Case Study 5-1 Vulnerabilities of Medical Devices

Medical devices that are controlled by computer softwarefrom heart monitors and pacemakers to mammogram and X-ray machinesare new targets for computer viruses and malware.* This could put patients at risk, although no injuries or deaths have been reported so far. The Food and Drug Administration (FDA) is warning the manufacturers of medical devices about the problem and is requesting them to review the parts of their security plans that are related to these devices when they seek approval from the government agency. In October 2016, Johnson & Johnson warned patients that use its insulin pumps to exercise cushion as it has learned of a security vulnerability that a hacker could exploit to overdose diabetic patients with insulin, although the risk is low.*

A Department of Veterans Affairs report has shown that 327 devices at VA hospitals have been infected by malware since 2009. In January 2010, a VA catheterization laboratory was temporarily closed due to infected computer equipment that is used to open blocked arteries. And in a case at a private Boston Hospital, computer viruses exposed sensitive patient data by sending it to outside servers. The increased applications of electronic record systems as a part of the 2009 stimulus package is adding to this risk.

In addition to privacy issues, hackers can change patients medical records and treatment plans. If the system does not have a strong login access, some patients can access a system and alter their own medications, such as those taking narcotic susbtances. Hackers could use Shodan, a search engine for locating Internet-connected devices, using terms such as radiology and X-ray.*

Manufacturers must improve the security features of these devices, making them more difficult for hackers to break into. And there needs to be close coordination between the manufacturers and healthcare providers to further enhance security. Also, hospitals and medical facilities must make sure that all the software running these devices is up to date and any updates have been installed. Finally, these devices must be blocked from Internet access.*

Answer the following questions:

What are three examples of devices that could be attacked by computer viruses?

What are the risks related to using electronic health records in hospitals and medical facilities?

What are three pieces of advice for reducing the risk associated with using these devices?