Medical Devices, Malware & Mayhem

There were two IT security stories that caught my eye this week having to do with the subject of medical devices. The first, which is causing a small maelstrom in the IT security community, is about professor Mark Gasson from the University of Reading, who the BBC said with breathless hyperbole, was "the first man in the world to become infected with a computer virus."

What Dr. Gasson did, reported the BBC, was to implant an RFID security chip in his hand that opens security doors and activates his mobile phone.  He then deliberately infected the chip with a virus that was then able to be passed on to another device that was known to be susceptible to the virus.

Okay, that's nice. A proof of concept demonstration of an RFID-related risk that medical device manufacturers should put on their list to consider which other manufacturers of RFID systems already are aware of (but probably not enough).

However, the BBC story, which got a lot of play in the UK and European press, also provoked a lot of flack from IT security companies which said that the risk Dr. Gasson demonstrated was minimal and that the story was nothing more than scare-mongering for the sake of generating personal publicity.

The flack was so intense that BBC reporter Rory Cellan-Jones ended up writing a defense of the story in his blog, and asked Dr. Gasson to respond to all the criticism being sent his (their) way.

In essence, Dr. Gasson said that at Reading University, he and his colleagues "are exploring from a multi-disciplinary perspective the potential and risks of implanted devices. The research here has used a vulnerability in the technology to allow an engineered computer virus to propagate via an implant."

Dr. Gasson cited a couple of IEEE papers -  one in IEEE Pervasive Computing and the other in IEEE Spectrum - as reasons why his is useful research to pursue. He also said that he will be presenting a paper, "Human Enhancement: Could you become infected with a computer virus?" at the June 2010 IEEE International Symposium on Technology and Society (ISTAS ’10) conference.

I must admit I am a bit surprised by the firestorm over this story. Seems innocent enough, if over-hyped. Researchers, after all, have been looking at the security issues with wireless implantable medical devices for the past several years.

Anyway, while that little firestorm over the BBC story was happening, there was a story that appeared in InformationWeek about the US Department of Veterans Affairs reporting that over the past 14 months, more than 122 medical devices (which the VA defines as "any device that is used in patient healthcare for diagnoses, treatment, monitoring, or has gone through the Food and Drug Administration’s (FDA) premarket review process") have been compromised by malware.

In other words, devices such as MRIs, CT scanners, EKG machines, audiology machines, and the like.

The VA has 50,000 such devices and has been working through a process since at least 2004 to secure all of them - hopefully by the end of this year.

The major issue, the VA says, is that "... because their [the devices] operation must be certified, the application of operating system patches and malware protection updates is tightly restricted."

As a result, it may take awhile after a device has been found infected to get it properly cleaned. The VA tries to automatically firewall off compromised devices to try to keep any infection from spreading.

Both stories indicate that security of medical devices of all kinds is a priority, and will likely remain so for many years to come.