Viruses pose major threat to healthcare IT networks

October 27, 2004

Viruses could level hospital PACs and IT systems. The only way to keep an infestation from happening is for the vendors and users of these systems to work together to shore up their defenses, according to representatives of the medical devices business.

Viruses could level hospital PACs and IT systems. The only way to keep an infestation from happening is for the vendors and users of these systems to work together to shore up their defenses, according to representatives of the medical devices business.

A new white paper, produced with input from medical imaging trade groups from around the world, explains the various software threats, outlines potential vulnerabilities, and suggests practical defense strategies. The document (available at www.nema.org/medical/spc) was written by a trade-based international security and privacy committee, comprising members from the U.S. National Electrical Manufacturers Association, European Coordination Committee of the Radiological and Electromedical Industry, and Japanese Industries Association of Radiological Systems.

The committee's recommendations should be taken seriously by the producers and users of medical IT systems, who share responsibility for protecting patient data, said committee vice chair Dr. Wolfgang Leetz, an executive charged with ensuring data privacy and security for Siemens Medical Solutions. Leetz spoke to delegates at September's joint EuroPACS/Management in Radiology meeting in Trieste, Italy.

"We as vendors are ready to support users of IT systems in many ways," he said. "But users cannot rely on vendors and technology alone. Users must introduce and enforce effective procedures in their organization as well."

Increasingly, the developers of malicious software are combining elements that attack computer systems in different ways, thereby maximizing the chance that their attack will evade IT defenses. IT vendors must ensure that their systems detect every security breach, whenever and wherever it occurs, he said.

There are several ways to do so. Technical solutions include checksum calculations, which indicate whether a file has been modified. System profiles can verify the integrity of entire directories.

Ironically, the most commonly used method for defending against viral attacks, software that scans for the presence of a virus, may do more harm than good. This type of software, which matches known virus patterns to data stored on computer hardware, can itself cause problems when used on medical IT equipment, Leetz said. Software may try to "fix" normal image data or shut down an entire system on the basis of a false alert. IT vendors should turn off any autofix functions and ensure that security patches designed to cover problems don't cause more problems than they solve.

"It is our obligation to offer security updates and technical assistance, but any upgrades to protect against published software vulnerabilities need to be tested carefully before they are distributed to our customers," he said.

The easiest way to prevent malicious software attack is to restrict physical access to medical imaging scanners, workstations, and portable media drives, according to Leetz. For this to work, hospitals and healthcare institutions have to get involved. Connections between medical IT systems and other networks or equipment should be minimized, particularly when wireless hardware is used.

Typical network defenses that healthcare providers should consider installing include firewalls, activity-logging software, strong user-authentication, and demilitarized zones.

Users should not only identify and bolster IT defenses but use the possible consequences of a malicious attack as the basis for establishing a disaster recovery strategy, Leetz said. Use of multiple measures and different IT systems could reduce the impact of an incursion.

"The best approach is to implement a defense in depth philosophy," he said. "That means don't use one tool at one place-use different tools and different mechanisms at different locations in the network. In this way, if an attacker gets through one network security measure, there are additional measures to help thwart the attack."