By Inhel Rekik
Ransomware such as WannaCry and Petya/Not Petya ransomware targeted vulnerabilities in the Windows operating system (OS) that many medical devices use. Thus, hardening our medical devices by applying security patches needs to be a priority for HTM departments. Also, medical device manufacturers need to limit the possibility of being impacted by malware.
Developers choose the operating system that a medical device runs based on the following criteria:
- Reliability and availability: responds quickly to events and detects failure early
- Interoperability: ability to communicate with other devices or systems, either directly or through the network
- Confidentiality and data integrity: stores data safely and protected from unauthorized access
- Power management: very important for devices that need to run on batteries such as infusion pumps and ventilators
Very few medical devices run on general purpose operating system (GPOS) since they are not capable of providing the reliability and real time availability that the majority of medical devices need. In addition, their performance can be unpredictable.
The medical devices that have a GPOS tend to be a review station, a post exam processing station, serveror gateway, such as an infusion pump manager server or a diagnostic type of medical device such as an EEG system and metabolic cart.
Patching of GPOS can be very straightforward and can be downloaded from the OS manufacturer website. However, it is usually a good idea to check with the device manufacturer before patching to avoid voiding a warranty or support contract. In reaction to WannaCry, some manufacturers gave the go ahead to healthcare delivery organizations to install available patches even though some had not been validated by them and offered support if a malfunction happened.
In contrast, an embedded Real Time Operating System (RTOS) is designed to guarantee real-time availability and reliability. These operating systems behave in a predictable manner and always complete the tasks at hand. They are always available when needed. A big number of medical devices have a RTOS assuming that it supports the other functionalities of the device. Medical devices with RTOS (such as an infusion pump) run a compiled firmware that is stored in a flash memory or any other non-volatile memory in a read-only state, rather than software stored in a hard disk in a read/write state. This offers them protection against malware. Security fixes on these devices are a little more complicated since no patching or modification of the operating system can be done. Firmware needs to be updated and manually re-installed when vulnerabilities are discovered in a certain firmware version. This can delay the release of patches since medical device manufacturers need to verify that new firmware will not interfere with the functionality of the device. Examples of RTOS are VxWorks, QNX and Windows Embedded Compact Edition (CE).
Windows CE is chosen as an OS for medical devices because it can support sophisticated user interfaces which is always a big plus for the clinical staff. It is also real time capable, detects failure instantly and is very easy to program.
Many medical devices use Microsoft Windows Embedded Standard which is a stripped down version of the standard Windows operating system that can be patched such as a hemodynamic system, some ultrasound systems and imaging systems. The patches for these systems are provided by the vendor to make sure they are validated to be used with their software. Microsoft Embedded Standard is selected for its power management capability and connectivity. This OS is a good compromise between GOPS and RTOS.
Linux has gained popularity among medical devices because it is an open source and it is used in more computing platforms than any other OS which makes it very easy to program. In addition, it tends to be generally more secure. Very few medical devices have GPOS Linux, most medical devices have embedded Linux. There is a variety of medical devices using Linux: MRI, CT scanner, patient monitors and laboratory devices. Linux and Linux embedded are patchable. While Linux kernel is an open source, the various “distributions” such as RedHat, Ubuntu and openSUSE have proprietary attributes. Patches to address vulnerabilities are released by the companies that package and market the Linux distributions at various speeds.
A few months after the WannaCry outbreak, HTM departments are still following up with some medical device manufacturers about security patches. Healthcare delivery organizations need to create an effective incident response program since malware outbreaks are becoming more sophisticated.
The health care industry needs to amp up its game when it comes to medical device security or hacked medical devices will be a part of many future headlines.
Inhel Rekik is the Clinical Engineering Manager at MedStar Georgetown University Hospital.