Concerns are rising about the risk of malware infecting computerized medical equipment, Technology Review reports.
Experts discussed such concerns last week during a meeting of a medical device panel for the National Institute of Standards and Technology Information Security & Privacy Board.
Medical Device Vulnerabilities
Although no patient harm related to malware has been reported, experts say that hospital medical equipment is vulnerable to security issues because:
- Many systems run on variants of Windows, which is a common target for hackers;
- Devices often are linked in an internal network that is connected to the Internet, making them vulnerable to infections from laptops or other devices brought into hospitals; and
- Some device manufacturers will not allow hospitals to add antivirus software to their medical equipment because of disagreements about whether such modifications could violate FDA regulations.
Kevin Fu -- a member of the medical device panel and a computer scientist at the University of Michigan and the University of Massachusetts-Amherst -- said, "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."
FDA Official's Response
During the meeting, Brian Fitzgerald, a deputy director at FDA, said that visits to hospitals around the country indicate that many of them are struggling with malware issues.
He said that FDA is reviewing its regulatory stance on medical device software, adding, "This will have to be a gradual process, because it involves changing the culture, changing the technology, bringing in new staff and making a systematic approach" to address the issues (Talbot, Technology Review, 10/17).