Intensive Care Units (ICU) are places in hospitals where people with special care are placed. Those people need continuous monitoring for there condition. These units are normally equipped with high tech patient monitor machines, ECGs, and ventilators. 

 

Furthermore, ICU's normally keep higher standard of infection control to make them invulnerable to all kinds of infections due to the critical condition of it's patients.

e-Infection !

Last, week I was in Al-Amiri hospital, Kuwait. I was doing maintenance to a portable xray machine. There, I was struck with a view on all PC screens. Those PC's were running Critical Care Information system. In fact, all screens where showing a Mcfee Virus Alert. The list; as you see above, is showing multiple virus infections. 

Even though ICU was equipped with high-tech patient monitors, ventilators and looked very clean and dis-infected, but it was; actually, infected with a special infections. These infection have no direct harm to the patient but they eventually do a harm !

How does a computer virus threatens life?

In these days, patient monitoring is not done at each bed. Each patient is monitored centrally by nurses & medical staff; i.e., at the nurse station.  Thus, interruption in flow of clinical data between patient monitors and central monitoring system will definitely interrupt monitoring the vital signs of critically ill patient's .

Second; at critical care stations, physicians make electronic requests; i.e., for lab or imaging procedures. Virus infections can make those PC's slow or make them completely down by corrupting some files. In fact, delay in exam requests is definitely a life threatening . 

Third, at critical care stations, physicians write there reports, notes or prescribe patient's medication. Virus threats on those stations; again, will delay the whole process at the ICU. Delay is not a good sign of a good ICU.

On the ground..

Frankly speaking, this ICU was not the only place in Ministry of Health where I have seen such virus attacks. Many places like neonatal ICUs, Radiology Departments, Cardiology, and Nuclear Medicine had the same issue.

In 2008, one year after world-wide attacks of a well know electronic warm(special viruses). the warm(or Trojan) with different names such as (DownaDop, Conficker, etc...) have hit most of ministry's information systems in a mater of a week. Moreover, xray and ultrasound machines were also hit by this warm specially those with MS-Windows XP were badly hit. Around 6 Xray machines went totally down due to network problems.

Finally, we have to admit that hospitals in Kuwait are in trouble ! In near Future we might see a crisis due to the fact that the no. of medical equipment getting connected using TCP/IP networks is exponentially growing.

Problem and Solution !

The problem is not actually the "virus attacks", virus attacks happen every day and everywhere, the problem is lack of network security , and maintaining that ! In fact,  If you are connected to the outside world then you are at risk ! you don't have to be connected to the internet, allowing use of removable storage devices (i.e. USB sticks) is the biggest source of invulnerability.

The solution is not easy but affordable and better to start now than never.Effort to set standards for security in eHealth and for medical devices is going on. HIPAA is one example of such standards. HIPAA is a governmental act in USA to assure security and privacy of patient's health records. Some of these requirements are securing health records from viruses.

Moreover, and effort was taken by U.S department of veteran affairs to design a model for secure network of medical devices. See Excellent readings. Another effort was taken by Society of Hospital Information Mangament Systems (HiMSS) to encourage a medical device security disclosure like DICOM conformance statement. See Excellent Reading below.

In Kuwait, the gap is very huge. We should immediatly start some where. Niether we have IT team in hospital nor Biomedical Engineering departments have experience or a say in this.

Thus a very rough plan should be divided into three stages. 

• Stage 1. Putting IT security standards on our list of priorities.

• Stage 2. Forming an independent IT support team in the hospital independent from medical device vendor. If MOH claims that they don't have enough resources, IT team doesn't have to be through local staff, IT can be outsourced just like electrical maintenance or waste Management .

• Stage 3. To Include IT support, Network management , and network security in medical device RFP, and the service contract (service level agreement.)

   

Excellent Readings..

1. When medical-device gets sick. Ellen Messmer, NetworkWorld.com, 2004 [1]
2. Medical Device Isolation Architicture Guide, Department of Veterain Affairs, USA. 2004 [2]
3. Trends in Medical Device Security. HiMSS.org (Bibliography) [3]
4. Cybersecurity forMedical Devices.Scott Bolte, GE Healthcare, 2005 [4]

Agree, but....

Submitted by DoctorDalai on Thu, 05/05/2011 - 19:50.

Excellent write-up, Hussein. I'm actually looking into this from the other side...A friend's IT department wants to stop the use of CD-ROM's for outside studies because viruses could be admitted. To me patient care has to be first and foremost, but certainly all REASONABLE precautions must be taken to stop what you have described. Have you ever heard of a virus causing a nuclear medicine camera to crush a patient? That's what IT told my friend could happen.

Some of my friends in IT want to lock down the system to the point of making it unusable in the name of network security. This hurts everyone, especially the patients. I think your staged plan is a very good framework for solving the problem in an intelligent fashion.

What a virus :)

Submitted by Hussein on Fri, 05/06/2011 - 11:10.

Yeah .. many hospitals in Kuwait have same problem.. vendor not allowing them to use CDROM, USB sticks, and internet, that's why you will see two PC's and two networks on each desk ..
In Kuwait, vendor installs AntiVirus .. no regular updates, no OS patches, Direct access to the internet for remote support (no proxy) .. Hospital's think that this is enough and don't want to have their own IT team.

Regarding the (funny) virus that crushes NM patients.. I'm following up FDA adverse events and didn't here about such a case .. but frankly this might happen when some vendors use TCP/IP network to control there modality sub-systems (i.e., gantry) so far most vendors use another protocol (controled area network- CAN) to do that .. So we never no :)

Excellent Find!

Submitted by Hamad on Sun, 05/01/2011 - 11:09.

well, I shouldn't be calling this an excellent find really.... this is a disaster!

If I know one thing about the healthcare sector in Kuwait that will be our enormous ability to purchase cutting edge technology for every department, and our inability to properly run and maintain this technology.

Our hospitals are full of top of the line machines that are not being used properly and in so poorly maintained.

It's not a matter of money

Submitted by Hussein on Sat, 05/07/2011 - 06:56.

Exactly ! What you said shows that it's really not a matter of money .. however, the problem in MOH hospitals is either human resources and/or managment of those resources. In Radiology/NM I have seen decision makers divided on this issue.
1. Some of them think that MOH should provide IT support, but don't the approach to get this.
2. Some other think that no need for IT support, PACS/RIS vendors are doing enough.

For No.1.
I know you have been trying very hard to get support from Hospital IT (if existed) but they never did. So, solution is to outsource this service.. Just like Electrical Maintenance and Waste Managment.

For No.2
a. If vendor was enough then why are we are discussin this crisis.
b. IT support should be unified to all hospital departments since integeration is the ultimate goal of all info. systems.. Now, who will take care of IT infrastructure ? PACS vendor of Radiology, of PACS vendor of NM, or PACS vendor of Cardiology or HIS vendor ?
c. PACS/RIS vendors supposed to be PACS/RIS vendors not contruction, not teleradiology providers, not internet providers, not IT companies