The Internet of Things promises wireless connectivity among many of the appliances and devices within the home and beyond, from thermostats that can be adjusted via smartphone apps to umbrellas with built-in Bluetooth connectivity that can alert you when they are left behind. However, the integration of Internet connectivity into everyday objects is not limited to gadgets within the home; medical devices too have tapped into this technology for remote access to information, patient monitoring and device activity.
Thanks to their built-in Internet connectivity, devices like insulin pumps or implantable cardioverter defibrillators (ICDs) can now be controlled and adjusted over an Internet connection. Additionally, the devices can gather and submit data to electronic records for enhanced patient care.
In recent years, concerns over security and data breaches have led government agencies to consider a stronger regulatory role in ensuring that connected medical devices are not at risk of being “hacked” for unauthorized use and access.
Significant security concerns regarding connected medical devices were brought to the medical community’s attention when two noted experts, Jay Radcliffe and Barnaby Jack, discovered that certain insulin pumps with a wireless connection had serious security flaws that would allow them to be hacked via unauthorized remote control.1 This could include a deliberate manipulation of the amount of insulin pumped by the device that may cause serious harm to the patient.
Prompted by these findings, in April 2012 the United States Government Accountability Office (GAO) issued a report on information security and connected medical devices — specifically, Medtronic’s ICD and insulin pump that Radcliffe and Jack were able to manipulate.
The GAO found no actual known incidents of “hacked” medical devices reported to the Food and Drug Administration (FDA) by patients, but still recommended that the FDA develop and implement a plan expanding its focus on information security risks.2
Medtronic responded with a statement that although the security risk for these devices is low, the company has addressed device security in the design development process by implementing measures to safeguard patient safety and will continue to review the security of the devices.3
The security flaws with these devices led Scott Erven of Essentia Health to conduct a 2-year study on devices in use at the company’s health care facilities and the potential for remote hacking. The results, published in Wired magazine, were quite surprising:
- Drug infusion pumps could be remotely accessed via unauthorized use to change dosages.
- Bluetooth-enabled defibrillators could be hacked to deliver random shocks or prevent necessary shocks.
- X-rays lacked secure access measures.
- Temperature settings on refrigerators storing blood and drugs could be reset.
- Electronic health records (EHRs) could be changed, leading to misdiagnosis, incorrect drug prescribing or unnecessary treatment.
- Many medical devices with web interfaces lacked password protection or had weak or universal passwords.4
In October 2014, the FDA issued its final guidance document, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff,” which called for manufacturers to develop a set of cybersecurity controls to assure medical device functionality and safety during the design and development stages (a proactive, rather than reactive, measure).5
This article originally appeared on MPR