By INGA SHUGALO
While the healthcare IoT demand forecasts are more than generous, anticipating the market to hit $158.07B by 2022, there is still a certain delay in IoT adoption across the industry. Connected medical devices, especially those that are directly involved in patient care, are adopted cautiously due to potential security vulnerabilities and risks to patient safety.
One of the reasons behind the hesitant adoption of healthcare IoT in cardiology is preexisting concerns about the security of implantable medical devices, such as pacemakers.
The recent pacemaker crisis revealed the vulnerabilities in pacemaker software across several major vendors. If exploited, software vulnerabilities would allow hackers to take over the device and control it fully. The crisis led to device recalls, certain features disabled, and even remote updates cut off completely to avoid unacceptable health risks.
This series of events led to a cautious attitude toward the emerging cardiology IoT. Since we can’t be sure that all exploits and vulnerabilities are eliminated in less advanced systems, are we really ready to take a step forward to more elaborate healthcare software solutions at this point?
The fact of the matter is, cardiology is already taking these steps. The new generation of pacemakers has embedded sensors to monitor a patient’s blood temperature, sinus node rate, breathing, and other vitals. This data is used to flexibly alter the heart rate, slowing or speeding it depending on a patient’s current activity level. They also inherited remote control from their predecessors. Practically, next-gen pacemakers are IoT devices.
Accordingly, the industry can either stigmatize the security concerns or choose to adopt a new perspective, seeing the pacemaker crisis as an opportunity to create a solid platform for unbiased adoption of upcoming connected cardiac devices.
The Pacemaker Crisis: Fast Facts
In 2017, FDA recalled approximately 465K pacemakers made by Abbott due to their potential security issues. In particular, the devices were identified as vulnerable to hacking, which could increase their activity or reduce battery life. Tampering with such insecure pacemakers would quicken the battery drainage and pose an indirect risk for the patients’ health and safety.
That same year, security researchers Billy Rios of Whitescope and Jonathan Butts of QED Secure Solutions uncovered vulnerabilities in one of Medtronic’s cardiac device programmers. They found vulnerabilities which would allow unauthorized users to get access to the programmer’s settings and tweak the functionality, taking control over the pacemakers. If any hackers were to exploit these vulnerabilities, they could disrupt the patient’s heart rhythms, hurting or even killing people.
The researchers notified Medtronic about their findings, warning them about potential patient safety threats. However, the vendor didn’t address the issue fully until 2018, when Billy Rios and Jonathan Butts demonstrated their discovery during the Black Hat security conference speech. The demonstration resonated with the audience and also drew the attention of DHS, FDA, and NCCIC. The regulators started collaborating with Medtronic to assist them in mitigating data security and patient safety threats in their devices.
However, security assurance seems to be still far from completion, as the attention of manufacturers and government agencies spreads to other cardiac devices. The 2019 FDA safety communication lists a wide range of Medtronic’s products that are still considered vulnerable.
The list features implantable cardioverter defibrillators (ICDs), cardiac resynchronization therapy defibrillators (CRT-Ds), device programmers, and monitors. Due to the lack of encryption, authentication, and authorization in the Conexus wireless telemetry protocol used in these devices, unauthorized users may be able to access and control them. The FDA also states that Medtronic is on the way to implementing additional security updates to ensure both PHI and patient health safety.
Turning Gaps into Gains: The Action Plan
Following the pacemaker crisis, cardiac IoT security assurance activities must be prioritized.
First, the regulators, providers and manufacturers must reach a consensus. All parties should make an effort to come up with standardized practices for securing IoT development and maintenance. In particular, they should define the obligatory protocols for remote configuration, data transfer, and updates to ensure the following security measures:
Identity validation and role-based access allow securing cardiac devices against unauthorized access. Only verified users, messages and services will be able to interact with protected device.
To ensure integrity, security testing should be held throughout the stages of development, upon implementation, and after each major update. Moreover, the manufacturers can issue specific certificates to validate data transactions, making sure they can’t be intercepted or altered.
Encrypted data transfer is also an essential measure for assuring the safety of cardiac devices. All inbound and outbound data flows, such as monitored vitals and patients’ current health status information, will be transmitted privately, making it much more difficult for hackers to access and modify data.
While the older cardiac devices may be too low-power, low-memory or low-capability to support all the basic security measures, vendors and regulators can work together to get rid of the vulnerabilities and exploits with certain workarounds.
For example, Medtronic significantly limited the range for the remote control and configuration of their pacemakers, programmers, and monitors. So while the vulnerabilities may still be in place, unauthorized users can only access them while physically near the active devices.
Fortunately, there have been no malicious activities or attacks in which hackers tampered with pacemakers, programmers, or other cardiac devices so far. However, the possibility itself is critical enough to prioritize the security assurance of connected cardiology devices.
The security crisis associated with cardiac devices might have hindered their adoption, yet it also pointed to a critical gap in policy-making and technology testing on the whole. While some measures are underway, fully bridging this gap will require a more coordinated effort from both regulators and manufacturers.
Inga Shugalo is a Healthcare Industry Analyst at Itransition, a custom software development company headquartered in Denver, Colorado. She focuses on Healthcare IT, highlighting the industry challenges and technology solutions that tackle them.