IoT Medical Devices: A Prescription for Disaster
Tom Spring reports:
Late last month, TrapX Labs’ security team spotted an uptick in the prevalence of a new, more virulent strain of malware targeting hospitals and their IoT equipment. Researchers discovered attackers targeting unpatched medical equipment running Windows XP and Windows 7 with variations of attacks such as the Conficker worm, long thought obsolete. The malware, TrapX said, now has an enhanced ability to laterally move within a network and target specific types of medical devices that have a strong likelihood of connecting to backend medical record systems.
But patching or ridding devices of malware is also complicated, for reasons many members of the public may not realize:
The logical fix for infected IoT gear is to scrub the equipment of the malware and add security software. But that’s rarely an option. In many cases, when hospitals become aware of malware infection on MRI machines, ultrasound equipment and drug pumps, their hands are tied by Federal Drug Administration rules that prevent changes in equipment software. “The FDA has strict rules and regulations about medical devices and what updates, firmware or patches can be applied to those systems,” Chon said. “When an MRI machine gets approved by the FDA it’s considered a diagnostic equipment or a treatment. FDA rules state any changes made to that system have to go back through the FDA certification process,” he said.
Read more on Threatpost.