11.09.12
Malware Increasingly Found in Hospital Equipment
Health information technology (IT) is a sector that has the medtech industry buzzing lately. On Oct. 11, a medical device panel convened at the National Institute of Standards and Technology in Washington, D.C., to discuss the issue of device and equipment security in hospitals.
Kevin Fu, an expert on medical device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, took part in the panel discussion. The malware problem at hospitals, Fu noted, is rising nationwide. Malware, short for malicious software, includes computer viruses, worms, trojan horses, spyware, adware, and similar programs.
Mark Olson, chief information security officer at Beth Israel Deaconess Medical Center in Boston, also participated. He said 664 pieces of hospital medical equipment are running an older Microsoft Windows operating system that manufacturers will not modify or allow the hospital to change—even to add antivirus software. Beth Israel and the manufacturer disagree about how any updates or changes would affect the software’s regulatory approval from the U.S. Food and Drug Administration (FDA). The computers at Beth Israel are frequently infected with malware, and one or two have to be taken offline each week for cleaning, said Olson.
“I find this mind-boggling,” Fu said. “Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There’s little recourse for hospitals when a manufacturer refuses to allow operating system updates or security patches.”
Windows is the most commonly used system in hospitals and also the one usually targeted by hackers. Hospital equipment increasingly is interconnected internally, leaving it wide open to debilitating attacks. No patient injuries have been reported yet.
At the meeting, Olson described an incident of malware slowing down fetal monitors used on women with high-risk pregnancies being treated in the intensive-care ward.
“It’s not unusual for those devices, for reasons we don’t fully understand, to become compromised to the point where they can’t record and track the data,” Olson said during the meeting, referring to high-risk pregnancy monitors. “Fortunately, we have a fallback model because they are high-risk [patients]. They are in an intensive care unit—there’s someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction.”
Olson later told the Massachusetts Institute of Technology publication Technology Review that the manufacturer Philips replaced the computer systems at fault in the monitors several months ago. The new systems, based on Windows XP, have better protections and the problem has been solved.
At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices. Olson said the problem is a patient-safety issue.
In September, the Government Accountability Office issued a report on computerized medical device security and urged the FDA to address the issue.