Medical-device security isn't tracked well, research shows
"We believe the inconsistency between databases is due to lack of a meaningful and convenient reporting mechanism, but we also believe that clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer," the study points out. "Time pressure, lack of incentives, lack of federal safe harbor policies, and lack of clear actionable guidance further reduce the probability of incident reporting by clinicians and information technology staff."
Fu said he's been in contact with professionals at clinics and hospitals where individuals are "essentially afraid of reporting issues on paper for liability issues." He notes the U.S. may want to consider looking at the kinds of "safe harbor" laws that have helped other industries, such as aviation, in identifying safety issues.
The MAUDE database showed no events related to privacy and security, in spite of about 1,000 possible product problems, the study said. As if to test MAUDE's effectiveness, one of the study's co-authors submitted a software vulnerability report for an automated external defibrillator on July 19, 2011, and found by Jan. 19, 2012, the report had not yet been processed into MAUDE. By April of this year, MAUDE did finally contain the submitted report.
"The report processing took nine months. As the time from discovery of a conventional computer security vulnerability to the global exploitation of the flaw is often measured in hours, a nine-month processing delay may not be an effective strategy for ensuring the safety of software-related medical devices," the study says.
The study says there has not yet been any major known and sustained vicious attack on medical devices intended to harm patients in the U.S. But there have been many instances of malware infecting PCs used to operate medical equipment, sometimes even turning medical devices into botnets that are often used by remote command-and-control operators for things such as spam relays. Vendors of the equipment are getting blamed.
"Common causes of infections include use of the Internet and USB flash memory drives from vendors who are paradoxically updating software on medical devices," the study notes. "In one instance, a factory-installed device arrived already infected by malware. All detected malware pertained to conventional computer viruses rather than malware customized for medical devices. The most prevalent malware converted the medical devices into becoming nodes of 'botnet' criminal networks. Organized crime rents out botnets for others to distribute spam anonymously and for mounting targeted attacks on information infrastructure."
In contrast to the lack of consistency and clarity the researchers found in the three databases, one other database they looked at showed how serious malware infections can be in hospitals.