Typically, the cybersecurity of control systems is believed to concern only the electrical grid or power systems. It covers, however, much more than the electrical grid. When reading this note, one should think not only of medical devices, but also of any other application of control systems in any industry. The issues identified below - inappropriate software, unforeseen interactions, and lack of proper training - have been the cause of numerous cyber incidents across multiple industries.

Recently, I went to the hospital to get X-rays. While talking with the X-ray technician, I mentioned that certain poorly programmed X-ray machines had resulted in serious injuries and deaths. [Between 1885 and 1987, the Therac 25 machine for radiographs sometimes gave patients doses of radiation that were hundreds of times greater than normal, due to numerous programming and system errors. The cause(s) were not identified for several years, during which time the Therac 25 system remained in use and continued to overdose patients. The excessive doses of radiation resulted in 3 serious injuries and 3 deaths.] What surprised me was not that the X-ray technician was unaware of this X-ray problem, but that he was aware of CT scanning machines, which similarly had caused serious injuries to certain patients:

In the 2009 timeframe, the FDA found approximately 400 overdoses received by patients at five hospitals in California and one in Alabama. The overdoses were all from GE and Toshiba computerized tomography scanners and appear to have come from the inappropriate use of a safety feature. GE scanners have a feature called automatic exposure control, which automatically adjusts the radiation dose according to the size of the person and the part of the body being scanned, instead of using a fixed, predetermined radiation level. Its intention is to reduce radiation doses, but when used in combination with certain machine settings that govern the clarity of the image, its effect was the opposite, significantly increasing the radiation dose delivered to the patient. GE states that the feature was designed for procedures that scan multiple body parts of variable thickness and that it is of limited utility for perfusion scans of the brain, which target only the brain. Hospital officials claim that GE instructors never correctly explained its function and that the manuals did not warn about its limited use for brain perfusion scans. Overexposures, whether due to automatic exposure control or other reasons, were not especially difficult to prevent. The radiation dose that each patient was receiving was visible on the scanner console during the scan. A whole sea of numbers is shown on the screen during a CT scan, so it is certainly possible for this number to get lost on the screen. But not checking the radiation dose on the screen indicates a certain complacency about this particular number. The dose was right in front of the operators' eyes, but none thought of looking. Instead, they relied entirely on the machines.
The FDA suggests that the simplest way to prevent this from happening again is for scanner manufacturers to include an obvious on-screen indication of a radiation dose higher than normal, one that is difficult to ignore, such as a pop-up warning or an alarm sound. In addition, it asks scanner operators to check the display panel both before and during the scan, to make sure that the expected dose of radiation is the actual dose received by the patient.

Perhaps the most disturbing aspect is that, after going undetected for 18 months, the overdoses were discovered not through security checks or routine scan calibrations, but by a patient who began to lose hair after a scan and contacted the hospital. If radiation overdoses eight times greater than normal are only detected because a patient's hair falls out, how many smaller overdoses occur routinely during other CT scans but go undetected?

The FDA recognized this possibility as early as October 2009: “This situation may reflect more widespread problems with quality assurance programs for CT scanners, and cannot be isolated to this particular facility or imaging procedure (cerebral perfusion computed tomography). If patient doses are higher than expected, but not high enough to produce obvious signs of radiation injury, the problem may go undetected and underreported, putting patients at greater risk for long-term radiation effects.”
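The checks described above can be sketched in code. This is an added example, not code from any scanner vendor or from the FDA: it combines the pre-scan configuration warning, the hard-to-ignore per-scan alarm the FDA suggests, and a quality-assurance audit for the smaller, sustained overdoses the FDA quote warns about. All protocol names, thresholds, and dose values are constructed assumptions in arbitrary units.

```python
from dataclasses import dataclass
from statistics import median

# All values are constructed for illustration, in arbitrary dose units.
EXPECTED_DOSE = {"brain_perfusion": 0.5, "chest": 1.0}  # per-protocol reference
AEC_LIMITED = {"brain_perfusion"}  # protocols where AEC is of limited utility
ALARM_RATIO = 2.0  # hypothetical: one scan at/above this multiple must alarm
DRIFT_RATIO = 1.2  # hypothetical: protocol median at/above this is flagged

@dataclass
class Scan:
    scan_id: str
    protocol: str
    aec_enabled: bool  # automatic exposure control switched on
    delivered_dose: float

def prescan_warnings(scan):
    """Configuration checks to run before any exposure takes place."""
    warnings = []
    if scan.protocol not in EXPECTED_DOSE:
        warnings.append("NO_REFERENCE_DOSE")
    if scan.aec_enabled and scan.protocol in AEC_LIMITED:
        warnings.append("AEC_ON_LIMITED_PROTOCOL")
    return warnings

def audit(scans):
    """Return (scan ids that must alarm, protocols with sustained elevation)."""
    alarms, ratios = [], {}
    for s in scans:
        expected = EXPECTED_DOSE.get(s.protocol)
        if expected is None:
            alarms.append(s.scan_id)  # fail closed: no reference, no silent pass
            continue
        ratio = s.delivered_dose / expected
        ratios.setdefault(s.protocol, []).append(ratio)
        if ratio >= ALARM_RATIO:
            alarms.append(s.scan_id)
    # The median catches moderate overdoses that never trip the per-scan alarm.
    drifting = sorted(p for p, r in ratios.items() if median(r) >= DRIFT_RATIO)
    return alarms, drifting

SAMPLE = [  # constructed scan log
    Scan("s1", "brain_perfusion", False, 0.5), Scan("s2", "brain_perfusion", False, 0.55),
    Scan("s3", "brain_perfusion", True, 4.0), Scan("s4", "brain_perfusion", False, 0.45),
    Scan("s5", "chest", True, 1.3), Scan("s6", "chest", True, 1.4),
    Scan("s7", "chest", True, 1.3), Scan("s8", "chest", True, 1.5),
    Scan("s9", "chest", True, 1.3),
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the constructed log, scan `s3` is the gross overdose at eight times the expected dose, while the chest scans never trip the per-scan alarm yet are flagged by the audit as consistently elevated.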

It must be evident that the causes of these X-ray and CT scan overdoses are not unique to medical devices. Unforeseen system interactions have occurred in piping systems, nuclear power plants, electrical networks, transportation systems, etc. It should also be evident that security and protection must still be coordinated more effectively, and that there is a need to provide appropriate control system cybersecurity training and to understand possible unintended system interactions.


Source: Posted by Control Engineering

About the author: Eduardo Kando, WiseGroup Manager