As the healthcare industry continues to embrace the Internet of Things, cybersecurity may present unprecedented health and privacy risks to patients. Wireless-enabled medical devices are increasingly common. For some patients, this means that their hearts are, quite literally, connected to the Internet of Things. For others, mobile medical apps and wearable products are collecting personal health data that may be inadequately protected.
The medical device industry came under fire this year when a Senator from California sent a letter to the top five U.S. medical device manufacturers expressing “serious concerns that the cybersecurity vulnerabilities in medical devices are putting the health and safety of patients in California and across the country at risk.” Senator Barbara Boxer (D-CA) wrote her letter in response to findings from an independent security researcher who discovered certain vulnerabilities in drug infusion pumps used in hospitals. The researcher discovered that the device software was vulnerable to infiltration that had the potential to manipulate the pump’s drug dosage levels. Unfortunately, this is not the first time this risk has been demonstrated. For instance, similar studies have revealed the vulnerabilities of wireless-enabled pacemakers and defibrillators, which in some cases have led to embarrassing public disclosures by companies seeking to profit from such vulnerabilities.
This month, two other lawmakers questioned the U.S. Food and Drug Administration (FDA) on its plans to address cybersecurity vulnerabilities in networked medical devices. Diana DeGette (D-CO) and Susan W. Brooks (R-IN) urged the agency to consider the vulnerability of the 10 to 15 million devices in circulation that are connected to the internet, hospital networks, and to other medical devices.
While there is no evidence that medical devices have been the targets of cyber-attacks, other IoT devices are increasingly becoming attractive targets. The consequences of such an attack on medical devices could be dire. These threats are credible enough that during his tenure as Vice President, Dick Cheney was ordered to disable the wireless functionality of his pacemaker due to fears it might be hacked in an assassination attempt. As more medical device manufacturers create products that are wireless-enabled, data security for these devices is an increasing concern. Historically, device manufacturers have had to create products that are able to perform under various conditions, such as power outages. Going forward, resistance to cyber-attacks is likely to be an additional hurdle that device manufacturers will need to clear before marketing their products.
This year FDA issued draft guidance addressing Postmarket Management of Cybersecurity in Medical Devices. FDA encourages manufacturers to use a proactive and risk-based approach in the post-market phase for medical devices, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity. FDA has also identified cybersecurity enhancement in medical devices as a Science Priority for FY 2017. Medical device manufacturers are likely to face increasing scrutiny from FDA regarding the cybersecurity measures of connected devices.
“But what about my fitness tracker?” you may ask. The explosive growth of wearable wellness products and mobile medical apps has created another avenue for cyber-threats. These products raise serious privacy and security concerns. Wearable products and medical apps collect a plethora of sensitive health information about their users, such as location, pregnancy, gender, and ovulation information. Despite these issues, for the time being, many of these products may fall into a regulatory no-man’s-land. Per its recent guidance, FDA does not intend to regulate low-risk general wellness products. Additionally, FDA’s current guidance suggests that many mobile medical apps will fall outside of FDA’s jurisdiction because they will not meet the definition of “medical device.” Other mobile medical apps may meet the definition of “medical device” but pose a lower risk to the public, and FDA therefore does not intend to regulate these products as “medical devices.” HIPAA is unlikely to apply to these products because they are not offered by “covered entities.” FDA’s stance on this may change, and these products remain subject to regulation by the Federal Trade Commission (FTC); for the time being, however, consumers will need to carefully consider the cybersecurity strength of the manufacturers from which they are purchasing these products.
Given the growth of the healthcare industry and the constantly evolving nature of cyber-threats, these issues are not likely to disappear any time soon. Manufacturers will need to be vigilant to keep up with the constantly evolving cybersecurity threats and assess vulnerabilities when designing and developing products.