Medical Devices and Malware: The Latest Hospital-Acquired ‘Infection’

In addition to the expanding role of electronic health information, healthcare providers are using increasingly sophisticated medical devices in procedures and treatment protocols for diabetes, heart disease and many other illnesses and conditions. Similarly, the use of computer-based patient monitoring equipment has expanded exponentially in hospitals. The associated security, however, has not kept pace with these advances in electronic medical technology, and the software employed by critical medical devices and hospital equipment can be vulnerable to computer viruses and other malware.

In recent months, the potential impact of malware on medical devices—and, ultimately, patient safety—has garnered considerable attention. In May 2012, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center issued a bulletin highlighting how the portability and wireless connectivity of medical devices introduces security risks for medical information technology networks. In August 2012, the General Accounting Office (GAO) issued a report containing recommendations to the Food and Drug Administration (FDA), which regulates these devices, for mitigating security risks that could affect medical devices. In October 2012, the medical device panel at the National Institute of Standards and Technology (NIST) Information Security & Privacy Advisory Board focused on the increasing vulnerability of medical devices and hospital equipment to malware infections. Even Hollywood has taken notice. A December 2012 episode of Showtime’s Emmy-winning drama “Homeland” featured a political assassination carried out through the remote hacking of a pacemaker.

Threats

The largest looming threat related to malware is that the equipment will fail to function properly during a critical procedure. In the past year, an information security consultant conducted what were described as “ethical hacks” of an implanted insulin pump and an implanted wireless heart defibrillator to demonstrate risks to patients using wireless medical devices. Although there have been no reported accounts of actual incidents of this type, it is important to note that reporting is required by the equipment or device manufacturer only in the event of an injury. There is currently no requirement or mechanism for healthcare providers or patients to report software-related problems, which further decreases the likelihood of such reports. Other, less serious, threats include rendering equipment useless, slowing or eliminating some functionality, creating incorrect output, and spreading malicious code to other devices or systems. At the recent NIST medical-device panel, malware problems were described at Boston’s Beth Israel Deaconess Medical Center where a Conficker worm (which targets the Microsoft Windows operating system) disrupted a number of pieces of networked equipment. While no patients were harmed, the equipment had to be taken offline to have the virus removed and then isolated from the hospital’s computer network behind a firewall. These steps can be time consuming and cause unnecessary expense.

Reasons for Vulnerability

Most medical equipment and devices utilize operating systems—such as Windows and its many versions and variants—that are commonly targeted by hackers. At Beth Israel, it is estimated that more than 650 pieces of medical equipment at the facility run on older versions of the Windows operating system. The facility and the equipment operators are at odds over whether antivirus software and security patches can be installed on the equipment due to concerns over the impact of such modifications with respect to FDA regulatory compliance. To make matters worse, medical equipment and devices are often connected to the Internet. Thus, the devices are also vulnerable to viruses from laptops, thumb drives, and other devices brought into the hospital environment.

Some suggest that another reason for the vulnerability of medical devices and equipment to computer viruses is the FDA’s lack of emphasis on the issue historically. In the August 2012 GAO report, the FDA admitted “that it did not generally consider intentional information security threats in its review process” when reviewing two medical devices with known vulnerabilities. The GAO report specifically notes that the FDA did not consider any key practices for risk management; patch and vulnerability management; technical audit and accountability; and security-incident response.

Further exacerbating the vulnerability of medical devices and equipment to malware is the emphasis on the “meaningful use” of electronic medical records in patient care since the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and the Affordable Care Act (ACA) in 2010. Hospitals and other healthcare providers are expected to participate in even more data-sharing activities, such as health information exchanges (HIEs), and to allow access to patient information across internal and external networks.

Healthcare providers will bear considerable responsibility for protecting equipment as interoperability plays a greater role in healthcare. However, a recent report on patient privacy and data security by the Ponemon Institute indicates that the majority of healthcare providers are not currently employing best practices to prevent malware migrating between medical devices and computer networks. Less than half of respondents to the Ponemon Institute’s survey of security practices used in healthcare settings said that they scan medical devices for viruses and malware when they are connected to their networks. Only one in five respondents said they scan devices prior to connection, and only 16 percent said they scan devices and remove applications that present a security threat. The Ponemon study was based on 324 interviews with individuals in security, administrative, privacy, compliance, finance and clinical roles at 80 hospitals and clinics.

Moving Forward

Competing interests will need to be addressed by healthcare providers, equipment manufacturers and regulatory bodies to improve security of medical devices and decrease risks to patients and those providing services and equipment. Hospitals, and more importantly their providers and patients, expect more interconnectedness and expect equipment to perform flawlessly. At the same time, pressure will increase to allow doctors, entities such as HIEs and even patients to add information to the hospital’s systems on devices that are likely to be (putting it mildly) less than fully secure. Manufacturers sometimes believe they cannot offer “patches” without approval from the FDA. Hospital IT departments sometimes feel like they are not as well funded or well supported as necessary, and must juggle demands of doctors (many of whom are not hospital employees) and also hospital legal staff expectations. Employees and independent physicians may become frustrated when equipment is unavailable, unreliable, or difficult to use.

The heightened attention placed on the problem, however, may spur progress. The FDA has launched initiatives to identify and analyze problems associated with medical devices more effectively. Although not specifically aimed at information security, these initiatives, according to the GAO report, might enhance the FDA’s efforts by providing additional data. The FDA initiatives include establishing unique device identifications for medical devices which could help in the analysis of problems related to specific devices. A second effort is the development of a new adverse reporting system that will enable greater identification and analysis of security problems with medical devices.

In November 2012, the Geneva, Switzerland-based International Electrotechnical Commission, a standards organization for electrical, electronic and related technologies, issued three new technical reports which provide guidance for the application of risk management to IT networks that incorporate medical devices. The first report provides step-by-step risk management techniques with practical applications and examples. The second report offers guidance for the disclosure and communication of medical device security needs, risks and controls. The third report provides guidance for wireless networks.

The related subject of computer malware that is not just destructive in nature, but can be used to harvest data about individuals leading to privacy/data security breaches is a subject for a separate article.

The Ponemon Institute, Traverse City, Mich., has offered recommendations to help healthcare organizations in strengthening privacy and security efforts. Key elements of these recommendations include conducting an annual privacy and security risk assessment; developing a comprehensive mobile device policy; ensuring appropriate security measures are in place before deploying cloud-based applications and services; and including rigorous privacy and security analysis when developing plans for the use of electronic health records and health information exchanges.

With the implementation of some of these recommended measures, information security for electronic medical technology as well as the software employed by critical medical devices and hospital equipment, will be increased and they will be less vulnerable to computer viruses and other malware.