In addition to the expanding role of electronic health information, healthcare providers are using increasingly sophisticated medical devices in procedures and treatment protocols for diabetes, heart disease and many other illnesses and conditions. Similarly, the use of computer-based patient monitoring equipment has expanded exponentially in hospitals. The associated security, however, has not kept pace with these advances in electronic medical technology, and the software employed by critical medical devices and hospital equipment can be vulnerable to computer viruses and other malware.
In recent months, the potential impact of malware on medical devices—and, ultimately, patient safety—has garnered considerable attention. In May 2012, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center issued a bulletin highlighting how the portability and wireless connectivity of medical devices introduces security risks for medical information technology networks. In August 2012, the General Accounting Office (GAO) issued a report containing recommendations to the Food and Drug Administration (FDA), which regulates these devices, for mitigating security risks that could affect medical devices. In October 2012, the medical device panel at the National Institute of Standards and Technology (NIST) Information Security & Privacy Advisory Board focused on the increasing vulnerability of medical devices and hospital equipment to malware infections. Even Hollywood has taken notice. A December 2012 episode of Showtime’s Emmy-winning drama “Homeland” featured a political assassination carried out through the remote hacking of a pacemaker.
The largest looming threat related to malware is that the equipment will fail to function properly during a critical procedure. In the past year, an information security consultant conducted what were described as “ethical hacks” of an implanted insulin pump and an implanted wireless heart defibrillator to demonstrate risks to patients using wireless medical devices. Although there have been no reported accounts of actual incidents of this type, it is important to note that reporting is required by the equipment or device manufacturer only in the event of an injury. There is currently no requirement or mechanism for healthcare providers or patients to report software-related problems, which further decreases the likelihood of such reports. Other, less serious, threats include rendering equipment useless, slowing or eliminating some functionality, creating incorrect output, and spreading malicious code to other devices or systems. At the recent NIST medical-device panel, malware problems were described at Boston’s Beth Israel Deaconess Medical Center where a Conficker worm (which targets the Microsoft Windows operating system) disrupted a number of pieces of networked equipment. While no patients were harmed, the equipment had to be taken offline to have the virus removed and then isolated from the hospital’s computer network behind a firewall. These steps can be time consuming and cause unnecessary expense.
Reasons for Vulnerability
Most medical equipment and devices utilize operating systems—such as Windows and its many versions and variants—that are commonly targeted by hackers. At Beth Israel, it is estimated that more than 650 pieces of medical equipment at the facility run on older versions of the Windows operating system. The facility and the equipment operators are at odds over whether antivirus software and security patches can be installed on the equipment due to concerns over the impact of such modifications with respect to FDA regulatory compliance. To make matters worse, medical equipment and devices are often connected to the Internet. Thus, the devices are also vulnerable to viruses from laptops, thumb drives, and other devices brought into the hospital environment.
Some suggest that another reason for the vulnerability of medical devices and equipment to computer viruses is the FDA’s lack of emphasis on the issue historically. In the August 2012 GAO report, the FDA admitted “that it did not generally consider intentional information security threats in its review process” when reviewing two medical devices with known vulnerabilities. The GAO report specifically notes that the FDA did not consider any key practices for risk management; patch and vulnerability management; technical audit and accountability; and security-incident response.
Further exacerbating the vulnerability of medical devices and equipment to malware is the emphasis on the “meaningful use” of electronic medical records in patient care since the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and the Affordable Care Act (ACA) in 2010. Hospitals and other healthcare providers are expected to participate in even more data-sharing activities, such as health information exchanges (HIEs), and to allow access to patient information across internal and external networks.