Medical equipment riddled with malware

Posted by Emma Woollacott

Viruses and other malware are running rampant through medical technology, security experts have warned.

Medical equipment is increasingly software-controlled and networked. Worryingly, though, many hospitals are using old computer systems that can't readily be updated. But such malware can slow machines down, with potentially dangerous results.

According to MIT's Technology Review, the Beth Israel Deaconess Medical Center in Boston alone had 664 pieces of medical equipment running on old versions of Windows  until recently.

But because of concerns over Food and Drug Administration (FDA) rules, manufacturers often won't allow them to be updated, meaning that fixes in later versions of Windows can't be implemented.

"Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems," says Kevin Fu of the University of Michigan and the University of Massachusetts, Amherst.

"There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."

The risks were discussed last week at a meeting of the National Institute of Standards and Technology Information Security & Privacy Advisory Board.

Mark Olson, chief information security officer at Beth Israel, said that malware had on one occasion slowed down the fetal monitors used on women with high-risk pregnancies being treated in intensive-care wards.

"It's not unusual for those devices, for reasons we don't fully understand, to become compromised to the point where they can't record and track the data," he said.

"Fortunately, we have a fallback model because they are high-risk. They are in an IC unit — there's someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction."