Always read the label – it’s a good maxim for the modern world. While our grocery stores are stacked with offerings that seem both convenient and nutritious, we rely on organisations like the US Food and Drug Administration to ensure that labelling tells us the real story. What’s the calorie count per portion; the sodium content; are there any trans-fats, e-numbers, monosodium glutamate or preservatives? We rely on transparent labelling to make an educated decision about what we place in our bodies.
So, the FDA’s recent warning is timely, if not a little terrifying. Just after Christmas, the FDA issued a report, titled “Postmarket Management of Cybersecurity in Medical Devices,” which did not make for a pleasant festive read. The report details the threats to networked medical devices, and recommendations for securing them. Or, to be more direct: how your pacemaker, defibrillator and insulin pump can be hacked, and what should be done about it.
Many such technologies now feature wireless capabilities and cloud-based networking that enable updates, monitoring and data gathering. But with this connectivity comes a new risk, as Dr. Suzanne B. Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, wrote in her accompanying blog.
“In today’s world of medical devices that are connected to a hospital’s network or even a patient’s own Internet service at home, we see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device’s performance and functionality.”
The report details some pretty powerful worst case scenarios, including one in which a researcher contacts a developer to inform them that their implantable device “can be reprogrammed by an unauthorized user,” and “If exploited, this vulnerability could result in permanent impairment, a life-threatening injury, or death.”
This certainly isn’t a case of the FDA overstating the risks or taking a disproportionate response. Back in 2015, researcher Billy Rios reported that he had found vulnerabilities in popular hospital drug infusion pumps that would allow hackers to remotely change the amount of drugs issued to a patient, potentially to the point of a lethal dose. The result was the first ever FDA recall of medical devices issued because of cybersecurity vulnerabilities.
If anything, then, it seems that in this new case the FDA is pulling its punches. As it stands, the report doesn’t offer a huge amount of comfort for those relying on such technologies: it recommends that manufacturers notify customers within 30 days of learning of a vulnerability, and issue a patch within 60, which seems like a pretty long time for a patient to spend wondering and worrying. On top of all that, the recommendations are classified as “nonbinding,” which means that manufacturers are not bound by them anyway.
Marie Moe, who is in the unusual position of being both a security researcher and a pacemaker patient, has previously written about her frustrations with the situation. Among her concerns is the fact that patients are not warned in advance that they are becoming part of the Internet of Things, or asked to give their consent. In addition, the devices run on proprietary code and there is no transparency – in effect Moe and patients like her are asked simply to trust the manufacturers blindly, and hope that “security through obscurity” will ensure their ongoing safety.
I’m not knocking pacemakers and the like, or their developers – it’s lifesaving stuff for those that need them. But it is big business: Persistence Market Research (PMR) valued the global cardiac pacemaker market at US $4,100 million in 2015.
Why then is healthcare so behind the curve in terms of cybersecurity? In 2015 alone, over half a billion personal information records were stolen or lost within the US healthcare industry. Added to this, only 33% of healthcare providers believed they had sufficient resources to prevent or quickly detect a data breach. Of course, the manufacturers of these medical wonders should be applauded for the progressive technology they are developing. However, they must also recognise that these new products require extensive cybersecurity vulnerability testing, and secure methods of encrypting and authenticating traffic between manufacturers and patient devices. Strong partnerships must be built with the cyber industry to ensure manufacturers can keep patients at least one step ahead of hackers.
In the meantime, while so many are waking up to the importance of privacy and security in their professional and private lives, it seems users of a product that will keep their heart beating must wait for the industry to catch up… or for the hackers to strike and force a wake-up call. It’s time for the industry to take the lead instead of waiting for regulation to show it the way forward – or it risks its corporate value in ways previously unseen.
Harvey Boulter, Chairman, Communication Security Group