Medical scanners hit by viruses and worms can be put out of action for weeks while manufacturers decide how the problem can be fixed and whether patches to prevent future problems can be applied, an investigation by E-Health Insider has found.


Time lags involved in fixing viruses and other computer infections have caused delays and disruption in radiology departments already under pressure to cut waiting times and meet high demand for their services.


The problem is compounded by the fact that many medical scanners now run on Windows operating systems and are connected to hospital computer networks to enable images to be stored and shared. This means that, unless patches are promptly applied, a scanner running on Windows and connected to such a network can be infected by viruses and worms designed to attack Microsoft software.


Investigations by EHI have discovered, however, that not all manufacturers have a clear policy about how and when new security patches should be applied to their medical imaging devices, and in some cases manufacturers will not allow hospitals to apply security patches themselves.


Unable to stop re-infection







"They had to get clearance from Toshiba HQ in Europe before they could take any action. During this time we could not use the scanner"


— Stephen Buckle, information services manager

One example reported to EHI came from the Pontypridd & Rhondda NHS Trust where information services manager for radiology and accident and emergency, Stephen Buckle, told us: "Last year a number of PCs in our trust were attacked by a variant of the W32/Blaster worm. Most of these were the normal office type PCs and they were easily fixed, although it did cause some disruption to the normal working routine.


"Unfortunately we also had one ultrasound scanner which was also affected. It was a Toshiba Aplio, which was running Windows 2000 as its core OS. The scanner was affected by the worm and we had to disable it from the network, to stop it re-spreading the virus to other PCs etc. When the engineer came on site we were able to use the virus removal tools to remove the worm, but we were not allowed to apply the security patch to stop re-infection.


"It took Toshiba three weeks to get the go ahead to apply the MS security patch; apparently they had to get clearance from Toshiba HQ in Europe before they could take any action. During this time we could not use the scanner as we could not store the images on our PACS [picture archiving and communication system] archive. Fortunately for us our other PACS devices were not affected as most of the PACS/Device servers are UNIX based."


He said about 90% of the work was redirected to other scanners but there were delays and some patients needing routine scans had to wait a little longer.


A radiologist at a major Scottish hospital, who asked not to be named, told us: "We have three Siemens Antares US scanners. These are Windows based platforms, and when we purchased them we connected them to our eFilm PACS, and stopped hard copying images.


"After a week or two, the machines were struck by one of the notorious worms during a worldwide outbreak. The machine probably went on to infect other devices in the hospital, and was disconnected from the network by IT. While it continued to function, it took two to three months before Siemens came up with a patch and we could reconnect. That was two to three months of studies that never got archived, and had to be filmed."


In fairness, our correspondent also reported that an infection on an eFilm PACS archive device at a neighbouring hospital was fixed reasonably quickly with MS patches.


Improved service soon







"Siemens are aware of customer concerns in this area, particularly as clinical hospital networks grow, and are responding by putting in resources"


— Spokesperson for Siemens

EHI sent questions about virus protection to the companies named by our correspondents. Siemens was the first company that offered a response, promising an improved service soon.


A Siemens spokesperson said: “The current process is that within Siemens there is a central technical investigation team to address IT security issues. The task is to scan the web and other Siemens internal Competence Centres for information about current security vulnerabilities that could be influencing our products. Using a defined escalation process the product relevance of this information is evaluated and, if necessary, the product divisions are informed. The relevant product divisions evaluate these potential security vulnerabilities and their respective hotfixes.


“This process timescale is usually two weeks from the first notification that a threat exists to the release of a validated version from the Product group. The service organisations in the respective countries would then be responsible for implementing these as quickly as possible.


“However, Siemens Medical Solutions is currently developing a Virus Protection Service, targeted to be released by autumn this year. It will include quick technical support in case of infection, continuous on-line provision of updates that are tested and validated. Siemens are aware of customer concerns in this area, particularly as clinical hospital networks grow, and are responding by putting in resources to provide a benchmark service.”


A spokesperson for Toshiba told EHI: "Validating all imaging system software, including software patches, is required as part of good manufacturing process. Toshiba delivers all software updates after validation to customers, and tests them on the installed medical imaging system."


When asked what the usual time period was between a patch being released and it being applied to Toshiba devices, the company replied: "The time period is dependent on the degree of the effects. If necessary, Toshiba contacts customers to notify and provide them immediately."


Rogue installations







"We carefully monitor Microsoft’s alerts to new vulnerabilities and issue patches as needed"


— Spokesperson for Kodak

Fuji and Kodak also responded to questions about their processes for managing computer infections.


Fuji’s PACS development department confirmed that all OS patches and updates had to be run through their R&D labs before deployment, but that they tried to be flexible: "Fuji always works with the hospital IT department to deploy a co-managed anti-virus strategy. In most cases the hospital owns their own network, and network security is part of that."


One instance, according to Fuji, "happened where anti-virus software has been allowed to fall behind in updates by the network owner. Luckily there were no serious performance effects, and no loss of data as a result."


Kodak told EHI that virus infections were usually only caused by e-mail attachments being opened or rogue sites installing software, which they say cannot be done from their clients. "Worms are a different story and we carefully monitor Microsoft’s alerts to new vulnerabilities and issue patches as needed."


EHI was prompted to investigate the issue by a letter from the Food and Drug Administration, the regulator for medical devices in the US, which asked hospitals to report undue delays in fixing computer infections affecting radiology equipment.


So far, no similar request appears to have been circulated by the UK’s Medicines and Healthcare products Regulatory Agency, but the responses from hospitals received by EHI following a posting on a PACS discussion forum suggest that action may be needed. EHI contacted the MHRA for comment, but did not receive a response.


Preventive measures needed





"Our PACS provider … did give us a choice of which anti-virus software was compatible with our PACS. There was still a question of the software affecting performance"


— Radiographer


While past infections have been solved eventually, the threat of viruses remains and problems in obtaining permission to protect equipment proactively were also reported.


One radiographer told us: "I was recently asked by our IT manager to request anti-virus software be activated on our PACS and CR [computed radiography]. Our CR suppliers were not keen as the CR equipment is fed by the network and therefore all viruses would, in theory, be carried by the hospital network. They do download patches as virus alerts are produced but it is ‘as and when’ and not preventive.


"Our PACS provider was still not enthusiastic but did give us a choice of which anti-virus software was compatible with our PACS. There was still a question of the software affecting performance. So far we have not taken this any further."


The National Programme for IT, which is responsible for the national PACS roll-out planned for England, commented: "The responsibility for virus protection and the security of the PACS systems lies with the local service providers. We insist that it must be operated under normal procedures, including running with anti-virus software, which must not affect its functionality, and we would not accept a situation where it could be removed."