The Conficker Working Group discovered several hundred medical devices that had been infected with the Conficker worm and set about alerting the affected hospitals to the problem. The disinfection process should have been straightforward, but the tangle of regulations that govern medical facilities prevented the hospitals from making changes to the devices for three months. Regulations mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove infections and vulnerabilities. The problem underscores again the dangers of connecting specialty devices to the public Internet, which experts have warned against for years.
Source: https://threatpost.com/compliance-demands-prevented-repair-virus-infected-medical-devices-050409/72628/