Worm Your Way Out of This One

May 12, 2009


Right now one anonymous manufacturer may be gearing up for some unwelcome postmarket legwork. Experts have recently identified at least 300 medical devices from one unnamed manufacturer that have fallen prey to the Conficker Internet worm. Used in hospitals to manipulate high-intensity scans such as CT and MRI, the infected unidentified products pose a serious security threat. Although no patients have been harmed as a result of the malware, the infected devices were obtaining instructions over the Internet, despite the fact that they were not supposed to be connected to the Internet at all. This could result in confidential patient records being obtained and leaked, or in the disruption of other devices connected to the same network. Researchers suspect that many other devices, not just the ones from the unidentified manufacturer, could also be infected.

The devices that have been identified as infected with the worm were vulnerable because they were running an unpatched version of Microsoft's operating system that is used in embedded devices. "As far as we understand, this system is controlled by, and must be patched by, the manufacturer because it is a custom device," Rodney Joffe, founder of an unofficial organization known as the Conficker Working Group, recently told Medtech Pulse. "The raw patch is provided by Microsoft. In the case of the already infected machines, the infections need to be removed. This is likely a complicated process, and must be carried out by the manufacturer because it is custom software wrapped on top of Microsoft's operating system."

And, although installing the Microsoft patch could serve as a quick fix, the manufacturer arrived at an impasse: FDA requires that manufacturers give a 90-day notice before machines are patched. During this 90-day interim, the devices could be manipulated by the worm to carry out illegal and disruptive actions.

"It is clear that, in some cases, there is a disconnect between government rules meant to protect consumers and today's cyber threats, which sometimes result in delaying and hindering the ability to fix problems, such as in the case with medical devices," Joffe said in his May 1 testimony to the Committee on Energy and Commerce's subcommittee on Communications, Technology, and the Internet.

The Conficker worm once again brings up the rising importance of integrating security components into medical devices, since, unfortunately, the world just isn't what it used to be.
