The Internet of Things is no longer a faraway dream, like jet packs and cities teeming with self-driving cars. IBM predicts that the burgeoning web of hardware, software, electronics, and sensors will encompass 50 billion devices by 2020, more than 60 pieces of connected hardware for every man, woman, and child on Earth. The National Institutes of Health says 40% of IoT-linked devices will be health-related, more than any other category.
If your online privacy is violated — say a credit card account is hacked or your Facebook data is used for nefarious purposes — it will be upsetting and will likely offend your sense of privacy and propriety. But when networked medical devices are compromised, the consequences can be serious and even life-threatening. Blood analyzers, glucose meters, heart-rate monitors, pacemakers, CPAP machines, and fitness trackers are just a few of the internet-connected medical devices in wide use today. The growing volume of data these devices gather is collected and transmitted using off-the-shelf software that is widely available and, consequently, highly susceptible to tampering for commercial gain or to simply wreak havoc. It was potential for malicious hacking that prompted doctors for former Vice President Dick Cheney to order that his heart defibrillator’s wireless capability be turned off when the device was replaced in 2007. Cheney’s cardiologist was concerned that a terrorist might access the device and send the vice president’s heart a fatal shock. Was turning off the implant’s wireless feature prudent precaution, or was it paranoia? It’s hard to say. But in the decade since, the security of networked medical devices has emerged as a serious concern. In 2015, two security researchers demonstrated their ability to remotely hijack a Jeep’s dashboard functions, steering, transmission, and brakes, an event that caused great embarrassment for Jeep parent Chrysler, which subsequently recalled 1.4 million vehicles to fix the vulnerability. Most hackers, however, are motivated not by a desire to disrupt or harass, but are pursuing financial gain — looking for information they can exploit commercially. For example: Device makers can benefit greatly by accessing performance data on their competitors’ products, using the information to modify their own offerings and exploiting competing products’ shortcomings in their marketing. Information gathered in clinical trials determines the commercial potential of the drugs and devices under study. If that data is hijacked before a treatment reaches the market, sponsors can sustain potentially catastrophic losses. A company whose drugs treat common chronic conditions might learn that a competitor is developing an implantable device that would give patients a concentrated form of treatment that cuts cost by reducing the required dosage. Stolen data about the device could be manipulated to suggest that’s it’s less effective and safe than its developer claims. Networked devices can provide wide-ranging biometric patient information such as blood pressure, respiration, and blood enzyme levels. Companies that issue individual life insurance policies often purchase this information, repackaged by third parties to appear of legitimate origin, to evaluate clients for insurability and to set premiums. Hacks can affect not just patients with diagnosed medical conditions, but also healthy people using implantable birth control and even users of wearable personal fitness devices like Fitbits. These ubiquitous wearables can produce vast amounts of personal biometric data but are subject to no federal regulation. While it’s a real possibility, harming patients does not seem (at least yet) to be motivating medical device hackers. There are chilling examples of people using connected devices to harass and intimidate, such as domestic abusers using smartphone apps to turn appliances on and off, ring doorbells, change thermostat settings, and adjust the volume on sound systems. Can attacks on medical devices be far off? Another growing concern is not hacking, but accidental consequences of our increasingly connected world. Benign and even benevolent sources of radio energy such as WiFi systems and hospital networks have been found to interfere with medical devices. Regulators respond FDA has responded to these concerns with formal guidance on medical device cybersecurity specifically related to devices that use off-the-shelf software. The agency’s Center for Devices and Radiological Health declares that “a cybersecurity vulnerability exists whenever (off-the-shelf) software provides the opportunity for unauthorized access to the network or the medical device,” opening the door to “unwanted software changes that may have an effect on the safety and effectiveness of the medical device.” Because these vulnerabilities are rooted in the commercial software that underpins these devices, the CDRH advises that device makers maintain formal relationships with software vendors to ensure timely receipt of information about software problems and recommended preventive and corrective actions. Software makers frequently issue cybersecurity patches, so the CDRH recommends that device companies maintain cybersecurity maintenance plans to address compliance with 21 CFR 820, FDA Quality System regulation. While hospitals and other healthcare facilities play a central role in evaluating network security and protecting their systems, FDA emphasizes that most healthcare organizations lack the detailed design knowledge and technical resources to take primary maintenance responsibility for medical device software. That places responsibility for software maintenance on device makers, with support from user facilities, software vendors, or third parties as conditions require. A legislative remedy? Legislation pending in Washington also would formalize protections for medical device data. In 2017, Connecticut Senator Richard Blumenthal introduced the Medical Device Cybersecurity Act of 2017, citing recent high-profile ransomware attacks and large-scale privacy breaches to underscore how vulnerable medical devices are to cyberattack. The legislation is pending. Device security is becoming a more frequent topic of discussion between sponsors and contract research organizations. For its part, Premier Research actively advises customers on investigating the cybersecurity implications connected with their products, recognizing the likelihood that regulators will raise questions during the product review.