Re: Risk Management
I agree, to a point, but people are going to want to set the blame path, and it lies with the manufacturer of the MRI machine, or CT scanner, or whatever, and then quite clearly to me, with Microsoft. They put together a piece of equipment with potential vulnerabilities. Did the hospitals' risk assessments say "The MRI scanner is running code written by Microsoft which will probably have security holes revealed one day so it should be replaced within 5 years. Maybe 6. Maybe 4. Maybe 10."?
The problem is that software "goes bad" - because the world around it changes. And to my mind at least, the problem is that a home operating system like XP, or 7 or 8 or even 10 is NOT suitable for life-critical systems like CT scanners etc. It's a question of using the right tool for the job. Windows computers cost peanuts compared to medical equipment, and people want the latest features, so something like Windows XP was ideal. It more or less did the job, it was flexible, and by the time it was unsupported by Microsoft, many of the machines were at end of life anyway. It was a simple matter to replace the computer with a new one running Windows 10 or whatever. In 15 years' time, Windows 10 will be obsolete, and those computers will definitely need to be replaced. But medical equipment costs a LOT more, and should therefore last longer. It's no use building a piece of hardware that'll last 25 years if the software goes out of date and can no longer be updated in 5 or 10 years.
The point I'm trying to make is that systems like that need a different OS to run under. One that is really locked down, much less flexible and therefore MUCH more secure. In other words an OS that will still be usable in 25 years. Our problem is that Microsoft thinks their OS is suitable for everything, when it quite plainly is not. And people think that progress can be made by sticking to what they use at home and in the office.
Seriously, the hospitals need to do a proper risk assessment, one involving keeping equipment going for more than a few years. Maybe this will be a wake-up call to persuade the manufacturers of machinery needing embedded systems to rethink their OS choice.
Would you fly on a plane where the systems were all running Windows?