Security Threats Highlight Rift Between Hospital I.T. and Vendors by J. Eric Smith
Threats to the security of hospital information technology have moved to the forefront of IT managers' concerns; in some cases, dedicated security officer positions have been created. This role is expected to become even more vital because of an unexpected source of security exposure: medical equipment vendors.
Major software vendors release patches rapidly, sometimes more than one per week. Unfortunately, medical equipment vendors are well behind the curve in approving those patches for use on the systems they sell and support. As a result, hospital systems are left vulnerable and IT staff are caught in a quandary: do you patch your systems and void your vendor's support, or do you forgo patching and leave them open to exploitation?
Increasingly, hospital IT is choosing the former, patching the system, and arguing that proactive action is more legally defensible than maintaining the status quo. Regulators lean the same way: HIPAA spells out serious consequences for negligence but recognizes documented "best effort" attempts, so it is hard to argue that this is the wrong approach.
Attackers routinely dissect newly released patches and use what they learn to craft viruses and worms that target the very vulnerability the patch was designed to address. Industry-wide surveys show that more than 50 percent of companies are at least 30 days behind in applying security patches. With such low levels of compliance, malicious hackers are assured a target-rich environment. Every available security patch and update is useless if it is not, or cannot be, applied in a timely manner.
Hospitals are showing their dissatisfaction with equipment vendors by doing their own testing and deployment. Oddly enough, vendors by and large have yet to respond in a time-sensitive manner, stubbornly clinging to an archaic patching and testing schedule designed on a pre-Internet timeline. Worse, some vendors are threatening to void support contracts with hospitals that install unapproved patches, claiming that some patches interfere with vendor software or hardware.
Fortunately, despite the resistance, vendors will be forced to step up internal testing and patch approval efforts. If they do not do so voluntarily, hospital advocacy organizations and the Food and Drug Administration (FDA) are prepared to back rules forcing vendor compliance. Non-compliance with FDA requirements could cost a vendor its ability to sell medical equipment, a blow no vendor could sustain.
In the meantime, hospitals should proactively review all support agreements with existing equipment vendors and measure each vendor's patch performance. IT administrators should track the time between a patch's release and the vendor's approval of it, and escalate with vendors when that window grows too long. Most importantly, a multilayered, compartmentalized approach to security (network segmentation and strict access control around devices that cannot yet be patched) must be in place to minimize exposure and contain the damage from any exploit. Now is the time to prepare; threats are only going to increase in frequency and severity.
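The review described above is easier to act on when the patch-release, vendor-approval and install dates for each device are recorded and reported against a threshold. The following script is an added example, not code from the original article or from any vendor: it takes a constructed device inventory, computes each vendor's approval lag and each device's exposure window, flags devices that are past an assumed 30-day internal SLA, and distinguishes exposed devices from those already isolated in a segmented zone so that escalation effort goes where the risk actually is. Device names, vendor names, patch identifiers and dates are all made up for illustration.

```python
"""Vendor patch-approval lag report for hospital medical devices.

Added example, not from the original article. Every record below is
constructed sample data; SLA_DAYS is an assumed internal threshold.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SLA_DAYS = 30  # assumed internal limit on release-to-approval lag

# Status labels returned by classify()
PATCHED = "patched"
APPROVED_NOT_INSTALLED = "approved-not-installed"   # IT-side backlog
AWAITING_VENDOR = "awaiting-vendor"                 # within SLA, no action yet
ESCALATE_EXPOSED = "escalate-vendor-exposed"        # past SLA, no compensating control
ESCALATE_ISOLATED = "escalate-vendor-isolated"      # past SLA, but segmented


@dataclass
class PatchRecord:
    device: str
    vendor: str
    patch_id: str
    released: date                   # date the upstream patch was published
    vendor_approved: Optional[date]  # None until the device vendor signs off
    installed: Optional[date]        # None until IT applies it
    isolated: bool                   # True if the device sits in a segmented zone


def approval_lag(rec: PatchRecord, today: date) -> int:
    """Days from upstream release to vendor approval (or to today if pending)."""
    end = rec.vendor_approved or today
    return (end - rec.released).days


def exposure_days(rec: PatchRecord, today: date) -> int:
    """Days the device ran with a known, unpatched vulnerability."""
    end = rec.installed or today
    return (end - rec.released).days


def classify(rec: PatchRecord, today: date) -> str:
    """Decide who owns the next action for this device/patch pair."""
    if rec.installed is not None:
        return PATCHED
    if rec.vendor_approved is not None:
        return APPROVED_NOT_INSTALLED      # vendor done; IT must deploy
    if approval_lag(rec, today) <= SLA_DAYS:
        return AWAITING_VENDOR
    return ESCALATE_ISOLATED if rec.isolated else ESCALATE_EXPOSED


def vendor_summary(records: List[PatchRecord], today: date) -> Dict[str, dict]:
    """Per-vendor averages and counts used when reviewing support agreements."""
    by_vendor: Dict[str, List[PatchRecord]] = {}
    for rec in records:
        by_vendor.setdefault(rec.vendor, []).append(rec)
    summary = {}
    for vendor, recs in by_vendor.items():
        lags = [approval_lag(r, today) for r in recs]
        summary[vendor] = {
            "avg_lag": sum(lags) / len(lags),
            "worst_lag": max(lags),
            "unapproved_past_sla": sum(
                1 for r in recs
                if r.vendor_approved is None and approval_lag(r, today) > SLA_DAYS
            ),
        }
    return summary


# Constructed inventory; dates and names are illustrative only.
TODAY = date(2023, 3, 31)
RECORDS = [
    PatchRecord("CT-01", "Acme Imaging", "KB-001", date(2023, 1, 2), date(2023, 1, 20), date(2023, 1, 25), False),
    PatchRecord("MRI-02", "Acme Imaging", "KB-002", date(2023, 2, 1), date(2023, 3, 20), None, False),
    PatchRecord("INF-03", "Beta Pumps", "KB-003", date(2023, 2, 15), None, None, False),
    PatchRecord("LAB-04", "Beta Pumps", "KB-004", date(2023, 3, 10), None, None, True),
    PatchRecord("XR-05", "Gamma Rad", "KB-005", date(2023, 1, 15), None, None, True),
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(f"{rec.device:7} {rec.vendor:13} lag={approval_lag(rec, TODAY):3}d "
              f"exposure={exposure_days(rec, TODAY):3}d -> {classify(rec, TODAY)}")
    for vendor, stats in vendor_summary(RECORDS, TODAY).items():
        print(f"{vendor:13} avg_lag={stats['avg_lag']:.1f}d worst={stats['worst_lag']}d "
              f"unapproved_past_sla={stats['unapproved_past_sla']}")
```

The two escalation labels matter in practice: an unapproved patch on a device that is already behind a firewall with tightly restricted access is a contract conversation, while the same patch on a device sitting on the general hospital network is an incident waiting to happen and belongs at the top of the list.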