People visiting medical facilities these days may face delays and run down their mobile phone batteries while they wait.
Sometimes they’ll spot an appealing USB port in their doctor’s office or exam room and plug in. That’s a major cause for concern among administrators and privacy advocates; those USB ports are designed to deliver software upgrades and to upload or download patient data. Plugging in could expose medical information or cause a malfunction in a medical device.
This security threat, in fact, ranks among the ECRI Institute’s Top 10 Health Technology Hazards for 2016.
“If you’re desperate and your phone is almost dead, you may plug in anywhere,” warned Brad Bonnette, a project officer in ECRI’s Health Devices Engineering Group. He said the threat with USB ports comes not only from patients and their visitors. Medical professionals also do it.
Glitches caused by mobile phones plugged into medical or diagnostic devices can prevent patients from receiving therapy, alter device performance or cause a monitor or alarm to stop working. If confidential patient information is transferred, it could constitute a serious violation of privacy regulations.
The entire health system’s information systems also could be at risk if data gets into the wrong hands. A 2015 story in The Telegraph discussed a “killer” USB stick that could destroy entire systems upon insertion.
The Threat is Real
Last year, the U.S. Food and Drug Administration issued a recall on the Spacelabs ARKON anesthesia delivery system because of a software defect. In the recall, the FDA noted that plugging a cell phone or other device into one of the four USB ports on the machine could stop it from working.
Bonnette told Healthline he has heard about two cases where USB ports in medical equipment have been inappropriately used. In one case, an anesthesiologist monitoring a patient charged a phone on the device. In another case, a monitor kept rebooting and malfunctioned because of unauthorized USB port use.
“We don’t have complete confidence that all these devices are safe when a phone is plugged into them,” Bonnette said.
Just because there are not more reported cases of malfunctions and breaches does not mean they do not exist, Bonnette said.
“This has such a large potential for things that do not get reported typically,” he said.
Bonnette advised against the temptation to plug into a medical port, even if the odds that something will happen seem slim.
“It’ll probably be fine, but why take the chance?” Bonnette added.
Preventing USB Pitfalls
ECRI has called for facilities to enact policies on appropriate use of USB ports. People should be made aware that plugging their personal devices into medical equipment USB ports is not acceptable and potentially dangerous to the medical system, the patient and the individual.
"USB ports present a significant risk to any system that stores sensitive data or provides health or safety related services. Not only can they be easily used to plant malware or steal information, but they can also be used to intentionally or unintentionally destroy a system,” Vince Crisler, a partner with the cyber security firm Fortalice Solutions, told Healthline.
Crisler had advice for medical facilities as well as visitors and patients.
“From a company perspective USB ports should be disabled or very closely monitored at all times,” he said. “From a user perspective, every time you connect one of your devices to an unknown USB port you are putting your security at risk.”
Medical Device Security Under Scrutiny
A 2014 report from the SANS Institute found that 94 percent of healthcare organizations have experienced a cyber attack, which includes attacks on medical devices and infrastructure.
According to a 2015 study in Medical Devices, USB sticks can be used as part of inadvertent data corruption, viruses, or leaks, not just intentional breaches.
"Common causes of [computer virus] infections include use of the internet and USB flash memory drives from vendors who are paradoxically updating software on medical devices," authors of a 2012 study in PLoS ONE stated.
In 2013, the FDA issued draft guidelines to medical device makers requiring them to include security protections in any new device coming to market. They also emphasized the scope of the cyber security issues for existing systems.
What Can Be Done?
In addition to more awareness about inappropriate USB use, other controls may be able to boost security.
Cory Bowline, who works for the security firm Red Canary, told Healthline that he has seen hospitals set up safeguards that can identify every time a USB device is plugged into a computer and record specific information related to the session.
“Though this approach will not prevent any threat to the equipment, it can be extremely useful for identifying which employees might be putting the organization at risk or just ignoring organizational policy,” he said.