Rosslyn, VA, February 4, 2004 -- The Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC) has issued a white paper, "Defending Medical Information Systems Against Malicious Software," which provides a guide for vendors and users on how to protect Medical Information Systems (MedIS) against viruses, Trojan horses, denial of service attacks, Internet worms, and related forms of so-called "malicious software." The full text is available at http://www.nema.org/medical/SPC.
Dr. Wolfgang Leetz of Siemens Medical Solutions, immediate past chair of the SPC, observed that "Medical information systems of today rely on commonly available computing platforms and thus are as vulnerable to attack by malicious software as are many office PCs. Basically, system vulnerabilities depend on the kind of physical and logical access granted to users and on the kind of software they run."
John Moehrke of GE Medical Systems, a member of the SPC, will deliver a presentation on the paper at the HIMSS 2004 Conference in Orlando, Florida, on Tuesday, February 24, 11:30 AM-12:00 PM, in the IHE Theatre.
Following the SPC lead, vendors and users should cooperate if they are to meet the new challenges of safeguarding the security and privacy of patient data in healthcare. In line with recommendations in the white paper, vendors should consider taking the following actions:
- Ensure system integrity using hardware protection, like ROM and locked cabinets.
- Perform checksum calculations to ensure integrity of files.
- Use digital signatures to further ensure the integrity of files and their origin.
- Perform system profiles to verify complete directory structures.
- Use manufacturing scans to avoid delivering virus-infected products.
- Implement defensive system design using development tools that help eliminate flaws.
- Support programming languages that provide protection against some forms of attack.
- Choose operating systems and hardware that provide security features.
- Restrict network service to the minimum required for proper use of the system.
- Follow security-focused engineering practices, such as software audits and peer reviews.
- Host virus checkers where their use does not otherwise interfere with system operation.
- Behave defensively by offering security-relevant updates and technical assistance.
- Respect the regulatory and technological requirements and restrictions imposed on MedIS, as compared to standard office computers.
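Three of the vendor actions above (checksums for file integrity, a digital signature over the result to vouch for its origin, and a system profile that verifies the complete directory structure) fit together as one file-integrity baseline. The following is an added illustration written for this page, not code from the white paper or from any SPC member company: it profiles an install tree into a manifest of SHA-256 checksums, seals the manifest, and later compares the shipped baseline against the live tree to report modified, missing and added files. Assumptions: an HMAC under a shared key stands in for the asymmetric digital signature the paper recommends (a real vendor would sign with a private key and let users verify with the public key), and the install tree, file names and tampering are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

HASH_NAME = "sha256"


def hash_file(path, chunk_size=65536):
    """Checksum one file in chunks so large image files need not fit in memory."""
    digest = hashlib.new(HASH_NAME)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def profile_tree(root):
    """System profile: map every regular file under root (relative POSIX path) to its checksum."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def seal_profile(profile, key):
    """Attach an origin check to the profile.
    Assumption: an HMAC over canonical JSON stands in for the vendor's digital signature."""
    body = json.dumps(profile, sort_keys=True, separators=(",", ":")).encode()
    return {"profile": profile, "mac": hmac.new(key, body, HASH_NAME).hexdigest()}


def verify_seal(sealed, key):
    """Reject a profile whose contents no longer match its tag (constant-time comparison)."""
    body = json.dumps(sealed["profile"], sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, body, HASH_NAME).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def compare_profiles(baseline, current):
    """Report files whose checksum changed, files that vanished, and files that appeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a tiny install tree, then simulate tampering."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "viewer.exe").write_bytes(b"original viewer binary")
        (root / "config.ini").write_text("verbose=0\n")
        sealed = seal_profile(profile_tree(root), key)  # shipped with the product

        # Changes after delivery: altered binary, deleted config, unexpected extra file.
        (root / "bin" / "viewer.exe").write_bytes(b"modified viewer binary")
        (root / "config.ini").unlink()
        (root / "bin" / "extra.dll").write_bytes(b"unexpected file")

        # Editing the profile itself to hide the extra file invalidates the seal.
        forged = {"profile": dict(sealed["profile"]), "mac": sealed["mac"]}
        forged["profile"]["bin/extra.dll"] = hash_file(root / "bin" / "extra.dll")

        return {
            "seal_ok": verify_seal(sealed, key),
            "forged_seal_ok": verify_seal(forged, key),
            "diff": compare_profiles(sealed["profile"], profile_tree(root)),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check runs in two stages on purpose: the seal is verified first, so a manifest that has itself been edited is rejected before any file comparison is trusted, and only then is the live tree diffed against the baseline.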
Likewise, the white paper suggests that users should think about implementing the following strategies:
- Use technical network defenses such as denial of service detection and response.
- Perform connection authentication before connecting to other equipment.
- Use firewalls to control outsider access to internal services.
- Use network virus scanners to check incoming and outgoing data.
- Perform audit logging of system activities and user actions and regularly analyze the data collected to detect malicious behavior.
- Install Intrusion Detection Systems (IDSs).
- Establish Demilitarized Zones (DMZs) in which to locate firewalls, IDSs, proxy servers, and related security appliances to strengthen the isolation of private intranets from a public network.
- Practice monoculture avoidance and MedIS diversity to reduce the number of vulnerable systems per attack.
- Behave defensively by preparing privacy and security administrative policies and procedures, and train users on their security duties and responsibilities.
- Plan to safely and securely respond to disasters.
- Restrict physical access whenever possible.
- Review all connections to other equipment and reduce them to the minimum.
- Establish a mechanism for secure remote access for servicing.
- Maintain close contact with MedIS vendors to enable timely notice of security-relevant updates and patches.
- Implement the Defense in Depth concept by duplicating controls at multiple locations.
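The user-side recommendation to log system activities and user actions and to analyze the collected data regularly is only useful with concrete rules to run over the records. The following is an added example written for this page, not code from the white paper: it parses a constructed audit log (timestamp, user, action, outcome, source host) and applies two simple rules, a successful login preceded by repeated failures from the same user and host, and a sensitive action outside business hours. The log format, user and host names, action names, the failure threshold and the business-hours window are all assumptions chosen for the demonstration; a real MedIS would use its own audit record format and site-specific thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (not from the white paper or any real system).
SAMPLE_AUDIT_LOG = """\
2004-02-04T08:01:12 alice LOGIN OK ws-radiology-01
2004-02-04T08:03:40 alice VIEW_STUDY OK ws-radiology-01
2004-02-04T12:10:05 bob LOGIN FAIL ws-radiology-02
2004-02-04T12:10:20 bob LOGIN OK ws-radiology-02
2004-02-04T22:15:01 svc-backup LOGIN FAIL ws-unknown-77
2004-02-04T22:15:04 svc-backup LOGIN FAIL ws-unknown-77
2004-02-04T22:15:07 svc-backup LOGIN FAIL ws-unknown-77
2004-02-04T22:15:11 svc-backup LOGIN FAIL ws-unknown-77
2004-02-04T22:16:30 svc-backup LOGIN OK ws-unknown-77
2004-02-04T22:17:02 svc-backup EXPORT_STUDY OK ws-unknown-77
this line is malformed and must be counted, not silently dropped
2004-02-04T23:40:00 bob CONFIG_CHANGE OK ws-radiology-02
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<action>\S+) "
    r"(?P<outcome>OK|FAIL) (?P<host>\S+)$"
)


def parse_audit_log(text):
    """Turn raw lines into records; malformed lines are counted so log damage is visible."""
    records, malformed = [], 0
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            malformed += 1
            continue
        rec = match.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, malformed


def detect_suspicious(records, fail_threshold=3, business_hours=(7, 19),
                      sensitive_actions=("EXPORT_STUDY", "CONFIG_CHANGE")):
    """Apply two rules over time-ordered records. Thresholds and the action list are assumptions."""
    findings = []
    failures = defaultdict(int)  # consecutive login failures per (user, host)
    start, end = business_hours
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["user"], rec["host"])
        if rec["action"] == "LOGIN":
            if rec["outcome"] == "FAIL":
                failures[key] += 1
            else:
                if failures[key] >= fail_threshold:
                    findings.append({"rule": "login_after_repeated_failures", "user": rec["user"],
                                     "host": rec["host"], "failures": failures[key],
                                     "at": rec["ts"].isoformat()})
                failures[key] = 0
        if rec["action"] in sensitive_actions and not (start <= rec["ts"].hour < end):
            findings.append({"rule": "off_hours_sensitive_action", "user": rec["user"],
                             "host": rec["host"], "action": rec["action"],
                             "at": rec["ts"].isoformat()})
    return findings


def analyze(text=SAMPLE_AUDIT_LOG):
    """Parse and analyze one log; returns counts plus the list of findings for review."""
    records, malformed = parse_audit_log(text)
    return {"records": len(records), "malformed": malformed,
            "findings": detect_suspicious(records)}


if __name__ == "__main__":
    for finding in analyze()["findings"]:
        print(finding)
```

Sorting by timestamp before applying the login rule matters because audit records collected from several systems rarely arrive in order, and the malformed-line count is reported rather than discarded so that a log that is being truncated or corrupted shows up in the review itself.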
"The SPC offers rational solutions that can be implemented by both MedIS vendors and its users to effectively protect such systems while respecting regulatory and technological requirements and restrictions," said Dr. David Gobuty of Kodak's Health Imaging Group, the current SPC chair. To join the SPC, contact the secretary, Stephen Vastagh of NEMA, at the email address below.
The white paper was approved by NEMA, COCIR (Coordination Committee of the [European] Radiological and Electromedical Industry), and JIRA (Japan Industries Association of Radiological Systems).