Control system cyber incidents have injured and killed people in medical applications

Control system cyber security is often thought of as affecting the electric grid or energy systems. However, control system cyber security is much more than just the electric grid. When reading the blog, think not just medical devices, but any control system application in any industry. The issues identified below - inappropriate software, unanticipated interactions, and lack of appropriate training - have been the root cause of numerous control system cyber incidents in multiple industries (my database now contains more than 900 actual control system cyber incidents).

Recently, I went to the hospital for X-rays. While making small talk with the X-ray technician, I mentioned that certain mis-programmed X-ray machines had resulted in serious injury and deaths. In the 1985-87 time frame, the Therac 25 X-ray therapy machine sometimes gave its patients radiation doses that were hundreds of times greater than normal due to numerous programming and other system errors. The root cause(s) were not identified for several years, while the Therac 25 system remained in use, overdosing patients. The excessive radiation dosage resulted in 3 serious injuries and 3 deaths. What surprised me wasn’t that the X-ray technician was unaware of this X-ray issue but that he was aware of CT (Computed Tomography) scanning machines that had caused serious injuries.

In the 2009 time frame, the FDA found approximately 400 overdoses received by patients at five hospitals in California and one in Alabama. The overdoses all were from GE and Toshiba CT scanners and appear to have stemmed from the inappropriate use of a safety feature. GE scanners have a feature called automatic exposure control. It automatically adjusts the radiation dose according to a person's size and the body part being scanned, rather than using a fixed, predetermined radiation level. Its intent is to lower radiation doses. But when used in combination with certain machine settings that govern image clarity, its effect was to significantly raise the dose of radiation delivered to a patient. GE claims that the feature was designed for procedures that scan multiple body parts of varying thickness. It's of limited usefulness for brain perfusion scans, which target only the brain. Hospital officials claim that GE trainers never properly explained the feature and that manuals do not point out that the feature is not designed for use in brain perfusion scans.

The over-exposures, whether due to the automatic exposure control or other reasons, were not especially difficult to prevent. The radiation dose each patient was receiving was visible on the scanner console during the scan. An entire sea of numbers is displayed on-screen during a CT scan; it's certainly possible that one could get lost. But not checking the on-screen radiation dosage indicates a certain complacency about this one particular number: the radiation dose. The dosage was right in front of the operator's eyes. But no one thought to look; instead, they placed their trust in the machines.

The FDA suggests that the simplest way to prevent this from happening again is for scanner manufacturers to include an obvious indication on the screen of a higher-than-normal radiation dose, one that's difficult for the operator to ignore, such as a pop-up warning or sound. It also calls on scanner operators to check the display panel both before and during a scan, to ensure that the expected dose of radiation is the actual dose the patient receives.

Perhaps the most disturbing aspect is that after going undetected for 18 months, the overdoses were discovered not through safety checks or routine scanner calibrations, but because of one patient whose hair fell out and who contacted the hospital about it. If eight-fold radiation overdoses are only detected because a patient's hair falls out, how many smaller overdoses routinely occur during other CT scans but go undetected? The FDA recognized this possibility as early as October 2009: "This situation may reflect more widespread problems with CT quality assurance programs and may not be isolated to this particular facility or this imaging procedure (CT brain perfusion). If patient doses are higher than the expected level, but not high enough to produce obvious signs of radiation injury, the problem may go undetected and unreported, putting patients at increased risk for long-term radiation effects."

It should be obvious that the causes of these X-ray and CT scan overdoses are not unique to medical devices. Unintended system interactions have occurred in pipelines, nuclear plants, electric grids, transportation systems, etc. It should also be evident that safety and security still need to be better coordinated. There is a need to provide appropriate control system cyber security training and to understand potential unintended system interactions.

Joe Weiss