Security experts sound medical device malware alarm

Oct 19, 2012 by Nancy Owano

(Phys.org)—Speakers at a government gathering revealed more reasons for nervous patients to get out their worry beads over future hospital stays. Besides staph infections, wrong-side surgeries and inaccurate dosages, there is a serious problem with malware on medical devices that can harm their performance. Malware, too, can become a matter of life or death inside hospitals across the U.S. According to health and security experts on a government panel in Washington, at the National Institute of Standards and Technology Information Security and Privacy Advisory Board, a lot of medical equipment is running old operating systems.

They run without updates and present easy targets for malware. Considering the range of today's computerized medical devices that are put to use in hospitals, from fetal monitors for at-risk pregnant women to other types of monitors in intensive-care wards, the implications are serious.

Kevin Fu, a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, whose research is focused on medical devices and computer system security, was one of the panel participants. He is sounding an alarm about devices in hospitals where thousands of network-connected devices used for patient care are vulnerable to infection.

In September, the GAO put out a warning that computerized medical devices could be vulnerable to hacking and asked the FDA to address the issue. The GAO report focused mostly on wireless devices, namely implanted defibrillators and .

Fu said those were only two of many devices vulnerable to infection. A 's chief information security officer confirmed Fu's reason for alarm, identifying a wide variety of devices that pose malware risks, ranging from drug compounders to high-end devices to blood gas analyzers to nuclear-medical delivery systems.

In looking for remedies, hospitals find no easy answers. Many pieces of equipment are hooked up to Windows systems, but the reason goes beyond Windows per se. They run on old versions of Windows that go without updates and patches. Medical devices connected to internal networks connected to the Internet are open for malware; laptops, tablets, or smartphones brought into the hospital can be sources. Often the malware is associated with botnets, said the security officer.

Another problem identified was manufacturers that do not allow their equipment to undergo OS updates or security patches. In one example cited, a medical center had 664 pieces of medical equipment running on older Windows operating systems that manufacturers did not allow to be modified, even for antivirus software. Reasons involved questions and concerns over whether modifications would require regulatory review. An FDA deputy director at the conference said, however, that FDA is reviewing its regulatory stance on software.

Meanwhile, a security gathering in Australia this week generated wide publicity when Barnaby Jack, Director of Security Research for IOActive, showed how pacemakers can be a vehicle for murdering an individual or large numbers of people, if a hacker were to upload malicious software to a central server that would spread lethal shocks to everybody using a company's pacemakers.

Speaking at the BreakPoint security conference in Melbourne, he said today's pacemakers have evolved to a wireless control mechanism that can be activated from a distance. Jack demonstrated how he could force the pacemaker to deliver an 830-volt shock directly to a person's heart, by using a laptop. Several different vendors' pacemakers are vulnerable; he was able to use a laptop to access every wireless pacemaker and implantable cardioverter-defibrillator within a 30-foot radius. The weakness exploited has to do with the programming of the wireless transmitters used for delivering instructions to the devices. Jack staged the demo not only to raise awareness that such attacks were possible but to encourage manufacturers to review the security of their code rather than just focusing on safety mechanisms.


User comments : 2


axemaster
4 / 5 (2) Oct 19, 2012
thousands of network-connected devices used for patient care are vulnerable to infection

Why are they network connected? If they never update the system anyway, is there any need for internet access? If network access were really needed, why not just create a LAN in the hospital, and then keep THAT disconnected from the internet.
Bowler_4007
1 / 5 (1) Oct 19, 2012
this is a case where they ought to start thinking about an os that was designed for medical equipment, mobile phones have os's created for them (and they're certainly less important), i seriously cannot see why it is not done for medical devices, also another target for malware is cash machines i can't remember how often i have seen them crash and lo and behold a windows 95-xp desktop shows up makes you wonder if someone has tried making a card to crash it and then flush all the cash out, the manufacturers for both classes of devices are just lazy