Electric Therapy for Medical-Device Malware

Researchers show how to spot viruses on equipment like drug mixers and pregnancy monitors: by examining their power usage.

Thousands of medical devices are vulnerable to being compromised by common computer viruses.

Hospital rooms beep and flash with many devices that are increasingly getting infected with malware (see “Computer Viruses Are ‘Rampant’ on Medical Devices in Hospitals”). But for several reasons, these gadgets are often incompatible with commercial security software.

an implantable pacemaker
Malware practice: Kevin Fu specializes in finding vulnerabilities in electronic medical equipment. Here he holds an implantable pacemaker used in earlier security research.

Now, new technology developed by academic researchers could catch most malware on the devices just by noting subtle changes in their power consumption. This could give hospitals a quick way to spot equipment with dangerous vulnerabilities and take the machines offline. The technology could also apply to computer workstations used in industrial control settings such as power plants.

The system, dubbed WattsUpDoc, is based on work involving Kevin Fu, who heads a research group on medical-device security at the University of Michigan and has uncovered several vulnerabilities in medical equipment. The research group tested WattsUpDoc on an industrial-control workstation and on a compounder, a machine commonly used in hospitals to mix drugs. In both cases the devices ran on modified versions of the Windows operating system.

The malware detector first learned the devices’ normal power-consumption patterns. Then it was tested on machines deliberately infected with malware. It was able to detect abnormal activity more than 94 percent of the time when it had been trained to recognize that malware, and between 84 and 91 percent of the time with previously unseen malware.

The technology, which is scheduled to be presented at a conference next week, “highlights a novel way of monitoring,” says John Halamka, CIO of Beth Israel Deaconess Medical Center in Boston.

The next step, says Fu, is to do far more field testing. It is likely to be a year or more before the device could be commercialized, he adds.

The eventual goal is for the technology to alert hospital IT administrators that something is amiss, even if the exact virus is never identified. That’s important, because there are hundreds of thousands of medical devices in the field that probably won’t get changed to address their underlying vulnerabilities, says Shane Clark, a grad student at the University of Massachusetts, who works with Fu and developed the prototype. “This is about ‘We’ve got a problem right now, and it’s hard to get any weight behind policy and design changes for everything out there. So what can we do right now to improve the situation?’” Clark says.

Hospital devices such as pregnancy monitors, compounders, and picture-storage systems for MRI machines are vulnerable to infection because they are typically connected to an internal network that is, in turn, connected to the Internet. In June the U.S. Food and Drug Administration warned that malware was a growing problem and encouraged device makers to update software.

The FDA said that no known injuries had resulted from medical malware and that the computer infections were not known to be deliberately targeting medical equipment. But Clark says viruses can still inhibit medical care: “You need to mix a solution, but the compounder is running slow and keeps rebooting, or is unresponsive.”

Unfortunately, he adds, “you can’t just slap a copy of McAfee antivirus on your medical device.” That’s because even though many medical devices run Windows, they often use custom versions of the operating system that are incompatible with conventional antivirus software. And some machines can’t be loaded with these protections because their manufacturers prohibit third-party applications.

Other computer security researchers have been working on detecting malware by using power consumption as a proxy for unusual behavior (see “Tiny Changes in Energy Use Could Mean Your Computer Is Under Attack”). The key with hospital equipment is getting a very detailed profile of normal usage and being able to both detect changes and avoid false alarms.

Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.

Subscribe today

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Connectivity

What it means to be constantly connected with each other and vast sources of information.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly magazine delivery and unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.