Tuesday, October 16, 2012

Malware in hospitals? Time to come clean.

I receive phone calls from hard-working clinical engineers, physicians, and IT specialists in hospitals asking what they can do about the relentless malware in their "user facilities." Some relay anecdotes as gallows humor; others are downright fed up. At some point in every call, I raise the provocative question: "So, how many voluntary MedWatch Form 3500s did you file on these security problems on medical devices that could lead to patient harm?"

In all cases, the callers cite various disincentives for reporting. The reasons range from despair to workload to fear. Despair because there's a feeling of hopelessness that a reported problem would have little chance of being read (well, that's self-fulfilling). Workload because it's unrealistic to expect a health care professional to interrupt the busy clinical workflow to file a voluntary and tedious MedWatch report on an engineering problem. Fear because whereas there are elements of immunity for reporting "near miss" safety issues in the avionics community, there is no such immunity for voluntarily reporting a "near miss" in the medical world. There are plenty more reasons that contribute to FUD and the classic bad-news diode, but unfortunately there are few incentives to officially report security problems other than "patients deserve better."

So...all my frustrated and overworked colleagues in healthcare delivery who wish to see safety and security improvements in medical device software for patient care: send me your security anecdotes! Tell me about what devices are prone to infection in your user facilities. Tell me what devices are more resistant. Tell me what manufacturers you feel do a good job at implementing total lifecycle management for medical device software. I have already received database entries of malware infections in clinical settings, and this data is helping to raise awareness of the most problematic devices. It sure would be nice to have some positive examples too.

I'm also looking for photographs of interesting security failure modes on medical devices to help illustrate the problem. A radiology workstation with a BSOD or Windows 95 logo? Virus warnings on a compounder? A cath lab shutdown for decontamination of malware? If you see a malfunctioning or compromised medical device, consider sending me a photo. Your report of medical device security problems can make a difference in improving patient outcomes!
