The healthcare industry is a dynamic and high-pressure field that relies heavily on information technology (IT) for patient care delivery and health record management. However, the industry’s pace and mission make maintaining a robust cybersecurity posture difficult. Specifically, Microsoft’s retirement of Windows XP (April 8, 2014) has posed difficult challenges for the healthcare industry. With increased reliance on computer-controlled medical devices and electronic record systems, the healthcare industry has dramatically increased its cybersecurity attack surface over recent years without commensurately increasing IT budgets.1
The end of life for Windows XP has been a news story across industries. The healthcare sector moved earlier than others, likely because the requirements for maintaining the confidentiality of patient information forced it to retire Windows XP equipment sooner. From January 2013 until February 2014, the overall Windows XP installed user base dropped from 55% to 14%, while XP usage in the healthcare sector over the same period dropped from 10% to only 3%.2
Despite the progress in retiring outdated operating systems, the remaining 3% of computers and medical devices continue to deliver patient care or manage confidential patient information. This leaves sensitive patient-related data and medical equipment vulnerable to cyber threats that could have cascading health consequences.
Published cybersecurity guidance provided to the healthcare sector by its two main governing bodies—the Department of Health and Human Services (HHS) and the Food and Drug Administration (FDA)—does not specifically address operating system end of life. The FDA regulates medical devices, and HHS regulates the confidentiality of patient medical information, as governed by the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).3
In order to allow flexibility for implementing the security measures that best fit organizational needs, the HIPAA Security Rule does not specify minimum requirements for computer operating systems. In response to questions about end-of-life software, HHS stated that the issue of retired, unsupported operating systems should be considered during risk analysis.4 The FDA advises healthcare institutions not to update the operating systems of medical devices themselves5 and to follow the procedures and recommendations given to industrial control system (ICS) operators, because medical devices and ICS share many of the same characteristics and threats.6
Between 2006 and 2011, 5,294 recalls and approximately 1.2 million adverse events involving medical devices were reported to the FDA. Nearly 23% of these recalls were due to computer-related failures, and 94% of those presented a medium to high risk of severe health consequences.7 In addition, although computer-related failures are tracked, cybersecurity-specific failures are not. A study at the U.S. Department of Veterans Affairs (VA) showed that since 2009, malware infected at least 327 devices at VA hospitals. In that time, more than 40 viruses hit devices, including X-ray machines and lab equipment made by companies such as General Electric, Philips, and Siemens.8 Failures due to infections like these would normally be tracked as nothing more than “computer-related,” when in fact they are cyber-related.
Small and large providers alike may lack the flexibility to upgrade from Windows XP to a supported system, which leaves them open to threats. In addition, many hospitals rely on third-party vendors that might not have upgraded their technology to support newer operating systems. This forces providers either to accept the additional risk or to spend budget replacing the unsupported systems.9
What should healthcare providers do in the meantime? As soon as possible, providers should minimize their risk by disconnecting legacy devices from the network. Longer-term solutions should focus on including cybersecurity and software lifecycle analysis early in the design phase of medical devices (perhaps matching the support lifecycle of the underlying software to the production lifecycle of the device). Other guidance should consider incentives from the FDA to encourage users of computerized medical technology to report security incidents and vulnerabilities that could lead to health consequences.
This post was written by: Mike Thompson & Amanda Joyce
1. Security and Privacy for Healthcare Providers
2. Windows XP Usage Lower Across Industries
3. An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
4. Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
5. Information for Healthcare Organizations about FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software”
6. Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication
7. Controlling for Cybersecurity Risks of Medical Device Software
8. Patients Put at Risk by Computer Viruses
9. How will Windows XP end of support affect health IT safety?