Medical-device security isn't tracked well, research shows
"We believe the inconsistency between databases is due to lack of a meaningful and convenient reporting mechanism, but we also believe that clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer," the study points out. "Time pressure, lack of incentives, lack of federal safe harbor policies, and lack of clear actionable guidance further reduce the probability of incident reporting by clinicians and information technology staff."
Fu said he he's been in contact with professionals at clinics and hospitals where individuals are "essentially afraid of reporting issues on paper for liability issues." He notes the U.S. may want to consider looking at the kinds of "safe harbor" laws that have helped other industries, such as aviation, in identifying safety issues.
The MAUDE database showed no events related to privacy and security, in spite of about 1,000 possible product problems, the study said. As if to test MAUDE's effectiveness, one of the study's co-authors submitted a software vulnerability report for an automated external defibrillator on July 19, 2011, and found by Jan. 19, 2012, the report had not yet been processed into MAUDE. By April of this year, MAUDE did finally contain the submitted report.
"The report processing took nine months. As the time from discovery of a conventional computer security vulnerability to the global exploitation of the flaw is often measured in hours, a nine-month processing delay may not be an effective strategy for ensuring the safety of software-related medical devices," the study says.
The study says there has not yet been any major known and sustained vicious attack on medical devices intended to harm patients in the U.S. But there have been many instances of malware infecting PCs used to operate medical equipment, sometimes even turning medical devices into botnets that are often used by remote command-and-control operators for things such as spam relays. Vendors of the equipment are getting blamed.
"Common causes of infections include use of the Internet and USB flash memory drives from vendors who are paradoxically updating software on medical devices," the study notes. "In one instance, a factory-installed device arrived already infected by malware. All detected malware pertained to conventional compute viruses rather than malware customized for medical devices. The most prevalent malware converted the medical devices into becoming nodes of 'botnet' criminal networks. Organized crime rents out botnets for others to distribute spam anonymously and for mounting targeted attacks on information infrastructure."
In contrast to the lack of consistency and clarity the researchers found in the three databases, one other database they looked at showed how serious malware infections can be in hospitals.
Pilot fish is trying to help a woman who runs a daycare center -- and since all she wants to do is publish a 30-page online handbook for parents, how hard will that be?
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Security, Privacy and Trust in Email Management
- This white paper discusses a SaaS-based email management solution that delivers the security, continuity and archiving capabilities your organization demands.
- The Total Cost of Email
- In this white paper, we'll explore the true costs of fragmented email management and uncover how to reduce those costs with a cloud-based...
- Balancing Security, Compliance and Cost: the Prescription for Healthcare Email Management: Move to the Cloud
- Learn how cloud-based technologies for core productivity tools such as email and collaboration can help healthcare organizations be more efficient with IT dollars...
- Email Security Checklist: Eight Steps for Healthcare Organizations
- Don't let fear of violating Healthcare Insurance Portability and Accountability Act (HIPAA) codes prevent you from using email to communicate sensitive information.
- Seven questions you must ask before choosing your patient portal solution
- By asking the right questions and connecting the right stakeholders, you can ensure that you implement a true community solution that will improve... All Healthcare IT White Papers
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their...
- DevOps with PureApplication System: Reduce cost and speed delivery with an integrated IBM Cloud solution Join this webcast to hear what ING Netherlands has been able to achieve while deploying DevOps tools from IBM Rational. An ING executive...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope...
- All Healthcare IT Webcasts