The National Institute of Standards and Technology held meetings last fall for its Information Security & Privacy Board. During these meetings, experts expressed concern over the volume of malware on medical devices. One cause for the infestations is that medical device manufacturers won’t allow hospitals to use solutions like virus protection software or scans. Another cause is that manufacturers often run old operating systems out of concern that upgrades may violate FDA regulations.
Malware can infect machines ranging from expensive diagnostic imaging devices to compounders that prepare intravenous nutrition and drugs. If a machine like a blood gas analyzer gave a false reading because of malware, then a patient could experience serious harm. The U.S. Government Accountability Office (GAO) has specifically warned that devices like patient insulin pumps and internal defibrillators could malfunction because of malware vulnerabilities. However, the board points out that any network-connected medical device could be vulnerable to infection.
Real-Life Medical Malware Scenarios
MIT Technology Review cited an example of medical device malware proliferation from Boston’s Beth Israel Deaconess Medical Center. In this facility, IT has identified 664 medical devices running on old Windows operating systems because of manufacturers’ restrictions. Beth Israel’s chief information security officer, Mark Olson, says that at least one or two machines are taken out of commission weekly to be cleansed of malware.
Malware can render patient monitoring devices and software systems temporarily inoperable, and experts fear that patient injury is only a matter of time. In one intensive care unit that treated women with high-risk pregnancies, for example, malware clogged up fetal heart rate monitors and caused them to work significantly more slowly. If someone hadn’t been present to catch the issue, then doctors wouldn’t have known if the babies or their mothers were in distress.
In 2009, the Conficker worm infected an obstetrical care workstation, a radiology workstation and several nuclear medicine applications at Beth Israel. The systems were shut down, cleaned and isolated from the network before anyone was injured. However, unless manufacturers and regulators begin to seriously address the problem, most experts agree that patient injury or even fatality is inevitable.
Analysts say that most medical device malware infections are linked to botnets. Hackers use malware to gain control of large numbers of computers, which then form botnets, or armies of compromised computers. Hackers can then use these “zombie computers” to wage large-scale distributed denial-of-service (DDoS) attacks against any kind of network.
Why the Problem Isn’t Getting Better Quickly
Although regulators have known about these issues for some time, device manufacturers, hospitals and the FDA have made little progress for a number of different reasons:
- Economic pressures. Medical device manufacturers face pressures just like any other business to develop products quickly and get them to market fast. Testing for quality, reliability and safety can slow down that process.
- Underreporting. Many hospital staff and medical providers don’t report malware problems to manufacturers or to state and federal regulators. Experts say that staff members feel that they have no recourse for fixing the problem, so they don’t bother reporting it.
- Sluggish FDA response. While the FDA has begun to review its software policies, the pace of the process has been slow. Changing policy means new culture, new technology, new staff and new approaches, and changing management takes time.
- Inconsistent manufacturer policies. The FDA has issued some guidance saying that software updates don’t always require regulatory review. However, to avoid liability, many manufacturers hesitate to skirt the process. While some manufacturers will provide patches and security guidance, other manufacturers supply nothing. Hospitals prefer to firewall non-secure devices, but IT departments can’t maintain hundreds of firewalls on every hospital network.
Mark Olson has suggested a number of solutions that manufacturers can build into medical devices. He suggests that manufacturers include antivirus software and allow OS patches for all devices. He also suggests adding logging capabilities and support for Microsoft Active Directory. Security solutions should be flexible enough to accommodate any hospital security model, and manufacturers should eliminate “phone home” services that bypass firewalls. Finally, Olson asks that manufacturers use off-the-shelf operating systems, because they allow hospitals to save money and ensure that machines aren’t riddled with unnecessary programs.
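As an added example (not from the article, NIST, or Beth Israel), the following Python script shows one way a hospital IT team could act on the firewalling and logging points above: it triages firewall egress-deny log lines from a segregated device VLAN and flags devices that tried to reach the internet or other internal hosts outside an allowlist, the kind of traffic a “phone home” service, a bot, or a worm would generate. The log format, device names, IP addresses, operating systems and the allowlist are all constructed assumptions.

```python
"""Egress-deny log triage for a segregated medical-device network segment.

Added example, not code from the article or any device vendor. It assumes
the hospital firewall logs denied outbound connections from the device VLAN
in a simple key=value format; every log line, device, address and the
allowlist below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: firewall events from the device VLAN (10.20.5.0/24).
SAMPLE_LOG = """\
2013-01-14T02:11:07Z action=deny src=10.20.5.17 dst=203.0.113.45 dport=6667 proto=tcp
2013-01-14T02:11:09Z action=deny src=10.20.5.17 dst=203.0.113.45 dport=6667 proto=tcp
2013-01-14T02:11:12Z action=deny src=10.20.5.17 dst=198.51.100.9 dport=443 proto=tcp
2013-01-14T02:15:30Z action=allow src=10.20.5.22 dst=10.20.1.10 dport=104 proto=tcp
2013-01-14T02:16:01Z action=deny src=10.20.5.22 dst=192.0.2.77 dport=80 proto=tcp
2013-01-14T02:20:44Z action=deny src=10.20.5.31 dst=10.20.1.10 dport=445 proto=tcp
"""

# Constructed device inventory keyed by VLAN address (assumed names and OSes).
INVENTORY = {
    "10.20.5.17": {"name": "blood-gas-analyzer-3", "os": "Windows XP"},
    "10.20.5.22": {"name": "fetal-monitor-icu-b", "os": "Windows 2000"},
    "10.20.5.31": {"name": "nuclear-med-ws-1", "os": "Windows 7"},
}

# Constructed allowlist: the only flow the segment legitimately needs,
# DICOM (port 104) to the hospital's PACS server.
ALLOWED_DESTINATIONS = {("10.20.1.10", 104)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one assumed key=value log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def is_private(ip):
    """RFC 1918 check, sufficient to separate internal from internet hosts here."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def triage(log_text):
    """Summarise denied, non-allowlisted egress per source device.

    Returns {src_ip: {"denied": n, "internet_destinations": set,
                      "lateral_ports": set}}.
    """
    findings = defaultdict(
        lambda: {"denied": 0, "internet_destinations": set(), "lateral_ports": set()}
    )
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["action"] != "deny":
            continue
        if (event["dst"], event["dport"]) in ALLOWED_DESTINATIONS:
            continue
        finding = findings[event["src"]]
        finding["denied"] += 1
        if is_private(event["dst"]):
            # Internal destination outside the allowlist: worm-style spread attempt.
            finding["lateral_ports"].add(event["dport"])
        else:
            # External destination: undocumented phone-home or bot traffic.
            finding["internet_destinations"].add(event["dst"])
    return dict(findings)


def report(log_text):
    """Render triage findings as one human-readable line per device."""
    lines = []
    for src, f in sorted(triage(log_text).items()):
        dev = INVENTORY.get(src, {"name": "unknown-device", "os": "unknown"})
        reasons = []
        if f["internet_destinations"]:
            reasons.append("outbound to %d external host(s)" % len(f["internet_destinations"]))
        if f["lateral_ports"]:
            ports = ",".join(str(p) for p in sorted(f["lateral_ports"]))
            reasons.append("internal attempts on port(s) %s" % ports)
        lines.append("%s (%s, %s): %d denied egress events; %s"
                     % (dev["name"], src, dev["os"], f["denied"], "; ".join(reasons)))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The allowlist is deliberately tiny: a device segment should only be able to reach the handful of hospital systems it serves, so every denied flow is worth a look, and a device that repeatedly tries external hosts or internal file-sharing ports is a candidate for the weekly take-out-and-clean routine the article describes. In practice the parser would be adapted to the firewall's real log format, and the inventory would come from the asset database rather than a dictionary.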