Consider the normal hospital or home care scenario today. A patient—your patient—is receiving different therapy intravenously. That IV fluid is being administered using a pump known as an infusion pump.
Today those infusion pumps are connected to a network of devices on a hospital’s internet-connected network.
Now consider the ramifications of an outsider hacking into that network and controlling all of the devices on it, as well as being able to access all of the medical records on the network and to create a serious danger to the hospital and all of the connected patients. It’s a threat that is invisible and one that you don’t really think about, but the potential is there.
It’s a scenario that is more than plausible; it has actually taken place. Insulin pumps have been hacked multiple times. Johnson & Johnson became the first company to warn its users about the potential for hacks in its insulin pumps.
Billy Rios wrote about it for Bloomberg, and even the FDA has taken notice, very recently stating that they knew that there were problems with medical devices and that sufficient security in those devices was probably not in place. They said that the current regulations and the current controls were not enough.
Recently the FDA released a set of guidelines designed to assist with this conundrum. They are encouraging all medical device manufacturers to make their cyber-security stronger and to ensure that clients and patients cannot be harmed by hacks to products.
This was in response to Executive Order 13636 and Presidential Policy Directive 21, but it was also a response to the many cyber-security experts who have written directives and voiced their concerns about the problems inherent in connected medical devices.
There are dozens of problems with IoT medical devices and their ability to be hacked, but it isn’t just medical devices that are used directly for patient treatment. Other problems have been found in devices such as x-ray machines and MRI machines that allow them to be breached and require a fix in order to ensure patient safety.
Despite actual white hat hacks and security concerns voiced by experts, many legal experts say that the harm caused or the potential to harm is pure speculation. Reed Smith partner Steven Bornian believes that no medical device will ever be completely secure and that no IoT or medical device risk can be completely eradicated. That means legislating security for them simply is not feasible, but that still seems to be the way that governments are heading.
The FDA has, for now, focused their approach to this problem on encouraging companies to offer workarounds for the user and temporary fixes if there is a breach. They believe this may be better than trying to regulate or legislate companies to prevent the breaches entirely, which many experts say may be impossible.
That isn’t going to be a long-lasting solution, because even as we discuss it, things are changing. Countries are seeking the right legislation to protect the data and the patients who use medical devices. Having an on-board cybersecurity specialist is going to be imperative for any company offering connected devices in the near future. Is your company ready?