Smart System Protection

28 February 2007 (Last Updated February 28th, 2007 18:30)

Equipment breakdowns, misdiagnosis, untreated patients – all worrying consequences of an infected IT system. Russell Bourke of HIMSS explains why protecting against electronic viruses is just as important as curing human ones.

Like the mechanised world, the medical device industry has for many years moved towards the integration of smart technology to improve patient care, safety, quality and value. A smart device, better described as an information appliance, has one basic requirement: the ability to communicate through an interface with a human, another device or a combination of the two.

However, the use of microprocessors to manage information, respond to events, generate alerts and communicate across a man-machine interface or console designed for human interaction is pervasive and valuable, but it is also vulnerable and potentially at risk of attack by writers of malicious code.

RISK ASSESSMENT

Security firm McAfee is forecasting an explosion of activity in virus and worm attacks targeting mobile devices, PDAs, data-enabled phones or smart phones, wireless pagers and handheld text messaging devices. The threat is real; the first known attack on mobile devices appeared in 2000, and by 2005 this had grown to 142 known viruses. Crossover, a virus designed to erase files and capable of jumping from a PC to a mobile device, is seen as a more evolved and dangerous level of threat.


Consider the growth of malware coded to attack PCs over a period of 20 years, with tens of thousands of known signatures on file. Current estimates of more than 200 viruses, worms or other malware targeting mobile devices are said to be conservative, as reported by an expert at a leading security services organisation. Firms specialising in security solutions that use sophisticated analytic techniques project a huge upswing in malware activity targeting these devices.

Damage estimates put the impact of the 2004 MyDoom virus at $5.25bn; this virus replicated and propagated across the computing environment at a rate of up to 12,000 systems per hour. McAfee’s Avert Labs reports that the 2004 I Love You virus reached millions of personal computers in just a few hours, with about 50% of those machines running some form of internet security at the time of penetration.

Data-enabled phones, smart phones and mobile devices could be affected too. Avert Labs predicts that the damage caused by malware running on mobile devices and targeting multiple operating systems presents a global penetration potential of millions of smart phones.

WirelessRecycling.com, citing 2006 Environmental Protection Agency estimates, confirms that the average life span of a cell phone is 18 months, with about 130 million US cell phones decommissioned every year. The trend is toward converged technologies on smart phones that provide communication capability and personal information management (PIM) on one device.

However, most of these devices do not carry any sort of mobile protection security. Smart phones are capable of interfacing with biomedical devices, are ubiquitous across many healthcare delivery systems and are absolutely capable of carrying viruses and worms to a new host.

SMART DEVICE PROTECTION

Protecting hospital smart devices from viruses and worms requires reactive, proactive and pre-emptive measures to secure information systems. It is vital to take a proactive approach with policy and procedure strategies. Consider an organisation that depends on its IT infrastructure for its day-to-day business affairs: recent studies have shown that there are viruses and worms capable of crossing the barrier from mobile phone to PC. Once such a virus has crossed over and interfaces with a networked computer, it could, for example, be spread to 5,000 nodes within the organisation.


Convergence between diagnostic imaging and treatment devices and the average PC operating system is growing rapidly. As little as five years ago, many diagnostic systems ran special-purpose operating systems, so the likelihood of a virus spreading to them from PCs was close to zero. Now that these devices converge on Microsoft operating systems, the worms and security flaws that affect ordinary PCs can expose them to infiltration.

Procedures should be written to protect a business across the open systems interconnection (OSI) layers, from the raw physical layer all the way up to the presentation and application layers. For example, a policy that prevents employees from carrying and using mobile phones in a place of business, or that prevents downloading or uploading between a home PC workstation and a mobile device, eliminates a major potential security threat.

When conducting a threat assessment, companies should look for opportunities to protect the IT infrastructure and should aggregate the threat across the layers of the OSI model. It is also advisable to run an application that monitors what clients are doing on your network, so that you can see who has connected which device to the network.
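One way to act on the monitoring advice above, as an added example that is not from the article or from HIMSS: a small Python check that reviews DHCP lease log lines against an inventory of approved devices and flags both unknown devices and approved devices that appear on a subnet outside their assigned VLAN. The log format, MAC addresses, subnets and device names below are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed inventory of approved devices keyed by MAC address (hypothetical values).
APPROVED_DEVICES = {
    "00:1a:2b:3c:4d:01": {"name": "infusion-pump-12", "vlan": "biomed"},
    "00:1a:2b:3c:4d:02": {"name": "ct-console-2", "vlan": "imaging"},
    "00:1a:2b:3c:4d:03": {"name": "nurse-ws-07", "vlan": "clinical"},
}
# Constructed addressing plan: subnet prefix -> VLAN role (hypothetical).
SUBNET_VLAN = {"10.10.1.": "biomed", "10.10.2.": "imaging", "10.10.3.": "clinical"}

# Matches the constructed lease log format used below, not any real daemon's format.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)

@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str

def review_leases(log_lines):
    """Return one Finding per lease that belongs to an unknown device or to an
    approved device answering from a subnet outside its assigned VLAN."""
    findings = []
    for line in log_lines:
        m = LEASE_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement; nothing to inventory
        mac, ip = m.group("mac").lower(), m.group("ip")
        host = m.group("host") or "?"
        vlan = next((v for p, v in SUBNET_VLAN.items() if ip.startswith(p)), "unknown")
        approved = APPROVED_DEVICES.get(mac)
        if approved is None:
            findings.append(Finding(mac, ip, host, "unknown device joined network"))
        elif approved["vlan"] != vlan:
            findings.append(Finding(mac, ip, host,
                f"{approved['name']} expected on {approved['vlan']} VLAN, seen on {vlan}"))
    return findings

# Constructed sample log lines, not captured from any real system.
SAMPLE_LOG = [
    "Feb 28 09:14:02 dhcpd: DHCPACK on 10.10.1.21 to 00:1a:2b:3c:4d:01 (infusion-pump-12)",
    "Feb 28 09:15:40 dhcpd: DHCPACK on 10.10.3.55 to aa:bb:cc:dd:ee:ff (Johns-Phone)",
    "Feb 28 09:16:11 dhcpd: DHCPACK on 10.10.3.60 to 00:1a:2b:3c:4d:02 (ct-console-2)",
    "Feb 28 09:16:30 dhcpd: DHCPDISCOVER from 11:22:33:44:55:66 via eth0",
]

if __name__ == "__main__":
    for f in review_leases(SAMPLE_LOG):
        print(f"{f.mac} {f.ip} {f.hostname}: {f.reason}")
```

The sample run reports the unapproved phone and the imaging console seen on the clinical subnet, while the pump on its own VLAN produces no finding.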

Rapid response teams are essential, as first responders can mitigate threats. Manufacturers also need to be on board, working with providers to ensure optimal levels of security; they can serve as the first point of observation. Looking for threats and setting up a notification system will allow the rapid response teams to go to work.

Companies should also consider employing experts to handle, quarantine and remove malware. It is important to understand the nature and intent behind a threat or assault, and to report emerging threats across the industry. A further method of protection is for device manufacturers to build in ways to track and protect against viruses.

INDUSTRY GUIDANCE

Hospitals and Health Networks magazine reported that Oregon Health & Science University (OHSU) in Portland, Oregon had discovered medical devices on campus compromised by computer viruses. While this incident did not immediately present a threat to the delivery of medical services and patient care, the potential threat existed.

OHSU employs an information security incident response team (ISIRT) across multiple layers of the healthcare delivery system. Despite its tremendous effort to maintain the security and integrity of its data, the organisation is aware of issues surrounding data protection in medical devices.

In a landmark whitepaper, University Health System Consortium Medical Device Security (2005) further explored the questions of responsibility and accountability for medical device security, stating: "Medical device manufacturers have misconceptions that they cannot install security patches without prior FDA approval; this creates confusion within the industry. The question emerges, who should own medical device security?"

One solution from the provider community stipulates contract language that clearly defines medical device vendor security responsibilities. This trend is likely to continue as more providers adopt practices that improve the security of medical devices. The hope for the future is that the industry will see collaboration among providers, medical device manufacturers, vendors and regulators, working together to develop medical device security standards.