Security experts sound medical device malware alarm

October 19, 2012 by Nancy Owano report

(—Speakers at a government gathering revealed more reasons for nervous patients to get out their worry beads over future hospital stays. Besides staph infections, wrong-side surgeries and inaccurate dosages, there is a serious problem with medical devices and malware that can harm their performance. Malware, too, can be turned into life or death enablers inside U.S. hospitals nationwide. According to health and security experts at a government panel in Washington, at the National Institute of Standards and Technology Information Security and Privacy Advisory Board, there is a lot of medical equipment running old operating systems.

They run without updates and present easy targets for malware. Considering the range of today's computerized that are put to use in hospitals, including fetal monitors for at risk pregnant women to other types of monitors in intensive-care wards, the implications are serious.

Kevin Fu, a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, whose research is focused on medical devices and computer system security, was one of the panel participants. He is sounding an alarm about devices in hospitals where thousands of network-connected devices used for patient care are vulnerable to infection.

In September, the put out a warning that computerized medical devices could be vulnerable to hacking and asked the FDA to address the issue. The GAO report focused mostly on wireless devices, namely implanted defibrillators and .

Fu said those were only two of many devices vulnerable to infection. A 's chief information security officer confirmed Fu's reason for alarm, identifying a wide variety of devices that pose malware risks, ranging from drug compounders to high-end devices to blood gas analyzers to nuclear-medical delivery systems. In looking for remedies, hospitals find no easy answers. Many pieces of equipment are hooked up to Windows systems, but the reason goes beyond Windows per se. They run on old versions of Windows that go without updates and patches. Medical devices connected to internal networks connected to the Internet are open for malware; laptops, tablets, or smartphones brought into the hospital can be sources. Often the malware is associated with botnets, said the security officer. Another problem identified was manufacturers that do not allow their equipment to undergo OS updates or security patches. In one example cited, a medical center had 664 pieces of medical equipment running on older Windows operating systems that manufacturers did not allow to be modified, even for antivirus software. Reasons involved questions and concerns over whether modifications would require regulatory review. An FDA deputy director at the conference said, however, that FDA is reviewing its regulatory stance on software.

Meanwhile, a security gathering in Australia this week generated wide publicity when Barnaby Jack, Director of Security Research for IOActive, showed how pacemakers can be a vehicle for murdering an individual or large numbers of people, if a hacker were to upload malicious software to a central server that would spread lethal shocks to everybody using a company's pacemakers.

Speaking at the BreakPoint security conference in Melbourne, he said today's pacemakers have evolved to a wireless control mechanism that can be activated from a distance. Jack demonstrated how he could force the pacemaker to deliver an 830-volt shock directly to a person's heart, by using a laptop. Several different vendors' pacemakers are vulnerable; he was able to use a laptop to access every wireless pacemaker and implantable cardioverter-defibrillators within a 30-foot radius. The exploit weakness has to do with the programming of the wireless transmitters used for delivering instructions to the devices. Jack staged the demo not only to raise awareness that such attacks were possible but to encourage manufacturers to review the of their code rather than just focusing on safety mechanisms.

Explore further: After insulin pump hacking, lawmakers seek review

Related Stories

After insulin pump hacking, lawmakers seek review

August 20, 2011

(AP) -- Two lawmakers are requesting a review of the government's security standards for wireless medical devices after a diabetic discovered how to remotely reprogram his and other people's insulin pumps.

NIST updates guidance on network attacks and malware

July 26, 2012

Detecting and stopping malicious attacks on computer networks is a central focus of computer security these days. The National Institute of Standards and Technology (NIST) is asking for comments on two updated guides on malicious ...

Conficker worm hits hospital devices

April 30, 2009

A computer worm that has alarmed security experts around the world has crawled into hundreds of medical devices at dozens of hospitals in the United States and other countries, according to technologists monitoring the threat.

NIST updates guidelines for mobile device security

July 11, 2012

The National Institute of Standards and Technology (NIST) has released a proposed update to its guidelines for securing mobile devices—such as smart phones and tablets—that are used by the federal government. NIST ...

Recommended for you

A not-quite-random walk demystifies the algorithm

December 15, 2017

The algorithm is having a cultural moment. Originally a math and computer science term, algorithms are now used to account for everything from military drone strikes and financial market forecasts to Google search results.

US faces moment of truth on 'net neutrality'

December 14, 2017

The acrimonious battle over "net neutrality" in America comes to a head Thursday with a US agency set to vote to roll back rules enacted two years earlier aimed at preventing a "two-speed" internet.

FCC votes along party lines to end 'net neutrality' (Update)

December 14, 2017

The Federal Communications Commission repealed the Obama-era "net neutrality" rules Thursday, giving internet service providers like Verizon, Comcast and AT&T a free hand to slow or block websites and apps as they see fit ...

The wet road to fast and stable batteries

December 14, 2017

An international team of scientists—including several researchers from the U.S. Department of Energy's (DOE) Argonne National Laboratory—has discovered an anode battery material with superfast charging and stable operation ...


Adjust slider to filter visible comments by rank

Display comments: newest first

4 / 5 (2) Oct 19, 2012
thousands of network-connected devices used for patient care are vulnerable to infection

Why are they network connected? If they never update the system anyway, is there any need for internet access? If network access were really needed, why not just create a LAN in the hospital, and then keep THAT disconnected from the internet.
1 / 5 (1) Oct 19, 2012
this a case where they ought to start thinking about an os that was designed for medical equipment, mobile phonees have os's created for them (and they're certainly less important), i seriously cannot see why it is not done for medical devices, also another target for malware is cash machines i can't remember how often i have seen them crash and low and behold a windows 95-xp desktop shows up makes you wonder if someone has tried making a card to crash it and then flush all the cash out, the manfacturers for both class of devices are just lazy

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.