Electric Therapy for Medical-Device Malware
August 15th, 2013 by admin

Researchers show how to spot viruses on equipment like drug mixers and pregnancy monitors: by examining their power usage.

By David Talbot on August 9, 2013

Hospital rooms beep and flash with many devices that are increasingly getting infected with malware (see “Computer Viruses Are ‘Rampant’ on Medical Devices in Hospitals”). But for several reasons, these gadgets are often incompatible with commercial security software.

Now, new technology developed by academic researchers could catch most malware on the devices just by noting subtle changes in their power consumption. This could give hospitals a quick way to spot equipment with dangerous vulnerabilities and take the machines offline. The technology could also apply to computer workstations used in industrial control settings such as power plants.

The system, dubbed WattsUpDoc, is based on work involving Kevin Fu, who heads a research group on medical-device security at the University of Michigan and has uncovered several vulnerabilities in medical equipment. The research group tested WattsUpDoc on an industrial-control workstation and on a compounder, a machine commonly used in hospitals to mix drugs. In both cases the devices ran on modified versions of the Windows operating system.

The malware detector first learned the devices’ normal power-consumption patterns. Then it was tested on machines deliberately infected with malware. It was able to detect abnormal activity more than 94 percent of the time when it had been trained to recognize that malware, and between 84 and 91 percent of the time with previously unseen malware.

The technology, which is scheduled to be presented at a conference next week, “highlights a novel way of monitoring,” says John Halamka, CIO of Beth Israel Deaconess Medical Center in Boston.

The next step, says Fu, is to do far more field testing. It is likely to be a year or more before the device could be commercialized, he adds.

The eventual goal is for the technology to alert hospital IT administrators that something is amiss, even if the exact virus is never identified. That’s important, because there are hundreds of thousands of medical devices in the field that probably won’t get changed to address their underlying vulnerabilities, says Shane Clark, a grad student at the University of Massachusetts, who works with Fu and developed the prototype. “This is about ‘We’ve got a problem right now, and it’s hard to get any weight behind policy and design changes for everything out there. So what can we do right now to improve the situation?’” Clark says.

Hospital devices such as pregnancy monitors, compounders, and picture-storage systems for MRI machines are vulnerable to infection because they are typically connected to an internal network that is, in turn, connected to the Internet. In June the U.S. Food and Drug Administration warned that malware was a growing problem and encouraged device makers to update software.

The FDA said that no known injuries had resulted from medical malware and that the computer infections were not known to be deliberately targeting medical equipment. But Clark says viruses can still inhibit medical care: “You need to mix a solution, but the compounder is running slow and keeps rebooting, or is unresponsive.”

Unfortunately, he adds, “you can’t just slap a copy of McAfee antivirus on your medical device.” That’s because even though many medical devices run Windows, they often use custom versions of the operating system that are incompatible with conventional antivirus software. And some machines can’t be loaded with these protections because their manufacturers prohibit third-party applications.

Other computer security researchers have been working on detecting malware by using power consumption as a proxy for unusual behavior (see “Tiny Changes in Energy Use Could Mean Your Computer Is Under Attack”). The key with hospital equipment is getting a very detailed profile of normal usage and being able to both detect changes and avoid false alarms.