Many of the aging medical devices still in wide use at hospitals across the U.S. were built without much consideration for security controls.
Kevin Fu, associate professor of electrical engineering and computer science at University of Michigan, spoke about medical devices’ security at the HIMSS and Healthcare IT News Privacy & Security Forum in Boston.
According to Fu, bedside devices or implants routinely carry potentially dangerous faults. “If you’re using this old software, these old operating systems, you’re vulnerable to all that malware – that garden-variety malware – that has been out in the wild for more than 10 years.”
“This is not rocket science; this is basic hygiene,” he said. “This is forgetting to wash your hands before going into the operating room. Here we have medical devices where, if malware gets through the perimeter, there is very little defense.”
“In my opinion, it boils down to much more basic stuff,” said Fu. “Hackers do exist. But again, it boils down to something much more basic: ‘hand-washing.’”
Indeed, he said, the much bigger risks came from more mundane activities: the “infection vector” of a corrupted USB drive; a vendor applying software updates “and unknowingly infecting machines along the way because they’re carrying malware along with them,” or the “guy you just let in the door because you have a contract with him, and he’s spreading software throughout the hospital by accident.”