This is a huge step in medical device security, and the first of its kind. Read about it here, and if you’re asking, “what’s the big deal,” read on…
Many medical devices are built on general purpose computing platforms. Holter systems, PACS, and central stations are obvious examples, but many seemingly “embedded systems” are also using general purpose computing platforms. The most common general purpose computing platform is Windows running on Intel microprocessors. There are several flavors of Windows used: XP, 2000, NT, and CE. Susceptibility to malicious code like viruses and worms is more dependent on the operating system than the microprocessor. And since more and more medical devices are getting networked, more devices are getting infected with malicious code. (Here is a good explanation of different types of malicious code.) Unfortunately, due to Windows overwhelming market dominance, the vast majority of malicious code is written to target Windows computers. Solaris, Unix and Linux are also used in medical devices — the good news is that few hackers target these platforms due to their small market share, the bad news is that there are few protective software tools available for the same reason.
How big is the threat? At HIMSS last month, John Glaser, CIO at Partners Healthcare, reported that they receive 500,000 emails per day from the Internet, of which 7 percent carry malicious code (that’s 35,000 infected emails). He also mentioned that their network is probed 20,000 a day by would be hackers looking for vulnerabilities. To make matters worse, hacker programs called scripts can be easily found and downloaded from the Internet. The hackers who use these programs are called script kiddies and use these scripts to search for and exploit computers accessible from the Internet, usually with little regard or even understanding of the potential harmful consequences.
Very few medical devices contain any software to actively protect them from malicious code. I know of only a few very recent products that include software based firewalls. Hospitals must rely on general IT security products and methods to protect their IT networks and medical device networks. When devices get infected, they frequently become inoperable.
Vendors must “repair” infected devices or systems. Repair includes “patching” the operating system to remove the vulnerability exploited by the malicious code, and removing malicious code from infected devices. One method of repair is to “remanufacture” the product by reloading the operating system and application software — this is easy for the vendor because it uses existing processes. Remanufacturing is less attractive for hospitals because it means shipping the product back to the manufacturer. Remanufacturing may simply remove the malicious code and not fix the operating vulnerability, leaving the device open to infection. Alternatively, vendors may release a software patch. Software patches usually only close the vulnerability, leaving infected devices broken. (Click here to see the current list of Microsoft patches, and here is a good introduction to patch management.)
Software patch procedures at most vendors are somewhat undeveloped and hospitals can find themselves without the use of a device for some time. You can read more about patching medical device software here. You can learn more about medical device security at the HIMSS Medical Device Security web site.
The bottom line is that vendors must provide better protection against malicious code, and develop the processes and tools to respond to attacks in a much more timely and effective manner. Siemens has thrown down the gauntlet — it will be fun to watch the responses.