Medical Device Security Raises ConcernsMalware Poses Risk to Patient Safety
"The risk is growing exponentially with the convergence of medical devices and wireless technologies," says Bakul Patel, policy adviser for The Food and Drug Administration's Center for Devices and Radiological Health. But the FDA has no information directly tying any patient safety cases to security issues for medical devices, such as heart monitors and infusion pumps, Patel says.
The Department of Veterans Affairs, however, has tracked 173 medical devices that have been infected with malware since January 2009, says Lynette Sherrill, deputy director of the VA's health information security division. To mitigate the threat, the VA has an ambitious medical device security initiative under way. For example, the department has isolated 50,000 medical devices behind nearly 3,200 virtual local area networks to improve security.
New Medical Device ConsortiumIn addition to the VA's own efforts, the department is participating in the new Medical Device Innovation, Safety and Security Consortium, which encompasses several organizations working on best practices for protecting medical devices.
Because so many medical devices are linked to computer networks, and because so many of those networks are becoming linked to others, "We have a national biomedical device network that remains largely unrecognized," says Dale Nordenberg, M.D., founder of the consortium.
"Malware and security risks are evolving very fast," Nordenberg notes. As a result, the industry needs to consider whether the security of FDA-approved devices needs to be regularly revisited, he argues.
Nordenberg was one of several speakers addressing medical device security at the recent information security conference co-sponsored by the Department of Health and Human Services' Office for Civil Rights and the National Institute of Standards and Technology. David Holtzman, health information privacy specialist at OCR, stresses that medical device security is a critical issue for security professionals that merits detailed study.
Hackers Pose a ThreatHacking of medical devices to intentionally cause harm eventually will occur, Nordenberg warns, pointing to one incident where someone hacked a website for epileptics and posted animations intended to trigger migraines and seizures. That's why the work of the consortium is critical, he contends.
The consortium will attempt to estimate the prevalence of medical device malware events and pinpoint best practices for prevention, he adds.
Meanwhile, the FDA is taking a close look at the issue of medical device security. "I can't tell you what policies we are considering or what's in the works," Patel said following his presentation at last week's conference. "But we are interested in this area." He called for the development of standards for medical device security.
The FDA has issued reminders about its cybersecurity guidance for medical devices, Patel points out.
Tricky Security IssuesOne of the challenges in protecting medical devices from malware is avoiding affecting the functionality of the devices, says Kevin Faulkner, a senior manager at Trend Micro, which sells anti-virus applications and services. For example, he advises against installing virus detection software on individual devices and advocates taking a network-based approach instead.
Because medical devices use a wide variety of operating systems, implementing a patch to take care of a virus threat can prove challenging, says Steve Abrahamson, program manager of product security at GE Healthcare, which manufactures devices. "That's why we want to test a patch before telling customers to apply it to a device" to make sure it doesn't interfere with the device's functionality, he says.
The VA is working on a patch management system that will bring together all vendor-approved patches on one server, then schedule pushing patches out to appropriate devices, says Meghan Friel, a biomedical engineer at the Veterans Health Administration.
Meanwhile, the VA is validating its new virtual local area networks for medical devices that it recently spent seven months installing to help improve security. It's also using ACLs, or access control lists, that, among other things, prevent linking devices to the Internet.
In addition, because thumb drives are a major potential source of virus infections in medical devices, "we scan portable media before it's connected to a device," Friel says.