
Hacking Medical Devices – Movie Plot or Realistic Threat?

By Emily Solum on March 12, 2013

Cyber security is on everyone’s mind.  President Obama signed an executive order in February aimed at increasing protection of our nation’s critical infrastructure, while HHS released its new HIPAA mega rule in January (effective in March) in an effort to strengthen the security of electronic health records.  As providers work to update their HIPAA policies and procedures, there’s another area of concern to consider: the hacking of implantable medical devices.

In August of last year, the Government Accountability Office, the “congressional watchdog,” released a report identifying information security issues associated with medical devices and advising the FDA to ramp up its efforts to address these issues.  These devices include implantable defibrillators, insulin pumps, pacemakers, and other devices used to monitor and transmit a patient’s medical status. Specifically, the GAO considered intentional threats to such devices, including hackers obtaining unauthorized access, or using malware, viruses, or worms to interfere with the functioning of the device.  Although there have been no documented incidents thus far, the GAO cited several demonstrations in controlled settings showing that hacking of these devices is a real threat.  In one demonstration, the researchers were able to remotely deliver commands to a defibrillator.  Other demonstrations revealed that hackers could prevent insulin pumps from operating properly or manipulate the amount of insulin to be dispensed.

Unfortunately, the GAO report also acknowledged that efforts to address the security issues associated with these devices could adversely affect the performance of the devices.  For one, pacemakers cannot be made immune to all electrical signals because the device must be able to detect the signals naturally generated by the patient’s heart to determine irregularity in pulse.  Further, adding encryption – a security feature of which most providers are aware – could drain a device’s battery, which can only be replaced by surgery.

Our Insight.  Your Advantage.  The FDA has stated that, in the future, the agency will consider information security risks resulting from intentional threats when reviewing new devices submitted by manufacturers.  FDA officials also stated that they were currently planning to review the agency’s approach to evaluating software used in medical devices.  In the meantime, the GAO has recommended that the commissioner of the FDA develop a comprehensive plan to address this issue, including increased focus on manufacturer identification of security issues.

While there may be security issues associated with implantable medical devices, the benefits of these devices should not be forgotten.  However, it is frightening to imagine a scenario where the security issues identified in the GAO report are realized.  Hopefully such events are confined only to movie screens.

To read the full GAO report, click here.

Emily Solum

Emily focuses her practice on government reimbursement and compliance issues that affect hospitals, providers, pharmacies and other healthcare clients.

  • Posted in:
    Privacy and Cybersecurity
  • Blog:
    Healthcare Law Insights
  • Organization:
    Husch Blackwell LLP
