Slashdot Mirror


Fed-Up Hospitals Defy Windows Patching Rules

bingbong writes "According to Network World: 'Amid growing worries that Windows-based medical systems will endanger patients if Microsoft-issued security patches are not applied, hospitals are rebelling against restrictions from device manufacturers that have delayed or prevented such updates. Device makers such as GE Medical Systems, Philips Medical Systems and Agfa say it typically takes months to test Microsoft patches because they could break the medical systems to which they're applied. In some instances, vendors won't authorize patch updates at all.' This is the typical patch vs. crash problem. Unfortunately, the stakes here could be human lives."

10 of 705 comments

  1. Why in the hell... by daveschroeder · Score: 5, Interesting

    ...do they not just put these devices and systems behind something as simple as a $50 hardware NAT firewall, especially for a device that costs hundreds of thousands - or millions - of dollars? (Or better yet, why does the vendor not integrate such protection if they're relying on network-connected Windows systems for device control/interaction?)

    The norm is that these devices may need to connect *out* to something else, but don't necessarily need any inbound connections, so a hardware firewall, or even a host-based software firewall, would work perfectly in most instances; those that do need externally initiated inbound communication can *still* set up the necessary rules to allow such communication to take place. And yes, it is just this simple. (I did RTFA, and noted that some vendors actually recommend this, but that, startlingly, "there have been several instances in which viruses originated from medical instruments straight from the vendors"!)
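The segmentation this comment describes (no inbound by default, outbound allowed, only the services a device actually needs opened explicitly) is easy to express as a firewall ruleset. Below is an added example, not code from the thread or from any device vendor: a POSIX shell function that generates an nftables ruleset for a Linux gateway in front of a device segment. The subnet, the table name `devfw` and the DICOM port in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset for a
# gateway in front of a medical-device network segment. Policy follows the
# comment's model: drop inbound by default, let devices initiate outbound
# connections, and permit only explicitly listed inbound services.
# The subnet, table name and ports used here are constructed placeholders.

# gen_device_ruleset DEVICE_NET "PROTO:PORT PROTO:PORT ..."
#   DEVICE_NET : CIDR of the device segment (e.g. 10.20.30.0/24)
#   $2         : space-separated inbound services to allow, or "" for none
gen_device_ruleset() {
    devnet="$1"
    inbound="$2"
    cat <<EOF
table inet devfw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections the devices opened are allowed back in
        ct state established,related accept

        # devices may initiate outbound connections (PACS, vendor update server, ...)
        ip saddr $devnet ct state new accept
EOF
    # each explicitly allowed inbound service gets its own accept rule
    for svc in $inbound; do
        proto="${svc%%:*}"
        port="${svc#*:}"
        printf '\n        # explicitly permitted inbound service\n'
        printf '        ip daddr %s %s dport %s ct state new accept\n' "$devnet" "$proto" "$port"
    done
    cat <<EOF

        # anything else aimed at the device segment is logged and dropped
        ip daddr $devnet log prefix "devfw-drop: " drop
    }
}
EOF
}

# count_inbound_rules RULESET -> number of explicit inbound accept rules
count_inbound_rules() {
    printf '%s\n' "$1" | grep -c 'ip daddr .* dport .* accept' || :
}

# usage: an imaging segment that only needs DICOM (tcp/104) reachable from inside
gen_device_ruleset 10.20.30.0/24 "tcp:104"
```

The generated text can be loaded with `nft -f`; a device that needs no externally initiated connections at all is generated with an empty second argument, which leaves the forward chain at its `policy drop` default for inbound traffic.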

  2. Network by Klar · Score: 4, Interesting

    I work for a hospital, and I have to say that our network may be 'stable' but it really sucks. We run Windows 2000 Pro with many problems, and frequent crashing. If one of our secondary databases crashes, as they seem to do often, we have to wait a day or two until we can get a reboot of the system because the main database runs on the same server. Productivity really goes down the tubes sometimes to allow for the 'stable' network.

  3. Re:FDA? by m.h.2 · Score: 5, Interesting

    Having spent 10 years working in the Medical Device/Biotech domain, I can tell you that the FDA really does govern these things. Unfortunately, their internal understanding of computer systems in general is frighteningly scarce. Essentially, the only body of legislation they have to go by is a small portion of a CFR (Code of Federal Regulations: 21 CFR Part 11) that was released in 1997, and the enforcement guidance documents that followed it. The Code is extremely ambiguous and realistically lumps "electronic documents" and "electronic signatures" together. The compliance issues resulting from the vague document and its (mis)interpretation and enforcement were enough for me to change industries. My heart goes out to all of the people still battling this.

  4. Re:Stop playing solitaire on my dialysis machine by Short+Circuit · Score: 5, Interesting

    Part of the problem is that the vendors chose Windows as a development platform.

    I'm a rabid Linux user, but if I were designing equipment that held human lives in its anthropomorphic hands, I'd build it as an entirely atomic OS built from Linux or a BSD variant. And communications would be data-only, over a serial port. No network.

    In high school, a nurse from St Mary's (here in Grand Rapids, MI) was showing us screenshots of their radiation therapy machine. I recognized CDE... she didn't know what version of UNIX it ran, though.

  5. Fed. Regulations Cause This by grunt107 · Score: 4, Interesting

    All computer systems involved in patient care (and paper tracking as well) are forced to go through governmental processes for design, documentation and testing. These regulations add weeks, if not months, to system changes, regardless of change scope.

    Case in point is the drug study setup. Setting up data entry screens and processes can take up to 6 months for a given trial, and that trial may only run 3 months for the study metrics. If any of these processes are documented incorrectly, an entire trial can be dropped and the drug denied.

    This, in the hospital realm, is all about CYA. If a piece of equipment is not certified to this extent, the hospital can be held more liable for patient injuries if said equipment falters.

  6. Re:Stop playing solitaire on my dialysis machine by hawkestein · Score: 4, Interesting

    On the other hand, if it just malfunctions...

    --
    -- Will quantum computers run imaginary-time operating systems?

  7. Re:Stop playing solitaire on my dialysis machine by Tongo · Score: 5, Interesting

    Speaking of a radiation therapy machine with software bugs...

    This was posted to /. a while back: An Investigation of the Therac-25 Accidents

  8. Re:Stop playing solitaire on my dialysis machine by dogas · Score: 4, Interesting

    I develop an enterprise-level hospital app at a large corporation for a living, and I had the same questions when I started.

    Hospital hardware surely does run embedded systems. However, most parts of the hospital are probably kiosks running a web-based app that controls bed management, scheduling, the financial parts, etc.

    They are running Windows for the same reason they are using IBM WebSphere for the app server instead of Apache Tomcat: liability. What happens when a patient dies because of a server crash? Who do you blame? Oh, we'll blame Microsoft or IBM for our own bugs. You don't have that luxury if you're using Tomcat and Linux. Yes, it's dirty, sleazy and nasty, but I have no control over it.

    --
    'When the going gets weird, the weird turn pro.' -HST

  9. Re:Stop playing solitaire on my dialysis machine by Locutus · Score: 4, Interesting

    Thanks for the link but wow. So, when Microsoft was collecting data from users' MS Word documents (over the internet, behind the users' back, and databasing it) they were doing so without provisions and protections in their OS EULA? And they got away with just being able to say they won't do it again and that they've deleted the database...

    One thing of interest in that article is how the Microsoft exec specifically states the EULA of the SP and not the original EULA. This would be fine as long as the SP EULA states that it replaces completely the original EULA the user has been operating under and I don't know that it doesn't.

    I do know of quite a few people who refuse to upgrade to WinXP because of the EULA, and the fact that Microsoft can legally update anything on the OS without the user/admin/etc. knowing should be cause to exclude them from any financial, healthcare, public service, etc. business. After all, they are already a convicted felon. Hearing Bill Gates or Steve Ballmer/etc. saying 'trust me, we won't do xxxxxx' is meaningless. IMHO.

    Sure seems like all of these businesses would be on the high road to replace MS Windows ASAP with something they can have more control over...

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus

  10. Re:Stop playing solitaire on my dialysis machine by oliphaunt · Score: 4, Interesting

    I doubt YOU have any customers to deal with, especially with your "my way or the highway" attitude. Get back to being laid off [...]

    I work for a GPO. It's my job to write contracts for health care companies. It's a staggeringly boring occupation, but I do get to spend a lot of time thinking about what would happen if someone died because of a failure in a piece of equipment bought through one of my contracts.*

    I see a lot of EULA-style documents. You might be surprised how many software companies have simply taken the EULA from Windows 98 and adopted it as their own license agreement. You might also be surprised how many suppliers are willing to offer code escrow or source code access to customers. I've certainly seen some things I never would have expected.

    But you know what surprises me the most? That some vendors don't seem to care that their slipshod implementation could result in harm to a patient. For example, I recently spoke with a sales rep from a large point-of-care software vendor. He was very very excited to tell me all about the features his web-enabled software offered, like giving me REALTIME! ACCESS! TO! PATIENT! DIAGNOSTICS! but when I asked him about security, his answer was "well, that's the customer's responsibility." The base functionality required for this app is to take a bunch of data from a handheld device over serial port, dump it into a networked database, and then provide reports from that database into a web frontend for multiple users, with a user administration tool tacked on as an afterthought. What did his application run on? IIS, and it requires IE on the client desktop. Do they SSL-encrypt traffic on the network? Of course not. Do they send patient name and ID number in cleartext along with their REALTIME!!! test results? Well, the data wouldn't be much good if you don't know who it belongs to, now would it?

    Tinfoil-hat concerns aside, healthcare organizations are now required to comply with HIPAA, and if they fail to do so, people can go to jail. If the blood lab at one of my customers' hospitals buys this software, and someone is able to plug a laptop into their network and intercept data sent by their crappy IIS application, that's a clear HIPAA breach - but who is responsible for it? It's my job to make sure my customers aren't going to federal prison as a result of a poorly informed software purchase... you can bet that they're not buying the software.

    See, you assume that the customer is always right. In fact, the customer is often wrong, either because they are ignorant, or because they are receiving some kind of incentive (read: bribe) from at least one vendor in order to influence their decisions. When you use Windows in healthcare, the "customer is always right" attitude could land your customer in federal prison.

    *(What happens? Somebody gets sued. Usually, the dead patient's family sues the doctor and/or the hospital, and potentially the vendor, and also potentially my company. If the contract is written well, the vendor is obligated to step in and indemnify the doctor, our customer, and us against any claims. The funny thing is that vendors running on Windows are NEVER NEVER NEVER willing to volunteer this indemnification - I always have to fight for it, and sometimes we just can't get it. If there's an alternative vendor who will indemnify, they usually end up winning the business, because this is such an important concern for the health care providers...)

    --
    Humpty Dumpty was pushed.
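The failure mode described in the comment above, a web front end that carries patient name and ID in cleartext, is something a hospital can check for on its own network before (or after) a purchase, by reviewing proxy or gateway logs for plain-HTTP requests whose query strings carry patient identifiers. The script below is an added example, not from the thread or from any vendor: an awk-based audit over access-log lines. The four-column log format, the host names, the field-name list and every sample line are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag requests that send patient
# identifiers over plain HTTP. The log format (<scheme> <host> <path> <query>),
# the hosts and all sample lines below are constructed for illustration.

SAMPLE_LOG='http  poc-app.example.test  /results.asp  patient_id=00123&name=DOE+JANE&test=CBC
https poc-app.example.test  /results.asp  patient_id=00123&name=DOE+JANE&test=CBC
http  poc-app.example.test  /static/logo.gif  -
http  poc-app.example.test  /login.asp  user=nurse7
https intranet.example.test /index.html  -'

# flag_cleartext_phi < log-lines
#   prints host+path and the offending field for every request that is
#   (a) over http and (b) carries a patient-identifying field in its query
flag_cleartext_phi() {
    awk '
        # query-string field names that should never travel unencrypted
        # (constructed list; extend it to match the application under review)
        BEGIN { split("patient_id name mrn dob ssn", k, " "); for (i in k) phi[k[i]] = 1 }
        $1 == "http" && $4 != "-" {
            n = split($4, pairs, "&")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                if (kv[1] in phi) { print $2 $3 " (" kv[1] ")"; next }
            }
        }'
}

# count_findings -> number of flagged requests in SAMPLE_LOG
count_findings() {
    printf '%s\n' "$SAMPLE_LOG" | flag_cleartext_phi | wc -l | tr -d ' '
}

# usage: run the audit over the constructed sample; only the first line is flagged,
# since the same request over https and the http login without PHI fields pass
printf '%s\n' "$SAMPLE_LOG" | flag_cleartext_phi
```

The same HTTPS request is deliberately included so the check distinguishes the transport from the content: the finding is the cleartext transport, not the presence of patient data in a clinical application.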