FBI urges health industry to tighten online security for records, wearable medical devices


WASHINGTON – Chris Carroll won’t forget the first time he saw a person hack into an insulin pump and cause it to deliver a lethal dose of insulin.

Although the pump wasn’t connected to a person, Carroll, a 34-year-old from Austin, Texas, got the point from the demonstration – the danger was real.

And it hit home for him. Carroll is a Type 1 diabetic and wears a pump – a device worn by some diabetics that delivers insulin directly into their bodies.

More and more medical devices and hospital equipment are connected to either the Internet or a network, making them lucrative targets for cybercriminals or hackers trying to either harm the users or make a point about their cyber abilities. Experts also are worried about the potentially deadly consequences of unsecured systems being violated accidentally: As people become more dependent on medical devices that share information, there’s an increased chance that their codes could be scrambled, causing malfunctions.

“The health care industry is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics,” an April report from the cyber division of the FBI stated. It also said the industry “is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”

The technology magazine Wired reported in April that an information security official from Essentia Health found that drug infusion pumps – which deliver antibiotics and chemotherapy directly into patients – defibrillators, X-rays and even temperature settings on medical refrigerators that store drugs and blood can be manipulated by cyber intruders. The security official, Scott Erven, had access to a chain of health care facilities in the Midwest over a two-year span for the study, Wired reported. Erven could not be reached for comment.

Further, as hospitals move patient records to network databases, the financial incentive for hackers is huge. The FBI report noted that even partial electronic health records are selling for $50 each on the black market, compared with $1 for social security cards and credit card numbers. Electronic health records contain comprehensive patient information and allow all the patient’s health care providers to share that information. These records are attractive targets to hackers because they can be used to sell drug prescriptions.

The Internet of things

Michael Carome, director of health research at Public Citizen, a consumer rights advocacy group in Washington, said that though the risk of private medical information leaks is hard to quantify, “It is a concern and it should be on the radar screen of public health officials and those who are responsible for security.” With the implementation of the Affordable Care Act, especially, which encourages physicians to adopt electronic health recordkeeping for their patients, greater security provisions are needed, Carome said.

The April FBI report cited research from the SANS Institute, a private company that specializes in Internet security training. SANS concluded that some systems and devices were compromised for extended periods of time, and that companies, when notified of the vulnerabilities, did not repair them. “The time to act is yesterday,” the report said.

Carroll is familiar with manufacturers’ indifference to security concerns. After he saw the insulin pump hacking demonstration, he contacted his own pump provider.

“Both of the people I talked to had no idea this was possible, and had no answer regarding plans to fix the issue. They tried the whole ‘well, even if it’s possible, no one would do it,’” he said.

So far Carroll’s pump manufacturers have been right. The Food and Drug Administration’s website states the agency is not aware of any patient injuries or deaths related to hacking intrusions.

Still, at least some users believe the risks are real. As early as 2007, former Vice President Dick Cheney had the wireless function on his heart defibrillator disabled, fearing it made him more vulnerable to a terrorist attack. Most people don’t face the same level of personal risk as a vice president. “I hold no delusions of grandeur that I’m important enough for people to go after, but I do know that some people try these types of things just for the hell of it,” Carroll said.

Typically problems with medical devices are identified by or reported to the FDA. But the exponential rate of device innovation calls into question the FDA’s capacity to monitor medical devices.

“There are so many different kinds of inventions and devices doing so many different things, the FDA really can’t legislate down to the line and code of security for every situation,” said Frank Painter, a health care technology consultant for Technology Solutions Management.

Painter said that the FDA’s general standards are sufficient, but the responsibility for ensuring device security lies with the device manufacturers. “Good designers can build good, safe secure designs in the first place, pretty simply, so if they did that it would preclude somebody from doing something bad.”

In an email, the FDA referred to an online statement noting that it allows devices to be marketed “when the probable benefits to patients outweigh the probable risks.”

But, like Painter, the FDA maintains that ultimately “manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety.”

Wanda Moebius of AdvaMed, a medical device trade association, said in an emailed statement that the “medical technology industry recognizes that all digitally controlled medical devices, like all digital systems, are vulnerable to cybersecurity threats, and we take seriously the potential consequences to patients.”

Medical technology companies are taking steps to reduce the already low risks of malicious hacking by building device security into the development process, testing potential vulnerabilities and assessing risks, Moebius said.

Painter said consumers have put pressure on vendors to think about security issues before they begin designing products.

But security breaches are less of a risk to medical device users right now than inadvertent device interference, he said.

“I think the thing we really have to worry about the most,” Painter said, “is an unsecure system being able to be violated by accident.”

 

