Dealing With End to XP SupportA Strategy for Medical Devices
Healthcare organizations using medical devices that run on the Windows XP platform, which is no longer supported, need to have short- and long-term strategies to address cybersecurity, says medical device security researcher Kevin Fu.
Microsoft no longer offers software updates for the Windows XP operating system, including new features, patches and security updates.
Medical devices that run XP tend to be external bed-side patient equipment such as alarms, monitoring systems and radiology gear, as opposed to implantable devices, says Fu, director of the security and privacy lab at University of Michigan. However, a single hospital often has hundreds of XP-based devices, while medical devices running other operating systems are far less common, he says. "XP in hospitals ... is a dominant operating system," he says.
"Having your Windows XP machines segmented away [in separate networks] is not going to be a perfect solution, but it can at least buy you a little bit of time," Fu says in an interview with Information Security Media Group (transcript below). In the longer view, healthcare organizations - especially hospitals - need to come up with a strategic effort to get off XP, he says.
In the interview, Fu also discusses:
- The security risks to manufacturers of XP medical devices and the healthcare organizations that use the products;
- Potential patient safety risks of XP-based medical devices;
- Security risks posed by other XP-based systems used in healthcare, including admissions software and electronic health records systems.
Before joining the University of Michigan last year as associate professor of electrical engineering and computer science, Fu served as an associate professor of computer science and adjunct associate professor of electrical and computer engineering at the University of Massachusetts Amherst. Fu also has served as a visiting scientist at the Food & Drug Administration, the Beth Israel Deaconess Medical Center, Microsoft Research, and MIT CSAIL. He is a current member of the NIST Information Security and Privacy Advisory Board. Fu was also recipient of a Sloan Research Fellowship, National Science Foundation Career Award, and was named MIT Technology Review TR35 Innovator of the Year. Fu earned his Ph.D. in electrical engineering and computer science at MIT for research on secure storage and web authentication.
Medical Devices Running XP
MARIANNE KOLBASUK MCGEE: What kinds of medical devices typically run XP?
KEVIN FU: I don't know of anyone who has got full statistics, but I can tell you that most of the XP devices I see tend to be the external, bedside devices. We're not talking implantable devices at this point. For instance, monitoring equipment, alarms, compounders, radiology, things of those nature.
MCGEE: Any idea how many of those devices are out there?
FU: Well, it's very difficult to estimate since no one is keeping statistics. There is no central reporting for this kind of data, but what I can tell you as I go from hospital to hospital, I will often see XP in the hundreds, and [other] operating systems in the tens or zeroes. So XP, at least at the hospitals I've been to, [is] a dominant operating system.
Stopping XP Support
MCGEE: Now that Microsoft will stop supporting XP, what does that mean for those devices from a security perspective?
FU: Effectively, there are many different stakeholders here. A few of them include the provider at the hospital, the manufacturer, and then Microsoft. So after April 8, Microsoft [stopped] releasing any more feature or security updates should a problem arise in any of the XP products. This date has been published for years, so it's well-known to anyone who has decided to use XP. Now that said, one of the challenges is going to be if a manufacturer provides updates to medical devices, they no longer have that ability. And then there is the other category; there are some manufacturers who don't usually provide updates anyway. I suppose in that case, from the provider's perspective, not too much is going to change. They are still going to be in the same unfortunate position of no updates, but now it's definitely no updates since there is nothing coming. But what this means is ... threats change very quickly in the internet. New malware is being born all the time, but now there is not going to be any kind of Microsoft update available when the problems arise.
MCGEE: What are the potential safety risks to patients if these risks are not addressed?
FU: The primary risk [is that] things are evolving. Malware is hard to understand because it changes so quickly, but I think the primary risks are going to be the unavailability to deliver patient care. So let's say you have an admission system for a patient monitor running Windows XP, and then because of a security problem that device no longer can function. It's making it more difficult to deliver quality patient care, so that can introduce safety risks when you don't have those devices you normally think are available. The other issue is one of what we call integrity.
When malware gets into a Windows XP machine, which can be a medical device, it's often a silent infection. You don't notice; there's no blinking light on the medical device saying [it's] infected. Instead what might happen, and what has happened, is the device slows down. It may begin to give false readings. So if it is a sensor device, it may start to give erroneous information to the healthcare professional. It's not the end of the world. We shouldn't be running for the hills, but this is an important layer that is no longer going to be available.
Addressing XP Devices
MCGEE: How should healthcare organizations address these XP based medical devices moving forward?
FU: There is a short-term and a long-term question there. Short-term, I think it is going to be very challenging. Long-term, nobody likes to be told, "This is a choice you made and you knew about the consequences." It was in some sense made by a system rather than an individual or a one stakeholder, but the system has encouraged the deployment of all this unmaintainable software. In the long-term, I think it's going to begin at the very beginning of manufacturing where they'd be more careful about what software they include in their products, to make sure that the lifecycle, that is, how long the software is expected to remain maintainable and in compliance, better matches with what you need from that medical device. There may be cases where you can make XP maintainable, but I haven't yet found one. It's going to be very challenging in the short-term, but in the long-term, the requirements of the medical device need to be respectful of how long that software is going to last.
Ensuring Security and Safety
MCGEE: What should the medical device makers of XP devices be doing now to ensure the security and safety of these products?
FU: I think one area where there is some hope is in the surveillance of problems. Right now, I'm not aware of any concerted effort to collect statistics on malware infections. Most of them are anecdotal. The kinds of problems that are reaching my doorstep are the kinds of things that I would hope just shouldn't be happening in the first place, but if we can get better understanding of what devices are more prevalent or appear to be having more issues than others, I think that will help us to shine the light on where is the best place to invest our effort.
Securing Networks and Devices
MCGEE: What are the most important steps that the healthcare organization should be taking to ensure XP based medical devices, and networks that connect them, are secure?
FU: I would say [that] falls into the short-term camp. I don't have any good solutions there. My approach would have been, "It's unfortunate the procurement requirements made it such that you bought a bad house. So you're going to have to figure out a way to live in it." I don't think there are any silver bullets out there.
Many hospitals make use of firewalls and what's called virtual LANs or virtual private networks. That is a stop-gap measure and it won't keep the malware out. I know of vendors who have actually accidentally infected hospitals while doing software updates. Just having your Windows XP machine segmented away is not going to be a perfect solution, but it can at least buy you a little bit of time. I think hospitals need to come up with a strategic effort to get off XP. It's not going to be a long-term solution if the systems are going to be out there indefinitely with no plans to retire; I think they are just asking for trouble.
Retiring XP Devices
MCGEE: Is your advice for healthcare organizations to plan on replacing these devices?
FU: I think they, at a minimum, need to figure out a plan [of] retirement of devices that are unmaintainable. Unfortunately, software is somewhat deceptive in that it seems like it will be maintainable for eternity, but in reality, things change. Operating systems develop flaws that were not anticipated, and so that's why most manufacturers of operating systems will build [it] into their products, using expiration dates saying, "This is how long we're going to support it." As hospitals are building their plans for how long their capital equipment will last, they need to be respectful of these dates because it really does become unmaintainable.
Other Security Risks
MCGEE: What other XP based systems tend to show up in healthcare and what are the biggest security risks for those systems moving forward?
FU: Outside of medical devices, you'll see XP in admission systems. Here at Michigan, I see that we use much more up-to-date operating systems, but I would not be surprised to see XP in places. But [with] admission systems, if they go down, it's much more difficult to bring the patients in to conduct triage. It's not going to directly harm a patient necessarily, but it can cause pain on the work flow and processes that we all depend on in order to deliver quality care. There is one problem I'm aware of. In some products, you don't even need a security problem for this to happen, security problems can exacerbate it, and that [can be] with electronic health record. They're not necessarily medical devices, but a device that is processing EHR, if it's running XP and gets infected, can perturb the data and integrity. I'm aware of some products where health records from two different patients are getting accidentally merged by some corrupted pieces of software, and if you add malware into the mix, it doesn't exactly bring much confidence.