
Today’s technology behemoths are working hard on making your home smarter by utilizing and expanding the Internet of Things. Homes of the future, after detecting when you wake up, will open the curtains in your home, start your coffee maker, and turn on the lights. When your future home detects that you are walking up to your home after a long day of work, the front door will unlock, the air conditioner will turn on, and the TV will turn on your favorite episode of Game of Thrones. These luxuries will be slowly rolled out by the ever-accelerating technological advancements. Now imagine coming home one day from a stressful day at the office on a hot July evening, only to find that the front door is locked even though your home should have detected you are back for the evening. You use your key to enter the home and find that the heating unit is blasting hot air into your home. Worse yet, the TV is on and airing re-runs of Jersey Shore, refusing to turn off. The Internet of Things in your home has been hacked.
While this situation sounds like a headache to deal with, imagine if more was at stake than losing a night of relaxation. For example, your life.
Each year, around 200,000 pacemakers are implanted into patients in the United States.[1] A patient may need an implantable cardiac device if their heartbeat is too slow (bradycardia), too fast (tachycardia), or needs coordination to treat heart failure. Simply put, pacemakers are life-saving devices. Some devices, like St. Jude Medical’s implantable cardiac device, give doctors the ability to monitor an implanted cardiac device without seeing the patient:
In order to simplify monitoring of patients, the St. Jude Medical Merlin@home Transmitter uses a home monitor that transmits and receives RF signals used to wirelessly connect to the patient’s implanted cardiac device and read the data stored on the device. The transmitter, located in the patient’s home, sends the patient’s data to his or her physician via the Merlin.net Patient Care Network using a continuous landline, cellular, or wireless Internet connection.[2]
Unfortunately, the FDA issued a Safety Communication which stated that “As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.” While there were no reports of any patients being harmed or affected, it is staggering to note that 465,000 devices in the US are impacted. Nearly half a million lives could have been hacked.
This is not the first time such a concern has arisen. Former Vice President Dick Cheney had the wireless features of his pacemaker disabled in 2007 in order to eliminate the possibility of any kind of hacking or assassination attempts.[3]
Pacemakers are not the only implantables at risk. In 2016, Johnson & Johnson issued a notice regarding one of their insulin pump systems, notifying users of the possibility that a person could gain unauthorized access to the pump through the unencrypted radio frequency communication system.[4] Dosing a patient with too much insulin could cause hypoglycemia, or low blood sugar, which in extreme cases can be life threatening, said Brian Levy, chief medical officer with J&J’s diabetes unit.[5]
Fortunately, a number of companies are hiring third-party individuals and companies to locate and patch any potential holes in the software. These third parties are known as “White Hats,” meaning they are the good-guy hackers. When these individuals or groups locate vulnerabilities in software and technology, they notify the company. “Gray Hats” do similar work, but instead sell their discoveries to government entities such as law enforcement and intelligence agencies. “Black Hats” are the criminals.[6] They will hack in order to steal information, unless they have a more insidious agenda.
Of particular concern to physicians, risk management companies, and insurance entities is the following FDA-issued recommendation:
The FDA recommends that patients and their health care providers discuss the risks and benefits of the cybersecurity vulnerabilities and the associated firmware update designed to address such vulnerabilities at their next regularly scheduled visit.[7]
Whether or not this could create a greater insurance risk for physicians remains to be seen. However, suggesting that physicians must become familiar with the programming behind increasingly complex devices is reason to remain alert.
Medical records took a huge hit the past couple of years due to the lack of thorough cyber security. That is quickly changing. However, hackers will turn their attention to something worth quite a bit more soon enough: people’s lives.
[1] American College of Cardiology (March 23, 2016) http://www.acc.org/latest-in-cardiology/articles/2016/03/23/08/09/permanent-leadless-cardiac-pacing
[2] FDA – Cyber security vulnerabilities in pacemakers https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm
[3] http://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434
[4] https://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-t/johnson-johnson-letter-on-cyber-bug-in-insulin-pump-idUSKCN12414G
[5] https://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e/jj-warns-diabetic-patients-insulin-pump-vulnerable-to-hacking-idUSKCN12411L
[6] https://www.wired.com/2016/04/hacker-lexicon-white-hat-gray-hat-black-hat-hackers/
[7] https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
Copyright © 2018 Kevin Peek