Senior Editor, Network World

Fed up hospitals defy patching rules

Aug 09, 2004 · 9 mins

Networking · Patch Management Software · Regulation

Amid growing worries that Windows-based medical systems will endanger patients if Microsoft-issued security patches are not applied, hospitals are rebelling against restrictions from device manufacturers that have delayed or prevented such updates.

Moreover, the U.S. Food and Drug Administration (FDA) is encouraging the aggrieved hospitals to file written complaints against the manufacturers, which could result in devices losing their government seal of approval.

If hospitals encounter a patch-related issue “that may lead to death or serious injury, they must file a report,” says John Murray, the FDA’s software and electronic records compliance expert. Murray acknowledges that healthcare organizations might be reluctant to do this “because they don’t want the manufacturer mad at them.”

Device makers such as GE Medical Systems, Philips Medical Systems and Agfa say it typically takes months to test Microsoft patches because they could break the medical systems to which they’re applied. In some instances, vendors won’t authorize patch updates at all.

Angry hospital IT executives who say they can’t ignore the risks from computer worms and hackers getting into unpatched Windows-based devices are taking matters into their own hands by applying the patches themselves.

“When Microsoft recommends we apply a critical patch, the vendors have come back and said ‘We won’t support you,’” says Dave McClain, information systems security manager at Community Health Network in Indianapolis.

So the hospital has gone ahead and applied critical Microsoft patches to vulnerable patient-care systems when vendors wouldn’t, McClain says. The hospital views the failure to apply patches as a possible violation of the federal Health Insurance Portability and Accountability Act (HIPAA). “We have HIPAA regulatory issues, and you can’t hold us back from compliance,” he says.

What the doctor ordered

Several efforts are underway to cure hospitals’ software patching ills.

North American, European and Japanese medical-device manufacturers, under the auspices of the National Electrical Manufacturers Association’s Security and Privacy Committee, plan to issue a document this fall called “Patching Off-the-Shelf Software Used in Medical Information Systems” to specify a standard to protect medical equipment.

The Air Force is requiring medical-device manufacturers to submit their equipment for evaluation and adherence to software-patch guidelines to earn its “Certificate of Networthiness.”

The Department of Veterans Affairs has issued a “Medical Device Isolation Architecture Guide” for protecting medical devices in VA hospitals and this week plans to announce that an IPSec VPN will be used in the patch-update process.

Other hospitals make the same contentions.

The North Carolina Healthcare Information and Communications Alliance (NCHICA), a 250-member technology advocacy group for regional hospitals, clinics, pharmacies and legal firms, earlier this year sent a letter to the FDA’s enforcement division asking the FDA to provide “more guidance” on patching. The problem, NCHICA wrote, is that “security flaws can result in systems that do not function as intended and/or allow unauthorized modification to data. Systems compromised in these ways may represent a significant risk to patient safety.”

“Security of the systems is the primary focus of the letter,” says Holt Anderson, executive director of NCHICA. Without the operating systems properly maintained in terms of patching, “there is no way to secure devices that are connected to a LAN or wireless facility,” he says.

The FDA’s Murray says the medical industry faces a serious problem because the “quality of some of these off-the-shelf software products is on the low side,” alluding to the perennial stream of security notifications from Microsoft and other software vendors.

He adds that when the FDA eight years ago began allowing off-the-shelf software in medical devices, it didn’t foresee the kinds of security issues, such as computer worms, that plague networks.

The FDA doesn’t have a comprehensive response to the problem. “But we’re not going to go back to a time of non-networked medical devices that used to be stand-alone,” Murray says.

The problem is that computer worms that target Microsoft-based computers, including MS-Blaster and Sasser, have increasingly struck hospital networks, where unpatched Windows-based patient-care systems have become infected. Some manufacturers, including Philips, contend that hospitals must do a better job of applying security defenses to protect medical devices by buying intrusion-prevention systems (IPS) and internal firewalls.

However, hospital IT professionals respond that it’s not that unusual for medical-device manufacturers to be the origin of worms that get in their networks.

There have been several instances in which viruses originated from medical instruments straight from the vendors, says Bill Bailey, enterprise architect at ProHealth Care, a Milwaukee healthcare provider. Medical equipment arrived with computer viruses on it or service technicians introduced the viruses while maintaining the equipment, he says.

Bailey says he wants device manufacturers to consider including host-based IPSs on Windows-based patient systems. In addition, he would like to see Microsoft involved in helping tailor its operating system and applications for the medical industry.

“The medical-device manufacturers don’t understand the systems, whether Microsoft or Unix,” Bailey says. “They leave them in an untouchable state for a long time. The idea of periodic changes is hard for them.”

Although Bailey says he’s not in favor of filing complaints with the FDA, which could escalate into legal conflict, he does want to see the FDA apply pressure on the manufacturers.

The FDA shows signs of doing just that. This June, during a Web-based conference with the 47-member University HealthSystem Consortium to discuss the issue of security patching, the FDA’s deputy director in the medical-device division of the Office of Science and Engineering Laboratories urged hospitals to file complaints about medical devices.

“Deputy Director Brian Fitzgerald said if you have a vendor that won’t patch, notify us,” says Joe Bajek, director of IT at the Health Sciences Center, a teaching hospital in Denver. The FDA indicated it might regard patching failure as a “product abandonment,” which might mean yanking vendor certifications.

Bajek says filing a complaint with the FDA would involve internal discussions with his company’s legal, purchasing and biomedical groups to determine which vendors are the worst offenders. But he’s open to the idea, and at any rate, “we can say to vendors, if you don’t have a strategy, we’re going to the FDA.”

Pressure on device vendors to patch also is coming from the U.S. Air Force, which operates 78 hospitals. While the Air Force can’t solve the patch issue single-handedly, it is drawing attention to the security issues by not allowing certain medical equipment on the Air Force network unless it’s patched. Under an equipment evaluation program that results in a vendor earning a “Certificate of Networthiness,” the Air Force has started to require that medical picture archiving systems based on Windows, Sun Solaris and accompanying databases undergo evaluation based on tools from the Defense Information Systems Agency and vendors that include Internet Security Systems before allowing the equipment onto the Air Force network.

“These medical images are going across from base to base, and there’s concern about security,” says Tom Lewis, program manager of medical picture archiving systems at the Air Force Medical Support Agency at Fort Detrick, Md. “This is the same network used by the war fighter.” The Air Force wants to ensure that medical devices don’t become the means to compromise military operations in any way.

The Air Force medical-device evaluation program requires vendor technicians updating patches to have security clearances and requires vendors to agree to apply patches if possible after CERT and other security bulletins are issued. Still, ultimately there are no guarantees because software updates potentially can break medical systems.

“It’s not possible to make a guarantee,” says Tim Artz, Agfa’s global government program director, who adds that he has not yet seen a device from Agfa that couldn’t handle a security patch.

Agfa, a major supplier of medical picture archiving systems to the Air Force, last month became the first to earn the equipment certification. Other vendors, including Eastman Kodak’s Health Imaging Group, also plan to submit equipment for testing, particularly because it’s a requirement for the next large Air Force medical-equipment contract.

Artz says the Certificate of Networthiness program helps the Air Force unify under the banner of one security regimen rather than requiring medical-device testing at each base, as was the case before. Artz says he hopes to see similar unified programs in the Army and Navy.

The U.S. Department of Veterans Affairs this week at its annual IT Conference in Austin is expected to detail how medical-device manufacturers will be able to more securely access the VA network to perform security patches to medical equipment. The approach will entail use of a Cisco-based gateway-to-gateway VPN using two-factor authentication by means of RSA Security’s SecurID token hardware.

The medical-device manufacturers emphasize that they are as eager as their customers to resolve problems associated with patching.

One step they hope to take would be to issue industry guidelines later this fall under the auspices of the National Electrical Manufacturers Association’s Joint Privacy and Security Committee for International Medical Informatics. The document, now in draft form, will be called “Patching Off-the-Shelf Software Used in Medical Information Systems.”

James Keese, chief privacy/security officer at Eastman Kodak’s Health Imaging Group, says the standards document will address a range of safety issues in patching medical devices. But the bottom-line problem, he says, is that “patches from Microsoft have had an impact on medical applications.”

When that happens, the manufacturer is left in the situation where the medical device simply can’t be updated with a security patch because this might cause the device to malfunction – also a threat to patient safety.