Hospital medical devices riddled with malware

Regulatory dispute means security patching often left ignored

Hospital equipment increasingly is riddled with malware that could interfere with its operation or change readings, panelists said last week at a meeting of a medical-device panel at the National Institute of Standards and Technology Information Security and Privacy Advisory Board, according to a story at Technology Review.

Though no cases of patient harm have been attributed to it, it's a common problem, Brian Fitzgerald, a Food and Drug Administration deputy director, told the group.

The Veterans Administration, for instance, reported 173 incidents of security breaches of medical devices from 2009-11 that disrupted glucose monitors, canceled patient appointments and shut down sleep labs.

In one example cited, it was revealed that Beth Israel Deaconess Medical Center in Boston has 664 pieces of medical equipment running on older Windows operating systems that manufacturers will not allow to be modified, even to add antivirus software, because of disagreements over whether modifications would require FDA review.

Mark Olson, Beth Israel's chief information security officer, said they included fetal monitors for women with high-risk pregnancies that have been slowed by malware to the point that they become inoperable.

Olson subsequently said the problems have been solved by the manufacturer, Philips, with better protections on the new systems that still run on Windows XP. However, Microsoft no longer supports XP and recently warned it's more vulnerable to infection than its two successors, Vista and Windows 7, a CBS News article points out.

Hospitals, however, generally do not report these issues to authorities, making it more difficult to fully discern the extent of the problem.

In an August report, the Government Accountability Office warned that computerized medical devices could be vulnerable to hacking and asked the FDA to address the issue. That warning was focused on implanted defibrillators and insulin pumps, though those problems represent "a drop in the bucket" to the thousands of other network-connected devices that are vulnerable, according to Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst.

For instance, this week at the Breakpoint security conference in Australia, Barnaby Jack of security vendor IOActive demonstrated how a person with a laptop could deliver a fatal, 830-volt shock to a pacemaker patient from 50 feet away. The FDA reviews only the overall safety of the devices, not the security of their code, something that must change, he told the audience, according to Network World.

"There's kind of the perfect storm of disincentives to make sure the right thing doesn't happen," Fu is quoted at Kaspersky Lab's ThreatPost. "No stakeholder is singularly to blame. The manufacturer who doesn't regularly issue updates isn't helpful to the hospital. Hospitals that don't report problems that could lead to patient harm are complicit. Regulators have guidance on security and say manufacturers should keep these devices up to date, but the problem is patches don't require further FDA review unless there's a safety issue. And that causes manufacturers to make decisions that aren't in the best interest of patients. It's common for manufacturers not to issue patches because they could require review."

To learn more:
- read the Technology Review article
- here's the CBS News post
- check out the GAO report
- find the Network World piece
- read the ThreatPost story
