Medical Device Panel Reports Rising Malware in Hospital Equipment

Health information technology (health IT) is a sector that has the medtech industry buzzing lately. The topic of medical device security was covered by a few panels at the recent AdvaMed 2012 meeting in Boston, Mass. On Oct. 11, a medical device panel convened at the National Institute of Standards and Technology in Washington, D.C., to discuss the rising issue of device and equipment security in hospitals.

Kevin Fu, an expert on medical device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, took part in the panel discussion. The malware problem at hospitals, Fu noted, is rising nationwide.

Mark Olson, chief information security officer at Beth Israel Deaconess Medical Center in Boston, was also on the panel. He said that at his hospital, 664 pieces of medical equipment are running an older Windows operating system that manufacturers will not modify or allow the hospital to change—even to add antivirus software. Beth Israel and the manufacturer disagree over whether any updates or changes will affect the software’s regulatory approval from the U.S. Food and Drug Administration (FDA).

The computers at Beth Israel are frequently infected with malware, and one or two have to be taken offline each week for cleaning, said Olson.

“I find this mind-boggling,” Fu said. “Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There’s little recourse for hospitals when a manufacturer refuses to allow operating system updates or security patches.”

Windows, the operating system most often targeted by hackers, is the most commonly used system in hospitals. Hospital equipment is increasingly interconnected internally in hospitals, leaving hospitals wide open to debilitating attacks. No patient injuries have been reported as yet.

At the meeting, Olson described an incident of malware slowing down fetal monitors used on women with high-risk pregnancies being treated in the intensive-care ward.

“It’s not unusual for those devices, for reasons we don’t fully understand, to become compromised to the point where they can’t record and track the data,” Olson said during the meeting, referring to high-risk pregnancy monitors. “Fortunately, we have a fallback model because they are high-risk [patients]. They are in an intensive care unit—there’s someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction.”

Olson later told the Massachusetts Institute of Technology publication Technology Review that the manufacturer, Philips, replaced the computer systems at fault in the monitors several months ago. The new systems, based on Windows XP, have better protections and the problem has been solved.

At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices.

Olson told the panel that infections have stricken many kinds of equipment, raising fears that someday a patient could be harmed.

“We also worry about situations where blood gas analyzers, compounders, radiology equipment, nuclear-medical delivery systems, could become compromised to where they can’t be used, or they become compromised to the point where their values are adjusted without the software knowing,” he said. He explained that when a machine becomes clogged with malware, it could in theory “miss a couple of readings off of a sensor [and] erroneously report a value, which now can cause harm.”

In September this year, the Government Accountability Office issued a report on computerized medical device security, and urged the FDA to address the potential problem. The report focused on implanted defibrillators and insulin pumps in particular, which the GAO considers most at risk, though no actual hacks (of any device) have been reported yet.

Fu, however, said that these two types of devices are a mere “drop in the bucket” when it comes to vulnerable devices. “These are life-saving devices. Patients are overwhelmingly safer with them than without them. But cracks are showing.”

The Office of the National Coordinator (ONC) for Heath IT has published a five-year plan—the Federal Health IT Strategic Plan—for developing and maintaining a cloud of interconnected medical data. The ONC accepted input from federal advisory committees and from public commentary when constructing the plan. One of the stated goals of the plan, intended to be implemented between 2011 and 2015, focuses on government efforts to update its approach to privacy and security issues related to health IT.

Robert Jarrin, senior director of government affairs at software company Qualcomm, said on a health IT panel at AdvaMed that the ONC is constructing a data cloud more than focusing on security. Actual security measures have to come from the FDA before a really dangerous breach of security occurs.

Brian Fitzgerald, deputy division director of electrical and software engineering at the FDA’s Center for Devices and Radiological Health, sat on both an AdvaMed panel on medical device hacking and the panel at the National Institute of Standards and Technology. At AdvaMed, he said that it is now routine for the FDA to ask manufacturers what they have done for their products with regard to security. For the FDA, malware and hacking risks now fall under the category of “foreseeable,” and the agency is therefore taking the issue more seriously than ever before.