Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/19/2012
09:48 AM
50%
50%

Malware Threatens Medical Device Security

Hospitals must contend with older operating systems that lack the latest security patches, and cope with the convergence of medical devices, EHRs, and mobile apps.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Malware increasingly is infecting hospital systems and the software that runs in-patient monitoring devices, according to government panelists cited in MIT Technology Review. Despite concerns, however, there is no public evidence that patients have been harmed.

At the recent session sponsored by the National Institute of Standards and Technology's Information Security & Privacy Board in Washington, D.C., the article said, panelists blamed much of the security vulnerability on hospitals' use of older Microsoft operating systems that have not been updated with security patches. In some cases, hospitals have been unable to modify the systems or even add anti-virus software because the software manufacturers were unsure whether such modifications would violate FDA regulations.

The FDA in 2009 issued guidance urging hospitals and medical device manufacturers to work together to eliminate security risks. But in September, the Government Accountability Office issued a report warning that implantable medical devices could be vulnerable to hacking, posing a safety threat, and asked the FDA to address the issue.

There's also evidence that malware interferes with other kinds of devices. For example, malware slowed down fetal monitors in an ICU at Beth Israel Deaconess Medical Center in Boston, according to the MIT Technology Review piece.

The FDA is now reviewing its regulations. But the article quotes Brian Fitzgerald, an FDA deputy director, as saying that the regulatory review would be gradual, "because it involves changing the culture, changing the technology, bringing in new staff, and making a systematic approach to this."

[ Looking for a PACS platform to replace an outdated system? See 9 Must-See Picture Archiving/Communication Systems. ]

Medical device software increasingly is interconnected with electronic health records systems in hospitals, which themselves are vulnerable to attack. And the issue has been complicated by the widespread adoption of smartphones and other mobile devices, some of them personal devices that clinicians bring from home.

Ken Kleinberg, a health IT consultant with the Advisory Board Co., told InformationWeek Healthcare that the operating systems of these mobile devices have more robust security features than the legacy Windows systems found in many hospitals. But he agrees that hospitals need strong "bring your own device" (BYOD) security policies, including mobile application management tools. "It's not just that you're going to control the configuration on the device, you're also going to control what application can be loaded on that device," he said.

For example, a hospital can give doctors a list of the applications that it has vetted, noted Kleinberg. If a doctor wants to use a document reader, for instance, the hospital might suggest one. If he wants to use a dosing calculator, it might suggest three apps and make them available on its application server.

The operating systems that hospitals use are an even bigger challenge, he said, partly because computer manufacturers upgrade their OS so often. "You used to be able to go for a long time on an operating system, but those time frames are shortened now, and the releases are coming faster," Kleinberg noted. "Now we've got [Microsoft] Windows 8, which came relatively soon after Windows 7. And you've got these new mobile platforms now--mobility is taking off and people want to support it. How long can healthcare organizations hang out on this older stuff? They're probably waiting for the right time to upgrade, but there is no right time."

On the other hand, he pointed out, upgrading to a new operating system is very expensive. First, Microsoft licenses cost a lot of money, and some organizations are looking at alternatives to Microsoft. Also, a new OS might require new computers capable of running it. Much of the software and interfaces already in use must also be upgraded. And from an operational standpoint, "It's a big effort to make these migrations," he said.

Nevertheless, there is no alternative to upgrading, said Kleinberg. "Organizations have to do it, and there's even more reason to do it now. Because if you really want people to use these applications, you have to run them on the devices that clinicians are willing to carry and utilize. That's why BYOD is something that organizations may want to push back on, but they have to embrace it."

Besides BYOD, the other major driver for hospitals to upgrade their computer OS is the prospect that the FDA will tighten its regulations on medical devices, he said. Moreover, other agencies, including the FCC, might also weigh in with new rules "to help monitor the convergence of EHRs and devices and applications."

InformationWeek Healthcare brought together eight top IT execs to discuss BYOD, Meaningful Use, accountable care, and other contentious issues. Also in the new, all-digital CIO Roundtable issue: Why use IT systems to help cut medical costs if physicians ignore the cost of the care they provide? (Free with registration.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lifesciencesnow
50%
50%
lifesciencesnow,
User Rank: Apprentice
10/31/2012 | 1:57:33 PM
re: Malware Threatens Medical Device Security
Medical Device security will be a key element in the development of technology in health care...read more on this topic and the potential risks associated with the security of medical devices: http://lifesciencesnow.com/201...
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
10/30/2012 | 3:18:59 AM
re: Malware Threatens Medical Device Security
@AustinIT: While I agree that updates should be performed, I don't know if I'd recommend having automatic updates turned on in an organization that relies so heavily on security. There has been countless occasions where updates have 0-day security flaws and have been susceptible to attacks, most notably one of the recent Java updates. It seems a balanced update policy is needed; one where systems are maintained through updates, but only after the update has been verified and tested. Another solution is to use a system like Citrix that allows easy management of systems where only thin devices are needed and the majority of the system can be maintained centrally.

Jay Simmons
InformationWeek Contributor
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
10/25/2012 | 2:21:59 PM
re: Malware Threatens Medical Device Security
This is a huge problem for the medical field. Many of the computer systems in use are dedicated to running specialized equipment. Or, they just haven't been updated because of a perceived lack of need.

I have seen countless instances - when starting with a new client - where the clinic is still on XP SP2 and IE6 with Windows Updates having been turned off! This was done because they didn't trust the updates to not break their applications.

Now that everything is getting networked and interfaces to EMR's are rapidly rolling out, I think this will be a huge problem to get all these legacy systems either updated or replaced in order to better secure the computing environment.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5230
PUBLISHED: 2019-11-13
P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform...
CVE-2019-5231
PUBLISHED: 2019-11-13
P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
CVE-2019-5233
PUBLISHED: 2019-11-13
Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(SP2C00E41R3P2) have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
CVE-2019-5246
PUBLISHED: 2019-11-13
Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain par...
CVE-2010-4177
PUBLISHED: 2019-11-12
mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.