Evolving technologies pose challenge for medical device security

[Portrait: Eric Johnson (Vanderbilt University)]

It is the ultimate invasion of privacy: An unscrupulous hacker gains access to a network of interconnected medical devices and then, with a few quick keystrokes, remotely delivers a fatal electric shock to some unsuspecting victim’s pacemaker. This may sound like the plot of a spy novel, but such a scenario, at least from a technological standpoint, is not out of the realm of possibility.

As today’s health care industry relies increasingly on devices and systems that collect and share data between one another, cybersecurity breaches have become a troubling new reality. In fact, just last month, two device manufacturers—St. Jude Medical and Johnson & Johnson—issued separate warnings that their respective cardiac implants and insulin pumps were vulnerable to hackers.

While other industries, like the financial sector, have made cybersecurity a priority for 20 years or more, health care has been relatively late to the game and is now behind the curve in addressing such threats, according to M. Eric Johnson, dean of Vanderbilt Owen Graduate School of Management and Bruce D. Henderson Professor of Management.

“Health care is behind for several reasons,” he said. “It’s a very fragmented industry—you have countless clinical operations, and many of them are quite small and don’t invest in information security. And then at the other end of the spectrum, there are these hospitals that are, in effect, high-tech islands. They have these amazing surgical robots and other technology, but only in the last five years has there been a push to build a more integrated IT backbone with security.”

Johnson, who studies information technology’s impact on the extended enterprise, has co-written a new article examining the chronology of medical device security. Published in the October 2016 issue of Communications of the ACM, “A Brief Chronology of Medical Device Security” is the result of an interdisciplinary project, known as Trustworthy Health and Wellness (THaW), which is funded by the National Science Foundation. A.J. Burns, assistant professor of computer science at the University of Texas–Tyler, and Peter Honeyman, research professor of computer science and engineering at the University of Michigan–Ann Arbor, collaborated on the article.

“We’re now seeing medical device security in the news regularly,” Johnson said. “What my colleagues and I wondered was: How did it get to this point? And what are the policy issues that have been governing it over that time?”

In the article, Johnson and his co-authors identify four major inflection points that span the evolution of medical devices and their security: (1) “Complex Systems and Accidental Failures” (1980s–present), (2) “Implantable Medical Devices” (2000–present), (3) “Unauthorized Parties and Medical Devices” (2006–present), and (4) “Cybersecurity of Medical Devices” (2012–present). The authors also lay out a timeline of important legislation aimed at regulating and/or enhancing security and privacy in the health sector. In the end, they arrive at several conclusions:

  • The future of medical device security will be defined by the steps that the health sector takes today.
  • Security trade-offs characterize the design and deployment of medical devices.
  • Discussions of cybersecurity and medical devices often are distorted by misinformation and frightening language.

With regard to the last of these, the authors wrote, “We must resist the temptation to sensationalize the issues related to cybersecurity in the health sector, and instead apply sober, rational, systematic approaches to understanding and mitigating security risks.”

What then should be the appropriate course of action for health care professionals and their patients? Is there one risk they should be concerned about above all others? Johnson and his co-authors offer a clear answer in that regard.

“It is safe to say that patients’ reluctance to accept medically indicated devices due to concerns about security poses a greater threat to their health than any threat stemming from medical device security,” they wrote.

In other words, the biggest danger to patients’ health is not the security threats themselves but rather the irrational decisions that might result from these perceived threats. While users of medical devices may be vulnerable to hackers in theory, there is not enough of a risk, according to the authors, to discourage use of the devices altogether. A hijacked pacemaker makes for an interesting plot twist in a novel, but it is not very likely to happen in real life.

“Unless you’re the president of some country,” Johnson said, “or someone with a lot of enemies, I wouldn’t worry about being personally targeted.”