When I was young, I used to be awed while watching “The Six Million Dollar Man.” I was amazed by the possibility of having electronic parts in our bodies—something that seemed an impossibility. A few decades later, electronic parts such as heart monitors and insulin pumps are a reality — and it could be a dangerous one.
Yes, the technology is amazing, but what we don’t often think about is what happens when you connect medical devices to the Internet through wireless or Bluetooth, making them vulnerable to malware and cyberattacks.
Take Jerome Radcliffe, for example. Jerome is a diabetic who has a Continuous Glucose Monitor (CGM) attached to his body. The device monitors blood sugar levels every five minutes and, through wireless technology, communicates to a pump that delivers insulin to his body at the right levels and times. It occurred to Jerome, who has experience in amateur radio operation, that a hacker might be able to control his insulin pump using similar methods. He was right. At a cybersecurity conference in 2011, Jerome was able to demonstrate how someone could capture simple transmissions from the device and recode them or stop them entirely.
Once a medical device is infected, things can start to go haywire. Devices can give false readings or lead to excess, or lack of, medication that could kill patients. In 2007, former Vice President Dick Cheney asked his doctors to disable his pacemaker’s wireless capabilities to prevent any possible cyberattacks. Maybe he knew something that three million other Americans with pacemakers didn’t.
While there are no known health incidents related to medical devices in humans, cybersecurity professionals have identified a number of vulnerabilities, and the U.S. Food and Drug Administration (FDA) is investigating a number of devices for cybersecurity issues.
In 2014, the FDA issued recommendations to medical device manufacturers on cybersecurity management. The guidance applies to all new premarket submissions containing software, programmable logic, and standalone software. It includes:
- Limit access to trusted users only through user authentication, automatic timed session termination, strong password parameters, and appropriate physical security.
- Ensure trusted content, including restricting software or firmware updates to authenticated code and ensuring secure data transfer to and from the device.
- Implement features that allow for security breaches to be detected, recognized, logged, timed, and acted upon during normal use.
- Develop and provide information to the user outlining actions to take upon a cybersecurity event.
- Implement features that protect critical functionality, even when the device’s security has been compromised.
- Provide methods for retention and recovery of device configuration by an authenticated user.
This is a great start, but medical device manufacturers, healthcare providers, and patients should also consider the following:
- Wireless technology can allow any external device to talk to a medical device embedded in a patient. The communication channel is necessary to provide updates or collect results from the device. However, devices should be configured to only communicate with approved sources, and additional devices should require secondary authentication.
- Wireless technology from medical devices shouldn’t broadcast their presence. Just because I’m near a device doesn’t mean I should be able to find it on a wireless network. If I can’t see the device, I can’t tinker with it.
- Medical devices collect medical-related data that someone can tap into and access. To mitigate this, devices should be encrypted by the manufacturer to protect the data collected and stored in the device.
- Medical device manufacturers should protect the software code, just like Coca Cola protects its secret formula. The code should be secure and not allow any unauthorized code to be added.
- Medical device manufacturers should vigorously test all devices, and ancillary support systems, prior to releasing them to market.
- Healthcare providers should separate the systems that support these devices on different networks to reduce the risk of a hacker accessing the device through other systems.
As the healthcare technology landscape continues to become more digitally connected, it also becomes more open to attack. It’s important that we understand the vulnerabilities so that we can make informed decisions regarding medical devices and their use. If you have a device embedded in your body, don’t be alarmed; be armed with the information you need to protect your health and security.