The nation's hospitals, medical device manufacturers, Microsoft, and even the U.S. Federal Drug Administration are all rapidly searching for a solution to a security problem that has the potential to become life-threatening.
The security predicament facing the world's hospitals is that each time they take an MRI or CAT scan when malware is on the loose, a patient's life could be in danger if the machine malfunctions and gives an inaccurate reading.
"I do believe that if you let this problem carry on without starting to address it in an active way, forces will combine and it will have an ill effect on public health, possibly some death or serious injury," said John Murray, who is the software and electronics compliance expert at the FDA.
The problem that concerns Murray and others is the use of off-the-shelf operating systems, such as Microsoft Windows, within medical devices. Although using Windows enables the devices to talk to a hospital's information network, these devices, at the same time, also become just as vulnerable as any commercial computers whenever hackers are about.
Hospitals and medical device makers, such as GE Medical, Siemens and Philips Medical Systems, have been aware of the problem for the past two years. They realize that the proliferation of bugs could affect their devices, but only recent involvement by the FDA has brought any urgency into resolving the issue.
As yet, though, the main stakeholders – hospitals, medical device makers, Microsoft and the FDA – have failed to figure out a comprehensive way to fix it.
"Right now, there's a lot of finger-pointing going on," said Murray. "The user is pointing at the medical device manufacturer, who in turn is pointing at the FDA. We're engaged in a lot of non-productive discussion, and this is not going to get us to the answers we need to have."
The problem in a nutshell is that the hospitals want their existing systems patched and they want the medical device companies to be responsible for the patching, so as not to invalidate their service level agreements. But device manufacturers say they are unable to patch because of FDA regulations.
The finger-pointing from medical equipment vendors has annoyed the FDA, which is telling all the parties that they should not be afraid to find a solution to this serious problem.
"The FDA is not the big bad wolf here. We are trying to be partners to solve this problem," said Murray.
As a result, the federal agency is in the process of writing a draft guidance document for device manufacturers on the topic, but no timeframe has yet been given for its release.
Meanwhile, several device manufacturers did not return requests for interviews, but in a statement, Philips' director of product IT security Nick Mankovich said the company is aware of the issue and is working on a number of initiatives.
First, Philips has a global product security policy governing design-for-security in product creation, as well as risk assessment and security event response activities for any vulnerabilities identified in existing products.
Second, its global network of product security incident response teams collect and manage data and address any vulnerabilities affecting Philips' products and solutions.
Finally, it is pushing its customers to implement a comprehensive, multi-layered strategy (including policies, processes, and technologies) to protect information and systems from external and internal threats.
"We are deeply engaged in creating the products of tomorrow based on fundamental security principles," said Mankovich in the statement.
It is not the products of tomorrow that are the worry, though, but the devices that have been installed over the past five or six years. Microsoft, too, is well aware of the overarching problems, and a spokesperson said the company is "working to build greater resiliency and isolation technologies into our products."
The urgency of the situation has forced some healthcare organizations to take action. The Veterans Administration is leading the effort with its "Medical Device Isolation Architecture Guide," which is becoming a model for other groups.
"From the very beginning, the VA has taken the position, and still supports the position, that the patching of operating systems on medical devices by the end-user at the hospital level, without the express support of the original medical equipment manufacturer, is not an end-user option," said Steven Wexler, the chief biomedical engineer for the Veterans' Health Administration in the Department of Veterans Affairs.
Essentially the VA solution describes how to connect the devices in a virtual LAN and disable all the ports except the one that connects the device to a printer and another that connects to the hospital information network.
Another option for hospital groups is to seek out the help of a security vendor. The St. John Health System in Tulsa, OK, has turned over all its HIPAA policy compliance and device security headaches to Preventsys, a two-year old company.
Preventsys software will automatically evaluate a device, and the possible threat, and then recommend how to implement countermeasures to deal with it. It then continues to audit the device.
While admitting that most healthcare organizations are aware of this threat, Kevin Reardon, vice-president of professional services for Preventsys, acknowledged that not all the devices are getting fixed.
"If I needed an MRI scan while there was a worm floating about, would I want to be the person on that table as those tests are being done? The answer would obviously be no," he said.