The security risks of medical devices

February 28, 2013 by MassDevice

Dr. John Halamka, Chief Information Officer for Beth Israel Deaconess Medical Center, records his experiences with infrastructure, applications, policies, management and governance.

By John D. Halamka, MD


Beth Israel Deaconess has been outspoken about the risks of malware on FDA 510k approved medical devices such as radiology workstations, echocardiogram machines, and patient monitors.

Although these devices appear to be "appliances" that you simply plug into the network and use for patient care, they are actually sophisticated computers, often running outdated versions of operating systems and applications that are not resilient against purposeful attacks.


For example, we have devices from a major manufacturer that internally use Windows NT as the operating system and Apache 1.0 as the web server. Patches are no longer available for these old versions of software, and the devices cannot be updated to protect them from malware. Instead, we build hardware firewalls around the devices, creating "zero day" protection that mitigates risk by preventing internet-based attacks from reaching the devices.
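The "firewall around the device" approach described above can be modelled as a small, testable policy. The following is an added example, not code from the post or from Beth Israel Deaconess: an unpatchable device sits on its own network segment whose forwarding policy is default-deny, with narrow allow rules for the clinical traffic the device genuinely needs, and no path to the internet at all. The segment address, the PACS and NTP servers, the interface name and the DICOM flow are constructed assumptions for illustration; the script both evaluates candidate flows against the policy and renders the equivalent nftables ruleset.

```python
"""
Added example (not from the original article): isolating a legacy medical device
behind a default-deny firewall segment.

All addresses, ports and server roles below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the isolated segment that holds the unpatchable device(s).
DEVICE_SEGMENT = ipaddress.ip_network("10.40.7.0/24")

# RFC 1918 space; any destination outside it is treated as "the internet" and is
# never reachable from the device segment.
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    """One allow rule: a new connection from the device segment to dst:dport."""
    dst: ipaddress.IPv4Network
    proto: str
    dport: int
    comment: str


# Constructed allowlist: the only flows the device segment may initiate.
ALLOW_RULES = [
    Rule(ipaddress.ip_network("10.20.1.15/32"), "tcp", 104, "DICOM to PACS archive"),
    Rule(ipaddress.ip_network("10.20.1.53/32"), "udp", 123, "NTP time sync"),
]


def is_internal(addr):
    """True if addr falls inside the hospital's private address space."""
    return any(addr in net for net in INTERNAL_RANGES)


def evaluate(src, dst, proto, dport):
    """Return 'accept' or 'drop' for a NEW connection from src to dst:dport.

    Reply packets of accepted connections are handled by connection tracking in
    the rendered ruleset and are not modelled here. Flows that neither start in
    nor target the device segment are reported as 'not-in-scope'.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in DEVICE_SEGMENT:
        # Outbound from the device: the internet is never reachable, and
        # internal destinations only through an explicit allow rule.
        if not is_internal(d):
            return "drop"
        for r in ALLOW_RULES:
            if d in r.dst and proto == r.proto and dport == r.dport:
                return "accept"
        return "drop"
    if d in DEVICE_SEGMENT:
        # Inbound new connections to the unpatchable device are never accepted;
        # this is what keeps remote exploitation of its old software off the wire.
        return "drop"
    return "not-in-scope"


def render_nftables(iface_in="eth-devices"):
    """Render the same policy as an nftables forward chain (interface name assumed)."""
    lines = [
        "table inet legacy_device_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in ALLOW_RULES:
        lines.append(
            f'    iifname "{iface_in}" ip saddr {DEVICE_SEGMENT} '
            f"ip daddr {r.dst.network_address} {r.proto} dport {r.dport} "
            f'ct state new accept comment "{r.comment}"'
        )
    lines += [
        "    # everything else, including any path to the internet, hits the drop policy",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    for flow in [("10.40.7.22", "10.20.1.15", "tcp", 104),   # device -> PACS
                 ("10.40.7.22", "203.0.113.10", "tcp", 80),  # device -> internet
                 ("203.0.113.10", "10.40.7.22", "tcp", 80)]: # internet -> device
        print(flow, "->", evaluate(*flow))
```

The policy is deliberately one-directional: the device may open the handful of connections it needs, replies come back through connection tracking, and nothing may open a connection to the device. Auditing the allowlist is then a matter of reading a few lines rather than reasoning about what an unpatched Windows NT host will or will not withstand.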

In the past, manufacturers have claimed they cannot upgrade or patch software to enhance security because changing the device would trigger a new FDA 510k approval process.