The Conficker Working Group several months ago discovered several hundred medical devices that had been infected with the Conficker worm and set about alerting the affected hospitals to the problem. The disinfection process should have been straightforward, but the tangle of regulations that govern medical facilities prevented the hospitals from making changes to the devices for three months.
Cnet News is reporting that the hospitals had no choice but to wait:
Rodney Joffe, one of the founders of an unofficial organization known as the Conficker Working Group, said that government regulations prevented hospital staff from carrying out the repairs.
Joffe, who also is the senior vice president for the telecom clearinghouse Neustar, told a panel of the House Energy and Commerce Committee that over the last three weeks, he and another Conficker researcher identified at least 300 critical medical devices from a single manufacturer that have been infected with the computer virus…
Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.
The problem underscores again the dangers of connecting specialty devices to the public Internet, which experts have warned against for years.