High-risk medical technology has been found to be infected by computer viruses and malware, health and security experts stated. The warnings were given as part of a panel discussion in Washington DC, as reported by Technology Review from the Massachusetts Institute of Technology.
Here is one example of how systems in the medical field can be affected by viruses and malware: Beth Israel Deaconess Medical Center in Boston, MA is said to be deleting viruses from up to two machines a week. Experts fear that the cyber security risks could result in growing virus infections that could potentially become so severe that they put a patient in danger. Vulnerabilities are mostly due to outdated computer systems, the majority of which are running an old version of Windows. This translates into unpatched issues: the equipment remains exposed to weaknesses that later releases of Windows fix.
According to the source article, Kevin Fu, a leading expert in medical technology, explained that the machines were not updated because of fears that doing so would put them in breach of regulations put in place by the US Food and Drug Administration (FDA). (And between you and me, nobody wants to mess with the FDA). The FDA approves the use of technology by testing safety rather than security – meaning any potential exposure to cyberthreats is not considered. Conventional malware is on the loose in hospitals because medical devices run unpatched operating systems.
There are also fears, the participants of the panel in Washington, DC agreed, that medical devices could even end up being part of botnets – large networks of hijacked computers. One example of such participation is an infected machine sending out spam email, most of the time unbeknownst to the machine’s user. When a manufacturer refuses to provide security patches or OS updates, medical devices could also suffer from slow performance caused by infection.
There is not sufficient evidence to support the theory that medical machines are being targeted by criminals, yet. (“Yet” being the key word here…) According to Mr. Fu, potential issues are more likely to be “collateral damage” from typical malware designed to infect users’ desktop PCs.
The IT community, however, must be vigilant and work in conjunction with hardware and software manufacturers, medical device users, lawmakers, and regulation enforcement agencies to find the best solutions for medical networks – comprising medical devices, PCs, servers and other components commonly used in the healthcare field – so that they are safe, secure, and compliant with regulations such as those of the FDA or HIPAA by design, not as an afterthought.
The U.S. Government Accountability Office (GAO) recommends that the FDA develop and implement a plan expanding its focus on information security risks.
- FDA: Reminder from FDA: Cybersecurity for Networked Medical Devices is a Shared Responsibility
- GAO: Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices – overview
- View full 89-page report (PDF): http://www.gao.gov/assets/650/647767.pdf
- MIT: Computer Viruses Are “Rampant” on Medical Devices in Hospitals