Threat matrix: Malware and hacking pose dangers to medical devices

'We’re starting to attach medical devices to electronic health records, and they’re not secure.'

Many medical devices run on Microsoft Windows or Windows variants, after all. In case it's escaped your notice over the past 15 years or so, that's an OS that's especially susceptible to security issues. (So much so that Microsoft has a regularly scheduled day – "Patch Tuesday," the second Tuesday of every month – dedicated to releasing updates to plug vulnerabilities.)

Infection with computer viruses is a common occurrence in households across the country. And in hospitals too.

Fu was quoted in a recent MIT Technology Review article in which he said the problem is "mind-boggling." Malware, he said, is "rampant" in hospitals thanks to devices using unpatched operating systems.

The story noted, for instance, that Boston's Beth Israel Deaconess Medical Center had nearly 700 pieces of equipment "running on older Windows operating systems that manufacturers will not modify or allow the hospital to change – even to add antivirus software – because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews."

As these devices get corrupted with malware, one or two each week must be taken offline for fixing, Mark Olson, Beth Israel's chief information security officer, told MIT Technology Review.

Granted, garden-variety computer viruses aren't as sexy as a cable TV plot line in which a government official is felled by terrorist hackers.

"This would make a very boring television episode – computer down! – but it does cause problems with clinical workflow, and patients can't get the care they need," said Fu. "When a medical device gets infected by malware, let's say a patient monitor, it's not available to deliver care."

Another wildcard is that malware "might make the device malfunction in mysterious ways, give the wrong readings," he said.

Luckily, it's "likely the healthcare professional would notice this, that the vitals are wildly off from what the patient is presenting, and correct it."

But of course there's always the chance that he or she won't.