Security experts sound medical device malware alarm

Oct 19, 2012 by Nancy Owano

(Phys.org)—Speakers at a government gathering revealed more reasons for nervous patients to get out their worry beads over future hospital stays. Besides staph infections, wrong-side surgeries and inaccurate dosages, there is a serious problem with malware that can harm the performance of medical devices. Malware, too, can become a matter of life or death inside U.S. hospitals nationwide. According to health and security experts at a government panel in Washington, a meeting of the National Institute of Standards and Technology's Information Security and Privacy Advisory Board, a lot of medical equipment runs on old operating systems.

They run without updates and present easy targets for malware. Considering the range of computerized devices put to use in hospitals today, from fetal monitors for at-risk pregnant women to other types of monitors in intensive-care wards, the implications are serious.

Kevin Fu, a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, whose research focuses on medical devices and computer system security, was one of the panel participants. He is sounding an alarm about hospitals where thousands of network-connected devices used for patient care are vulnerable to infection.

In September, the GAO put out a warning that computerized medical devices could be vulnerable to hacking and asked the FDA to address the issue. The GAO report focused mostly on wireless devices, namely implanted defibrillators and .

Fu said those were only two of many devices vulnerable to infection. A chief information security officer confirmed Fu's reason for alarm, identifying a wide variety of devices that pose malware risks, ranging from drug compounders to high-end devices to blood gas analyzers to nuclear-medical delivery systems. In looking for remedies, hospitals find no easy answers.

Many pieces of equipment are hooked up to Windows systems, but the reason goes beyond Windows per se: they run on old versions of Windows that go without updates and patches. Medical devices on internal networks that are themselves connected to the Internet are exposed to malware; laptops, tablets, or smartphones brought into the hospital can be sources of infection. Often the malware is associated with botnets, the security officer said. Another problem identified was manufacturers that do not allow their equipment to receive OS updates or security patches. In one example cited, a medical center had 664 pieces of medical equipment running on older Windows operating systems that manufacturers did not allow to be modified, even to add antivirus software. The reasons involved questions and concerns over whether such modifications would require regulatory review. An FDA deputy director at the conference said, however, that the FDA is reviewing its regulatory stance on software.

Meanwhile, a security gathering in Australia this week generated wide publicity when Barnaby Jack, Director of Security Research for IOActive, showed how pacemakers could become a vehicle for murdering an individual or large numbers of people if a hacker were to upload malicious software to a central server that then spread lethal shocks to everybody using a company's pacemakers.

Speaking at the BreakPoint security conference in Melbourne, he said today's pacemakers have evolved to a wireless control mechanism that can be activated from a distance. Jack demonstrated how, using a laptop, he could force a pacemaker to deliver an 830-volt shock directly to a person's heart. Several different vendors' pacemakers are vulnerable; with a laptop he was able to access every wireless pacemaker and implantable cardioverter-defibrillator within a 30-foot radius. The weakness exploited lies in the programming of the wireless transmitters used to deliver instructions to the devices. Jack staged the demo not only to raise awareness that such attacks were possible but to encourage manufacturers to review the security of their code rather than focusing only on safety mechanisms.


User comments (2)

axemaster
4 / 5 (2) Oct 19, 2012
thousands of network-connected devices used for patient care are vulnerable to infection

Why are they network connected? If they never update the system anyway, is there any need for internet access? If network access were really needed, why not just create a LAN in the hospital, and then keep THAT disconnected from the internet?
Bowler_4007
1 / 5 (1) Oct 19, 2012
This is a case where they ought to start thinking about an OS that was designed for medical equipment. Mobile phones have OSs created for them (and they're certainly less important); I seriously cannot see why it is not done for medical devices. Also, another target for malware is cash machines. I can't remember how often I have seen them crash and, lo and behold, a Windows 95-XP desktop shows up. Makes you wonder if someone has tried making a card to crash it and then flush all the cash out. The manufacturers for both classes of devices are just lazy.