
Medical-device security isn't tracked well, research shows

Federal databases inconsistent, while hospital equipment hit with malware

By , Network World
July 19, 2012 04:56 PM ET

Network World - Medical devices often use commercial PCs and have wireless connections that make them vulnerable to malware, or require software updates for security, but the U.S. may not be doing an adequate job tracking these risks, researchers indicated in a study published today.


The study represents a multi-year look at how medical equipment manufacturers and their customers, such as hospitals, have made public information about device recalls or other equipment issues in the three major databases established or used by the U.S. Food and Drug Administration (FDA). The study, co-published by six researchers associated with Harvard Medical School's Beth Israel Deaconess Medical Center and the Department of Computer Science at the University of Massachusetts at Amherst, casts grave doubt on how well the U.S. is tracking security and privacy issues in software used to operate medical devices.

Meanwhile, the study notes, medical devices are increasingly being compromised by malware, in some cases to the point of being turned into botnets.

Medical devices used in hospitals are "doing good things for people," says Kevin Fu, associate professor of computer science at the University of Massachusetts at Amherst and one of the study's co-authors. Patients shouldn't panic or become afraid. But he said the researchers undertook the study, which is sponsored in part by the National Science Foundation, because malware-related incidents in hospitals are known to be occurring.

Kevin Fu; Daniel Kramer

The three major medical-device recall and safety-alert databases used in the U.S. are where medical and IT professionals would expect to find the publicly searchable security information they want, Fu says, "but what bothered us the most is the databases don't appear to capture security and privacy issues." He adds, "It's probably fair to say they weren't designed to do that."

The researchers combed through three databases — the FDA's public, searchable database called "Medical and Radiation Emitting Device Recalls"; the "Manufacturer and User Facility Device Experience" (MAUDE) database, which manufacturers, hospitals and physicians are supposed to use to report "adverse events" of all kinds; and, lastly, the FDA Enforcement Reports covering "safety alerts" and recalls.

"Our review of recalls and adverse events from federal government databases reveals sharp inconsistencies with databases at individual providers in respect to security and privacy risks," the study says. "Recalls related to software may increase security risks because of unprotected update and correction mechanisms." The co-authors of the study, all medical professionals or academic researchers in computer science, include Daniel Kramer, Matthew Baker, Benjamin Ransford, Andres Molina-Markham, Quinn Stewart, Fu, and Matthew Reynolds.

Their analysis shows software-related updates as a major factor in recalls, though reporting was inconsistent and the security ramifications of a software-related recall were not usually identified.
