Fed-Up Hospitals Defy Windows Patching Rules

bingbong writes "According to Network World: 'Amid growing worries that Windows-based medical systems will endanger patients if Microsoft-issued security patches are not applied, hospitals are rebelling against restrictions from device manufacturers that have delayed or prevented such updates. Device makers such as GE Medical Systems, Philips Medical Systems and Agfa say it typically takes months to test Microsoft patches because they could break the medical systems to which they're applied. In some instances, vendors won't authorize patch updates at all.' This is the typical patch vs. crash problem. Unfortunately, the stakes here could be human lives."

Stop playing solitaire on my dialysis machine

Why is hospital equipment running windows? Anyone that knows anything about embedded systems with high quality requirements know that you stay away from large OSes. Even Linux is avoided unless you need tcp/ip and if you don't then its better to have a small maybe even off the shelf OS. The Key is to limit the testing requirements and limit changes, which are goofy to test a life support system just to have the latest and greatest IE 6 or 7 that you shouldn't even, have hooked to a wide-open Internet anyway.

Re:Stop playing solitaire on my dialysis machine

[dekemoose]

They are running Windows for the same reason that they are connected to a network, some pinhead PHB somewhere is trying to save a buck. It's probably cheaper for them to develop on a Windows platform rather then on a proper embedded paltform. Just like its cheaper for them to put these devices on a shared network, rather than having them properly firewalled off onto their own secured environment. Follow the $$$.

Re:Stop playing solitaire on my dialysis machine

[mattOzan]

I find it hard to believe they are talking about life support machinery. No specific piece of equipment is ever mentioned, just the generic "medical devices." I'm thinking they are speaking more of hospital informatics systems, like Stentor and EpicCare. When a doctor can't read a patient's medical chart because the workstation is PWNED, or can't send an X-ray up to surgery because the router's been hijacked, that is definitely a problem; but it is somewhat less of a problem than your ventilator quiting because of a BSOD.

Sounds like a tech-challenged reporter reporting wide-eyed about crashing "medical devices" which she doesn't really understand.

Re:Stop playing solitaire on my dialysis machine

[MindStalker]

But the point is still the same, you should run a machine with only enough code to do the job. Extra cruft is just risking "bugs" which could cost lives.

Re:Stop playing solitaire on my dialysis machine

[FFFish]

Don't be silly. The system should be based on an OS that is proven hard-core stable and real-time, like QNX, Microware OS-9/9k, etc.

There are a ton of good OSes out there for specialty applications and, surprise!, most of them don't involve Linux! Linux is not the be-all and end-all of OSes.

For human-life-critical applications, you should be using something that is demonstrably proven.

Re:Stop playing solitaire on my dialysis machine

They are not usually using Windows for embedded systems. They are using Windows on workstations.

I am a clinical doctor who programs in a couple of dozen languages and environments and follow the advancement in software solutions closely. I have been involved with clinical informatics only recently for the past couple of years though. Allow me to explain you some of the realities of the current health industry software. I admit I haven't sat down and structured the text well but I tried to put in as many issues as I could think of the moment.

The doctors want Windows or Macs. They want a familiar set up compared to what they use at home. It is very difficult to get doctors learn a completely different paradigm. There have been documented cases where nearly all the doctors in certain institutions rose up in arms because the developers thought they knew better and tried to force a solution onto them.

Most of the current set ups are almost always heterogeneous. We buy software from multiple vendors and bridge them together. This is because there are no completely integrated solutions as yet. GE and a few others are trying to close this gap but it is a VERY difficult one. Hospital information needs are not standard as your usual business information needs. The data processing here is often very simple but the volume and complexity of the data is overwhelming. It is not simple as Customers and Invoices. Clinical Medicine deals a lot with relatively abstract data with complex relationships. Most doctors know these relationships intuitively but there isn't enough published literature for a software developer to draw from. Clinical software is extremely expensive to build since the requirements are hard to establish. A lot of iterations are needed to fit the software to a given practice (This never gets completed usually and people settle for close enough).

Doctors themselves understand their needs best. A few doctors, while they don't hold CS degrees, practice design patterns or do EJB, do quite well to put together MS Access databases to solve their problems where professional software developers have not yet tread. Many times, they distribute these to their colleagues freely (Open Source if you will). Few even sell them. They may not be the best designed tools but they work. Mac's FileMaker and Linux's Total Rekall? don't exactly come close. Windows tools also have a larger number of books available to learn from.

Platform and tool costs are trivial, developer costs are not. A study in Human Computer Interactions is very essential here. Rich user interfaces are always preferred. Non-windows platforms don't have sufficiently advanced RAD tools. I really wanted Kylix to succeed. But I don't see any momentum behind it anymore. Veteran's Affairs Hospitals have built a remarkably physician friendly system. They are rightly proud of their constantly iterative development. They used Delphi but now that the system is stable (for user experience stand point) they are looking for other platforms. They looked at .NET. I heard they were trying Java now. Personally I am not sure it is the right choice for the client but we shall see.

The loss of work hours because the software does not fit the workflow at a given hospital is far far greater than losses due to worms and viruses.

The software should be as intuitive to use as possible. Should not require reading manuals. Hospitals always look whether the given software will slow the physician down in any way because physician time is very expensive and they rather have them seeing patients and generating revenue.

There is a case for cross-platform tools at the moment too. It is a case of mobility. Most doctors like to be able to review a patient's case online and advice on the phone when necessary. Many vendors provide web pages and applets for this but they often end up very unergonomic. But since the need is often information retrieval rather than data entry, they are accepted in the absence of the better alt

Why do they need patching?

Why are they even accessible on the internet? Seems like these should be in a secure private network unlikely to be attacked.

Re:Why do they need patching?

[AKAImBatman]

Why are they even accessible on the internet? Seems like these should be in a secure private network unlikely to be attacked.

Who said they're on the internet? Consider the following scenario:

The Hospital PCs are connected to a primary server that backs up all data and managed the PCs.

The Primary Server has a leased line or occasional dial-up to transfer data to a state-wide backup and update site.

The backup and update site has firewalled internet access for a VPN to GE, and troubleshooting purposes.

GE communicates with customers via internet email. One clerk in a backroom opens an attachment with an RPC worm. Within a half-hour the entire chain is compromised.

Any question on why having a monosystem Windows network is a bad thing? Even ONE Unix server in there would help break the chain.

Doesn't have to be a issue

[bs_testability]

Medical machines responsible for human life should never need to be patched. The software was tested at one point and should be controlled to stay at that test point until it is to be retested. For machines running windows this means they should be segregated from other parts of yoru network and should be airgap firewalled from the rest of the world. Intenet worms and email trojans shouldn't be relevant.

Re:Why in the hell...

[pclminion]

put these devices and systems behind something as simple as a $50 hardware NAT firewall, especially for a device that costs hundreds of thousands - or millions - of dollars?

How is a firewall going to stop an insider from exploiting the network? Does working in a hospital magically transform a person into a paragon of morality?

Can't say I'd blame Microsoft this time around.

[Rude+Turnip]

I'm not a big fan of Microsoft, but I don't think the quality (or lack thereof) of their products is the issue here. I've read from their EULAs that their products are not suited towards critical applications (ie nuke facilities, life support). My point is that although a EULA is not a legally-binding contact, the fact that MS is stating in public Windows shouldn't be used in critical applications should tell you something. The bottom line is that if GE, Philips or Agfa build a medical system, they should be responsible for that product from the software up to the hardware. The fact that *they don't have control* over one of the components in their products (the underlying OS) is negligent, IMO.

I would get laughed out of court if I tried to blame a critical problem with a report I wrote on my secretary, and the same should happen with these companies if somebody's loved one dies from their irresponsibility.

Everyone's asking why aren't they firewalled...

[foxtrot]

Firewalls won't help. If it runs Windows, some idiot's going to bring in a CD full of pictures from his latest vacation and the CD's going to be infected with MyDoom or (heck, probably and...) Sobig or any number of other nasties. Or it's going to be something he wants to print on the nice laser printer at the office.... there's a hundred ways to get infected just by clueless users.

Pretty soon, the internal network's either too busy generating random traffic to do anything else-- and even if the Big Iron of the business, the dialysis machines and heart-lung devices and all those wonderful things that better damned well not break work fine, you've still got the terminal the nurse sits in front of that keeps track of when to issue you your shot that keeps you alive spending half its time rebooting because it's got Sasser.

This is not a problem a firewall can solve, and it's pretty darned big: You can't go throwing software around willy-nilly to solve this problem (even though the real problem is that the users _are_ throwing software around willy-nilly), so you can't just go "oooh! A next-day patch from Microsoft, let's hope their two hours worth of QA before it walked out the door was good enough!".

-JDF