Medical-device security isn't tracked well, research shows
"We believe the inconsistency between databases is due to lack of a meaningful and convenient reporting mechanism, but we also believe that clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer," the study points out. "Time pressure, lack of incentives, lack of federal safe harbor policies, and lack of clear actionable guidance further reduce the probability of incident reporting by clinicians and information technology staff."
Fu said he he's been in contact with professionals at clinics and hospitals where individuals are "essentially afraid of reporting issues on paper for liability issues." He notes the U.S. may want to consider looking at the kinds of "safe harbor" laws that have helped other industries, such as aviation, in identifying safety issues.
The MAUDE database showed no events related to privacy and security, in spite of about 1,000 possible product problems, the study said. As if to test MAUDE's effectiveness, one of the study's co-authors submitted a software vulnerability report for an automated external defibrillator on July 19, 2011, and found by Jan. 19, 2012, the report had not yet been processed into MAUDE. By April of this year, MAUDE did finally contain the submitted report.
"The report processing took nine months. As the time from discovery of a conventional computer security vulnerability to the global exploitation of the flaw is often measured in hours, a nine-month processing delay may not be an effective strategy for ensuring the safety of software-related medical devices," the study says.
The study says there has not yet been any major known and sustained vicious attack on medical devices intended to harm patients in the U.S. But there have been many instances of malware infecting PCs used to operate medical equipment, sometimes even turning medical devices into botnets that are often used by remote command-and-control operators for things such as spam relays. Vendors of the equipment are getting blamed.
"Common causes of infections include use of the Internet and USB flash memory drives from vendors who are paradoxically updating software on medical devices," the study notes. "In one instance, a factory-installed device arrived already infected by malware. All detected malware pertained to conventional compute viruses rather than malware customized for medical devices. The most prevalent malware converted the medical devices into becoming nodes of 'botnet' criminal networks. Organized crime rents out botnets for others to distribute spam anonymously and for mounting targeted attacks on information infrastructure."
In contrast to the lack of consistency and clarity the researchers found in the three databases, one other database they looked at showed how serious malware infections can be in hospitals.
Apple has assembled an all-star team featuring some of the world's most proficient and well-connected biosensor engineers. Is this extensive investment entirely dedicated to an iPhone app called Healthbook and an accessory called an iWatch?
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Patient Portals: A Platform for Connecting Communities of Care
- Connecting patient health data across the care continuum is essential to achieve improved care, increased access to personal health records and lowered costs.
- 3 Ways Clinicians Can Leverage a Patient Portal to Craft a Healthcare Community
- With a bevy of vendors offering patient portal solutions, it can be challenging for a hospital to know where to start. Fortunately, YourCareCommunity...
- Healthcare Firm Ramps Up for Claims Processing Spikes
- Huge increases in claims processing loads and stringent SLAs for Medicaid patients prompted Molina Healthcare to enhance their IT infrastructure with VCE.
- Why Projects Fail
- CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings
- This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find... All Healthcare IT White Papers
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Mobile Security: Containerizing Enterprise Data In this on-demand webinar, Fixmo's Lee Cocking, VP of corporate strategy, explains why Apple-ization trends like mobility and "bring-your-own-device" (BYOD) are driving the...
- Endpoint Data Management: Protecting the Perimeter of the Internet of Things Not surprisingly, "Internet of Things" (IoT) and Big Data present new challenges AND opportunities for enterprise IT. Teams need to harness, secure and...
- How to Protect Enterprise Data Yet Enable Secure Access for End Users Learn how BYOD, Big Data and the use of rogue applications and devices is putting corporate data at risk, best practices from IT...
- All Healthcare IT Webcasts