Computer scientists have found a way to detect malware lurking on medical devices by measuring their power usage over time.
The computer that reads images from a CT scanner. The machine that mixes liquid medications in the correct dosage. Even the laptops at your doctor’s office that can pull up your medical records—all of these devices are networked, and like any other computer, they can be infected by viruses and malware.
The technology, called WattsUpDoc, monitors power usage in a medical device system. Minor fluctuations in the system’s power consumption can indicate that malware is running in the background, stealing additional resources.
After a series of training sessions, WattsUpDoc was able to spot malware it had been trained to detect with 95 to 99 percent accuracy and malware it hadn’t been trained for with 85 to 90 percent accuracy. This is about as accurate as commercial malware scanning software for personal computers.
“A big part of the problem is that there are a lot of medical devices out there that run Windows or other consumer operating systems, so they become infected with the same sorts of malware that you run on your own computer,” explained Clark in an interview with Healthline. “One single medical system often comprises multiple devices. For example, with MRI, the machine that takes the images is not the one that you view them on.”
Although many of these computers are running standard operating systems, they don’t run standard software, making many anti-virus programs incompatible. Strict requirements for medical devices also make device manufacturers wary of allowing any third-party software to be installed on their machines.
“Some manufacturers explicitly forbid device owners to install OS security updates or antivirus software, under the impression that they cannot certify a device’s safety if the software configuration changes,” Clark writes in his paper.
Clark isn’t the only one who’s concerned. The Food and Drug Administration (FDA) issued a
WattsUpDoc won’t catch malware designed to avoid altering power consumption, but it could catch most garden-variety malware. For now, at least, that may be all the medical industry needs.
“So far, we’re not aware of any malware specifically targeting medical devices,” says Clark. “There have been cases where malware has gotten onto devices containing patient data. Some of that malware is designed to do things like steal credit card data or log keystrokes, but we haven’t seen anything so far where stealing patient data was the goal.”
But stealing confidential patient data isn’t the only problem medical malware could cause. Malware also disrupts a computer’s normal functioning, making it slow down or even crash. While it’s annoying to lose a document when a personal computer crashes at home, having a medical device fail in the middle of surgery could be disastrous.
“The main concern is the safety and effectiveness of the device,” Clark adds. “If it’s freezing or restarting, will you be able to provide care to the patient? If the computer freezes in the middle of a procedure or is drawing power or resources, that’s a really big deal.”
How often are failures like this happening? No one knows for sure. “The FDA doesn’t have a post-market surveillance system to deal with things like that,” Clark says. “We don’t have a clear picture of how often this is happening. That’s one of the things we’re hoping to improve—to get a reliable system to say this system has a virus rather than it’s malfunctioning for unknown reasons.”
One thing we do know is that medical devices are being networked far faster than security measures are evolving to keep up with them. A new search engine called Shodan, developed in 2009, can run searches for any unsecured networked device. Healthline ran searches on “hospital” and “medical” and found over 4,000 completely unsecured devices on medical networks worldwide, mostly in the United States, South Korea, and Japan.
John Matherly, creator and CEO of Shodan, is intrigued by WattsUpDoc but has his concerns. “The device is only as good as the training it receives, and by the nature of the solution, it will take some time to get it right,” he explains. “Especially since every hospital will have different [types of computers], operating systems, and power usage profiles. Even in their lab environment with a training set chosen by the researchers and a well-understood piece of hardware, the researchers had false negatives and false positives.”
Matherly sees a slew of other potential complications as well. “I don’t know how the system would deal with power fluctuations, power outages, hardware replacements, software upgrades—what if the software starts using less CPU because the vendor made improvements?—and a myriad of other changes that most businesses go through,” he says.
Clark understands these challenges but is optimistic for WattsUpDoc’s future development. “Our main goal is to get in touch with healthcare providers and device manufacturers and gathering a lot of data and understanding what works best and how to make it a reality,” he says.