Software viruses could potentially bring a hospital’s electronic information system to its knees, leaving doctors unable to access vital patient data. Vendors and users of healthcare IT must work together to shore up their defenses, according to representatives of the medical devices business.
A new white paper offers a clear explanation of differing software threats, outlines potential vulnerabilities, and suggests practical defense strategies. The comprehensive document has been produced by a trade-based international security and privacy committee, whose members come from the U.S. National Electrical Manufacturers' Association (NEMA), European Coordination Committee of the Radiological and Electromedical Industry (COCIR), and Japanese Industries Association of Radiological Systems (JIRA). It can be downloaded at www.nema.org/medical/spc.
The paper's recommendations should be heeded by both producers and users of medical IT systems, who share responsibility for protecting patient data, according to committee vice chair Dr. Wolfgang Leetz, a representative of Siemens Medical Solutions.
"We as vendors are ready to support users of IT systems in many ways," Leetz told delegates at this September's joint EuroPACS/Management in Radiology meeting in Trieste, Italy. "But users cannot rely on vendors and technology alone. Users must introduce and enforce effective procedures in their organization as well."
Malicious software increasingly combines a number of different attacking elements to maximize the chance of evading IT defenses. IT vendors must ensure that their systems detect each and every security breach, whenever and wherever it occurs.
Technical solutions include checksum calculations, which indicate whether a file has been modified, and system profiles that can verify the integrity of entire directories. But virus scanning software, which matches known virus patterns to data stored on computer hardware, can itself cause problems when used on medical IT equipment, Leetz said. Software may try to "fix" normal image data by mistake or shut down an entire system on the basis of a false alert.
IT vendors should turn off any autofix function and ensure that new security patches don't cause more problems than they solve, he said.
"It is our obligation to offer security updates and technical assistance, but any upgrades to protect against published software vulnerabilities need to be tested carefully before they are distributed to our customers," he said.
Hospitals and healthcare institutions have roles to play as well. The easiest way to prevent a malicious software attack is to restrict physical access to medical imaging scanners, workstations, and portable media drives, according to Leetz. Connections between medical IT systems and other networks or equipment should be minimized, particularly when using wireless hardware. Typical network defenses healthcare providers should consider include firewalls, activity-logging software, strong user authentication, and demilitarized zones.
Users should not only identify and bolster IT defenses. They should also predict the possible consequences of a malware attack and establish a disaster recovery strategy, Leetz said. Use of multiple measures and different IT systems should reduce the impact of any incursion.
"The best approach is to implement a defense in depth philosophy," he said. "That means don't use one tool at one place, use different tools and different mechanisms at different locations in the network. In this way, if an attacker gets through one network security measure, there are additional measures to help thwart the attack."