medical device – Law Street
https://legacy.lawstreetmedia.com
Law and Policy for Our Generation. Feed built Wed, 13 Nov 2019 21:46:22 +0000.

Medical Device Privacy Concerns: Man’s Pacemaker Data Leads to Arson Arrest
https://legacy.lawstreetmedia.com/blogs/technology-blog/pacemaker-arson-medical-device-privacy/
Wed, 08 Feb 2017 14:30:07 +0000

It's a question that we're going to see popping up more often.

The post Medical Device Privacy Concerns: Man’s Pacemaker Data Leads to Arson Arrest appeared first on Law Street.

"Fire" courtesy of liz west; License: (CC BY 2.0)

An Ohio man, Ross Compton, 59, was charged with arson and insurance fraud based on data police obtained from his pacemaker. The police had a warrant for the data, but the case shows that implanted devices are becoming a source of evidence, and concerns about medical device privacy are growing with them. This Ohio case may be just the beginning.

Compton’s house burned down last year. In his 911 call he said that, on discovering the fire, he packed some of his belongings into suitcases, broke one of his windows with a cane, threw the suitcases out of the window, and carried them to his car. While investigating the fire, police obtained a search warrant for the data stored on Compton’s pacemaker, which recorded his heart rate and cardiac rhythm on the evening of the fire. Experts who analyzed the data concluded that “…it is highly improbable Mr. Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions.”

Compton has now been arrested and charged with arson and insurance fraud. The fire caused an estimated $400,000 in damage to the house, and his cat perished. Compton claims that the charges are “utterly insane” and that “this investigation has gone way out of control.”

Concerns over medical device privacy are surfacing more often as more of us rely on connected devices to manage our health and wellness. Pacemakers, wearables like the Apple Watch, and the equipment hospitals use all collect data that others can reach, whether lawfully through a warrant, as in Compton’s case, or unlawfully. Some concerns are more dire than others: hacking of medical devices could hold individuals, or entire hospitals, hostage.

The use of medical device data by police is relatively new, but it is gaining traction. Fitbits and other fitness trackers, though perhaps not medical devices in the regulatory sense, have already been used as evidence in court. In a Lancaster, Pennsylvania, case, attorneys used Fitbit data to show that a woman had lied about being sexually assaulted: the tracker recorded her up and walking during the time she said the assault occurred. Compton’s pacemaker evidence goes a step further, but it seems a likely next step. That does not mean the use of this kind of data will go unchallenged; there will be a fight over it every step of the way. SC Magazine spoke to Electronic Frontier Foundation Criminal Defense Staff Attorney Stephanie Lacambra, who said:

Americans shouldn’t have to make a choice between health and privacy. We as a society value our rights to maintain privacy over personal and medical information, and compelling citizens to turn over protected health data to law enforcement erodes those rights.

Anneliese Mahoney
Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.


Privacy Concerns: Can Your Medical Device Be Hacked?
https://legacy.lawstreetmedia.com/issues/health-science/medical-device-hacking/
Tue, 17 Jan 2017 15:13:41 +0000

Medical devices are highly vulnerable to cybersecurity threats.


"System Code" courtesy of Yuri Samoilov; License: (CC BY 2.0)

Medical information is usually viewed as a private affair. But with the proliferation of networked devices, from heart monitors and X-ray machines to fitness trackers, gaining access to a person’s sensitive health information may be easier than most realize. For an unsecured device the consequences go beyond disclosure: an unauthorized change to the settings of an implant or an infusion pump can be a matter of life or death. Medical device hacking may be the largest cybersecurity threat faced by Americans in the coming years, and it is quietly lurking in citizens’ insulin pumps and pacemakers.

Despite federal and state rules that protect individually identifiable health information, reaching a person’s most detailed medical information may take surprisingly little effort. New Food and Drug Administration (FDA) guidance issued at the end of 2016 may help close that gap, but only with cooperation from device manufacturers: the guidance consists of non-binding recommendations, and the FDA has no current plans to enforce it. Read on to learn about the security concerns presented by medical devices.


What is a Medical Device?

A medical device, as defined by the FDA, is “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory” that is used “in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.” Such devices are regulated by the FDA and may be used on animals as well as humans. Tongue depressors, bedpans, X-ray machines, and complex programmable pacemakers with microchip technology all fall under this broad definition. Surgical lasers, wheelchairs, and even sutures and orthopedic pins are classified as medical devices. If the primary intended use of a product is achieved through a chemical reaction or by being metabolized by the body, it will usually fall under the definition of a “drug” instead. The U.S. is the global leader in the medical device market, with a total market size of roughly $148 billion in 2016. The Department of Commerce determined that U.S. exports of medical devices in specific categories exceeded $44 billion in 2015. Research and development spending in this sector is also more than twice the average for all U.S. manufacturers.


Medical Privacy Laws

A person’s medical history is a deeply personal collection of information. Highly sensitive material, from mental health treatment and sexual history to genetic disorders and diseases, can be contained in an individual’s medical file. Numerous federal and state laws have been passed to keep Americans’ health information confidential and secure. The most comprehensive law ever passed in the field of medical privacy is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The act required the Secretary of the Department of Health and Human Services to develop regulations protecting the privacy and security of certain medical information. Under HIPAA, the government established national standards to protect individuals’ medical records and to give patients control over who can access their personal health information. Essentially, without direct patient authorization, covered entities are limited in how they may use and disclose individuals’ medical records.

“Paper files of medical records” courtesy of Newtown grafitti; License: (CC BY 2.0)

The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) were issued in 2000 and spell out in detail what HIPAA’s privacy requirements demand of covered entities. Under the Privacy Rule, incidental uses and disclosures are permitted only when they are a by-product of an otherwise permitted use or disclosure and the covered entity has applied reasonable safeguards. The rule requires covered entities to take reasonable steps to limit the use or disclosure of protected health information to the minimum necessary. It applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with a covered transaction. Individually identifiable health information is information that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for that care.

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) established national standards for health information that covered entities hold or transmit in electronic form. The Security Rule addresses the administrative, physical, and technical safeguards that covered entities must use to protect electronic protected health information (e-PHI). Covered entities must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit, and must protect against reasonably anticipated threats to its security or integrity. Through the Privacy Rule and the Security Rule, the U.S. government has clearly gone to great lengths to protect citizens’ medical records from improper use or disclosure without patient authorization. Note, though, that these rules bind covered entities and their business associates: they govern who may handle the data, not how well the device in a patient’s body resists tampering, which is a question for the FDA rather than for HIPAA. Many medical devices in use today hold information as detailed as a medical record, such as what ailments a person is being treated for or what dose of a medicine a person takes daily. Protecting these devices from intrusion and hacking should therefore be of the utmost importance to patient health and privacy.


Medical Device Security and Privacy Concerns

The FDA has warned hospitals and health providers for years that medical devices and hospital networks are vulnerable to hackers. In early 2016, Hollywood Presbyterian Medical Center in California fell victim to ransomware, malware that infects a computer and encrypts its files until the victim pays for the key to unlock them. The attackers held the hospital’s systems and patient data hostage until a ransom of roughly $17,000 in bitcoin was paid. Ransomware hit other hospitals around the country as well. Ransomware targets a hospital’s ordinary computers rather than implanted devices, but it shows how readily a medical environment can be held hostage.

One of the largest concerns for patients is that there is little they can do to protect their own devices; it is up to the manufacturer of a device’s hardware and software to build in proper security. Another issue is jurisdictional. Medical privacy law is administered by the Department of Health and Human Services (HHS), through its Office for Civil Rights, while device regulation falls to the FDA, an agency within HHS with a separate mandate. That split explains how the interaction between device regulation and privacy law produces administrative gaps. In a cybersecurity briefing, the U.S. government warned that pacemakers were easy targets for hackers.

In October 2016, Johnson & Johnson notified 114,000 diabetic patients that an attacker could potentially exploit one of its insulin pumps, either to disable the device or to alter the dose of insulin it delivers. Some infusion pumps in hospitals are connected wirelessly because it makes monitoring dosages easier; if the wireless link does not authenticate the commands it receives, a patient’s pump can be controlled remotely by anyone in radio range who can transmit a well-formed command.
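As an added illustration of the design flaw behind remote-dosing attacks like the one described above (this is example code, not code from the original article or from any pump manufacturer): the first parser obeys any radio frame it receives, while the hardened receiver authenticates each command with an HMAC under a per-pairing key, rejects replayed frames with a monotonic counter, and enforces a hard dose ceiling on the device itself. The frame layout, command codes, dose limit, and key below are all hypothetical.

```python
import hmac
import hashlib
import struct
from typing import Dict, Tuple

# Constructed wire formats for this example only; they are not any real pump's protocol.
# Legacy frame:        cmd(2) | dose(2)                          no authentication at all
# Authenticated frame: counter(4) | cmd(2) | dose(2) | tag(32)   tag = HMAC-SHA256(key, first 8 bytes)
CMD_BOLUS = 0x0001
CMD_SUSPEND = 0x0002
MAX_BOLUS_CENTIUNITS = 1000  # 10.00 U, a hypothetical hard ceiling enforced by the device
BODY_LEN = 8
TAG_LEN = 32


def parse_legacy_frame(frame: bytes) -> Tuple[int, int]:
    """Vulnerable design: whatever 4 bytes arrive over the radio are obeyed.
    Anyone in range who can transmit a frame can deliver an arbitrary bolus."""
    cmd, dose = struct.unpack(">HH", frame[:4])
    return cmd, dose


def build_auth_frame(key: bytes, counter: int, cmd: int, dose: int) -> bytes:
    """Remote-control side: serialise a command and tag it with the pairing key."""
    body = struct.pack(">IHH", counter, cmd, dose)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class PumpReceiver:
    """Device side: verify the tag, reject replays, and bound the dose before acting."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_counter = 0  # highest counter accepted so far; real firmware must persist it

    def accept(self, frame: bytes) -> Tuple[int, int]:
        if len(frame) != BODY_LEN + TAG_LEN:
            raise ValueError("malformed frame")
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("bad authentication tag")
        counter, cmd, dose = struct.unpack(">IHH", body)
        if counter <= self._last_counter:
            raise ValueError("replayed or stale frame")
        if cmd not in (CMD_BOLUS, CMD_SUSPEND):
            raise ValueError("unknown command")
        if cmd == CMD_BOLUS and dose > MAX_BOLUS_CENTIUNITS:
            raise ValueError("dose exceeds device limit")
        self._last_counter = counter  # advance only after every check has passed
        return cmd, dose


def _rejected(pump: PumpReceiver, frame: bytes) -> bool:
    try:
        pump.accept(frame)
    except ValueError:
        return True
    return False


def run_checks() -> Dict[str, bool]:
    """Exercise both designs against a legitimate command, a replay, a forgery, and an over-limit dose."""
    key = b"\x42" * 32  # constructed pairing key; a real device would establish one at pairing time
    pump = PumpReceiver(key)
    results: Dict[str, bool] = {}

    legit = build_auth_frame(key, 1, CMD_BOLUS, 250)  # 2.50 U
    results["legit_accepted"] = pump.accept(legit) == (CMD_BOLUS, 250)
    results["replay_rejected"] = _rejected(pump, legit)  # same bytes captured and re-sent

    # Attacker without the key: a 50.00 U bolus with a zero tag.
    forged = struct.pack(">IHH", 2, CMD_BOLUS, 5000) + bytes(TAG_LEN)
    results["forgery_rejected"] = _rejected(pump, forged)
    # The legacy parser obeys the same raw command bytes without question.
    results["legacy_obeys_forgery"] = parse_legacy_frame(forged[4:8]) == (CMD_BOLUS, 5000)

    # Even a correctly tagged frame cannot exceed the device's hard dose limit.
    overdose = build_auth_frame(key, 2, CMD_BOLUS, 5000)
    results["overdose_rejected"] = _rejected(pump, overdose)
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

Three design points carry the weight here: the counter has to survive power cycles, otherwise a captured frame becomes valid again after a reboot; the key has to be established during an explicit pairing step rather than shipped as a constant shared across devices; and the dose ceiling belongs in the device regardless of how strong the link security is, since it limits the damage if the key is ever lost.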


While the threat to medical devices has been common knowledge for several years, few have attempted to close the glaring holes in the current system. Security researchers have demonstrated remote control of medical devices including pacemakers, insulin pumps, and defibrillators, so it is quite possible that attackers will start targeting specific devices rather than only whole hospital systems. U.S. officials began investigating flaws in pacemakers in August 2016, when a batch ran out of battery three months earlier than anticipated. That batch turned out to have a rare defect that caused the failures, but the months of investigation culminated in the FDA releasing 30 pages of guidance on medical devices’ security flaws.


New FDA Guidelines

The FDA first issued guidance in October 2014 recommending that manufacturers build cybersecurity protections into medical devices before they reach the market. In December 2016 it followed up with guidance on managing cybersecurity in devices already on the market. Both documents are non-binding recommendations, so neither is legally enforceable, which is not a particularly strong stance on securing medical devices. In the new guidance, the FDA encourages manufacturers to share vulnerability information with each other and to deploy software patches and updates consistently to fix security vulnerabilities. The agency also asks manufacturers to adopt the National Institute of Standards and Technology’s Cybersecurity Framework, whose core functions are identify, protect, detect, respond, and recover, and to address security early in product development rather than after release. The FDA further suggested that manufacturers join an Information Sharing and Analysis Organization (ISAO) to share details about detected security risks and attacks when necessary.


Conclusion

Researchers saw a rise in cyberattacks worldwide in 2016. Technological advances in medical devices certainly enable more effective treatment, but the increasing reliance on vulnerable software puts the health of citizens at risk. Implementing a structured and comprehensive plan to manage cybersecurity risks is therefore critical. While the new FDA guidance is a respectable start toward reducing cybersecurity threats to medical devices, making the recommendations mandatory rather than voluntary may be the only way to keep individuals’ medical information safe from prying eyes. Many contend that, while the recommendations could be more stringent, this is just the first step on a long road to addressing cybersecurity in the medical field. For now, the onus remains on manufacturers to patch detected vulnerabilities in their devices and software and to develop devices that are safe for consumers.

Nicole Zub
Nicole is a third-year law student at the University of Kentucky College of Law. She graduated in 2011 from Northeastern University with Bachelor’s in Environmental Science. When she isn’t imbibing copious amounts of caffeine, you can find her with her nose in a book or experimenting in the kitchen. Contact Nicole at Staff@LawStreetMedia.com.

