Healthcare News & Insights

Viruses attacking medical devices are rampant, warns government panel

Many medical devices run computer software, and therefore are vulnerable to the same malware attacks as other computing devices. And the threat to patient safety is rapidly growing, said participants in a recent government panel. 

Medical devices are becoming increasingly inter-connected, which exposes them to malware threats. For example, monitoring devices connect to a hospital’s network to transmit data for doctors to see. That hospital network in turn is connected to the Internet, where viruses and other threats can enter via PCs or other devices.

Many medical devices also run versions of Windows, which is frequently attacked — and the software run is often an old, unpatched version due to manufacturer demands and federal rules. In a recent panel discussion at the National Institute of Standards and Technology Information Security & Privacy Advisory Board, officials from Beth Israel Deaconess Medical Center in Boston complained about running 664 pieces of medical equipment with old versions of Windows — however, manufacturers won’t allow the software to be updated or even for antivirus software to be installed because of fears that modifying those devices would run afoul of FDA rules.

As a result, hospital officials said, one or two machines get infected with malware each week and must taken offline to be cleaned.

If those threats aren’t caught, they could cause a number of patient safety issues — for example, incorrect or incomplete data could be recorded, affecting treatment.

Security researchers have also discovered ways that medical devices could be tampered with by cyber attackers. Barnaby Jack of security vendor IOActive, for example, recently unveiled a potentially deadly attack that can be carried out by exploiting vulnerabilities in wirless transmitters used in pacemakers and implantable defibrillators. Jack demonstrated how to hack a pacemaker and reprogram its firmware, allowing the attacker to deliver a powerful electric shock to the victim.

The panel discussion and this new demonstration come several weeks after a study was published claiming the FDA doesn’t do enough to track medical device security.

Without sharing public information about those threats, it’s more difficult to discover and correct them, researchers said. They recommended that the FDA create an easier reporting mechanism for medical device security problems, as well as add “safe harbor” provisions that prevent providers from being held liable after reporting issues.

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.