Under current law, the software that runs medical devices in hospitals must, once approved, remain unchanged. Manufacturers therefore do not install anti-virus software or issue patches for security flaws, Technology Review reports.
As with most unprotected computers connected to a network, the medical devices become infected with malware. The best hospitals can do is take infected machines offline and clean them, a time-consuming and labor-intensive process during which the device is unusable.
"Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems," Kevin Fu, a medical-device and computer security scientist at UMass Amherst and the University of Michigan, told Technology Review. "There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."
The biggest concern, though, is what impact the malware has on the devices and what that means for patient safety.
In one case, malware slowed a fetal monitor used for high-risk pregnancies until the infected device stopped tracking and recording data, said Mark Olson, the chief information security officer at Beth Israel Deaconess Medical Center in Boston.
"Fortunately, we have a fallback model because they are high-risk [patients]," Olson told Technology Review. "They are in an IC unit — there's someone physically there to watch. But if [a doctor or nurse] are stepping away to another patient, there is a window of time for things to go in the wrong direction."