Medical devices often use commercial PCs and have wireless connections that make them vulnerable to malware, or require software updates for security, but the U.S. may not be doing an adequate job tracking these risks, researchers indicated in a study published today.
The study represents a multi-year look at how medical equipment manufacturers and their customers, such as hospitals, have made public information about device recalls or other equipment issues in the three major databases established or used by the U.S. Food and Drug Administration (FDA). The study, co-published by six researchers associated with Harvard Medical School's Beth Israel Deaconess Medical Center and the Department of Computer Science at the University of Massachusetts at Amherst, casts grave doubt on how well the U.S. is tracking security and privacy issues in software used to operate medical devices.
Meanwhile, the study notes, medical devices are known to be increasingly compromised by malware, which can even turn them into botnet nodes.
Medical devices used in hospitals are "doing good things for people," says Kevin Fu, associate professor of computer science at the University of Massachusetts at Amherst, one of the study's co-authors. Patients shouldn't panic or become afraid. But he said the researchers undertook the study, which in part is sponsored by the National Science Foundation, because incidents in hospitals related to malware are known to be occurring.
The three major medical-device recall and safety-alert databases used in the U.S. are where medical and IT professionals would expect to find publicly searchable information on security they want, "but what bothered us the most is the databases don't appear to capture security and privacy issues." He adds, "It's probably fair to say they weren't designed to do that."
The researchers combed through three databases: the U.S. Food and Drug Administration's (FDA) public, searchable database called "Medical and Radiation Emitting Device Recalls," as well as the "Manufacturer and User Facility Device Experience" (MAUDE) database that manufacturers, hospitals and physicians are supposed to use to report "adverse events" of all kinds, and lastly, the FDA Enforcement reports about "safety alerts" and recalls.
"Our review of recalls and adverse events from federal government databases reveals sharp inconsistencies with databases at individual providers in respect to security and privacy risks," the study says. "Recalls related to software may increase security risks because of unprotected update and correction mechanisms." The co-authors of the study, all medical professionals or academic researchers in computer science, include Daniel Kramer, Matthew Baker, Benjamin Ransford, Andres Molina-Markham, Quinn Stewart, Fu, and Matthew Reynolds.
Their analysis shows software-related updates as a major factor in recalls, though reporting was inconsistent and the security ramifications of a software-related recall were not usually identified.
"We believe the inconsistency between databases is due to lack of a meaningful and convenient reporting mechanism, but we also believe that clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer," the study points out. "Time pressure, lack of incentives, lack of federal safe harbor policies, and lack of clear actionable guidance further reduce the probability of incident reporting by clinicians and information technology staff."
Fu said he's been in contact with professionals at clinics and hospitals where individuals are "essentially afraid of reporting issues on paper for liability issues." He notes the U.S. may want to consider looking at the kinds of "safe harbor" laws that have helped other industries, such as aviation, in identifying safety issues.
The MAUDE database showed no events related to privacy and security, in spite of about 1,000 possible product problems, the study said. As if to test MAUDE's effectiveness, one of the study's co-authors submitted a software vulnerability report for an automated external defibrillator on July 19, 2011, and found by Jan. 19, 2012, the report had not yet been processed into MAUDE. By April of this year, MAUDE did finally contain the submitted report.
"The report processing took nine months. As the time from discovery of a conventional computer security vulnerability to the global exploitation of the flaw is often measured in hours, a nine-month processing delay may not be an effective strategy for ensuring the safety of software-related medical devices," the study says.
The study says there has not yet been any major known and sustained vicious attack on medical devices intended to harm patients in the U.S. But there have been many instances of malware infecting PCs used to operate medical equipment, sometimes even turning medical devices into botnets that are often used by remote command-and-control operators for things such as spam relays. Vendors of the equipment are getting blamed.
"Common causes of infections include use of the Internet and USB flash memory drives from vendors who are paradoxically updating software on medical devices," the study notes. "In one instance, a factory-installed device arrived already infected by malware. All detected malware pertained to conventional compute viruses rather than malware customized for medical devices. The most prevalent malware converted the medical devices into becoming nodes of 'botnet' criminal networks. Organized crime rents out botnets for others to distribute spam anonymously and for mounting targeted attacks on information infrastructure."
In contrast to the lack of consistency and clarity the researchers found in the three databases, one other database they looked at showed how serious malware infections can be in hospitals.
The Department of Veterans Affairs, in its Field Security Office in the Office of Information Security, collects statistics on the prevalence of malicious software infections in its 156 medical centers. "Between January 2009 and December 2011, the VA detected 142 separate instances of malware infections affecting 207 medical devices found in radiation oncology, radiology, clinical lab, GI lab, ophthalmology imaging, cardiology imaging, pharmacy, sleep lab, cardiac catheterization lab, pulmonary, dental, audiology, dictation, and neurology," the report says.
The result of malware infections? "A common outcome was the unavailability of care because of computer outages. In one extreme instance, a computer virus infection in a catheterization lab required transport of patients to a different hospital."
In conclusion, the report's authors said the U.S. should re-think its strategy for collecting and sharing security-related information for medical devices and that manufacturers, along with regulators, should re-evaluate "security and privacy elements of their devices and systems." The report concluded: "Without an understanding of security and privacy, it will be difficult for patients and clinicians to establish confidence in device safety and effectiveness."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.