Security

Fed-Up Hospitals Defy Windows Patching Rules 705

bingbong writes "According to Network World: 'Amid growing worries that Windows-based medical systems will endanger patients if Microsoft-issued security patches are not applied, hospitals are rebelling against restrictions from device manufacturers that have delayed or prevented such updates. Device makers such as GE Medical Systems, Philips Medical Systems and Agfa say it typically takes months to test Microsoft patches because they could break the medical systems to which they're applied. In some instances, vendors won't authorize patch updates at all.' This is the typical patch vs. crash problem. Unfortunately, the stakes here could be human lives."
This discussion has been archived. No new comments can be posted.

  • GE Medical Systems (Score:5, Informative)

    by Ryan Stortz ( 598060 ) <`ryan0rz' `at' `gmail.com'> on Monday August 09, 2004 @03:03PM (#9922482)
    My father works for GEMS as a Field Service Engineer; he repairs and installs X-Ray Machines, CAT Scanners, and Mammography machines. As far as I know, GEMS doesn't run Windows on any of its boxes (other than Engineer Laptops). Most of their older systems are UltraSPARC/SunOS boxes. The newer ones are Intel Xeon/Red Hat rigs with their own custom window manager. Heh, he's even called me in a few times to help him with some Linux problems.

    It makes sense to me, GEMS and the Hospitals aren't going to risk $500,000 to $2,000,000 machines because of Microsoft's poor track record. Not to mention, a bug in the software can bring down the system for hours, until someone can come in and fix the problem. My Dad has problems all the time with doctors breathing down his neck. Most of the time they have a full schedule, and when an x-ray tube blows it can take up to 4 or 5 hours to replace. Not including shipping from Wisconsin or France.
  • FUD (Score:2, Informative)

    by TexNex ( 513254 ) on Monday August 09, 2004 @03:04PM (#9922491) Homepage
    I used to do IT work for a hospital chain in Austin and there were no devices that could "kill" a patient if Windows crashed. Windows was only on the workstations and there were multiple workstations in the area so if one crashed the user could go to another one. If Philips & GE are planning on using embedded XP as an OS for their medical machines then they are the ones putting the patient at risk.
  • by Stargoat ( 658863 ) <stargoat@gmail.com> on Monday August 09, 2004 @03:04PM (#9922494) Journal
    Hospitals have to be able to afford the staff to work on the PCs just like other businesses.

    I heard of a hospital that bought some Systemax PCs (I'm still nursing the same model). These POS PCs had a tendency to have a network failure every few weeks that required unplugging the power cable and the network cable to bring the PC back onto the network.

    After this was realized, the hospital went nuts, and demanded (and got) new PCs. But this is the kind of crap hospitals, just like everyone else, have to put up with.

  • by banzai51 ( 140396 ) on Monday August 09, 2004 @03:06PM (#9922527) Journal
    This is not insightful. Windows servers run applications that replace the clipboard seen in every patient's room. The data exists on different platforms, but it is presented through Windows servers. This is where the backlash is coming from. Patients still can be cared for if these systems go down, but it is inconvenient to say the least. Vendors not keeping up to date and on top of the latest security releases is inexcusable. They only write their software on the Windows platform so they should keep up and stop writing shoddy 16 bit software.
  • Remember Therac-25 (Score:5, Informative)

    by xmas2003 ( 739875 ) on Monday August 09, 2004 @03:07PM (#9922535) Homepage
    One of the first (and most tragic) cases of software screwups in medical equipment was the Therac-25 medical linear accelerator used to treat cancer. Here is one of many writeups on it [computingcases.org], but in summary, it took a couple of years and caused several deaths before it was pulled from the market ... and software is much more complex these days, plus there are tons of interactions.

    I.e. while one can build a simple manometer [komar.org] the reality is that blood pressure devices used today probably have all sorts of interdependencies that can cause a ripple effect, so one should be pretty darn careful before just applying patches lickety-split ... in a work discussion earlier today, we talked about how one of the recent Microsoft security patches broke one of our applications.

  • by blueZhift ( 652272 ) on Monday August 09, 2004 @03:09PM (#9922557) Homepage Journal
    Let me tell you, stuff gets inside hospital networks like nobody's business! The problem is that while the outer firewall is secure, there are all sorts of ways for things to get in via individual workstations. This is especially true since many hospitals, like mine, have standardized on IE. I was literally in the process of patching a Windows 2K based acquisition PC when it got hit with Sasser! Lucky for me the patch just barely beat the infection, so I didn't have to rebuild the machine.

    Because the inside of the hospital network is so insecure, I've actually set up my own firewall around my test and development machines. One solution would be to totally cut off the hospital from the internet, but that wouldn't be very practical and would piss off a lot of doctors to boot!
  • by Ryan Stortz ( 598060 ) <`ryan0rz' `at' `gmail.com'> on Monday August 09, 2004 @03:09PM (#9922561)
    No, most machines (from GE at least) listen for incoming SSH sessions. This is so its main tech guys can connect (from Wisconsin) and fix the problem. It saves the Hospitals money, they don't have to call in a field service guy for $150+ an hour. The tech guys can even find a faulty board, order it, have it shipped to the hospital, and have a guy swing by the next day and replace it without a lot of wait.
  • by daveschroeder ( 516195 ) * on Monday August 09, 2004 @03:11PM (#9922582)
    They *are* worried about malicious activities (e.g., worms, breakins, etc.), because that's the whole reason they're talking about patching.

    The whole point is that a hardware firewall mitigates the need to patch for those reasons, and leaves the OS in a state that is supported by the vendors for use with the specialized equipment and software.
  • by Anonymous Coward on Monday August 09, 2004 @03:12PM (#9922598)
    I work in one of the top hospitals in the US (Top 100 Wired, top 25 in a lot of the US News and World Report rankings, etc) as the principal technology architect, and I can say that people are idiots for going nuts and patching immediately.

    Our CIO, who's pretty well respected among his peers, asked us last week on deployment schedules for this. We pushed back and said, if we deploy now, we'll run into a host of issues. Over the weekend we did some cursory testing against most of our Patient care apps (a lot are web based) such as Cerner Millennium and GE's CentricityWeb. We're far ahead in the CPOE game for healthcare, so our devices are used for input of labs and orders.

    Most of the biomed equipment we have doesn't run Windows. Personally, if you do your environment right, then you shouldn't have to worry about viruses and stability.

    Healthcare doesn't function like the rest of the business world. It's a completely different animal.
  • by for_usenet ( 550217 ) on Monday August 09, 2004 @03:13PM (#9922607)
    I work with MRI scanners, so I know about these issues very well, and here's an example from my own experience:

    An old colleague of mine got funding to start his own research group, meaning he got his own MRI scanner. He asked me to consult on some software that would extract the data from the console of a Siemens scanner (at the time, the console was based on an OLD version of SunOS, whose native compilers did not even conform to standard ANSI C) and send it directly to another computer running software that we use for data analysis. The dialect of C was a little strange, but within a week, I was able to get the software together, and my colleague was able to do the type of experiments he wanted to. And his scanner hummed along. This was back in 2001.

    Fast-forward to the present. His console has since been "upgraded" to a Windows XP system, and in the times I've spoken to him, he's had nothing but bad things to say about the stability of the "upgraded" system. And it's not that he had a choice, as support for his previous system was phased out. So now patients, doctors and researchers in his group are at the mercy of the moods of an XP system. And mind you - this system is not even on a publicly accessible network. It is on its own dedicated, private network, and its stability still can't be maintained, even by the support staff of the scanner manufacturer.

    When it comes down to it, Windows still does not have the stability (never mind the security issues) to cut it in really "mission-critical" situations. Maybe in cases where you need your e-commerce site up, running, and handling 1000s of transactions per second. But NOT when people's lives are involved.
  • by djh101010 ( 656795 ) * on Monday August 09, 2004 @03:16PM (#9922641) Homepage Journal
    Sorry, Ryan, but you're not correct. I worked for GEMS for 12 years, in software engineering. There _are_ Windows systems embedded into some of these scanners. Most of them do trivial things and are being phased out in favor of *nix systems, but there _are_ Windows-based medical devices.

    It's quite a quandary. If you don't patch the 'doze boxes, (and if you don't have a firewall...) it's possible that someone could infect that system. The problem is, GE (and obviously the other device manufacturers) test the hell out of that specific OS build and patch set. When Windows Update breaks things (which happens more than never), the system is now in a state which GE didn't test, and may in fact break the functionality of the scanner. At this point, the FE has no choice but to re-load the PC from the GE-supplied media (which doesn't have the latest patch that the hospital just installed).

    The solution? It's pretty simple, stop using Windows in critical situations. I was trying to make that point 10 through 5 years ago there, and was involved in some of the very first Linux tests, prototypes, and production implementations there. The current generation of scanners is mostly linux/intel based, although there is still a lot of SGI/Irix at the top-end where heavy image processing is done. The fix for this problem, is to avoid this problem, and that's really the only sensible approach.

    So, yes, they do have 'doze systems embedded in some of these scanners, but it's getting better. The hospital gets to choose between complying with HIPAA and patching the systems, or installing an unsupported patch which might break the scanner. Not a good place to be in, but then again, people shouldn't be reading their email or surfing the web from the MRI scanner's console, and the hospital _should_ have a firewall blocking the slammer/whichever ports.
  • by musicon ( 724240 ) * on Monday August 09, 2004 @03:17PM (#9922652)
    Being someone who works at Kodak, all of their systems that I'm aware of (old and new) run on some type of commodity OS, whether that be Windows, Solaris, and we still support (and sell!) systems running a now-non-supported Motorola UNIX, SunOS, and other esoteric stuff.
  • by Anonymous Coward on Monday August 09, 2004 @03:19PM (#9922665)
    No, seriously, you know if they were running OS/2 they wouldn't have these problems. Why do you think banks run OS/2?
  • by bearl ( 589272 ) on Monday August 09, 2004 @03:20PM (#9922675)
    The article on informIT.com is 3 months shy of being 2 years old.

    SP4 solved any lingering questions about HIPAA and auto-update, but auto-update was always an option, and the act of disabling it made the system HIPAA compliant anyway.

    Ongoing questions about what "due diligence" means have yet to be decided. We're still waiting for the first lawsuits based solely on a medical office selecting Windows in the first place.
  • yes... (Score:5, Informative)

    by drmike0099 ( 625308 ) on Monday August 09, 2004 @03:26PM (#9922749)

    The article mentions one thing that needs to be emphasized, which is where the FDA guy states that they're not going back to the dark ages where systems don't talk to anything else. For years, every device was on its own proprietary network (if it was on a network at all), and talked to itself and absolutely nothing else. This was bad.

    In only the last couple of years (because medical IT is very behind the rest of the IT industry in a lot of ways) these devices have moved rapidly to using commodity protocols and network infrastructures, driven by hospitals' needs to do all of this more cheaply, and not have a lot of chaos.

    Also, they want to provide some value add on top of the monitoring systems. For instance, it's nice to be standing by the patient's bed and see the monitoring data. It's even better to be able to export that data to another system so that it's more useful, or display it on a website so MDs can see it. All of this requires networking capability, and Microsoft (like it or not) is considered a leader in the field for server software, and has a large division [microsoft.com] providing solutions to healthcare.

    Overall, the more advanced features you want a clinical system to provide, the more that system needs to integrate with other systems. Companies have given up reinventing the wheel on this every time, and are basing what they do on standard software and protocols. Microsoft is one of those. We try to avoid it whenever possible, however in most instances the decision for one product over another is based on clinical value, and not IT preference.

  • by Anonymous Coward on Monday August 09, 2004 @03:26PM (#9922753)
    If something on an aircraft gets certified, that's the way it stays. It doesn't get changed without all the appropriate signatures. Naturally, stuff doesn't change very fast. The result is that although the plane you're flying on may not have all the latest bells and whistles, it sure is reliable.

    I agree with the many posters who think that being able to surf the internet on a cat scan is nuts. Clearly, the certification standards need fixing.
  • by YU Nicks NE Way ( 129084 ) on Monday August 09, 2004 @03:32PM (#9922827)
    Actually, there were a string of deaths due to an OS crash in a radiation therapy machine -- patients, already weak from chemo, were given several times the radiation dosage that they were prescribed. Unsurprisingly, some of them died [monash.edu.au]

    So, yes, these machines -- and, specifically, radiation therapy machines that crash -- can kill.
  • by Pieroxy ( 222434 ) on Monday August 09, 2004 @03:41PM (#9922914) Homepage
    That was due to a bug in the software running the machine, not a trojan/virus/computer crash.

    There is always an operator operating these machines, hence if the control machine (running win2k) was to go crazy, I hope the operator would shut down the actual radiation machine.

    What you are describing is something else: The machine would act normally, but would deliver the wrong dosage.

    These are different problems.
  • by rewt66 ( 738525 ) on Monday August 09, 2004 @03:45PM (#9922947)
    It isn't "security through obscurity". It's "guaranteed worst-case response time through using a real real-time (not just multi-tasking) OS". Windows is multi-tasking, but it isn't a hard real-time kernel. AFAIK, Linux isn't either.

    Sure, you can modify the Linux kernel. But if you do, you don't have a million man-hours on your modifications.

    The distinction about "off the shelf" is between that and "roll your own". Off the shelf would include vxWorks, Green Hills, and pDos and OS-9 (if they are still around), and probably a few others.

    I'm most familiar with vxWorks, so I'll talk about that one. If you don't need, say, TCP/IP, you can simply take it out. Your memory footprint just went down. Don't need memory management? Don't put it in. Don't need disk support? Remove it. Need to initialize something before the kernel starts time-slicing? They've got a standard hook for that - no hacks needed. Want to run on a PowerPC chip? Supported. Motorola ColdFire? Ditto. MIPS? Ditto.

    Back to quality: The core code of an embedded OS has been beat to death in that environment, and proven rock-solid. No "if the wrong interrupt comes at just the wrong time, it goes off into an extended thrashing session for several seconds". Their customers simply won't put up with the kind of semi-broken behavior that Windows exhibits all too frequently.

  • by Omega1045 ( 584264 ) on Monday August 09, 2004 @03:57PM (#9923055)
    Part of the problem is that the vendors chose Windows as a development platform.

    Uh, no. Do you work in the health care industry? I do as a software developer for a vendor. Don't throw the blame on us. We actually changed to Windows off of other systems because hospitals started putting PCs with Windows into their various departments. The backend for the software I work on actually runs in Unix, and we have hospitals that are thinking of going to NT only, which means we have to try to port our code to it or lose that customer.

  • by Auckerman ( 223266 ) on Monday August 09, 2004 @04:10PM (#9923161)
    Two lines coming out of the main router. Line one goes straight to a NAT which is then on a separate physical network. Line two another NAT, which is also on its own physical network. Hell, have a NAT on every floor if they need to, people's lives are at stake, they can set up as many separate networks as needed to make sure a device will never be cracked. Regardless of OS on the device, this is basic network set up.
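
Added example, not part of any comment in this thread: a default-deny allowlist audit for a segregated device segment, of the kind the firewall and separate-network comments above describe, run over constructed flow records. All addresses, rule names and the log format are assumptions; the ports for DICOM, SSH and the Slammer, Blaster and Sasser worms are the well-known ones.

```python
"""Audit flow records for an isolated medical-device segment (default deny)."""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Constructed addressing plan (assumption, not from the thread).
DEVICE_NET = ipaddress.ip_network("10.20.30.0/24")        # devices on vendor-validated builds
PACS_HOST = ipaddress.ip_network("10.20.40.10/32")        # image archive
VENDOR_SUPPORT = ipaddress.ip_network("198.51.100.0/28")  # vendor remote-support range


class Rule(NamedTuple):
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


# Everything not listed here is denied, so an unpatched service is unreachable
# whether or not anyone remembered to block its port.
ALLOW = [
    Rule("dicom-to-pacs", DEVICE_NET, PACS_HOST, "tcp", 104),
    Rule("vendor-ssh", VENDOR_SUPPORT, DEVICE_NET, "tcp", 22),
]

# Used only to label denied flows for triage.
WORM_PORTS = {("udp", 1434): "Slammer", ("tcp", 135): "Blaster", ("tcp", 445): "Sasser"}

# Constructed sample log: "timestamp src dst proto dport".
SAMPLE_LOG = """\
2024-01-01T15:00:01 10.20.30.5 10.20.40.10 tcp 104
2024-01-01T15:00:07 198.51.100.3 10.20.30.5 tcp 22
2024-01-01T15:01:12 10.10.5.77 10.20.30.5 tcp 445
2024-01-01T15:01:30 10.10.5.77 10.20.30.6 udp 1434
2024-01-01T15:02:00 10.20.30.9 10.10.5.1 tcp 135
2024-01-01T15:02:01 10.20.30.9 10.10.5.2 tcp 135
2024-01-01T15:02:02 10.20.30.9 10.10.5.3 tcp 135
2024-01-01T15:03:00 10.20.30.5 203.0.113.80 tcp 80
2024-01-01T15:04:00 10.10.5.20 10.10.5.21 tcp 445
"""


def parse_flow(line: str) -> Flow:
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"malformed flow record: {line!r}")
    ts, src, dst, proto, dport = fields
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def matching_rule(flow: Flow):
    """Return the name of the allow rule that covers this flow, or None."""
    for rule in ALLOW:
        if (flow.src in rule.src and flow.dst in rule.dst
                and flow.proto == rule.proto and flow.dport == rule.dport):
            return rule.name
    return None


def audit(log_text: str, fanout_threshold: int = 3):
    """Return (denied flows touching the device segment, suspect device IPs).

    A device is a suspect when it originates denied flows to at least
    `fanout_threshold` distinct destinations, which is what a scanning
    worm on an infected console looks like from the segment boundary.
    """
    denied, fanout = [], defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.src not in DEVICE_NET and flow.dst not in DEVICE_NET:
            continue  # traffic that never touches the device segment
        if matching_rule(flow):
            continue
        direction = "outbound" if flow.src in DEVICE_NET else "inbound"
        denied.append({
            "ts": flow.ts, "src": str(flow.src), "dst": str(flow.dst),
            "direction": direction,
            "worm": WORM_PORTS.get((flow.proto, flow.dport)),
        })
        if direction == "outbound":
            fanout[flow.src].add(flow.dst)
    suspects = sorted(str(ip) for ip, dsts in fanout.items()
                      if len(dsts) >= fanout_threshold)
    return denied, suspects


if __name__ == "__main__":
    findings, suspects = audit(SAMPLE_LOG)
    for f in findings:
        print(f)
    print("suspect devices:", suspects)
```
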
  • by djh101010 ( 656795 ) * on Monday August 09, 2004 @04:22PM (#9923254) Homepage Journal
    Why don't they design their software, so that it doesn't break when patches are applied?

    You don't seriously believe that Microsoft gives anyone advance notice of what the patch is going to break, do you? Have you seen the ambiguous and undetailed language that goes with the WinXP SP2 patch? There's nothing actionable in there, certainly nothing testable. Until GE gets it and tests it, and authorizes it for the build, it's an astonishingly risky thing to install it.

    21cfr11 mandates that only the tested configuration can be used, and if the hospital chooses to violate that federal statute, they are not just at risk of screwing up their scanner, but they're technically in violation of federal statute.

    I'm not defending Microsoft here, nor am I saying it's smart to have Windows in scanners, but it's there (less now than 5 years ago, but still there). The penalty for using it is that it's quite likely that some piece of malware _will_ find its way into the scanner. They're more vulnerable if they don't patch, they are going into an unsupported (and unsupportable) configuration if they do patch. The only answer is to not use Windows, but until all the 'doze-based scanners are history, they're stuck with it.
  • by Anonymous Coward on Monday August 09, 2004 @04:33PM (#9923400)
    Ditto, you're correct. I'll tell you they're speaking of CT scanners for one (Heart monitors too). I personally had to argue with Kodak, GE, and Philips over this. The back end workstations were hit by Blaster a year ago and kept crashing in the middle of a scan. The hospital CEOs had to sign legalsleaze to release liability from the manufacturers if IT applied the patches to the already "broken" devices. Windows may indeed kill you...

    PS I work for one of the largest Hospital management companies in the U.S. hence anonymous coward ;)~
  • by Locutus ( 9039 ) on Monday August 09, 2004 @04:38PM (#9923479)
    www.macobserver.com article from 2002/10/24 [macobserver.com]

    to quote:
    The text of the Microsoft EULA from Windows XP Service Pack 1 and 2000 Service Pack 3 reveals the offending material:

    By using these features, you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you.

    The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.

    In short, this agreement gives Microsoft permission to scan your hard drive for information, "fix" security holes or other bugs via updates to your system, and while the company is there, it would effectively have access to other data on the system, which is where the conflict comes in. Better yet, the company can even let "designated agents" do this, an even more nebulous term that leaves Windows users with even less control over who is accessing their system, and what they might do when there. All of this occurs without the user's permission.

    Remember, these are the same people who faked a presentation in front of a Federal Justice and told him over and over it was fact....
    IMHO, the EULA parts that I've seen are so vague Microsoft could collect anything they want without worrying about legal action against them. After all, they are masters of vague verbiage in license agreements, are they not?

    LoB

  • by djh101010 ( 656795 ) * on Monday August 09, 2004 @05:34PM (#9924143) Homepage Journal
    Well, it _isn't_ "used for every single application". The update issue is part of it - patches are done periodically and as appropriate, once they are tested. I can't say too much about the core Linux build for several reasons (haven't seen it in 2 years and shouldn't comment too much on it in any case), but suffice it to say that it's very carefully controlled and limited in its scope. Given that a Linux vulnerability is less likely to make its way into a hospital's IT system and through the various and unnamed security built into the scanner's systems, this is considerably less of a problem than it would be with a 'doze host.

    A bigger factor was having Microsoft tell one of the higher-ups "Yes, that's a bug, no we won't fix it until the next major OS revision" one time too many. Open-source was the obvious cure to _that_ particular problem. Why Linux? Well, expertise, portability, device support, and other factors went into the selection process. I wasn't there for the end of that process, so I can't say (and wouldn't) what all went in to it at the end, but having source code and better control were huge early factors.
  • by Feanturi ( 99866 ) on Monday August 09, 2004 @05:37PM (#9924160)
    You might as well stay home - your doctor looks up information online.

    Looking stuff up online is a fairly recent practice. Has it saved lives, or encouraged a lazy attitude towards diagnosis? I guess time will tell. Before that, they got by, and at the same time didn't have to worry about the issues raised by this article. Just because something has a big "PROGRESS" label on it, doesn't mean it's a good thing for anyone.
  • by c0rN_g0aT ( 752144 ) on Monday August 09, 2004 @05:38PM (#9924173)
    You make a good point because none of our staff can attach the special diagnostic machine to one of these clinical devices and actually see the firmware. It may be Windows in there but if it is, it's a damn good Windows. My point is there is no Hospital in this country where a person's life is at risk because of computer systems crashing. If there is, then that Hospital is not in compliance with JCAHO standards and will eventually be shut down. We are required by the state to have backup procedures and they are quite extensive. As for the "clinical devices" they are all like microwave ovens or DVD players you just turn it on and it works, they are never patched or updated and they don't get viruses. All they need is 110Vac. All of the critical life support devices are like this. We have PC controlled feature rich stuff but there is always a backup for them that has passed the test of time. We actually have good old shoot an X-ray through you into a piece of film machines that have no computing capability whatsoever. They are controlled by dials and switches.
  • by goldragon ( 170416 ) on Monday August 09, 2004 @05:51PM (#9924312)
    I am a biomedical engineer at a USN&WR top 20 hospital, working in the cardiology-related departments. We do have medical devices, including patient monitors, that run in Windows OS's. One is the Witt Biomedical [wittbiomedical.com] monitors we have in our adult cardiac cath lab. The software was originally written to run on MS-DOS and really only runs on Windows 2000 to provide a GUI for the nurses to point-n-click. It uses Windows file sharing but doesn't even utilize print services. The whole thing should have been rewritten about ten years ago but Witt already has over 25% market share and is trying to compete with the big dogs like GEMS (GE Medical Systems) and Siemens. The old Siemens Cathcor monitors we used to have ran on *nix but the brand spankin' new GEMS Combolab [gehealthcare.com] we got for our pediatric cath lab runs on Windows XP for the nursing stations and Windows 2003 for the servers. The Siemens Axiom Artis [siemens.com] x-ray angiography systems in our adult cath lab runs a mix of OS's, such as Windows NT (soon to be XP) on the Host-PC, Vertex on the Real Time PC, Neutrino on the Real Time Controller (the truly patient critical part), and Windows CE on touch panels and displays. Siemens will tell you all about their "revolutionary OS" called Syngo that will, to paraphrase, "provide one user interface for all imaging modalities" but it's really just running on top of Windows NT/XP. The intravascular ultrasound machine that we have, a Boston Scientific Galaxy [bostonscientific.com] runs on Windows NT. Even the Kodak laser printer we have for printing on x-ray film has a DICOM server running Windows NT. All of this runs on the hospital's open network and has been disconnected for either being actively infected with a virus or for not being patched.

    Now a lot of our stuff is not Windows based. Most of it I don't know what OS it does run on (perhaps proprietary information) but I can say it doesn't appear to be Windows. Philips Intellivue MP90 [philips.com] networked patient monitors, Datascope CS 100 [datascope.com] intra-aortic balloon pumps, and Worldheart Novacor [worldheart.com] left ventricular assist system (think artificial heart) all have their own software. Some systems that use 3D modeling, like the Endocardial Solutions Ensite 3000 [endocardial.com] use SGI workstations and software.

    Many of the CT and MRI scanners I see, patient monitors we put in, anesthesia carts we employ use non-Windows operating systems, not because Windows is considered unstable or insecure, but because medical IT is so far behind due to the years it takes to get FDA approval on new equipment. Many new systems do use Windows because it's easy to work with and easily networked. For instance, one cool new system (the company and name I don't know) allows an anesthesiologist (who monitors 3-4 CRNA's in as many OR's) to see blood gas waveforms and other vital signs on one of those little clear screens three inches in front of your eye. It uses Wi-Fi to transmit the data to a Windows embedded device in the doctor's fanny pack. It goes without saying that we have incredible signal strength on our wireless network all over the OR area; you wouldn't want a dropped connection there! All of our clinical workstations and every office computer is Windows NT or XP.

    I cou
  • You even get this in embedded systems, where the vendor is supplying the entire system and the customer's never going to interact with the OS directly, and still the customer demands this or that particular OS. And these days that's generally Windows. It's nuts. It's like demanding you use a bubble sort instead of a shell sort. Five years ago you had customers telling you that they're glad you're not using this newfangled Windows stuff, now they're pushing Windows on you...
  • by kikta ( 200092 ) on Tuesday August 10, 2004 @01:12AM (#9926717)
    You can disable any type of back-communication to Microsoft from Windows XP in less than five minutes. And you can prove it in less than 10 minutes.

    Dude, you have no idea what an unverified binary does. You don't. Period. End of story.

    I'm all for cutting through bullshit, but don't provide your own. Go read a book or take a class on basic security before you spout off.
