Incident highlights need for anatomic pathology and clinical laboratories to protect computer and LIS systems from hackers and malware
Anatomic pathology labs and clinical laboratories that continue to run Microsoft Windows XP on their computer systems now have a real threat to address. In Australia, the computers in a hospital’s medical laboratory were infected in January with a computer virus that shut down the system. To maintain clinical services, the lab staff was forced to use paper-based methods, among other solutions.
The computer virus crippled the pathology department at the Royal Melbourne Hospital and spread throughout the hospital system by targeting computers running Microsoft Windows XP. This is a 14-year-old operating system that Microsoft no longer supports.
According to a story in iTnews, the Qbot malware first infected computers in Royal Melbourne Hospital’s pathology department in mid-January, handcuffing the pathology department. Staff was forced to develop manual workarounds to process specimens and to record and communicate results.
Hospital Clinical Pathology Department Resorts to Non-Electronic Processes
“This has slowed down the process and we have reverted to old-fashioned methods with paper-based records and phoning through and faxing results,” stated Chris MacIsaac, MBBS, PhD, Royal Melbourne Hospital Divisional Director of Critical Care & Investigative Services, in a report by a local Australian news outlet.
iTnews reported that the virus had infiltrated the pathology department through an “unnamed zero-day exploit in the Windows XP computers,” unstopped by the health system’s enterprise software suite. Pulse+IT pointed out that the majority of personal computers in Royal Melbourne’s pathology department run on Windows XP, while the LIS runs on Windows Server 2003.
“The worm had infected other machines in the hospital running newer operating systems, but when it infected an XP machine, it effectively killed it,” a source told Pulse+IT. “However, the hospital also has a few PCs attached to aged medical equipment running on Windows NT that are still working fine.”
Qbot Virus Hard to Kill, Hospital Defeats Infection; No Patients Harmed
Once introduced into an operating system, the Qbot virus, which typically attacks banking systems, can steal passwords and capture user keystrokes. The malware also adds the infected machines to a global network of compromised computers, iTnews stated.
The malware stopped Royal Melbourne Hospital staff from accessing patient medical laboratory test results and impacted food service and other services. However, the security of patient medical records was not compromised. Elective surgeries and outpatient appointments continued on schedule during the crisis, ZDNet reported.
In a January 19 statement, the hospital claimed most of the facility’s computers were now “clear of the virus” and noted that the pathology (medical laboratory) and pharmacy departments were “up and running.”
“While the virus has been disruptive to the organization, due to the tireless work of staff we have been able to minimize this disruption to our patients and ensure patient safety has been maintained,” the hospital said in a news release.
“We had one day in the last week where the virus mutated six times,” stated Melbourne Health Chairman Robert Doyle, Melbourne’s 103rd Lord Mayor, in the ZDNet article. “We are down to quite small outbreaks now, but we are trying to stop it talking across computers,” Melbourne concluded.
Melbourne Health Criticized for Using Antiquated Computers
In a blog post, blueAPACHE, an IT management, strategy, and convergence services provider in Australia, New Zealand, and North America, criticized Melbourne Health, which manages Royal Melbourne Hospital, for relying on the Windows XP operating system for services that impact patient health and operations.
“Without the regular security patches and updates from Microsoft, the operating system becomes a playground for hackers to exploit,” blueAPACHE pointed out.
blueAPACHE further noted that, with the introduction of Software as a Service (SaaS) and Desktop as a Service (DaaS) software models, it is no longer cost prohibitive to roll out upgraded technology systems.
“The excuses for not maintaining systems and inadvertently creating high-risk IT environments are simply no longer valid,” blueAPACHE stated in the blog post.
Government Pays Millions to Extend Software Support
In fact, organizations have paid Microsoft millions of dollars for continued support of outdated operating systems. ZDNet noted that the U.S. Navy agreed to pay Microsoft an estimated $9 million for three years of additional support for its Windows XP, Office 2003, Exchange 2003, and Server 2003 systems.
According to iTnews, Melbourne Health had begun a long-term upgrade of its Windows XP machines, with 2,200 of its 4,000 machines upgraded to Windows 7 prior to the malware attack. Upgrades of the remaining computers have now been accelerated.
Attacks like these are an urgent reminder that hospitals, medical laboratories, and anatomic pathology groups must take the steps necessary to protect their computerized information systems from eventual intrusion by hackers and malware. Because of the potential for patient harm from hackers attacking lab computers, these steps should be taken with urgency.
—Andrea Downing Peck