Panel: Malware Infecting Health IT Systems
Hospital computer systems and equipment are becoming infected with malware that slows down operating software and presents the risk of rendering systems temporarily inoperable, according to a panel of health IT experts cited in an MIT Technology Review article.
While there have not been reports of malware causing patient harm, the threat is increasing due in part to the rise in provider use of Internet-accessible and mobile medical devices and systems, the article stated.
The malware panel discussion took place during a session sponsored by the National Institute of Standards and Technology’s Information Security and Privacy Board in Washington, D.C.
Panelists said that problems can occur when software-controlled medical equipment connected to the Internet through internal hospital networks becomes infected with malware, usually because the software has not received proper security updates.
Oftentimes it is not even possible to update or modify the equipment with added security features, exacerbating the problem, panelists said.
At Beth Israel Deaconess Medical Center in Boston, for example, 664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software, according to the article. Manufacturers worry the changes could violate US Food and Drug Administration (FDA) regulations.
Because of this limitation, computers are frequently infected with malware at Beth Israel and one or two have to be taken offline for cleaning each week, said Beth Israel’s chief information security officer Mark Olson during the discussion.
Olson said during the meeting that malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in their intensive-care ward. Backup systems prevented any patient harm in the incident, but Olson said the incident was alarming. Since then, the infected computer systems at Beth Israel have been replaced with new systems equipped with security protections that would prevent the problem from recurring.
Regulators have begun to notice the malware problem as well. In September, the Government Accountability Office (GAO) issued a report warning that computerized medical devices could be vulnerable to hacking and pose a safety threat. The GAO asked the FDA to address the issue through better oversight of the industry.