While doing some research the other day I came across a pretty good article from last year. "Rx for patching mired in red tape"
digs into problems surrounding medical devices that get infected by
computer viruses and worms. The story raises lots of interesting
issues, so let's dig in.

The epidemic of Windows-based worms and viruses in the past year has
put hospital IT administrators on a state of high alert to protect
patient-care systems that have become reliant on Microsoft operating
systems.

First, I know this problem didn't start in the past year. The trend
to move embedded devices to Windows has certainly increased the impact
of malicious software. And of course, Microsoft makes such an
attractive target for hackers because of its near de facto status on
personal computers. What struck me when I first read this was, "where
are the biomedical engineers?" The vast majority of medical device type
systems are under the care and feeding of the Biomed department, not IT.

The challenge they face in securing these medical systems is that
it's not simply a matter of applying software patches. Healthcare IT
professionals say medical device makers prohibit them from changing the
system and even from running anti-virus software in some cases. These
IT administrators say manufacturers often are slow to supply software
patch updates and routinely claim the... FDA requires approval of
patch-based changes.

It is federal law, not medical device vendors, that keeps
customers from modifying FDA-regulated medical devices. Should a
hospital make a change that results in an adverse event, the hospital
will assume all the risk associated with that modification. The lack of
vendor responsiveness is a whole other issue.

Device vendors come from a tradition where embedded
devices were like black boxes -- they were standalone (with RS232
serial output at best) and interactivity was limited to the buttons and
knobs on the outside of the box. Everything that happened inside the
box could not be known by the user. In the good old days, engineers
even wrote the operating system for their medical devices. As the
market advanced, customers demanded connectivity beyond serial output.

However, the FDA says it has no such rules and is looking for medical device makers and customers to work out their differences.