Malware in Medical Equipment Poses Serious Threat to Hospital Security

With multiple versions of Windows running on medical systems, hospitals are looking to prevent malware from spreading on networks and threatening patients' privacy and potentially even their lives.

Hospitals are constantly waging a war against dangerous germs, which cause accidental infections that endanger the lives and complicate the recovery of the patients they treat.

Now hospitals have to direct time and resources to battle threats from a new kind of infection, malware infections of medical equipment and computers that threaten patients' privacy and potentially even their lives.

Medical equipment in hospitals is subject to malware infections due to outdated Windows versions and a lack of security patches, according to a report in Technology Review.

Members of the National Institute of Standards and Technology (NIST) Information Security & Privacy Advisory Board discussed the issue at a medical-device panel during a meeting in Washington, D.C., on Oct. 11.

Laptops and devices brought into hospitals are infecting software-controlled medical equipment when they're connected to the Internet, Technology Review reported.

Furthermore, when systems run multiple versions of Windows, they are susceptible to hackers, according to the publication.

Perhaps the most serious threat, however, is that computerized medical devices are subject to hacking attacks, according to an August report by the U.S. Government Accountability Office, which recommended that the U.S. Food and Drug Administration expand its focus on preventing information security risks.

The Veteran's Administration has reported 173 security breaches in medical devices from 2009-2011. These breaches affected glucose monitors, canceled patient exams and caused sleep labs to close, according to FierceHealthIT.

The Technology Review article mentioned Beth Israel Deaconess Medical Center (BIDMC) in Boston as an example of how a typical hospital struggles with malware. The hospital runs 664 pieces of medical equipment that the hospital is unable to update due to FDA regulatory reviews, Kevin Fu, a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, as well as a member of the NIST panel, said according to Technology Review.

"I can't update them and the manufacturers aren't updating them, so they can become vectors for malware," Dr. John D. Halamka, CIO at BIDMC, told eWEEK. "That's the basic problem."

Manufacturers need to go through certification processes to update systems from Windows XP to Windows 7, so they're not able to be patched.

"Systems are unpatched, but the problem with malware has just exponentially increased over the last year or two," said Halamka.

Hospital networks receive millions of infected emails daily, and the level of sophistication in the malware is high, he noted.

"When you go buy a radiology workstation, an IV pump, an echocardiogram machine, you may think of them as appliances, but they all generate data and inside in fact they may be running Windows NT or Apache 1.0," said Halamka. "They may be running software systems that haven't been updated in years."

The approval process for updates along with extensive government testing could take months, he said.

The workaround is to isolate medical equipment from the network and "firewall it off" until the device is secure, said Halamka.

"What really needs to happen is there needs to be a conversation at the FDA about what's worse, the risk of change—going from Windows XP to Windows 7—or Windows 7 running malware that can result in the device simply stopping or the device can generate anomalous data, or the device could broadcast data to China," he said.

"I'd rather have a patched operating system and updated antivirus software, taking the risk that doing those patches can cause some harm because patches are much safer than somebody's malware that can probably cause data corruption," said Halamka.

"The risk I would suggest is greater than ever before, which builds a sense of urgency for ensuring that these devices are protected," said Halamka.