
Cyberattacks on medical devices: a new concern

7/24/2013


[Reproduced from Scientific American]
A New Cyber Concern: Hack Attacks on Medical Devices
[By Dina Fine Maron | 06.25.2013]

Computer viruses do not discriminate. Malware prowling the cybersphere for bank information and passwords does not distinguish between a home computer or a hospital machine delivering therapy to a patient. Even if a radiation therapy machine, say, is infiltrated unintentionally, malware could theoretically cause radiation doses to spike.

Medical device-makers need to protect their products from cyber attack, according to recent draft guidance from the U.S. Food and Drug Administration. The FDA calls for medical device manufacturers to consider the vulnerabilities that crop up when medical devices are designed to be more thoroughly integrated into networks and connected to the Internet. It asks manufacturers to draw up security plans to protect systems from malware before submitting plans for market approval. The agency also prodded hospitals to step up future reporting of any cyber attacks.

In a recent alert the U.S. Department of Homeland Security highlighted one weakness affecting approximately 300 medical devices, including drug infusion pumps, ventilators and external defibrillators. It warns that hard-coded passwords that normally allow service technicians to gain access to myriad machines could be used to make nefarious changes if they fall into the wrong hands. “We are aware of hundreds of devices involving dozens of manufacturers that have been affected by cyber security vulnerabilities or incidents,” says William Maisel, senior official at the FDA’s Center for Devices and Radiological Health. In none of these cases were specific devices or hospitals targeted nor did cyber attacks result in patient harm, at least that the FDA is aware of. A range of medical devices run on standard software such as Windows XP and are vulnerable to common viruses that plague home and office computers. Because the number of events is on the rise, Maisel says, the FDA decided it was time to issue formal guidance about the need to act.

Connecting hospital systems and devices to the Internet allows doctors to remotely study a patient’s scans and computers to quickly share patient information. But it also creates new entry points where computer viruses can prey on electronic systems.

The Department of Veterans Affairs has been tracking medical device infections since 2009. As The Wall Street Journal first reported, there have been 327 such incidents. Those events did not result in patient harm, says Christian Houterman, manager of Clinical Informatics and Medical Technology in the Veterans Health Administration. The incidents, however, did sometimes create headaches for patients and hefty bills for the hospital, he says.

One such incident occurred in 2010 when the Conficker computer worm infected an entire sleep lab at a VA hospital in New Jersey. All the patients had to be rescheduled, which was a challenge because many of them relied on family members to drive them to the lab. Meanwhile, to halt the infection and ensure the devices were Conficker-free, the manufacturer had to reformat all the devices—at a cost to the hospital of about $40,000, says Lynette Sherrill, deputy director for health information security at the VA. With a virus like Conficker, she says, it’s not just a matter of stopping the virus from doing further damage after it may lock out users. Computer memory also has to be wiped clean of code that the virus downloads from the Internet and saves in each computer’s memory—something virus scans cannot eliminate. Conficker, a particularly pernicious virus, can also expose patient data and passwords. Attacks from malware including Conficker have occurred on medical equipment including imaging devices, eye-exam scanners and electrocardiograph stress analyzers, according to the VA records.

Because many of these machines do not have specific patient information, however, the risk of patient credit card or health information being stolen is slight. Malware such as botnets—viruses that attempt to control functions on a cadre of computers and then have them all work together to perform some illicit task—can drain energy, slow systems down and mess with their functionality. Malware can also render a device unavailable to give care. “I view it as we are in an entire village of houses with no locked doors,” says Kevin Fu, a computer scientist that focused on medical devices and cyber security at the University of Michigan. “It doesn’t take a rocket scientist to think we should have some risk mitigation strategies in place, because usually the bad guys are a couple steps ahead of the good guys.”

The presence of malware is sometimes only discovered when someone notices that the system is lethargic or there is some issue with device performance. With this new guidance the FDA is trying to kick-start the process so cyber security concerns are integrated into the planning stages of production and systems are in place to check for and respond to cyber threats. “We don’t want to wait for that point where a device is performing inappropriately,” Maisel says. “We want device-makers and hospitals to be proactive.”

Being proactive, however, can be a tall order. Just as a home computer can run into issues when downloading the latest updates, hooking hospital systems up to the latest security patches—a step named in the guidance—comes with the risk of temporarily harming the system while kinks get worked out. In the past some companies advised against getting updates to the system for just that reason. “If you break an important medical scanner because you rolled out a patch, that’s just as bad as having malware since the device is now unavailable,” says Bryan Gulachenski, interim executive director at StopBadware, a nonprofit anti-malware organization. Cyber security experts agree that a large part of this process will be manufacturers and hospitals educating themselves.

As manufacturers strive to incorporate traditional cyber-security protection techniques into medical devices including pacemakers, medical scanners and life-sustaining machinery, another balancing act needs to be struck: how to adequately protect emergency care devices while creating situations where caregivers can quickly bypass the need for pass codes to provide immediate care. “That is a very real concern. When I log into my e-mail account on a Web site, if I type my password wrong three times, it locks me out. That’s okay. That’s not okay for a medical device,” Fu says. Companies looking at this issue will need to build in flexibility for these realities, he adds.

Some companies have already been strategizing about how to create these safeguards, says Mike Ahmadi, a consultant medical device security expert. Medical device companies remain hesitant to market their products as being secure, because they do not want to invite attacks on their systems from hackers who like a challenge, he says. “I know a couple pacemakers who are doing a more than adequate job, but none are going to come forward and say we have a secure device and you should buy it for that reason.” Advertising about security, he says, can also be a matter of liability if the system is compromised.

For now, it’s a matter of managing risk. “There’s always going to be malware. It’s just like the U.S. Centers for Disease Control doesn’t try to eliminate every disease—it tries to control them. It’s the same with malware—the cat’s out of the bag and it’s out there,” Fu says. “At this point there are no meaningful controls for malware and for the most part we rely on hope; the problem is there are too many entry points to enumerate.”

  
