The infamous Conficker worm added more cause for alarm when it had been found to have spread into hundreds of medical devices in several hospitals in the US and other countries. There have been no reports of patients being harmed as a result of malfunctioning devices, but security experts monitoring the Conficker situation worry it may pose a threat in the future.

Among the machines discovered by Marcus Sachs, director of the Internet warning system Internet Storm Center, that were infected by Conficker included MRI machines. Researchers following the worm had noticed an imaging machine used to check high-resolution images was connecting to the Internet and fetching instructions, which researchers presumed to be the creators of Conficker.

A further investigation yielded 300 similar machines all over the globe infected by Conficker. According to the manufacturer of these devices, none of the machines should be connecting to the internet. The machines were deemed vulnerable for further attacks as all of the machines were running on an unpatched Microsoft operating system for embedded devices.

While a simple installation of a patch already released by Microsoft last October would have solved the problem, the US Food and Drug Administration mandated they be given a 90-day notice before any installation and patching could occur.

Rodney Joffe, a senior vice president at NeuStar, lamented this ruling as the 90-days can prove to be crucial time wasted. In that span of time, Joffe claims, a hacker may have already mounted further attacks on other devices in the network, or perhaps have sent out numerous patients’ information.

Joffe will testify in Congress to request that such blocks preventing federal agencies from quickly dealing with cyber security threats such as Conficker be removed. The researchers have yet to discover the purpose of these infected machines to Conficker but they have seen all sorts of machines on the hospital network, from personal computers used by secretaries to machines responsible directly to the well-being of patients, access remote addresses on the Internet.

Joffe fears that this problem may only become worse and perhaps spread in other industries in fields, as the unpatched Microsoft operating system is not limited to being installed to medical devices but can be found in a wide range of products. It is feared that the Conficker virus may have already spread to other types of devices. While he believes that the authors of the worm have not created Conficker to target medical devices specifically, he fears they may still profit from sensitive data gathered from these machines.