"I find this mind-boggling," said embedded medical device security guru Kevin Fu. Running critical medical apps on an old OS, perhaps as old as Windows 95, may be the reason these systems can be infected by worms that are 5 to 10 years old, but manufacturers are also a big part of the problem. Fu told Technology Review, "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."
Here’s a scary thought gleaned from the same article: a system is considered “new” when it has been upgraded to be “based on Windows XP.” One expert said it would take “more than 200 firewalls” to protect a hospital’s software-controlled equipment. For starters, it seems like the medical equipment could be taken off the Internet, as was done after the “Conficker worm caused problems with a Philips obstetrical care workstation, a GE radiology workstation, and nuclear medical applications that ‘could not be patched due to [regulatory] restrictions’.”
The FDA put out guidelines in 2009, but malware problems are “rarely reported to state or federal regulators.” When talking about the 664 pieces of medical equipment running an old OS at Beth Israel Deaconess Medical Center in Boston, FDA deputy director Brian Fitzgerald said it is a common problem. The FDA is reviewing its “regulatory stance on software,” but Fitzgerald said it would be a “gradual process.”
More than a year ago, security researcher Jay Radcliffe showed how “an attacker with a powerful antenna could be up to a half mile away from a victim yet launch a wireless hack to remotely control an insulin pump and potentially kill the victim.” Then there was a jammer developed to protect pacemakers from lethal wireless attacks. When the feds were pressed to protect wireless medical devices from hackers, we wondered if a person could be killed by code. It’s a bit of a sick, continuing saga when sloppy code allows each wireless hack of medical devices to potentially murder more people at one time. Add in the medical equipment infected with malware and it's just flipping peachy.