Malware strikes hospital devices

Computer viruses are increasingly causing patient monitoring equipment and other hospital software systems to at least temporarily shut down, the MIT Technology Review reports. And device manufacturers are making the problem harder to fight because many resist the addition of software changes to prevent malware, citing FDA regulations.

How big is the problem? It is widespread and growing, said Kevin Fu, a medical-device security expert at the University of Massachusetts, Amherst and the University of Michigan, and Mark Olson, chief information security officer at Beth Israel Deaconess Medical Center in Boston. Both spoke at a recent National Institute of Standards and Technology Information Security & Privacy Advisory Board medical-device panel meeting covered by Technology Review. While no fatalities have been reported, Olson said patient monitors, drug compounders, MRI devices and picture-archiving systems used with diagnostic equipment have all been affected at some point.

Beth Israel offers an example of how frustrating the problem can be. Fu said 664 pieces of medical equipment at his hospital use older Windows operating systems. And manufacturers won't modify the equipment. What's worse: The device makers have previously cited FDA regulations as a reason not to let hospitals improve the software or add antivirus protection, though Olson noted that the manufacturer in question--Philips--has finally replaced the faulty computer systems. (Companies cite FDA guidance dating back to 2009, however, as hampering their ability to make computer system changes efficiently.)

Otherwise, Olson said the hospital must take one or two computers offline each week for cleaning because of malware infections, adding expense, reducing efficiency and perpetuating safety risks.

The FDA is reviewing its regulatory position on software and says it will work, over time, on updating its guidelines, according to the article.

- read the MIT Technology Review story