What Could Make Your Medical Devices Go Haywire?

Leigh Page


August 27, 2013

In This Article

How Bad Is the Problem?

Although malfunctioning medical devices have caused delays in patient care, no one can cite instances of patient harm. However, experts are worried that computer viruses could make devices go haywire and cause real harm. For example, a device could produce incorrect data about the patient, or an IV pump could deliver too much medication.

Also, even though no one can point to an instance of hackers breaking into medical devices, the possibility is real -- either through the Internet or through unprotected wireless networks.

"My concern is if hackers do decide to target these devices, it would be pretty easy to get in," said Matthew Neely, Director for Research, Innovation and Strategic Initiatives at SecureState, a cybersecurity firm in Cleveland. "Hackers are normally motivated by money or by intellectual property, but they could get interested in patient information."

Sensitive to Computer Viruses

It turns out medical devices are unusually susceptible to Internet viruses, much like an isolated tribe that never before was exposed to outside biological viruses. It's an apt analogy. Whereas the makers of personal computers (PCs) have had to contend with viruses for decades, medical device manufacturers are just beginning to get acquainted with them.

"The attacks that we see against medical devices are really very simple," Neely said. "They were the attacks that were successful against PCs 10 years ago." But whereas PCs have developed safeguards against them, medical devices have not, he said.

Neely said manufacturers did not anticipate the Pandora's box they were opening when they installed a network port on the back of their devices. "They have not been sophisticated about IT," he said. For example, "a device approved by the FDA years ago may still have the same operating system it originally shipped with," Neely said. One operating system found in medical devices is Windows XP, which Microsoft will stop supporting next year.

Some medical personnel who use these devices still believe they are protected from viruses because they are on internal networks not directly connected to the Internet, Neely says. But even a firewall-protected network, he said, can be contaminated by data introduced by a laptop or a flash drive.

"Medical devices were not designed to be plugged into a network," said Terry McCorkle, Western Regional Director for Cylance, a company that protects IT services, based in Irvine, California. Recently, McCorkle and fellow Cylance researcher Billy Rios caused quite a stir in the healthcare IT world when they showed that about 300 medical devices had "hard-coded" passwords -- generic passwords that service technicians use to access the device -- that could easily be broken through. Their report prompted the Department of Homeland Security to issue its alert.

McCorkle believes manufacturers should have redesigned their devices from the ground up when they added network capabilities. "You have to rethink the whole device when you plug it into a network," he said. He reported that some devices are so sensitive that even a network scanner, which technicians use to monitor networks, can cause them to turn off or crash.


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.