Despite the Hollywood scenarios you’ve seen, an Internet-connected pacemaker can’t be hacked to kill you. But a ransomware attack on your hospital could endanger patients. Two medical device experts explain cybersecurity, safety and privacy risks to tech journalists. [Transcript | Video]
4 takeaways:
➀ Regulation of connected medical devices is fractured. Medical devices, such as pacemakers and insulin pumps, are well-regulated by the FDA. Still, there are many other connected devices that transmit sensitive data about the human body that aren’t well regulated, explained Seth Carmody, vice president of regulatory strategy at MedCrypt, which provides cybersecurity and safety for healthcare technologies. A patchwork of agencies, including the Food and Drug Administration, Federal Communications Commission, Office of the National Coordinator for Health Information Technology and the Office for Civil Rights, all have various regulatory authorities.
➁ Information security is hard, and healthcare cybersecurity is even harder. The FDA was designed to provide doctors and patients with a reasonable assurance of the safety and efficacy of medicines, and later medical devices, but the agency had to “try to retrofit that pill model to accommodate software,” noted Carmody, a former FDA cybersecurity official.
Society needs to address security for the range of devices that collect patient data and transmit it over the Internet, but the question is how much we are willing to pay in unpopular infrastructure spending to reduce risk, Carmody said, adding that the FDA didn’t get the $5 million it requested for cybersecurity this year. Watchdogs are supposed to alleviate the information asymmetry for consumers, but “the fact of the matter is that the technology debt accumulates in the consumer, accumulates for us, whether we’re wearing our smart watches or running a hospital system.”
➂ Bluetooth technology introduced new security challenges. Medtronic, which manufactures pacemakers and other medical devices, has been working on a “zero trust model to the outside world,” explained Kyle Erickson, who has been working on closing vulnerabilities introduced by Bluetooth chips and SD cards in medical devices.
“We learned and we improved definitely the hardware architecture on this product, so it’s a lot more difficult to even do any reconnaissance or any reverse engineering,” he said. But implants designed now might be in a patient’s body for 10 to 12 years and are manufactured to last 20. “We’re trying to future-proof around that. That’s very difficult.”
➃ Hollywood dramatizations have spurred risk reduction efforts, even when they’re wrong. Current devices use a chip of the same generation as gaming devices. “That’s a Nintendo in your chest today,” Erickson said. “We’re upgrading that, obviously, in our next foundational platforms. …We will be doing more improved authentication, authorization, encryption.” But Erickson noted, “The push from the regulators, the push from frankly the public, even a little bit of the push from Hollywood, has made us have this need for this responsibility.” Erickson said they take threats seriously, even when they’re portrayed in shows and movies from “Homeland” to “The Gray Man” in ways that are not entirely accurate. (A montage of Hollywood’s taken on medical cybersecurity is on Slide 15 of the PowerPoint.)
This program was sponsored by Arnold Ventures and Medtronic. NPF is solely responsible for the content.
