National Institute of Standards and Technology Conference Panel Sees Computer Viruses Infecting Medical Equipment

Computers and smartphones aren’t the only technology susceptible to malware. Experts say computerized medical equipment is also being targeted through systems connected to the Internet, and the effects could be deadly.

Technology Review reported that Kevin Fu, a medical-device security expert and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, said that although no injuries resulting from computer viruses infecting medical equipment have been reported yet, the viruses are beginning to hamper patient-monitoring equipment.

The National Institute of Standards and Technology Information Security & Privacy Advisory Board panel discussed the potential consequences this malware could have on patients, how it is getting into the system and what can be done about it.

One example of a malware-compromised system, provided by Mark Olson, chief information security officer at Beth Israel Deaconess Medical Center, is the fetal monitors used on women experiencing high-risk pregnancies.

“It’s not unusual for those devices, for reasons we don’t fully understand, to become compromised to the point where they can’t record and track the data,” Olson said, according to Technology Review. “Fortunately, we have a fallback model because they are high-risk [patients]. They are in an IC unit—there’s someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction.”

Another issue is the hacking of devices. Tech Crunch reported on a demonstration at a separate conference that hacked into a pacemaker and subjected the patient to electric shock. Not only that, but a tech expert said it is possible to spread a virus through the system, distributing the shocks to other nearby pacemaker users, which would essentially result in a “mass murder.”

Here’s more from Tech Crunch on that scenario:

At the BreakPoint security conference in Melbourne [Barnaby] Jack [from IOActive] demonstrated that he could reverse engineer a pacemaker to deliver fatal shocks from within 30 feet and rewrite the device’s onboard software (firmware). The pacemaker also contained a “secret function” that could activate other cardiac devices within a 30 foot-plus vicinity.

“The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and … the compromised programmer would then infect the next pacemaker or ICD [implantable cardioverter-defibrillators] and then each would subsequently infect all others in range.”

Technology Review stated that the hacking of medical devices was discussed at NIST as well, although no instances have been reported yet either.

But the reporting of issues is a problem in and of itself. According to Technology Review, reporting is not required unless there is harm to a patient, and medical centers may not see the point, as there might not be a solution to the problem anyway. Panel participants also discussed regulatory issues that prevent some from installing virus protection and making other updates to systems.


(H/T: Gizmodo)