Privacy Concerns: Can Your Medical Device Be Hacked?

"System Code" Courtesy of Yuri Samoilov : License: (CC BY 2.0)

Medical information is usually viewed as a private affair. But due to the proliferation of technologically advanced devices–heart monitors, X-ray devices, and even fitness trackers–the ability to gain access to a person’s sensitive health information may be easier than most realize. Unsecured devices could lead to disastrous consequences, as any alteration to a patient’s device could be a life or death situation. Medical device hacking may be the largest cybersecurity threat faced by Americans in the coming years. This gigantic security concern is quietly lurking in citizens’ insulin pumps and pacemakers.

Despite having federal and state guidelines to protect and secure individually identifiable health information, accessing a person’s most detailed medical information may be as simple as pressing a few buttons. New Food and Drug Administration (FDA) guidelines issued at the end of 2016 may be able to combat easy access to medical devices, but only with cooperation from device manufacturers. There are also no current plans for enforcement of these guidelines by the FDA, as they are non-binding recommendations. Read on to learn about the security concerns presented by medical devices.


What is a Medical Device?

A medical device, as defined by the FDA, is “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory” that is used “in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.” Such devices are regulated by the FDA and may be utilized for animals as well as humans. Tongue depressors, bedpans, x-ray machines, and complex programmable pacemakers with microchip technology all fall under the broad definition of a medical device. Moreover, surgical lasers, wheelchairs, and even sutures and orthopedic pins are classified as medical devices. If the primary intended use of a product is achieved via a chemical reaction or metabolized by the body, then it will usually fall under the definition of a “drug.” The U.S. is the global leader in the medical device market, with a total market size of roughly $148 billion in 2016. The Department of Commerce determined that U.S. exports of medical devices in specific categories exceeded $44 billion in 2015. Research and development in this sector are also more than twice the average for all U.S. manufacturers.


Medical Privacy Laws

A person’s medical history is a deeply personal collection of information. Highly sensitive material ranging from mental health treatment and sexual history to genetic disorders and diseases can be contained in an individual’s medical file. Numerous laws have been passed in the U.S. on federal and state levels to ensure that Americans’ health information remains confidential and secure. The most comprehensive law ever passed in the field of medical privacy is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The act required the Secretary of the Department of Health and Human Services to develop regulations to protect the privacy and security of certain medical information. Under HIPAA, the government established national standards to protect individuals’ medical records and give patients control over who can access personal health information. Essentially, without direct patient authorization, specific entities are limited on the uses and disclosures of individuals’ medical records.

“Paper files of medical records” Courtesy of Newtown grafitti : License: (CC BY 2.0)

In 2000, the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) came into effect; the guidance comprehensively explains answers to questions about the privacy requirements of HIPAA. Generally, the Privacy Rule permits that incidental uses and disclosures are permissible only if they are a by-product of a reasonable or permissible disclosure. The rule requires covered entities to take reasonable steps to limit the use or disclosure of protected health information. It applies to health plans, health care clearing houses, and any health care provider who transmits health information in electronic form. Individually identifiable health information is information that relates to: an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for health care for the individual.

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) also established national security standards for certain health information held or transferred in electronic form. The Security Rule particularly addressed technical and non-technical safeguards that covered entities must utilize to protect individuals’ electronic protected health information (e-PHI). Entities covered by the Security Rule must ensure the confidentiality and integrity of all e-PHI being received or transmitted, as well as protect against any reasonably anticipated threats to the security or integrity of such information. Under the intricacies of HIPAA’s Privacy Rule and Security Rule, the U.S. government has clearly gone to great lengths to protect citizens’ medical records from improper use or disclosure by entities without direct patient authorization. Certain medical devices utilized today may contain information regarding a person’s medical condition that is as detailed as their medical records–what ailments a person is being treated for, or what dosage of medicine a person takes daily. Therefore, protecting these devices from unwanted intrusion and hacking should be of the utmost importance to ensure patient health and privacy.


Medical Device Security and Privacy Concerns

The FDA has been warning hospitals and health providers for years that medical devices and hospitals are vulnerable to hackers. In early 2016, the Hollywood Presbyterian Medical Center in California fell victim to a ransomware attack, which infects a computer and then encrypts files until someone pays to have it unlocked. The attackers in California held patients’ medical data hostage until the ransom was paid, roughly $17,000 in bitcoin. Ransomware also hit other hospitals around the country.

One of the largest consumer concerns regarding medical devices is that individuals can do little to protect their devices themselves. It’s up to the manufacturers of a device’s hardware and software to employ proper security measures. Another issue plaguing medical devices is that most of the laws protecting medical privacy fall under the Health and Human Services’ umbrella; however, regulating medical devices falls in part under FDA jurisdiction. The disconnect explains how the interactions between medical device regulations and privacy laws lead to administrative issues. In a cybersecurity briefing, the U.S. government warned that pacemakers were easy targets for hackers.

Furthermore, in October 2016, Johnson & Johnson notified 114,000 diabetic patients that a hacker could potentially exploit one of its insulin pumps. The pump could be attacked by either disabling the device or altering the dosage of insulin. Some medical infusion pumps in hospitals are even connected wirelessly because it makes monitoring dosages easier. Patients in the hospital could potentially have their pumps controlled remotely by a hacker, which is relatively simple to do.


While the threat to medical devices has been common knowledge for the past few years, few people have attempted to rectify the glaring holes in the current system. Security researchers have managed to remotely control medical devices including pacemakers, insulin pumps, and defibrillators. Thus, it is quite possible that hackers may start setting their sights on specific medical devices, not just entire hospital systems. U.S. officials began investigating flaws in pacemakers in August 2016, when a batch ran out of battery three months earlier than anticipated. While that particular batch simply had a rare defect that caused them to fail, the months of investigation culminated in the FDA releasing 30 pages of guidance regarding medical devices’ security flaws.


New FDA Guidelines

The FDA first issued a guidance in October 2014 that contained recommendations for manufacturers to build medical devices with cybersecurity protections. These guidelines were expanded in December 2016; however, the recommendations to manufacturers were non-binding, making the document not legally enforceable and not a particularly strong stance on securing future medical devices. As part of the new recommendations issued, the FDA encourages manufacturers to swap information with each other and consistently deploy software patches and updates to fix any security vulnerabilities. Moreover, the agency has asked manufacturers to adhere to a checklist created by the National Institute of Standards and Technology. Early product development that focuses on protecting medical devices from hackers is of the utmost importance. The FDA also suggested that manufacturers join the Information Sharing and Analysis Organization to share details about detected security risks and attacks when necessary.


Conclusion

Researchers saw a rise in the occurrences of cyberattacks on a global scale in 2016. Technological advances in medical devices certainly encourage more effective health treatment, but the increasing reliance on vulnerable software potentially puts the health of citizens at risk. Thus, implementing a structured and comprehensive plan to manage cybersecurity risks is critical. While the new FDA guidelines are a respectable start to ensuring medical devices are free from cybersecurity threats, making the recommendations mandatory as opposed to voluntary may be the only way to keep individuals’ medical information safe from prying eyes. Many contend that while the recommendations could be more stringent, this is just the first step in a long road to addressing cybersecurity in the medical field. For now, the onus remains on the manufacturers to patch detected vulnerabilities in their devices and software and develop devices safe for consumers.

Nicole is a third-year law student at the University of Kentucky College of Law. She graduated in 2011 from Northeastern University with Bachelor’s in Environmental Science. When she isn’t imbibing copious amounts of caffeine, you can find her with her nose in a book or experimenting in the kitchen. Contact Nicole at Staff@LawStreetMedia.com.