Hunting for computer viruses
Computer viruses do not discriminate. Malware prowling the cybersphere for bank information and passwords does not distinguish between a home computer and a hospital machine delivering therapy to a patient. Even if a radiation therapy machine, say, is infiltrated unintentionally, malware could theoretically cause radiation doses to spike.
Medical device-makers need to protect their products from cyber attack, according to recent draft guidance from the U.S. Food and Drug Administration. The FDA calls for medical device manufacturers to consider the vulnerabilities that crop up when medical devices are designed to be more thoroughly integrated into networks and connected to the Internet. It asks manufacturers to draw up security plans to protect systems from malware before submitting plans for market approval. The agency also prodded hospitals to step up future reporting of any cyber attacks.
In a recent alert, the U.S. Department of Homeland Security highlighted one weakness affecting approximately 300 medical devices, including drug infusion pumps, ventilators and external defibrillators. It warns that hard-coded passwords that normally allow service technicians to gain access to myriad machines could be used to make nefarious changes if they fall into the wrong hands. “We are aware of hundreds of devices involving dozens of manufacturers that have been affected by cyber security vulnerabilities or incidents,” says William Maisel, senior official at the FDA’s Center for Devices and Radiological Health. In none of these cases were specific devices or hospitals targeted, nor did cyber attacks result in patient harm, at least as far as the FDA is aware. A range of medical devices run on standard software such as Windows XP and are vulnerable to common viruses that plague home and office computers. Because the number of events is on the rise, Maisel says, the FDA decided it was time to issue formal guidance about the need to act.
Connecting hospital systems and devices to the Internet allows doctors to remotely study a patient’s scans and computers to quickly share patient information. But it also creates new entry points where computer viruses can prey on electronic systems.
The Department of Veterans Affairs has been tracking medical device infections since 2009. As The Wall Street Journal first reported, there have been 327 such incidents. Those events did not result in patient harm, says Christian Houterman, manager of Clinical Informatics and Medical Technology in the Veterans Health Administration. The incidents, however, did sometimes create headaches for patients and hefty bills for the hospital, he says.
One such incident occurred in 2010 when the Conficker computer worm infected an entire sleep lab at a VA hospital in New Jersey. All the patients had to be rescheduled, which was a challenge because many of them relied on family members to drive them to the lab. Meanwhile, to halt the infection and ensure the devices were Conficker-free, the manufacturer had to reformat all the devices—at a cost to the hospital of about $40,000, says Lynette Sherrill, deputy director for health information security at the VA. With a virus like Conficker, she says, it’s not just a matter of stopping the virus from doing further damage after it may lock out users. Computer memory also has to be wiped clean of code that the virus downloads from the Internet and saves in each computer’s memory—something virus scans cannot eliminate. Conficker, a particularly pernicious virus, can also expose patient data and passwords. Attacks from malware including Conficker have occurred on medical equipment including imaging devices, eye-exam scanners and electrocardiograph stress analyzers, according to the VA records.
Because many of these machines do not have specific patient information, however, the risk of patient credit card or health information being stolen is slight. Malware such as botnets—viruses that attempt to control functions on a cadre of computers and then have them all work together to perform some illicit task—can drain energy, slow systems down and mess with their functionality. Malware can also render a device unavailable to give care. “I view it as we are in an entire village of houses with no locked doors,” says Kevin Fu, a computer scientist focused on medical devices and cyber security at the University of Michigan. “It doesn’t take a rocket scientist to think we should have some risk mitigation strategies in place, because usually the bad guys are a couple steps ahead of the good guys.”