Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fed-Up Hospitals Defy Windows Patching Rules

Posted by ryuzaki0 on from the er dept.

bingbong writes "According to Network World: 'Amid growing worries that Windows-based medical systems will endanger patients if Microsoft-issued security patches are not applied, hospitals are rebelling against restrictions from device manufacturers that have delayed or prevented such updates. Device makers such as GE Medical Systems, Philips Medical Systems and Agfa say it typically takes months to test Microsoft patches because they could break the medical systems to which they're applied. In some instances, vendors won't authorize patch updates at all.' This is the typical patch vs. crash problem. Unfortunately, the stakes here could be human lives."

30 of 705 comments (clear)

  1. Stop playing solitaire on my dialysis machine by Anonymous Coward · · Score: 5, Insightful

    Why is hospital equipment running windows? Anyone that knows anything about embedded systems with high quality requirements know that you stay away from large OSes. Even Linux is avoided unless you need tcp/ip and if you don't then its better to have a small maybe even off the shelf OS. The Key is to limit the testing requirements and limit changes, which are goofy to test a life support system just to have the latest and greatest IE 6 or 7 that you shouldn't even, have hooked to a wide-open Internet anyway.

    1. Re:Stop playing solitaire on my dialysis machine by dekemoose · · Score: 5, Insightful

      They are running Windows for the same reason that they are connected to a network, some pinhead PHB somewhere is trying to save a buck. It's probably cheaper for them to develop on a Windows platform rather then on a proper embedded paltform. Just like its cheaper for them to put these devices on a shared network, rather than having them properly firewalled off onto their own secured environment. Follow the $$$.

    2. Re:Stop playing solitaire on my dialysis machine by mattOzan · · Score: 5, Insightful
      I find it hard to believe they are talking about life support machinery. No specific piece of equipment is ever mentioned, just the generic "medical devices." I'm thinking they are speaking more of hospital informatics systems, like Stentor and EpicCare. When a doctor can't read a patient's medical chart because the workstation is PWNED, or can't send an X-ray up to surgery because the router's been hijacked, that is definitely a problem; but it is somewhat less of a problem than your ventilator quiting because of a BSOD.

      Sounds like a tech-challenged reporter reporting wide-eyed about crashing "medical devices" which she doesn't really understand.

    3. Re:Stop playing solitaire on my dialysis machine by mhaisley · · Score: 3, Insightful

      Umm...if the radiation therapy machine crashes, someone could die... Ever have your computer crash, and have your sound card remain on with a steady tone, or similar behavior? Now imagine the same thing happening while shooting radiation into a patient.

      Another example, is the IV pumps, most of these run windows2k, But, I've worked on a couple that run CE a small problem here, can do one of multiple things...increase drug flow, decrease drug flow, or stop drug flow, none of these are good...oh we gave him 7 days worth of morphine in 7 minutes...

      Most of these problems would be noticed before some one dies...but it could happen, especially with the health care system becoming even tighter budgeted.

    4. Re:Stop playing solitaire on my dialysis machine by Short+Circuit · · Score: 4, Insightful

      Crashes would be a problem.

      If it crashes, how do you know if the radiation dose was administered or not? Was it the whole dose? was it just part of the dose? Did the machine even turn off?

      Those are awfully important questions for the doctors and radiation techs. Even moreso for the cancer patient that has to go through a battery of tests to determine the effect of a software glitch.

      --
      tasks(723) drafts(105) languages(484) examples(29106)
    5. Re:Stop playing solitaire on my dialysis machine by caswelmo · · Score: 3, Insightful

      IANAD but I have many friends that are doctors. Aside from some specialities such as Anastesia (sp?), some Surgeons, or Dermatology, most doctors really don't make what they're worth. They go through pure hell for at least 7 years. They get paid nothing for the first 4, and $40,000 a year after that until they finish residency. I have heard many a doctor say that there is no way they would do it all over again. If they had only known what it would be like, they would run away screaming.

      Health care is expensive because we feel like it's worth it. Every new cure or treatment or test costs more money, not less. Improvement increases costs & we'd rather live longer than not so we're willing to pay the premium for improvement.

      My point? Doctors are underpaid, especially primary care physicians. They should be paid a premium because they are doing such an important job and have to go through hell to get there. Regardless of whether they do it for the money or "love of life", they deserve to be compensated. So please don't rag on doctors for high health care costs.

      The real evil lies in the insurance industry.

    6. Re:Stop playing solitaire on my dialysis machine by MindStalker · · Score: 5, Insightful

      But the point is still the same, you should run a machine with only enough code to do the job. Extra cruft is just risking "bugs" which could cost lives.

    7. Re:Stop playing solitaire on my dialysis machine by FunnyBunny · · Score: 4, Insightful

      Very honestly, most of these machines couldn't "kill omeone".

      Hmm, a pain pump that doesn't correctly meter the morphine could easily kill someone.

      I mean, if the radiation therapy machine crashes, nobody dies.

      Wow, you mean if the control computer crashes leaving the shutter to the Cobalt source open nobody could die? How about gamma knife overexposing the brain stem, cooking the brain stem couldn't possibly kill someone. How about a faulty homing cycle where the radiation head homes to the patient table, even if a patient is there.

      Do me a favor, don't work on human critical systems.

    8. Re:Stop playing solitaire on my dialysis machine by FFFish · · Score: 5, Insightful

      Don't be silly. The system should be based on an OS that is proven hard-core stable and real-time, like QNX, Microware OS-9/9k, etc.

      There are a ton of good OSes out there for specialty applications and, surprise!, most of them don't involve Linux! Linux is not the be-all and end-all of OSes.

      For human-life-critical applications, you should be using something that is demonstrably proven.

      --

      --
      Don't like it? Respond with words, not karma.
    9. Re:Stop playing solitaire on my dialysis machine by CyberGarp · · Score: 4, Insightful

      This happened to me in a hospital:

      I was admitted for severe breathing difficulties and chest pain. This put me on the heart attack route. Turned out to be a rare form of asthma. While I set in a bed on oxygen, I looked up to watch my heart monitor flat-line. The crash cart crew runs in with all the resucitation equipment and my heart monitor starts beating again. They give me weird looks and examine me up an down to see that I'm doing great on the oxygen. This happens a second time. About 10 minutes later the hospital IS staff show up and examine it, and he says, "Aha, yours is set on the network to show the guy next door."

      He leaves and I hear the crash cart go whizzing by my door.

      Networked critical care systems are a bad idea--except to report a central monitoring station. Windows is an even worse idea. Why this kind of crap is tolerated is beyond me.

      Shawn
      --

      I used to wonder what was so holy about a silent night, now I have a child.
    10. Re:Stop playing solitaire on my dialysis machine by Valar · · Score: 4, Insightful

      This is a very precise process. We are talking exposures MUCH less than a second. By the time a human operator can respond to the malfunction it is already too late. If the exposures were long enough that a human could administer them, then they would. No point in paying for a computer _and_ a tech, right?

      --

      ====
      Crudely Drawn Games
    11. Re:Stop playing solitaire on my dialysis machine by danheskett · · Score: 4, Insightful

      Because the alternative is alot worse, that's why.

      Imagine you are a small hospital, one with a 10 bed ICU. You have 10 patients. Can you afford to have someone near enough to each heart monitor to hear when it has an irregular heartbeart? Can you even detect a slightly altered heart-rate just by a casual listen/look every now and then? What about all the other funny intrumentation? Of course not. It would take one RN/CNA/Med. Tech per ICU patient per shift. In 3 shifts that's 30 full-time employees for a 10-bed ICU just to make sure nothing bad is happening on the monitor. That's a big staff. All the sudden you are spending $2M a year on just nurses/assistants for your 10-bed ICU. At best you can recoup $500k of that, maybe $1M if you have a really good ratio of paying/insured/uninsured/unpaying patients.

      Imagine you are not a 10-bed ICU, but rather, a 750-bed ICU. Do the math.

      Whats worses is that in your case it wasn't even likely a networking related problem, so much as it was likely that a the inputs from one machine were improperly patched through to a display and monitoring unit. (I've seen the same mistake before.. when you have a patch panel it's an easy mistake to wire jack 3 to jack 5 and vice versa).

      It's not acceptable, but in reality, it's a cost of progress. The alternative to network'd equipment like this is worse care. Systems must be designed to be resliant, and some manufactuerer's are doing a bad job. But, by and large, medical technology is amoung the most robust in the entire computer industry. I've seen machines that run 24-hrs a day for years on end. Machines with duty cycles in the thousands of hours.
      Networked care systems are coming, and many are here and work very well. Many many many more lives have been saved than damaged or lost by this type of technology. We need better systems, better platforms, etc - but throwing out the whole thing is absurd at this point in time.

    12. Re:Stop playing solitaire on my dialysis machine by dvdeug · · Score: 3, Insightful

      I guess the operator is just looking at it from behind the console,

      What do you expect the operator to see? Radiation is invisible; you could easily not tell if the machine was still spitting out radiation or not. You can also overload on radiation quickly; by the time the operator notices what's going on, it may be too late.

      Just as importantly, there should always be multiple lines of protection. Trusting the operator to handle the problems when the machine screws up is a bad thing; the operator may have stepped out for a smoke break, be thinking about her golf game, or have a stroke. It may be one in a million, but with half a million people needing four or five sessions every year, that's several needless deaths a year.

    13. Re:Stop playing solitaire on my dialysis machine by oliphaunt · · Score: 3, Insightful

      Part of the problem is that the vendors chose Windows as a development platform.

      um, no. ALL of the blame rests on the software developer. If you all weren't so goddamn lazy and quick to grab dollars at the expense of careful design and reliable architecture, you wouldn't be using windows at all.

      The backend for the software I work on actually runs in Unix, and we have hospitals that are thinking of going to NT only [...]

      When you get back to 1997, would you call me and tell me to invest in eBay and Yahoo? Tell me to sell in february 2000 while you're at it. And then tell your company that they're fools for thinking that fat-client software has a future in 2004 when everything that's successful now has a web interface.

      [...]which means we have to try to port our code to it or loose that customer.

      bullshit. Why would their client envronment have any impact on your archtecture for an embedded system? If the customer needs a GUI frontend to your device, do it with Apache. I think there is a version available for QNX, which is the OS you would use (once again) if you weren't so GODDAMN LAZY. Instead, you create a mess, comfortable in your knowledge that you will always have a future cleaning up after yourself.

      repeat after me: there is no excuse for using Windows in any embedded system.

      Again: there is NO EXCUSE for using Windows in any embedded system.

      --




      Humpty Dumpty was pushed.
    14. Re:Stop playing solitaire on my dialysis machine by danheskett · · Score: 3, Insightful

      Point 1: She does not use outlook. It was uninstalled from her box. Guess what microsoft installed over the weekend? Outlook.
      An utter lie. Provide documentation, and you'd probably have a good case.

      On top of that, I am sure MS didn't hack her machine to install Outlook. Was it part of another update? How was it uninstalled? Your story doesn't add up. More details, and I will poke more holes.

      Point 2: She does not use MIE. If it could be uninstalled, it would be. Guess what microsoft updated over the weekend. MIE
      She does components of MSIE. But that's irrelevant. The question is, how did Microsoft update her copy of MSIE. Are you suggesting they targted her?

      Of course not. I'll tell you what happened. She has automatic updates turned on. The system updated itself according to predefined behaviour.

      She probably would switch operating systems, if she could. There are no viable alternatives. So she can't.
      That's provably false. But what you are going to say is "no, she can't switch because she needs X, which only Windows has". And I am going to say "that's like complaining that The Backstreet Boys have a monopoly on Backstreet Boys albums". And you are going to say "That's not a good analogy" and I am going to say "Yes, it is. Your roomates compliant is that there isn't a 100% compatible knock-off of Windows, which is an absurd standard that has never applied in any industry before, and doesn't apply now either".

    15. Re:Stop playing solitaire on my dialysis machine by Anonymous Coward · · Score: 5, Insightful

      They are not usually using Windows for embedded systems. They are using Windows on workstations.

      I am a clinical doctor who programs in a couple of dozen languages and environments and follow the advancement in software solutions closely. I have been involved with clinical informatics only recently for the past couple of years though. Allow me to explain you some of the realities of the current health industry software. I admit I haven't sat down and structured the text well but I tried to put in as many issues as I could think of the moment.

      The doctors want Windows or Macs. They want a familiar set up compared to what they use at home. It is very difficult to get doctors learn a completely different paradigm. There have been documented cases where nearly all the doctors in certain institutions rose up in arms because the developers thought they knew better and tried to force a solution onto them.

      Most of the current set ups are almost always heterogeneous. We buy software from multiple vendors and bridge them together. This is because there are no completely integrated solutions as yet. GE and a few others are trying to close this gap but it is a VERY difficult one. Hospital information needs are not standard as your usual business information needs. The data processing here is often very simple but the volume and complexity of the data is overwhelming. It is not simple as Customers and Invoices. Clinical Medicine deals a lot with relatively abstract data with complex relationships. Most doctors know these relationships intuitively but there isn't enough published literature for a software developer to draw from. Clinical software is extremely expensive to build since the requirements are hard to establish. A lot of iterations are needed to fit the software to a given practice (This never gets completed usually and people settle for close enough).

      Doctors themselves understand their needs best. A few doctors, while they don't hold CS degrees, practice design patterns or do EJB, do quite well to put together MS Access databases to solve their problems where professional software developers have not yet tread. Many times, they distribute these to their colleagues freely (Open Source if you will). Few even sell them. They may not be the best designed tools but they work. Mac's FileMaker and Linux's Total Rekall? don't exactly come close. Windows tools also have a larger number of books available to learn from.

      Platform and tool costs are trivial, developer costs are not. A study in Human Computer Interactions is very essential here. Rich user interfaces are always preferred. Non-windows platforms don't have sufficiently advanced RAD tools. I really wanted Kylix to succeed. But I don't see any momentum behind it anymore. Veteran's Affairs Hospitals have built a remarkably physician friendly system. They are rightly proud of their constantly iterative development. They used Delphi but now that the system is stable (for user experience stand point) they are looking for other platforms. They looked at .NET. I heard they were trying Java now. Personally I am not sure it is the right choice for the client but we shall see.

      The loss of work hours because the software does not fit the workflow at a given hospital is far far greater than losses due to worms and viruses.

      The software should be as intuitive to use as possible. Should not require reading manuals. Hospitals always look whether the given software will slow the physician down in any way because physician time is very expensive and they rather have them seeing patients and generating revenue.

      There is a case for cross-platform tools at the moment too. It is a case of mobility. Most doctors like to be able to review a patient's case online and advice on the phone when necessary. Many vendors provide web pages and applets for this but they often end up very unergonomic. But since the need is often information retrieval rather than data entry, they are accepted in the absence of the better alt

  2. Why do they need patching? by Anonymous Coward · · Score: 5, Insightful

    Why are they even accessible on the internet? Seems like these should be in a secure private network unlikely to be attacked.

    1. Re:Why do they need patching? by AKAImBatman · · Score: 5, Insightful

      Why are they even accessible on the internet? Seems like these should be in a secure private network unlikely to be attacked.

      Who said they're on the internet? Consider the following scenario:

      The Hospital PCs are connected to a primary server that backs up all data and managed the PCs.

      The Primary Server has a leased line or occasional dial-up to transfer data to a state-wide backup and update site.

      The backup and update site has firewalled internet access for a VPN to GE, and troubleshooting purposes.

      GE communicates with customers via internet email. One clerk in a backroom opens an attachment with an RPC worm. Within a half-hour the entire chain is compromised.

      Any question on why having a monosystem Windows network is a bad thing? Even ONE Unix server in there would help break the chain.

      --
      Javascript + Nintendo DSi = DSiCade
    2. Re:Why do they need patching? by nojomofo · · Score: 3, Insightful

      Uhhh.... Do you think that all doctors know absolutely everything about the human body? Don't you think that they need references, too? And don't you think that maybe, just maybe, it's much easier to have up-to-date online references than book references? Why do you assume that the only thing that hospitals need internet for is surfing? You might as well stay home - your doctor looks up information online.

      Maybe they also have billing systems that interact directly with insurance providers so that people don't have to use typewriters and carbon copies anymore. Jesus, there's more to the internet than porn and email. Deal with it.

  3. FDA? by gtrubetskoy · · Score: 4, Insightful
    ...when the FDA eight years ago began allowing off-the-shelf software in medical devices, it didn't foresee the kinds of security issues, such as computer worms, that plague networks.

    OK.... We now have the Food and Drug Administration in charge of computer security?

  4. Why is this a problem? by ameoba · · Score: 3, Insightful

    Why are these things on any sort of publicly accessable network? They should, at least, be on a private network that's physically separate from everything they don't absolutely need to talk to & firewalled all to hell.

    --
    my sig's at the bottom of the page.
  5. Doesn't have to be a issue by bs_testability · · Score: 5, Insightful

    Medical machines responsible for human life should never need to be patched. The software was tested at one point and should be controlled to stay at that test point until it is to be retested. For machines running windows this means they should be segregated from other parts of yoru network and should be airgap firewalled from the rest of the world. Intenet worms and email trojans shouldn't be relevant.

  6. Re:Why in the hell... by pclminion · · Score: 5, Insightful
    put these devices and systems behind something as simple as a $50 hardware NAT firewall, especially for a device that costs hundreds of thousands - or millions - of dollars?

    How is a firewall going to stop an insider from exploiting the network? Does working in a hospital magically transform a person into a paragon of morality?

  7. Can't say I'd blame Microsoft this time around. by Rude+Turnip · · Score: 5, Insightful

    I'm not a big fan of Microsoft, but I don't think the quality (or lack thereof) of their products is the issue here. I've read from their EULAs that their products are not suited towards critical applications (ie nuke facilities, life support). My point is that although a EULA is not a legally-binding contact, the fact that MS is stating in public Windows shouldn't be used in critical applications should tell you something. The bottom line is that if GE, Philips or Agfa build a medical system, they should be responsible for that product from the software up to the hardware. The fact that *they don't have control* over one of the components in their products (the underlying OS) is negligent, IMO.

    I would get laughed out of court if I tried to blame a critical problem with a report I wrote on my secretary, and the same should happen with these companies if somebody's loved one dies from their irresponsibility.

    --
    Bill Clinton: Pimp we can believe in. - The Shirt!!!
  8. If it ain't broke, why fix it? by TommydCat · · Score: 3, Insightful
    Does the heart-lung machine have an internet addressable IP? Could it wind up as a spam zombie?

    Survery says... Beeep! Beeep! Beeep!

    What "security" or other risk with a turnkey standalone system? I'd rather risk the remote chance of someone breaking into my room to run CAT-5 to my vitals monitor rather than a BSOD (possible REAL death in this case) because Service Pack x broke some obscure function and failed to alarm the nurse when my heart stopped.

    Do the morons at the hospitals run Windows Update on the defibrillators?

    The manufacturers have tested and retested and regression tested everything that goes into those medical devices (or they say, anyway), so why deviate from a known good combination without a compelling reason?

    --
    This comment does not necessarily represent the views and opinions of the author.
  9. Everyone's asking why aren't they firewalled... by foxtrot · · Score: 5, Insightful

    Firewalls won't help. If it runs Windows, some idiot's going to bring in a CD full of pictures from his latest vacation and the CD's going to be infected with MyDoom or (heck, probably and...) Sobig or any number of other nasties. Or it's going to be something he wants to print on the nice laser printer at the office.... there's a hundred ways to get infected just by clueless users.

    Pretty soon, the internal network's either too busy generating random traffic to do anything else-- and even if the Big Iron of the business, the dialysis machines and heart-lung devices and all those wonderful things that better damned well not break work fine, you've still got the terminal the nurse sits in front of that keeps track of when to issue you your shot that keeps you alive spending half its time rebooting because it's got Sasser.

    This is not a problem a firewall can solve, and it's pretty darned big: You can't go throwing software around willy-nilly to solve this problem (even though the real problem is that the users _are_ throwing software around willy-nilly), so you can't just go "oooh! A next-day patch from Microsoft, let's hope their two hours worth of QA before it walked out the door was good enough!".

    -JDF

  10. Re:Stop with the security through obscurity crap by LWATCDR · · Score: 4, Insightful

    "Why, exactly? Because nobody would know how to hack your tiny little proprietary OS? That's crap and you know it."

    The reason it the smaller the OS the less you have to test it. The whole KISS thing. Keep it simple stupid.

    On a standalone ebedded system you do not need support for TrueType fonts, every printer and USB device known to man, or even video playback. On an Embeded device you often only need a few functions but those functions have to work. If you have ever programmed under windows you will find all sorts of APIs just do not work or do not work the way they are documented. Windows programers just program around these issues. You should always use the smallest OS that you can get away with for the device you are using. Linux is a good option for very flexable embedded devices. I would tend to stay clear of X and use nano-x myself.
    There are many off the shelf ebeded OSs the most popular I can think of is QNX. For life critcal systems I would go for QNX over windows any day.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  11. Just one of the many enourmous problems by Zed2K · · Score: 3, Insightful

    This is just one of the many huge problems inside hospitals these days. Many people do not realize how often just a simple name and patient number gets assigned to the wrong person. Records get swapped with someone else or a gender or age gets changed. All these life threatening mistakes are human error. The problem is that the transcriptionists get paid per word. Not whether they word is correct and the document they transcribe is correct. It's also all about money and internal politics. They choose systems not based on whether its a good match for the hospital and the patients but based upon which board member is in bed with which company. They'll spend 10s of millions of dollars on a new system just because some higher up gets a kick back or has a golfing buddy. Then the system turns out to be total crap and they start the process all over. All the while they raise their cost of doing business and push it off to the patient.

    Knowing what I know there is no way in hell I will ever go to a hospital unless I'm already dead. Cause they'll kill you just sitting in the waiting area.

  12. Many non-obvious apps can be critical by gosand · · Score: 3, Insightful
    I'm not a big fan of Microsoft, but I don't think the quality (or lack thereof) of their products is the issue here. I've read from their EULAs that their products are not suited towards critical applications (ie nuke facilities, life support). My point is that although a EULA is not a legally-binding contact, the fact that MS is stating in public Windows shouldn't be used in critical applications should tell you something.

    But there are a lot of applications that are not themselves critical, but could play a part. I work for a company that does materials management software for hospitals. This stuff is tweaked for efficiency, and hospitals rely on it. It runs on Windows only. Doesn't sound quite like the importance of a pacemaker, right? Well let's say the hospital gets hit by a virus. Yes, it happens, even with firewalls. Now their materials system is fubar, and they are used to it having the right supplies on hand at the right times. If it is low on something, it reorders it automatically. Now they are screwed, and they don't have something that they really need. Someone could die.

    Hospitals have to operate on razor thin margins, and they can't stock millions upon millions of dollars of everything. They look to lower their on-hands inventory as much as possible.

    There is all kinds of software in the hospitals that can go horribly wrong, not just the obvious stuff.

    --

    My beliefs do not require that you agree with them.

  13. Oh come on! by marshac · · Score: 3, Insightful

    Seriously, is the REAL problem the OS? I think the REAL problem is insecure networks. Lets think for a second about all of the Windows/IE vulnerabilities in the past several months... how many of them matter if you're not connected to a network? Windows 2000/XP in my experience has been quite good, and when properly maintained (ie: no junk installed), provides a very stable platform. No one should be "surfing the web" from the deliberation machine, nor can I really see why it would need a serious network interface.... Let alone access anything on the internet! I think what hospitals REALLY need are security experts to take a good long hard look at their network and decide what SHOULD, and what SHOULDN'T be on the LAN... and if some level of network connectivity is needed (ie: the ability to monitor equipment from across the hospital), this should be on a totally separate VLAN with NO access to the internet.... Internal routing only, no exceptions. Computers connected to this LAN wouldn't have removable media bays, so the threat of worms, etc should be mitigated by general inaccessibility.

    I know everyone on Slashdot would LOVE to blame the OS, but really... the fault is not with the OS as much as it is the networking admins, and even more likely, the administration for not providing the NAs with the support they need to make a properly secure network.