Better systems needed for medical device cybersecurity, experts say
Researchers recently discovered that a medical device manufacturer’s website for ventilator software had been infected with malware. Credit: Image courtesy of Kevin Fu
Medical devices save countless lives, and increasingly functions such as data storage and wireless communication allow for individualized patient care and other advances. But after their recent study, an interdisciplinary team of medical researchers and computer scientists warn that federal regulators need to improve how they track security and privacy problems in medical devices.
Researchers from Beth Israel Deaconess Medical Center, Harvard Medical School and the University of Massachusetts Amherst analyzed reports from decades of U.S. Food and Drug Administration (FDA) databases and found that established mechanisms for evaluating device safety may not be suitable for security and privacy problems. The researchers, members of the Strategic Healthcare IT Advanced Research Projects on Security (SHARPS), report their results in the current issue of the journal PLoS ONE.
Overall, they suggest a more effective reporting system for medical device cybersecurity should be established to catch security problems that otherwise could rapidly spread.
Computer scientist and medical device security expert Kevin Fu at UMass Amherst and electrophysiologist Daniel Kramer at Harvard recommend that federal surveillance strategies should "rethink how to effectively and efficiently collect data on security and privacy problems in devices that increasingly depend on computing systems susceptible to malware," to improve detection of problems that could affect millions of patients who use such devices for treatment from heart disease to diabetes.
Fu says that increasingly, wireless communication and Internet connectivity are used to control devices and transmit patients' information. But little is known about the prevalence of risks. Kramer, Fu and their colleagues set out to evaluate product recalls and adverse event reports in three comprehensive, publicly available databases maintained by the FDA: its own weekly enforcement reports of device recalls, its database of Medical and Radiation Emitting Device Recalls (MREDR) and the Manufacturer and User Facility Device Experience (MAUDE) database.
They did not find recalls or adverse events directly linked to security or privacy problems, despite a high prevalence of recalls related to software, plus fewer recalls related to patient data storage or wireless communication. While the lack of glaring security or privacy concerns through this search strategy may be reassuring, the authors also conclude that the current classification methods in these databases are not well suited to emerging types of device malfunctions.
Indeed, to test the effectiveness of the FDA's adverse event reporting mechanism for security and privacy problems, one co-author also submitted a software vulnerability report for an automated external defibrillator in July 2011. Nine months later, it was processed and made public. "As the time from discovery of a conventional computer security vulnerability to global exploitation of a flaw is often measured in hours, a nine-month processing delay may not be an effective strategy for ensuring the security of software-based medical devices," Fu and colleagues point out.
Software-related recalls may be of particular concern going forward, the experts add. Conventional malware has already infected clinical computing systems. For example, the Department of Veterans Affairs found a factory-installed device arrived already infected. And, Fu recently discovered that a medical device manufacturer's website for ventilator software had been infected with malware.
"Medical devices do a tremendous amount of good every day for many millions of people," says Daniel Chenok, chair of the U.S. National Institute of Standards and Technology's information security and privacy advisory board and vice president for technology strategy at IBM Global Business Services. He adds that the government needs to take steps to ensure that cybersecurity concerns don't make consumers think twice about whether a device is safe.
Earlier this year, Chenok wrote to Health and Human Services (HHS) Secretary Kathleen Sebelius that "lack of reported incidents also results from a lack of effective reporting mechanisms from clinical settings to the government about cybersecurity threats in medical devices." The point, he adds, is that "we really don't know what this cybersecurity problem looks like. What's the size of the issue, and how should the government best tackle it?"
The fundamental problem is vulnerabilities in medical devices, not the FDA's slow handling of them, adds Carl Gunter at the University of Illinois at Urbana-Champaign and director of the SHARPS group. "Of course, in an ideal world, devices would be free of security and privacy vulnerabilities, so it wouldn't matter if the announcement process is slow. But the technical obstacles are significant and FDA surveillance will be a key line of defense. The authors have done an important service pointing out the need to improve that system."
Journal reference: PLoS ONE
Provided by University of Massachusetts Amherst