Implants Raise Security Awareness
Date: 2018-01-02
Under the pressure of increasingly sophisticated attacks, medical device cybersecurity will become an important subspecialty for clinical research organizations in years to come.
In 2007, cautious doctors replacing former Vice President Dick Cheney's heart defibrillator ordered the device’s manufacturer to disable its wireless capability. Cheney’s cardiologist was concerned that a terrorist might hack the device and send the vice president’s heart a fatal shock.
Whether turning off the implant’s wireless feature was an act of prudent precaution or paranoia is a matter of perspective, but more than a decade on, the security of networked medical devices is a serious concern for many reasons. Concerns are growing as devices are engineered to gather and report increasing amounts of data, most of it collected and transmitted using widely available, off-the-shelf software.
The biggest concern is not over malicious attacks on individual patients. The majority of hackers mining data from implantable and wearable devices are pursuing financial gain.
Hacked data can reveal commercially valuable information, such as performance data on competitors’ products. Such data can be used to exploit weaknesses in a rival’s marketing or used to modify the company’s own offerings.
Networked devices provide feedback on a wide range of patient data such as blood pressure, respiration, blood enzyme levels, and other health conditions. Insurers that issue individual life insurance policies often purchase this information — repackaged by third parties to be of apparently legitimate origin — to assess clients for insurability and to set premiums.
The targets of these hacks can include healthy people using implantable birth control and even users of the now ubiquitous wearable personal fitness devices such as Fitbits. These fitness products can produce vast amounts of personal biometric data but are subject to no federal regulation.
Another growing concern has nothing to do with hacking but is the natural result of our hyperconnected world. Benign and even benevolent sources of radio energy such as Wi-Fi systems and hospital networks have been found to interfere with medical devices.
Responding to these concerns, the FDA issued guidance on medical device cybersecurity specifically related to devices that use off-the-shelf software. The agency’s Center for Devices and Radiological Health declares that “a cybersecurity vulnerability exists whenever (off-the-shelf) software provides the opportunity for unauthorized access to the network or the medical device.”
In the FDA’s view, most of the responsibility for ensuring security lies with device makers. Still, the agency charges hospitals and health care facilities with evaluating their network security and protecting their hospital systems.
Pending federal legislation also would codify protections for medical device data. Last summer, Senator Richard Blumenthal of Connecticut introduced the Medical Device Cybersecurity Act of 2017. Blumenthal cited recent high-profile ransomware attacks and large-scale privacy breaches to underscore how vulnerable medical devices are to cyberattack.
--Joanne Emmett is vice president of medical devices at Premier Research