portability and Accountability Act (HIPAA). "We have HIPAA regulatory issues, and you can't hold us back from compliance," he says.

What the doctor ordered

Several efforts are underway to cure hospitals' software patching ills.
  • North American, European and Japanese medical-device manufacturers, under the auspices of the National Electrical Manufacturers Association's Security and Privacy Committee, plan to issue a document this fall called "Patching Off-the-Shelf Software Used in Medical Information Systems" to specify a standard to protect medical equipment.
  • The Air Force is requiring medical-device manufacturers to submit their equipment for evaluation and adherence to software-patch guidelines to earn its "Certificate of Networthiness."
  • The Department of Veterans Affairs has issued a "Medical Device Isolation Architecture Guide" for protecting medical devices in VA hospitals and this week plans to announce that an IPSec VPN will be used in the patch-update process.

Other hospitals make the same contentions.

The North Carolina Healthcare Information and Communications Alliance (NCHICA), a 250-member technology advocacy group for regional hospitals, clinics, pharmacies and legal firms, earlier this year sent a letter to the FDA's enforcement division asking the FDA to provide "more guidance" on patching. The problem, NCHICA wrote, is that "security flaws can result in systems that do not function as intended and/or allow unauthorized modification to data. Systems compromised in these ways may represent a significant risk to patient safety."

"Security of the systems is the primary focus of the letter," says Holt Anderson, executive director of NCHICA. Without the operating systems properly maintained in terms of patching, "there is no way to secure devices that are connected to a LAN or wireless facility," he says.

The FDA's Murray says the medical industry faces a serious problem because the "quality of some of these off-the-shelf software products is on the low side," alluding to the perennial stream of security notifications from Microsoft and other software vendors.

He adds that when the FDA eight years ago began allowing off-the-shelf software in medical devices, it didn't foresee the kinds of security issues, such as computer worms, that plague networks.

The FDA doesn't have a comprehensive response to the problem. "But we're not going to go back to a time of non-networked medical devices that used to be stand-alone," Murray says.

The problem is that computer worms that target Microsoft-based computers, including MS-Blaster and Sasser, have increasingly struck hospital networks, where unpatched Windows-based patient-care systems have become infected. Some manufacturers, including Philips, contend that hospitals must do a better job of applying security defenses to protect medical devices by buying intrusion-prevention systems (IPS) and internal firewalls.

However, hospital IT professionals respond that it is not unusual for medical-device manufacturers themselves to be the source of the worms that get into hospital networks.

There have been several instances in which viruses originated from medical instruments straight from the vendors, says Bill Bailey, enterprise architect at ProHealth Care, a Milwaukee healthcare provider. Medical equipment arrived with computer viruses on it or service technicians introduced the viruses while maintaining the equipment, he says.

Bailey says he wants device manufacturers to consider including host-based IPSs on Windows-based patient systems. In addition, he would like to see Microsoft involved in helping tailor its operating system and applications for the medical industry.

"The medical-device manufacturers don't understand the systems, whether Microsoft or Unix," Bailey says. "They leave them in an untouchable state for a long time. The idea of periodic changes is hard for them."

Although Bailey says he's not in favor of filing complaints with the FDA, which could escalate into legal conflict, he does want to see the FDA apply pressure on the manufacturers.

The FDA shows signs of doing just that. This June during a Web-based conference with the 47-member University HealthSystem Consortium to discuss the issue of security patching, the FDA's deputy director in the medical-device division of the Office of Science and Engineering Laboratories urged hospitals to file complaints about medical devices.
