25 Jul 2012

U.S. Medical Devices Plagued by Malware; Hospitals under Botnet Threat


The U.S. is doing a poor job of monitoring the security and privacy of medical devices, according to a multi-year study by six researchers associated with Harvard Medical School's Beth Israel Deaconess Medical Center and the Department of Computer Science at the University of Massachusetts at Amherst, as reported by computerworld.com.

It appears that the fault lies partly with the national databases used to report and track security incidents affecting medical devices and partly with medical personnel's inability to recognize software-related problems for what they are.

"Our review of recalls and adverse events from federal government databases reveals sharp inconsistencies with databases at individual providers in respect to security and privacy risks," the study shows. "We believe the inconsistency between databases is due to lack of a meaningful and convenient reporting mechanism, but we also believe that clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer."

The researchers tested how quickly the MAUDE database handles submitted reports by actually filing one for an alleged vulnerability in an automated external defibrillator. "The report processing took nine months. As the time from discovery of a conventional computer security vulnerability to the global exploitation of the flaw is often measured in hours, a nine-month processing delay may not be an effective strategy for ensuring the safety of software-related medical devices."

The study also points to online browsing and USB flash memory drives as the main causes of infection. “The most prevalent malware converted the medical devices into becoming nodes of 'botnet' criminal networks. Organized crime rents out botnets for others to distribute spam anonymously and for mounting targeted attacks on information infrastructure," added the authors of the study.

In extreme cases, security issues that were handled improperly resulted in "unavailability of care" for patients. This situation calls for a reassessment of the U.S. strategy for collecting and sharing security information, and for manufacturers and regulators to take a closer look at the security and privacy risks posed by medical devices.