
Security, convenience, and medical devices

BY MARK LANTERMAN

As the Internet of Things continues to expand into every area of our lives, so too do our concerns about its secure use. The convenience of internet connectivity cannot be denied—the benefits of instant communication have made our society what it is today. From our washing machines to our smartphones, connectivity has spawned an unprecedented ease of use for consumers. But when the Internet of Things includes our personal medical devices, health and safety issues are paramount. 

In recent years, the security of medical devices has been increasingly scrutinized. Can a hack actually be perpetrated and if so, how? What are the potential risks if you’re the victim of a hack? These issues have understandably raised a lot of concerns for patients and their families. Recent reports surrounding Medtronic’s insulin pumps highlight the growing demand for a focus on patient security, even when no harm from the potential threat has yet been reported.

In the FDA’s official alert, the primary concern was that “due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings.”1 No patches or solutions are available to remediate this security vulnerability, so ultimately the recommendation is for patients to upgrade to a newer, more secure device. 


Earlier this year, Medtronic was also the subject of an FDA alert regarding vulnerabilities discovered in a number of its implantable cardiac devices, clinic programmers, and home monitors. The concern with these devices was that without encryption, authentication, or authorization, unauthorized access becomes a significant risk. In spite of the devices’ lack of basic security features, the FDA recommended that health providers encourage patients to continue using the monitors, noting, “The benefits of remote wireless monitoring of an implantable device outweigh the practical risk of an unauthorized user exploiting these devices’ vulnerabilities.”2 Whether it’s a cardiac device or an insulin pump, it would seem that discontinuing their use poses a far greater risk than the potential for a cyber attack. These devices have allowed health care practitioners to treat patients with incredible ease.

In the medical device field as in any tech sector, it remains true that when we gain convenience, we lose security. Any sort of internet connectivity makes us vulnerable to potential threats. But where medical devices are concerned, overestimating the risk can pose dangers in itself. In regard to the cardiac device vulnerabilities, I would posit that—like the St. Jude cardiac device issues that were in the media a few years ago—an attack would most likely require close proximity to the victim over an extended period of time. Likewise, an attack on a WiFi-connected insulin pump would also require close proximity.

That said, it is imperative that medical device companies acknowledge their responsibility to provide the most secure devices to patients. There is a growing impatience with any organization that refuses to implement basic security measures in its products, especially organizations responsible for the safe production of medical devices. Responding to security vulnerabilities and public concern is only the tip of the iceberg. If an organization develops a strong internal culture of security, that will be evident in its products. Medical device manufacturers must move beyond system patches, fixes, and recalls to establish thorough testing protocols and procedures that take cybersecurity concerns into account from the design phase to production. While there is no such thing as perfect security, organizations are expected to implement basic cybersecurity safeguards (such as authentication and encryption) while also standing ready to respond to future vulnerabilities or patient concerns. 

Progress in the cybersecurity sphere requires the active participation of all involved parties—including government agencies, organizations, manufacturers, health professionals, and patients. As patients continue to push for the best security measures and force organizations to respond to concerns, a new degree of cybersecurity awareness and understanding is becoming evident within medical settings.



MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.


Notes

1 https://www.fda.gov/news-events/press-announcements/fda-warns-patients-and-health-care-providers-about-potential-cybersecurity-concerns-certain

2 https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-affecting-medtronic-implantable-cardiac-devices-programmers-and-home