Electronic healthcare devices may be vulnerable to malware

18 octobre 2012

Hospitals rely on medical technology to improve patient care and provide a faster experience, but malware could make devices inoperable.

At a recent discussion involving members of the National Institute of Standards & Technology (NIST) and the Information Security & Privacy Advisory Board, a panel of government experts talked about how healthcare computers in the United States may be vulnerable to infections, Technology Review reported.

Experts find malware on hospital computers
Because many devices are connected to a hospital's network, it is becoming more difficult to prevent the download of malware. According to the source, hospital IT departments eliminate spam by taking the infected computer offline and cleaning it, which can be a time-consuming process. Some facilities have reported deleting malware from up to two computers a week. Despite the urgency of the matter, hospitals cannot take action to prevent hacker attacks because of U.S. Food and Drug Administration rules - the FDA is responsible for testing and approving medical technology.

Most manufacturers have a fear of being in breach of regulations, which is why they do not offer updates, install antivirus software or patch network security issues. As a result, many health service computers still run on older versions of Windows, according to Technology Review.

Patient safety
One of the main concerns for medical device malware is patient safety. Although there have been no reported deaths or injuries linked to harmful downloads, the problem has become too big to ignore, the source reported.
Kevin Fu, a medical device and computer security scientist at UMass Amherst and the University of Michigan, told the news source that malware may slow down computers and cause a doctor to miss a reading, which could affect a person's life.

Some hospitals, like Beth Israel Deaconess Medical Center in Boston, have a "fallback model," in which an employee watches a screen to determine if any reports are inaccurate. However, if he or she steps away for a second, something may go wrong, the source reported.

According to Gov Info Security, the FDA is looking for ways to monitor security threats. Currently the administration requires manufacturers to report issues only if a device caused a patient harm, but it is considering updates. The FDA is also debating connecting with federal agencies to track new viruses for data protection, said Brian Fitzgerald, the deputy director of the FDA's division of electrical and software engineering. 

-McAfee Cloud Security