Windows security flaws raise concerns about imaging devices

June 14, 2004

Imaging vendors long ago stepped back from proprietary computing platforms and embraced the PC revolution with its cheaper, faster, and more robust chips. PCs and their components became the standard for not only scanners of all kinds but also networking systems. But the advantages of off-the-shelf technology can also be a liability.

Three widespread computer worms that attacked Windows-based systems last August, and the continuing, albeit sporadic, release of malicious software onto the Internet, illustrate the vulnerabilities of medical applications.

Some of these vulnerabilities can be patched, until long-term fixes are put in place. But these are ad hoc solutions to problems that demand a comprehensive and articulated policy, according to Michael A. Nielsen, a clinical engineer with the U.S. Air Force's Medical Logistics Office.

"The application of software patches on medical devices requires a risk assessment to balance network risk versus the medicolegal risk of altering an FDA-regulated medical device," he said during a presentation at the Symposium for Computer Applications in Radiology meeting in May.

Nielsen, who said he appeared at the SCAR meeting to sound the alarm and raise awareness of this problem, advised the healthcare technology community to work with OEMs and the FDA to develop a working model for software maintenance and validation. Medical device vendors and users need a policy that addresses the vulnerabilities associated with software fixes, detailing how these fixes should be handled and what security standards apply to the makers of this equipment. The lack of such a policy creates confusion and risk, which is being made greater by the increasing complexity of networked environments and the growing reliance on Windows-based systems.

Development of such a policy would be the first in a one-two punch aimed at reducing the risk posed by computer viruses and worms. The second would be an industry-created watchdog group, a computer emergency response team, that would assess dangers immediately after vulnerabilities were uncovered. This team would ensure that, once a patch was validated, it would be made available globally for customer downloads. One way to do so would be through a Web site dedicated to handling these threats.

"Vulnerability assessments and security patch response need to be part of the overall device life cycle of medical device platforms," Nielsen said. "Failure to recognize the need for this puts the healthcare community at undue risk for catastrophic failure."