Former vice president of the United States, Dick Cheney, was so concerned about assassination by terrorists manipulating his implanted heart defibrillator that he asked doctors to replace it with a device which had no Wi-Fi capability.
That intriguing saga, relayed in Cheney’s book Heart: An American Medical Odyssey, happened in 2007. The complexity of interconnectivity and the Internet of Things (IoT)
has come on leaps and bounds since then – and so has the magnitude of risks.
Like many industries, healthcare in North America is becoming increasingly connected and linked to the Internet of Things (IoT). Wireless medical devices – such as heart monitors, smart inhalers and connected insulin pumps – are being adopted to increase efficiency and to ramp up the collection of patient data.
But connected medical devices also come with new and more complex risks, including an evolving wave of cyber exposure
“There are three separate areas of concern when you look at a medical device that could be implanted,” said Michael O’Brien, partner, Wilson Elser, at an IoT briefing hosted by the Washington Legal Foundation. “On the one hand, you’ve got the traditional product liability concerns
around product failure; then there’s the vulnerability that can exist because a bad actor has the possible entry way to take command and control of the device; and finally, there’s the whole concern around data.
“Data generation and monetization are two of the biggest drivers behind the growth of IoT, and why so many different businesses are getting on board with it. […] But when you consider the potential for hacking and data harvesting, there are some concerns around privacy.”
In August 2017, almost 500,000 pacemakers made by healthtech firm Abbott and sold under the St Jude Medical brand were recalled by the US Food and Drug Administration (FDA) over fears they had lax cybersecurity and could be vulnerable to hacking. It was feared bad actors could penetrate the radio-controlled implantable devices to run the battery down and potentially alter the patient’s heartbeat.
“Command and control is a [serious security] aspect to [connected medical devices],” commented Courtney Stevens Young, senior staff attorney, Medmarc Insurance Group. “These devices are vulnerable to infiltration, hacking and actual manipulation. In the healthcare industry, the emphasis has been on the release of patient information and how we can protect devices against that.
“As an insurer for medical device companies, we’re really focused on product liability. We’re looking chiefly at how these devices might be vulnerable and what the worst-case scenario looks like if they are. The biggest thing is: have they (the insured / medical device company) appreciated the risk, do they understand it, and what controls do they have in place to mitigate this risk?”
Could tele-help apps become the new norm in the benefits arena?
After major Bupa breach: is your data safe from a rogue employee?