WattsUpDoc detects medical-device malware
Many medical devices utilize wireless technology. While there’s plenty of evidence that it’s possible to seize control of medical implants from a distance... there’s just no evidence that’s ever happened, Businessweek explains.
Medical hacking entered the public eye in 2011, when hackers began showing it was possible. Jay Radcliffe, a computer security expert working for IBM, delivered a presentation at a hacking conference showing that he could take control of an insulin pump and manipulate the amount of insulin it provided, potentially killing the user.
- In June, the Department of Homeland Security reported that it found security holes in 300 medical devices being made by 40 different companies.
- Earlier this summer, the U.S. Food and Drug Administration warned about malware and potential shortcomings in medical devices. The agency said it was developing guidance on how manufacturers should address them.
- Last week, the nonprofit Center for Internet Security, which advises government agencies and private companies, said it’s working on its own set of guidelines for medical devices.
Considering the varying rates of technical innovation among hackers, medical companies, and regulators, it’s likely that the healthcare industry will stay at least a half-step behind.
In addition to implants, hospital devices -- such as pregnancy monitors and picture-storage systems for MRIs -- are also vulnerable to infection since they’re connected to the internet.
But here’s good news! Researchers from the medical-device security team at the University of Michigan have figured out a way to spot malware on hospital equipment -- by noting subtle changes in its power consumption, Technology Review reports.
WattsUpDoc could give hospital IT a quick way to spot equipment with dangerous vulnerabilities and take it offline -- even if the exact virus isn't identified. The key is getting a very detailed profile of normal usage and being able to detect changes while avoiding false alarms.
They tested the device on deliberately infected compounders (for mixing drugs). The device detected abnormal activity more than 94 percent of the time if it had been trained to recognize that malware, and between 84 and 91 percent with previously unseen malware. It could be commercialized in a year.
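The profile-then-detect idea described above, as an added example that is not the researchers' code or their actual method: it learns a baseline from windows of a normal power trace, sets the alarm threshold from held-out normal data so the false-alarm rate is chosen explicitly, and then scores windows from a device carrying an unseen extra workload. The traces, wattages, window size, features and all names are constructed assumptions.

```python
import math
import random
import statistics

WINDOW = 50  # samples per analysis window (assumed value)

def synth_trace(n_windows, rng, extra_load=0.0):
    """Constructed power trace in watts: duty cycle + noise (+ periodic extra load)."""
    return [60 + 5 * math.sin(2 * math.pi * i / WINDOW) + rng.gauss(0, 0.5)
            + (extra_load if i % 10 < 3 else 0.0)
            for i in range(n_windows * WINDOW)]

def windows(trace):
    return [trace[i:i + WINDOW] for i in range(0, len(trace) - WINDOW + 1, WINDOW)]

def features(window):
    """Mean draw, spread, and mean sample-to-sample change for one window."""
    steps = [abs(b - a) for a, b in zip(window, window[1:])]
    return (statistics.fmean(window), statistics.pstdev(window), statistics.fmean(steps))

class PowerBaseline:
    """Profile of normal operation; flags windows that deviate from it."""
    def __init__(self, train, calib, false_alarm_rate=0.01):
        cols = list(zip(*(features(w) for w in windows(train))))
        self.mu = [statistics.fmean(c) for c in cols]
        self.sigma = [statistics.pstdev(c) or 1e-9 for c in cols]
        # Threshold = empirical quantile of scores on held-out *normal* data,
        # so the false-alarm budget is set explicitly rather than guessed.
        scores = sorted(self.score(w) for w in windows(calib))
        k = min(len(scores) - 1, math.ceil((1 - false_alarm_rate) * len(scores)) - 1)
        self.threshold = scores[k]

    def score(self, window):
        """Largest per-feature deviation from the baseline, in standard deviations."""
        return max(abs(f - m) / s for f, m, s in zip(features(window), self.mu, self.sigma))

    def is_anomalous(self, window):
        return self.score(window) > self.threshold

def evaluate(seed=7):
    """Return (detection rate, false-alarm rate) on fresh constructed traces."""
    rng = random.Random(seed)
    model = PowerBaseline(synth_trace(200, rng), synth_trace(200, rng))
    clean = windows(synth_trace(200, rng))
    loaded = windows(synth_trace(200, rng, extra_load=2.0))  # unseen extra workload
    false_alarms = sum(model.is_anomalous(w) for w in clean) / len(clean)
    detections = sum(model.is_anomalous(w) for w in loaded) / len(loaded)
    return detections, false_alarms

if __name__ == "__main__":
    print("detection rate %.2f, false-alarm rate %.2f" % evaluate())
```

Lowering `false_alarm_rate` raises the threshold, which trades missed detections for fewer spurious alarms on equipment that is behaving normally.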