Dr. John Halamka, Chief Information Officer for Beth Israel Deaconess Medical Center, records his experiences with infrastructure, applications, policies, management and governance.
Although these devices appear to be "appliances" that you simply plug into the network and use for patient care, they are actually sophisticated computers, often running outdated versions of operating systems and applications that are not resilient against purposeful attacks.
For example, we have devices from a major manufacturer that internally use Windows NT as the operating system and Apache 1.0 as the web server. Patches are no longer available for these old versions of software, and the devices cannot be updated to protect them from malware. Instead, we build hardware firewalls around the devices, creating "zero day" protection that mitigates risk by preventing internet-based attacks from reaching the devices.
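The "firewall around the device" approach above, as an added illustration (not code from the post or from BIDMC): a default-deny allow-list policy for a legacy-device segment, with a check function for individual flows and a renderer to an nftables ruleset. Every address is a constructed placeholder, and the DICOM archive on port 104 is an assumed clinical dependency, not one the post names.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: an isolated segment holding legacy devices (such as the
# Windows NT / Apache 1.0 units described above) and the few clinical systems
# that legitimately need to reach them. All addresses are hypothetical.
DEVICE_NET = ipaddress.ip_network("10.50.0.0/24")         # medical-device segment
ALLOWED_CLIENTS = [ipaddress.ip_network("10.10.5.0/24")]  # clinical workstations
PACS_SERVER = ipaddress.ip_network("10.20.1.10/32")       # archive the device pushes to (assumed)

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int
    action: str

# Explicit allow-list; anything not matched falls through to the default deny,
# so neither inbound internet traffic nor outbound calls from the device pass.
RULES = [
    *(Rule(c, DEVICE_NET, 80, "accept") for c in ALLOWED_CLIENTS),   # device web UI (Apache)
    *(Rule(c, DEVICE_NET, 443, "accept") for c in ALLOWED_CLIENTS),
    Rule(DEVICE_NET, PACS_SERVER, 104, "accept"),                    # DICOM push to archive
]

def decide(src: str, dst: str, dport: int) -> str:
    """Return 'accept' or 'drop' for a TCP flow: first match wins, default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if s in r.src and d in r.dst and dport == r.dport:
            return r.action
    return "drop"

def to_nft(rules=RULES) -> str:
    """Render the same policy as an nftables forward chain with policy drop."""
    lines = ["table inet meddev {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in rules:
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst} tcp dport {r.dport} {r.action}")
    # Log what the default deny catches so blocked probes show up in monitoring.
    lines.append('    log prefix "meddev-drop " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_nft())
```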
In the past, manufacturers have claimed they cannot upgrade or patch software to enhance security because changing the device would trigger a new FDA 510(k) approval process.