Security is one of the paramount features to consider with medical devices. Because medical devices commonly use standard PCs running mainstream operating systems, they are exposed to the same security vulnerabilities as any other PC and require frequent software updates.
Wireless connections pose a similar threat by exposing medical devices to potential malware. A study by a team of researchers indicates that the US may not be doing an adequate job of tracking these vulnerabilities and risks.
The study was published by six researchers associated with Harvard Medical School’s Beth Israel Deaconess Medical Center and the Department of Computer Science at the University of Massachusetts at Amherst. The results indicate the need for increased security tracking.
“The researchers combed through three databases: the U.S. Food and Drug Administration’s (FDA) public, searchable database called ‘Medical and Radiation Emitting Device Recalls,’ as well as the ‘Manufacturer and User Facility Device Experience’ (MAUDE) database that manufacturers, hospitals and physicians are supposed to use to report ‘adverse events’ of all kinds, and lastly, the FDA Enforcement reports about ‘safety alerts’ and recalls.”
The authors also argued that the databases were probably not designed to capture security and privacy issues well, since each of them captured different data.
“Our review of recalls and adverse events from federal government databases reveals sharp inconsistencies with databases at individual providers in respect to security and privacy risks. Recalls related to software may increase security risks because of unprotected update and correction mechanisms.”
The coauthors attributed some of these inconsistencies to basic incentives, reporting that “time pressure, lack of incentives, lack of federal safe harbor policies, and lack of clear actionable guidance further reduce the probability of incident reporting by clinicians and information technology staff.”
They also found that malware is a problem of increasing severity, to the point that infected devices are sometimes enrolled in botnets. While the study notes that there has been no instance of a major attack specifically targeting medical devices to harm patients, there have been many known instances where malware has infected a device’s PC and made it a botnet node.
Such a PC effectively becomes a tool for sending out massive volumes of spam, which also slows the infected device down.
“Common causes of infections include use of the Internet and USB flash memory drives from vendors who are paradoxically updating software on medical devices. In one instance, a factory-installed device arrived already infected by malware. All detected malware pertained to conventional computer viruses rather than malware customized for medical devices. The most prevalent malware converted the medical devices into becoming nodes of ‘botnet’ criminal networks. Organized crime rents out botnets for others to distribute spam anonymously and for mounting targeted attacks on information infrastructure.”
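The “unprotected update and correction mechanisms” and the vendor USB updates described above are exactly where a signed-update check belongs. The Go program below is an added example, not code from the study, from PC Advisor, or from any device vendor. It shows the check a device should run before accepting an update from a USB stick or a download: the vendor signs a manifest (release version plus SHA-256 of the payload) with an Ed25519 key, and the device verifies the signature against a vendor public key pinned at manufacture, checks the payload digest, and refuses any release that is not newer than the one installed. The manifest layout, the pinned-key assumption and the version numbering are assumptions of this example, and the sample payload is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the hypothetical metadata a vendor ships beside an update payload
// (on a USB stick or via download). The layout is an assumption of this example,
// not a format from the study or from any real vendor.
type Manifest struct {
	Version    uint32   // monotonically increasing release number
	PayloadSHA [32]byte // SHA-256 of the update payload
	Signature  []byte   // Ed25519 signature over Version || PayloadSHA
}

// signedBytes is the exact message the vendor signs: version and digest together,
// so the signature binds both the content and the release ordering.
func signedBytes(version uint32, digest [32]byte) []byte {
	buf := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, digest[:]...)
}

// SignUpdate runs at the vendor with the private key; the device never holds it.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Manifest {
	digest := sha256.Sum256(payload)
	return Manifest{
		Version:    version,
		PayloadSHA: digest,
		Signature:  ed25519.Sign(priv, signedBytes(version, digest)),
	}
}

// VerifyUpdate is the check the device runs before touching its software.
// pub is the vendor public key pinned in the device at manufacture (assumed);
// installed is the version currently running.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, payload []byte, installed uint32) error {
	// 1. The manifest must carry a valid signature from the pinned vendor key.
	if !ed25519.Verify(pub, signedBytes(m.Version, m.PayloadSHA), m.Signature) {
		return errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	// 2. The payload actually handed to the device must be the one the manifest describes.
	if got := sha256.Sum256(payload); !bytes.Equal(got[:], m.PayloadSHA[:]) {
		return errors.New("payload digest mismatch: update was altered after signing")
	}
	// 3. Refuse rollbacks: a recalled release is still validly signed, so without
	//    this check an old vulnerable image could simply be replayed.
	if m.Version <= installed {
		return fmt.Errorf("version %d is not newer than installed version %d", m.Version, installed)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed sample update image v2") // constructed sample input

	m := SignUpdate(priv, 2, payload)
	fmt.Println("genuine update:      ", VerifyUpdate(pub, m, payload, 1))

	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0xff // simulate a USB stick whose image was modified after signing
	fmt.Println("tampered payload:    ", VerifyUpdate(pub, m, tampered, 1))

	fmt.Println("replayed old release:", VerifyUpdate(pub, m, payload, 2))
}
```

Running it prints a nil error for the genuine update and a rejection for both the altered payload and the replay of a release no newer than the installed one. An update path that skips any of the three checks is an “unprotected update mechanism” in the study’s sense: without the signature check any USB stick can install code, without the digest check a signed manifest can be paired with a different image, and without the version check a signed-but-recalled release can be reinstalled.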
Among the study’s other findings and conclusions, the essential point was that, “without an understanding of security and privacy, it will be difficult for patients and clinicians to establish confidence in device safety and effectiveness.”
Therefore, there is an increased need for medical device manufacturers and regulators to ensure that their devices are secure from malware. The United States, the report also concluded, should “re-think its strategy for collecting and sharing security-related information for medical devices.”
Source: PC Advisor