A time- and technology-challenged FDA, the proliferation of software-controlled medical devices in and outside of hospitals, and growth in the number of hackers have resulted in medical technology that’s riddled with malware. Furthermore, the lack of security built into the devices makes them ripe for hacking and malfeasance.

Scenario: a famous figure (say, a politician with an implantable defibrillator or a young rock star with an insulin pump) becomes targeted by a hacker, who industriously works his way, virtually, into the ICD’s software and delivers the man a shock so strong it’s akin to electrocution.

Got the picture?

Welcome to the dark side of health IT and connected health. Without strong and consistently adopted security technology and policies, this scenario isn’t a wild card: it’s in the realm of possibility. This is not new news: back in 2008, a research team figured out how to program a common pacemaker-defibrillator to transmit a “deadly 830-volt jolt,” according to Barnaby Jack, a security expert.

I had a sobering chat today with Christine Sublett, a privacy and security consultant who works with health industry stakeholders on these issues. She pointed me to the recent report from the Government Accountability Office (GAO) called “FDA Should Expand Its Consideration of Information Security for Certain Types of Devices.” She told me about several cases where some of the most prestigious hospitals in the U.S. have medical equipment that is infected with innumerable computer viruses because, due to FDA regulation of the devices as installed, they are unable to update computer security programs per the manufacturers’ directives. According to Pierluigi Paganini, a cyber-security expert, other vulnerabilities include:

  • Limited battery capacity
  • Remote access
  • Continuous use of wireless communication
  • Susceptibility to electromagnetic (e.g., cellular) or other types of unintentional interference.
  • Limited or nonexistent authentication process (such as requiring a password) and authorization procedures
  • Disabling of warning mechanisms
  • Design based on older technologies
  • Inability to update or install security patches.

The GAO found that the FDA’s focus has been on the safety of medical devices — not the security of them. Barnaby Jack believes the FDA doesn’t have the expertise to conduct security audits for every single medical device.

The GAO has analyzed risks from “unintentional threats” (e.g., airport security systems). However, the FDA hasn’t assessed “intentional threats” from adventurous hackers. The FDA categorizes unintentional threats into three types:

  • Unauthorized access, when someone directly hacks into a device to alter a signal (as envisioned above in that ICD-implanted politician)
  • Malware, when a malicious software program is embedded into a device
  • Denial-of-service attack, when, say, worms or a virus overwhelm the device making it unusable.

On industry’s side of this ledger, it can cost lots of money and years of time to incorporate security into a device that’s been FDA-approved, plus additional time-to-market.

More coverage on this issue can be found in the following media outlets:

Death by Defibrillator, NBC

Wireless Medical Devices Vulnerable to Hacking, TIME

Computer Viruses Are Rampant on Medical Devices in Hospitals, Technology Review

Jane’s Hot Points: With the proliferation of medical devices, and the emergence of mobile platforms and sensors in health, this issue will only grow exponentially as a risk to be managed in health care. With the advent of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), institutions thought security could be a challenge. The issue of security for software-enabled medical devices, with technology going mobile both in provider settings and to patients’ homes, makes HIPAA security seem like a proverbial walk in the park.

Here’s an example where the FDA must find a way to deal with this challenge immediately: it must give industry and providers crystal-clear guidance on an issue that’s absolutely an accident waiting to happen.

Jane Sarasohn-Kahn is a health economist and management consultant who serves clients at the intersection of health and technology. Jane’s lens on health is best defined by the World Health Organization: health is a state of complete physical, mental and social well-being and not merely the absence of disease or infirmity. She blogs at HEALTHPopuli.


1 Response for “The New Bioterrorism? The Hacked Medical Device”

  1. Thanks for posting this blog…….It is very helpful for us.
    It gives lots of information.
