Medical Devices Rendered Defective by a Computer Virus
May 12, 2009. By Gordon Gibb
According to a report from CBS News, the Conficker Internet virus has infected important computerized medical devices.
Rodney Joffe is the senior vice president for Neustar and a founder of the Conficker Working Group. In recent weeks, Joffe told a panel at the House Energy and Commerce Committee that he, together with another Conficker researcher, had identified at least 300 critical medical devices from a single manufacturer that had been infected with the Conficker virus.
According to the report, the devices in question were connected to a LAN and found at or near intensive care (ICU) stations. These devices allowed doctors to view and manipulate MRI scans. The thought of such a device infected with a nasty computer virus more than just boggles the mind. It is unthinkable.
And yet it is happening, and it is poised to grow even bigger given the push to computerize hospital records and interconnect hospitals and doctors' offices.
Implantable medical devices such as heart defibrillators that allow doctors to adjust settings by way of computer are another worry. What if the computer is connected to the Internet? One would assume that such an integral piece of equipment would not be connected to the Internet for obvious reasons.
However, if the computer in question is part of a LAN where other computers in the building have Internet access, then the defibrillator computer does indeed have indirect Internet access.
Could the medical device be hacked from afar? And does that constitute a defective medical device, if the device can be accessed from afar?
Joffe told CBS News that the medical devices he found in the hospital setting "…should have never, ever been connected to the Internet."
Worse, he said, were the government regulations that prevented the hospitals in question from fixing the problems in a timely manner. Under current regulations, affected hospitals would have to wait 90 days before the systems could be modified to facilitate the removal of the infections, together with other vulnerabilities.
That's 3 months. Three months during which the hospital would either have to do without the equipment (and anything connected to it via a LAN), or continue using the equipment knowing that it has been compromised in some fashion.
"The open Internet, one of its great values is it allows you to connect fairly cheaply and fairly easily to other computers," Joffe said. He added, however, that "the Internet was never designed to do the things it's doing today."
In an unrelated but equally troublesome issue, it was revealed that Chinese and Russian spies had infiltrated US electrical grids. The so-called 'smart grids,' which interconnect many of the nation's utility grids via the Internet, are open to any hacker who can get around whatever protections have been built into them.
The Homeland Security Department was recently given Congressional authority to exercise greater influence over public utilities in order to mitigate potential hacks into the smart grid system.
The concern has even greater import within the health care field. The widespread move to electronic record-keeping and the computerization of all things medical—including medical devices—poses an even bigger question: how secure are these networks and systems from unsavory hackers, and what does that mean to an individual now walking down the street with a potential computer virus in his pacemaker?
A computer virus could turn an otherwise viable medical device into a defective medical device. It has been known since last year that pacemakers and defibrillators can be hacked. Similarly, it was discovered in 2003 that signals from GSM phones could interfere with pacemakers. A study published that year in Physics in Medicine and Biology found that some pacemakers were prone to mistaking signals from mobile phones for the heart's own electrical signals, causing the pacemakers to fail.
At the time, it was determined that the addition of a ceramic filter would resolve the defective medical device problem. What could be brought to bear to protect medical devices of all stripes from computer viruses, given the tremendous interconnectivity prevalent today, is another matter.