Confickered! Medical devices and digital medical records are getting hacked

May 8, 2009 by MassDevice

A computer virus called Conficker infected medical devices at dozens of hospitals worldwide, aided by FDA red tape, and hackers demand a $10 million ransom for hijacked personal medical data.

President Barack Obama's $20 billion push to bring medical records and devices into the 21st century has great potential rewards.

But a pair of recent developments highlight its risks as well.

A computer virus called Conficker infected hundreds of MRI devices around the world, including at dozens of U.S. hospitals.

The virus, which has yet to harm patients but poses a substantial threat to hospitals, causes the imaging machines to ask for instructions over the Internet, presumably from the hackers who created Conficker.

More than 300 devices, which the manufacturer says are not designed to connect to the web at all, have been compromised. An unpatched version of Microsoft's operating system used in embedded devices created the vulnerability.

And FDA red tape may have exacerbated the problem. Normally, a simple patch installation would eliminate the vulnerability. But the Food & Drug Administration requires 90 days of notice before such actions.

Thousands of other machines in hospitals — ranging from personal computers to sensitive medical devices — have contracted the virus and contacted other computers over the Internet for instructions.

The good news is that the malware designers likely have little idea how a complicated medical device like an MRI works. The bad news is that just might not matter, if they can successfully hijack patient records.

The Wall Street Journal's Health Blog reports that hackers claiming to have tapped a Virginia medical records database are demanding a $10 million ransom.

If the ransom is not paid the hackers threatened to sell the records.

The data are part of a program to track frequently abused drugs such as OxyContin and Vicodin. Officials at the Virginia Health Dept. are investigating, but they're also fighting "technical difficulties which affect computer and email systems," according to the journal.

It's not clear if the ransom demand is a bluff or whether hackers truly broke into the datatbase. Officials said "an unauthorized message was posted" on the prescription program's website, but added that they were "not aware of any evidence indicating any personal information may be at risk."