All the technological advancements taking place within the medical system today are supposed to make it easier and more efficient for doctors, nurses, and hospital staff to monitor and assist patients. But according to a number of medical device experts who spoke at a recent meeting of the National Institute of Standards and Technology’s Security & Privacy Advisory Board, hospital medical devices are often so infected with viruses and malware that their reliability and effectiveness are questionable at best.
Just like personal computers that are constantly at risk of becoming infected with viruses, spyware, malware, and other harmful files, medical devices that compound intravenous drugs and nutrition, for instance, or that monitor women with high-risk pregnancies, are also at risk. Because of their proprietary nature and narrowly specified license and approval guidelines, medical devices are actually more at risk of catching computer viruses because they are often outdated, unprotected, and unable to be modified or upgraded.
“Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems,” says Kevin Fu, an expert in medical device security and computer scientist at the University of Michigan and the University of Massachusetts, Amherst. “There’s little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.”
Confusion over FDA regulatory requirements putting patients at risk
This refusal by manufacturers to maintain hospital equipment with the latest anti-virus and malware protection software is largely a result of fears over how the U.S. Food and Drug Administration (FDA) will treat updated products within the regulatory paradigm. There is much confusion, in other words, about how already approved and regulated medical devices are to be properly maintained and updated with respect to the law, which is putting patients at serious risk.
“We worry about situations where blood gas analyzers, compounders, radiology equipment, nuclear-medical delivery systems, could become compromised to where they can’t be used, or they become compromised to the point where their values are adjusted without the software known,” adds Mark Olson, Chief Information Security Officer at Beth Israel Deaconess Medical Center in Boston, which has seen its own share of infected medical equipment.
In many cases, hospitals routinely have to shut down certain medical devices for days at a time in order to get them cleaned up, as well as to ensure that they have not also infected the hospital’s private intranet system. Once a particular machine is back in order, another one typically requires service as well, which creates a never-ending cycle of having to continually disinfect vital hospital equipment of potentially disastrous software bugs.
The FDA is reportedly in the process of reviewing how it handles software updates for approved medical devices, but the problem is expected to continue indefinitely until a comprehensive workaround is effectively implemented. In the meantime, patients will have to simply hope that technology staff are regularly monitoring medical devices to ensure proper functionality, and quickly addressing any problems that might arise.
The problem is also being exacerbated by clinicians who bring their own devices in to work, including tablet devices and smartphones that easily link up to the hospital network. Though it is often more convenient for doctors and nurses to use their own devices rather than official equipment, the risk of spreading technological viral infections increases as a result.