Luis Louro - Fotolia
A new malware detection tool designed to improve medical device security is currently in beta testing at two major U.S. hospitals.
A team of researchers at the University of Michigan in 2013 designed a malware detection tool, dubbed WattsUpDoc, to enhance embedded system security in hospitals. The team of researchers eventually went on to form Virta Labs, a startup based in Ann Arbor, Mich., to market their product. Benjamin Ranford and Denis Foo Kune, CTO and CEO of Virta Labs, respectively, presented the finished product at the 2015 RSA conference. Their goal was to create a product that would work on legacy systems and medical devices in hospitals and improve the embedded system security.
Hospital computers and medical equipment are unique environments in that they are more or less disconnected from networks, according to Virta Labs. They often run old versions of operating systems, since updating the devices is a hassle and could introduce more threats. The U.S. Food and Drug Administration only recently advised hospitals to be vigilant in reporting cybersecurity issues and improve medical device security.
"Right now there's no antivirus product you can buy for an internet of things (IOT) device or an embedded system," Kevin Fu, chief scientist and co-founder at Virta Labs, said. "It just doesn't exist. And yet malware is still getting in."
WattsUpDoc is a hardware tool that acts as bridge from the embedded system to the power outlet. By measuring the power consumption, WattsUpDoc is able to detect tiny changes in flow that could mean a device is running malware. Its detection rates are similar to those of conventional malware-detection systems on PCs. And WattsUpDoc is not connected to a network, so it is not open to infection. It also does not require updates.
"You can think of it like how people recognize when they get a common cold: Are you running more slowly? Do you feel groggy? It's not like a dialog box pops up, 'Warning you're infected,'" Fu explained. "It's a little more subjective like, 'You seem to have symptoms of malware. Let's check again in an hour. Yeah it appears to be getting worse; you should go see a doctor.'"
Kevin FuChief scientist and co-founder, Virta Labs
These alienated devices, such as medication measurement tools, are rarely infected on purpose. Malware, carried through the sneakernet, infects embedded systems with no gain to the malware designer. But such an infection can interfere with the performance and calibration of a device, and render it useless.
"The goal here is to protect devices that are collateral damage and are getting infected with generic malware," Shane S. Clark, PhD student at the University of Massachusetts Amherst and one of the collaborators on the project, said at the 2013 USENIX conference. "And in that case, I don't think it's worth the malware developer's time to circumvent this specific technique."
Fu said that malware that specifically targets medical equipment may not be a problem yet, but hospitals and medical device manufacturers should still prepare for the threat.
The federal government also agrees. "All medical devices carry a certain amount of risk," according to a statement by the FDA, which points out that the benefits of such devices usually outweigh the risks. "While the increased use of wireless technology and software in medical devices also increases the risks of potential cybersecurity threats, these same features also improve health care and increase health care providers' ability to treat patients."
According to Fu, the most common infection vector is the "good old USB drive." Hospitals have reported cases where contractors who are maintaining or updating medical device software are the ones inadvertently infecting the systems they are there to protect.
"The most prevalent kind of malware getting into hospitals is a piece of malware that has no idea it's even in a hospital," said Fu. "That's really what WattsUpDoc was designed to detect -- the common case."
The main risks of infection are damage to the integrity of the device and unavailability of the device. If the integrity of the device is lost, a clinician can no longer trust the readings coming out of it. Availability refers to cases when malware infecting a device causes the device to stop operating. Either case renders the machine useless. These are the risks and consequences that Fu's team intended on mitigating with their project.
The long term downside to this is that old software allows for more malware. Fu said that technology in modern hospitals still runs OSes as old as Windows 95.
"In fact you'll find some malware that's really rare except in hospitals, because the medical equipment runs on such ancient operating systems," Fu explained.
The FDA issued warnings to manufacturers imploring them to keep software up to date, but these for the most part have been ignored. Manufacturers are only now beginning to understand the importance of updates.
"We can try to delude ourselves into thinking that a device on a network is not connected," Fu said. "In reality it gets connected anyway -- it's just connected through sneakernet."
Security expert Gary McGraw asks who's in charge of medical device security