The epidemic of Windows-based worms and viruses in the past year has put hospital IT administrators in a state of high alert to protect patient-care systems that have become reliant on Microsoft operating systems.
The challenge they face in securing these medical systems is that it's not simply a matter of applying software patches. Healthcare IT professionals say medical device makers prohibit them from changing the systems and even from running anti-virus software in some cases. These IT administrators say manufacturers often are slow to supply software patch updates and routinely claim the Food and Drug Administration (FDA) requires approval of patch-based changes. However, the FDA says it has no such rules and is looking for medical device makers and customers to work out their differences.
"We're on the verge here," says John Murray, the FDA's software and electronic records compliance expert. "Something bad could happen," he says, referring to a patient being harmed as a result of worm-infected medical gear malfunctioning simply because it didn't get the needed security patch update in time.
Blaster, Sasser and other attacks on the 'Net over the past year haven't left hospital networks untouched. ECRI, the Plymouth Meeting, Pa., technical advisory and information services firm for the medical industry, says it has gotten reports of computer worms invading hospital networks and forcing IT staffs to take patient-care equipment offline.
"Medical devices have been impacted where staff has to walk data over from a printout" rather than viewing it from a screen at bedside, says Jim Keller, director of ECRI's Health Devices Group. "We have no case of anyone injured yet."
Hospitals, particularly the more modern ones that rely on networks for quickly sharing medical imaging and patient health data, have the most to lose in the battle against fast-moving Internet worms. Many IT administrators say the biggest medical-device manufacturers - GE Healthcare, Philips Medical Systems and Siemens Medical Solutions - haven't decided on the patch-management process on equipment over which they demand control. (Of these three, only GE Healthcare responded to our questions.)
Healthcare IT administrators say a crisis is brewing.
At North Shore Medical Center, Windows-based ultrasound machines have been hit by worms and Trojans that include Sasser, msblast and backdoor.hackdefender, says Barbara Corning-Davis, enterprise clinical imaging manager at the healthcare organization that is part of Partners Healthcare System in Boston.
"The [Philips Medical Systems ultrasound] machines are constantly being infected with viruses," she says. "This has become a major issue for the hospital IS departments across [our organization and affiliated outfits]."
The portion of the Philips ultrasound machines that takes patient exams was not affected by Sasser, but the processing workstation was, Corning-Davis says. So patient exams were captured and stored as images but weren't routable across the hospital network until virus and worm outbreaks were cleaned up. "This resulted in some additional time per exam, walking down the hall vs. processing in the same room," she says.
North Shore has seen the same situation occur with GE Medical Systems' fluoroscopic-imaging equipment and Agfa computer-radiology equipment running on Windows NT, she adds.
With the Philips gear, the healthcare organization's IT staff applied Windows-based security patches on its own, after failing to get a timely response from Philips, she says.
"Philips told us they would turn patches around within seven days of being released by Microsoft, but they have not met this, sometimes being behind a year or more," Corning-Davis says. While North Shore might be taking some legal risk in installing patches on its own, the hospital decided that eliminating security risks to patient-care systems was more important.