Network World - Austin, Texas -- Security for medical equipment such as MRI machines and pacemakers is woeful, even though these devices today connect to networks and sometimes face risks from malware or hacking, according to a panel of university researchers speaking at this week's Design Automation Conference.
Applying encryption and strong authentication to protect implantable patient devices against tampering is still largely in the research phase, these experts say. But when it comes to hospital equipment that uses commercial operating systems such as Microsoft Windows, the manufacturers are too often reluctant to patch security holes, and sometimes even tell hospital staff the lie that the Food and Drug Administration (FDA) doesn't allow it.
Kevin Fu, associate professor at the University of Michigan, said he knows of a large Boston hospital in which Windows XP is part of MRI processes and they haven't been patched since 2007. Fu said hospital staffers have told him they're not allowed to update these devices. The excuse, which is heard often, says Fu, is that medical-device manufacturers say the Food and Drug Administration (FDA) won't allow updates, which isn't true.
Updating medical gear is hard but it has to be done, said Fu. He also noted that sometimes the way that medical-device software updates are supplied is very lax in terms of security. For instance, Fu said he's seen a hospital ventilator manufacturer post a software update on its website. But when Fu visited the manufacturer's website, he got a security warning on his own computer that "visiting this site may harm your computer" because the manufacturer's site had been infected with malware and was distributing it.
"As far as I know, malware didn't get into the ventilator itself. We just know the vendor's website was distributing malware for 90 days," Fu said.
But some medical-device manufacturers are not so timid about stepping up to the security challenge. Boston Scientific Corp., which makes a line of implantable cardiac medical devices, was represented on the DAC panel by Ken Hoyme, a senior fellow in the systems engineering arm of the firm.
The range of implantable cardiac devices designed by Boston Scientific does not use third-party commercial operating systems like Microsoft, said Hoyme. Nevertheless, modern approaches to networking and information sharing do mean that these implantable devices are designed for maintenance via wireless networks.
While strong authentication and encryption are good security ideas, they are difficult to apply to implantable devices mainly because a patient might suddenly have an emergency in which access to the implantable device is needed immediately by a medical professional at any time and place. So the dilemma is that security might actually impede safety.