Silent Epidemic: Do Software Errors Already Affect Patient Outcomes?

In-brief: Software- and hardware-related failures may already affect patient outcomes, experts say, but nobody is measuring it.

Medical errors linked to the failure of medical device hardware and software may already impair patient health, but little is known about the problem because it is rarely measured. That is the view of experts who spoke in the shadows of the Black Hat computer security conference on Tuesday.

Speaking on a panel focused on medical device security in Las Vegas on Tuesday, a group of leading medical device and information security experts said that software errors that affect patient care almost certainly occur, but more needs to be done to identify and measure them if care delivery organizations hope to improve patient outcomes.

“I believe there has already been patient harm,” said Dr. Dale Nordenberg, the co-founder and Executive Director of the Medical Device Innovation, Safety & Security Consortium.

Nordenberg told Security Ledger that the discrete interactions patients have with medical devices each day in healthcare settings in the U.S. number in the millions, or more. Over the course of a year, that may add up to billions of interactions between patients and medical hardware and software, making errors and malfunctions that affect patient care in some way a near certainty.

Only rarely do such incidents warrant notice. In May the Food and Drug Administration published an alert about an incident in which antivirus software caused a medical diagnostic computer to fail in the middle of a cardiac procedure, denying physicians access to data and potentially endangering patient safety. Recent news reports have also underscored the fragile nature of many clinical networks. Widespread infections of ransomware have crippled clinical networks and forced clinical staff to cancel patient appointments, delay procedures and fall back to paper record keeping.

Despite such incidents, there is no official effort to track the link between software or hardware failures, malicious software infections or user-related errors and patient outcomes.

“In medicine, outcomes drive decisions about what to do, and we don’t have data that’s clear enough to design intervention programs,” Nordenberg told the audience at the event at The House of Blues at The Mandalay Bay casino in Las Vegas. Codenomicon, a security mini-conference, was sponsored by the firm Synopsys.*

The problems facing the medical field and health delivery organizations (HDOs) are manifold, the experts agreed. Security firms have documented the poor state of security in the software that runs medical devices, including critical and remotely exploitable security holes. Billy Rios (@xssniper), a founder of the firm WhiteScope, said that HDOs and the medical industry do a poor job of sharing information about threats with each other. Josh Corman of The Atlantic Council noted that the federal government currently does not provide funding for security assessments of medical environments, nor does it directly support the hiring of dedicated staff to help secure healthcare environments. Further, reimbursement for medical care is tied to procedures and to the meaningful use of technology, which drives up the number of interactions and interventions.

Michael McNeil, the Global Product Security and Services Officer at Philips Healthcare, said that manufacturers like Philips have improved the security of hardware and software in recent years. Philips, for example, has developed systems to receive reports from independent security researchers and patch security holes – an improvement.

But Corman noted that healthcare organizations have decades of investment in medical devices and won’t be parting with the older and possibly insecure technology anytime soon. “We can’t sell them the new secure stuff until we get them to abandon the old, insecure stuff that’s running Windows XP,” said Corman. “And there’s no budget for that.”

Most important: hospitals and healthcare organizations often lack systems and processes for assessing cyber risks. The consequences are easy to see. The SamSam malware propagated on healthcare networks by exploiting a known vulnerability in the JBoss application server software. Many healthcare organizations had not patched that vulnerability, and may have been unaware that a particular medical software system or device relied on JBoss and so exposed their environment to SamSam infections, Corman said.

Kevin Fu of the firm Virta Laboratories said the real danger of ransomware and similar disruptive malware isn’t the loss of patient data, but the possibility that patients may not get critical care delivered when they need it.

Even as medical device makers focus on securing software and hardware, hospitals and other health delivery organizations need to focus time, energy and resources on operational security issues, the experts agreed. Nordenberg noted that hospitals, driven by federal mandates and changes in reimbursements under the Affordable Care Act, have spent years documenting medical errors and isolating factors that lead to patient readmission. A similar approach could easily be extended to monitoring and documenting errors involving medical software and hardware, he said.

“We do this all the time in public health,” he said. “You build a system by which you can measure the problem.”

(*) This story was changed to use the correct spelling of the name of the firm Synopsys. PFR 8/8/2016