Medical Device Security – The Human Factor
In a February 2017 article, Securing Our Medical Devices, Yitaek Hwang reported on the challenges of protecting medical devices against cyberattacks and intrusions. Mr. Hwang discussed potential defenses against intrusions, a worst-case scenario in which a hacker causes physical harm, and the shortage of healthcare cybersecurity expertise. These remain important topics, and unfortunately, little has changed in the four years since that article was published. One area Mr. Hwang’s article did not cover is responsibility: who is accountable for protecting the privacy and security of remote medical devices. This article explores that question and the considerations it raises for the future as the Medical Internet of Things (MIoT) grows and proliferates.
Remote Medical Devices Have an Achilles’ Heel
Remote implantable or wearable medical devices cover a wide range of products and functions, from pacemakers and artificial pancreases to medication dispensers and vital-signs monitors. The devices often operate with very low power and limited memory and connect to the MIoT via cellular, Bluetooth, or Wi-Fi; some rely on the patient’s home Internet connection to stay online. The risks posed by a compromised remote medical device range from the interception of highly sought-after Personally Identifiable Information (PII), which can feed identity theft, to a ransomware attack on someone’s pacemaker. These are real – and gravely serious – threats. In addition, a compromised medical device can serve as an entry point for cyber thieves into the broader medical networks to which it is connected.
The Government Will Protect Us from Cybercrime
So, who is responsible for protecting patients who use remote medical devices? The first answer that may come to mind is HIPAA (the Health Insurance Portability and Accountability Act). The title of Theodos and Sittig’s paper, Health Information Privacy Laws in the Digital Age: HIPAA Doesn’t Apply, addresses this assumption directly. HIPAA requires Covered Entities (CEs) – medical providers that create Protected Health Information (PHI) – to protect that information. Business Associates (BAs), organizations that handle PHI on a CE’s behalf such as billing services, management companies, or even VoIP service providers, are likewise required to attest to the protection of PHI. But what happens to the data once it is “in the cloud”? That is not covered by HIPAA.
Remote medical devices are in fact regulated by the U.S. Food and Drug Administration (FDA). The United States’ consumer medical service market, the world’s largest, is forecast to be worth more than $600 billion in 2025, and the worldwide number of wearable, ingestible, and implantable medical devices is anticipated to exceed 1 billion units in 2021! Yet many of these remote medical sensors fall outside the narrow definitions the FDA uses for classifying digital specimens, so the data generated by remote medical devices is not covered by the FDA either.
What about the doctors who prescribe these medical devices, or their information technology teams? They may have some degree of coverage under HIPAA, but they are not responsible for the performance of the software and hardware in the device.
Lastly, what about the patient? Does the patient bear any responsibility for the privacy and security of their devices and the data they generate? Many patients may be unaware that they are responsible for installing a fresh battery or updating the software or firmware in their device. If the device connects through the home Internet router, how secure is that connection? Has the residential user changed the username from Admin, and is “password” still the password? No government mandate requires patients to protect their data and devices.
So, Who Really NEEDS to be Responsible?
Because the Medical Internet of Things is so important and brings so many benefits to patients, especially in a time of social distancing, the security and privacy of remote medical devices must be well understood. A research study is currently underway to explore the perceptions of three groups regarding who they believe is responsible: doctors, medical IT staff, and device manufacturers. The results of this study will hopefully assist the healthcare community, patients, regulators, and lawmakers in determining how to protect the privacy and security of all concerned.