30 June, 2015 Lisa Weeks, Marketing Communications Specialist, MasterControl
Device makers aren't doing enough to protect their data or devices, experts agree.
The Anthem data breach should be a wake-up call to the health care industry, according to security experts. On February 5, 2015, hackers stole the social security numbers and personal information of 80 million Anthem members and employees, leaving them vulnerable to identity theft and blackmail.[1] While the insurer may be one of the biggest health care companies to suffer a breach, it certainly isn't the first.
Editor’s Note: This post is an excerpt from the white paper “Five Trends Transforming the Medical Device Industry in 2015.”
In October 2014, the Department of Homeland Security investigated more than 20 suspected cases of cyberthreats in hospital equipment and medical devices, bringing some well-known health care giants under scrutiny.[2] That same month, the FDA published cybersecurity guidance for medical device makers, outlining the security measures developers should build into their products when seeking approval for a new device.
FDA Weighs In
The final guidance, titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” recommends that manufacturers consider cybersecurity risks as part of the design and development of a medical device. Manufacturers should submit documentation about the risks identified and the controls instituted to lessen those risks. The guidance also recommends that manufacturers submit their plans for providing patches and updates to operating systems and medical software.[3] By carefully considering possible cybersecurity risks while designing medical devices, and by having a plan to manage system or software updates, the FDA believes manufacturers can reduce the vulnerability of their medical devices.
“Devices are becoming more interconnected and interoperable, which is great for patients and providers in so many ways,” said Joe Hage, founder and CEO of Medical Marcom and administrator of LinkedIn’s Medical Devices Group, which has more than 275,000 members. “However, it’s important to remember that increased connectivity leads to increased vulnerability and risk. There’s no getting around it.”
How Vulnerable Are Devices?
A December 2012 episode of the television show “Homeland” featured a storyline in which the Vice President of the U.S. was killed by terrorists who hacked into his pacemaker remotely. Viewers were horrified and questioned whether the plot was plausible in real life—or something dreamed up by Hollywood. Popular magazines, such as Forbes and The Atlantic, wrote articles about the vulnerabilities in internet-connected implanted medical devices. Talk radio programs were inundated with assassination-by-pacemaker-related calls. A TED talk was created. Even a real, albeit former, U.S. vice president weighed in on the topic.
During a 2013 television interview with “60 Minutes,” Dick Cheney, who served as the 46th vice president of the U.S. (2001-2009), admitted that he had his doctor disable the remote access to his pacemaker, which he had implanted in 2007, because he had legitimate concerns about the threat. (A pacemaker or defibrillator is equipped with remote control abilities so that a doctor can make adjustments using a computer program.) Talking about the “Homeland” plot, Cheney said, “I found this credible. I know from the experience we had, and the necessity for adjusting my own device, that it was an accurate portrayal of what was possible.”[4]
Cheney was right to be concerned. New Zealand hacker and security expert Barnaby Jack developed software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius. Equally unnerving was the system he developed that could manipulate any insulin pump within 300 feet to deliver too much or too little insulin, sending the diabetic into hypoglycemic shock. According to Jack, manipulating sophisticated medical equipment is not as difficult as one might think. “It does take a specialized skill, but with more and more security research concentrating on embedded devices, the skill set required is becoming more common. It probably took me around six months, from reverse engineering and finding the flaws through to developing software to exploit the vulnerabilities,” he said in a 2013 interview with Vice magazine.[5]
Updated Software Lowers the Risk of Cybercrime
Contributing to the risk is the fact that hospitals and other providers do not upgrade their software as often as they should because they fear falling out of FDA compliance. This means that important “everyday” medical devices, such as health and blood pressure monitors, can be manipulated to display incorrect vital signs and cause doctors to provide incorrect medical care. Frightening, yes, but most cybersecurity experts agree that hackers are more interested in stealing records than in reprogramming pacemakers.
Jay Radcliffe, a security researcher who hacks into medical devices for a living, estimates that medical-identity information is worth 10 times more than credit-card information—about $5 to $10 per record—on the black market. In comparison, credit-card information is worth only 50 cents per account.[6] Stolen medical information can be used to apply for credit, fake insurance claims, or buy and resell drugs and medical equipment for profit. Breaches are expensive. Eleven days after Anthem went public with its security breach, the insurer began offering free, two-year identity repair and identity monitoring services for the current and former customers and employees whose personal information might have been accessed, costing Anthem millions.[7]
The Future of Medical Device Security
The proliferation of electronic medical records (EMR), networked devices, mHealth applications, and cloud-based technologies has added to the complexity of information management. In this new digitized health economy, balancing convenience, safety and privacy will be an ongoing challenge. Moreover, it is likely to be consumers more than regulators who will be calling for greater cybercrime vigilance and increased data security.
According to PricewaterhouseCoopers, U.S. consumers have expressed a clear preference for privacy over convenience regarding medical testing and imaging results, personal information about a patient’s diagnosis, and his or her drug prescriptions. Health experts worry that the fear of a data breach will have a negative impact on doctor-patient communication, which could compromise patient safety and care. Fifty-six percent of consumers said that concerns about medical data security would affect how much information they would disclose about their medical history and/or conditions; 51 percent said it would affect their decisions to participate in clinical trials.[8]
Putting Consumers' Minds at Ease
To put consumers’ minds at ease, device makers will be required to meet a myriad of security requirements and answer questions such as: Can the device be encrypted? Is there a unique identification for users? What happens in a case of emergency? If the vendor is hosting the device, what does its system look like in terms of firewalls and other protections? Will the manufacturer provide up-to-date security patches and frequent upgrades? Of the more than 6,500 device makers in the U.S. alone, roughly 80 percent have under 50 employees and cannot afford to invest in a security expert.[9]
Earlier this year, the Federal Trade Commission (FTC) released a report, titled “Internet of Things: Privacy & Security in a Connected World,” to provide companies with insight into the FTC’s consumer privacy and data security expectations for the rapidly growing market of Internet-connected products, commonly called the Internet of Things (IoT). The report offers six recommendations for maintaining good security in IoT-style devices, which include medical and clinical devices. One recommendation is to retain service providers and vendors that are capable of maintaining reasonable security.[10]
Cybersecurity as a Competitive Differentiator
The FDA and FTC guidelines are consistent, suggesting that medical cybersecurity is not a feature or function to be addressed at the end of the design process. Device companies that treat it as such are likely to build devices that get their consumers’ personal data hacked, end up in the news, and eventually out of business. Conversely, device companies that take a proactive approach to cybersecurity, by budgeting for and building it into their design process, will be able to use it as a competitive differentiator.
Lisa Weeks, a marketing communications specialist at MasterControl, writes extensively about technology, the life sciences, and other regulated environments. Her two decades of marketing and advertising experience include work with McNeil Pharmaceuticals, SAP AG, SCA Mölnlycke Health Care, Crozer-Keystone Health Systems, and NovaCare Rehabilitation/Select Med.
(1) “Anthem Begins Offering Post-breach Credit Monitoring,” USA Today, February 13, 2015. http://www.usatoday.com/story/tech/2015/02/13/anthem-breach-credit-monitoring/23378961/
(2) “Cybersecurity in Medical Devices: Paranoia, or a Tangible Threat?” January 23, 2015. http://healthworkscollective.com/nishita-pereira-gracias/288481/cybersecurity-medical-devices-paranoia-or-tangible-threat
(3) “The FDA Takes Steps to Strengthen Cybersecurity of Medical Devices.” http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm416809.htm Accessed April 20, 2015.
(4) “Dick Cheney Feared Terrorists Could Shock His Heart: Gets Wireless Disabled.” http://www.examiner.com/article/dick-cheney-feared-terrorist-could-shock-his-heart-gets-wireless-disabled Accessed April 20, 2015.
(5) Alexander, William, “Barnaby Jack Could Hack Your Pacemaker and Make Your Heart Explode,” Vice, June 25, 2013. http://www.vice.com/read/i-worked-out-how-to-remotely-weaponise-a-pacemaker Accessed April 15, 2015.
(6) Appleby, Julie and Hernandez, Daniela, “Can Hackers Get Into Your Pacemaker?” The Atlantic, November 20, 2014. http://www.theatlantic.com/health/archive/2014/11/can-hackers-get-into-your-pacemaker/382893/ Accessed April 2, 2014.
(7) “Anthem Begins Offering Post-Breach Credit Monitoring,” USA Today, February 13, 2015. http://www.usatoday.com/story/tech/2015/02/13/anthem-breach-credit-monitoring/23378961/
(8) PwC Health Research Institute, “Top Issues Consumer Survey,” 2014.
(9) http://selectusa.commerce.gov/industry-snapshots/medical-device-industry-united-states Accessed March 31, 2015.
(10) Shah, Shahid, “Cybersecurity as A Competitive Differentiator for Medical Devices,” Med Device Online, March 24, 2015. http://www.meddeviceonline.com/doc/cybersecurity-as-a-competitive-differentiator-for-medical-devices-0001