Software security urged for medical devices and networks

Reported by Gail Purvis, European Editor, Power Systems Design Europe



Edinburgh University scientists working on host-pathogen biology and advanced biochip technologies for infectious diseases have developed a new test using a strip with electrical sensors that show whether wounds or lesions are infected with bacteria, including MRSA (methicillin-resistant Staphylococcus aureus). The head of biochip research at the Division of Pathway Medicine, Dr Till Bachmann, notes that hand-held tests provide rapid results, allowing almost immediate detection of bacteria, so patients get more-effective drugs sooner, speeding up recovery. In UK hospitals, laboratory tests to confirm the presence of MRSA in a wound can take a full day using conventional techniques.

While infection is a health commonplace, a less publicized aspect is that malware and bugs are found in both the computing software and the data embedded in hospital equipment and implanted medical devices, which are increasingly vulnerable to software infection. Europe has IEC 62304 as its standard for developing safety-critical and high-reliability software for medical devices. But while medical-device-software developers comply with standards, medical equipment is becoming increasingly interconnected. With many systems running on Windows or its variants, these unwittingly become a common target for hackers. Devices are usually connected to an internal network that is itself connected to the internet, and are accordingly vulnerable to infections from laptops or other devices that are brought into hospitals.

In the US, the issue seems exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features, because such modifications could run afoul of US Food and Drug Administration regulatory reviews. As a result, infected computers have to be taken offline for cleaning. Devices can become compromised to the point where they can't record and track data.

Vulnerable equipment ranges from intravenous-drug and nutrition compounders to picture-archiving systems associated with diagnostic equipment, and includes MRI devices. The US Government Accountability Office recently issued a report warning that implanted defibrillators and insulin pumps could be vulnerable to hacking, though no attacks on these devices have been reported. Compounding the issue is that hospital devices are rarely reported to regulators, and such reporting is not required unless a patient is harmed, although researchers report that the FDA is now reviewing its regulatory stance on software.

As the internet of things gathers pace, news is that Canadian LionsGate Technologies is to use the audio jack of the smartphone, tablet or PC to run low-power diagnostic equipment, taking advantage of the host computer's superior processing. It's a really neat power-saving move, but it is still left open to vulnerabilities in the host device's software security.