by Kristina Fiore
Although no such attacks have yet been reported, medical devices could be susceptible to hackers, and a thorough security analysis should be done as part of FDA approval, researchers argue.
Premarket regulatory evaluation should include a risk-based security assessment depending on the nature of the device and the perceived threat of a security compromise, said William H. Maisel, MD, MPH, of Beth Israel Deaconess Medical Center, in Boston, and Tadayoshi Kohno, PhD, of the University of Washington in Seattle.
They made their argument in a “Perspective” article in the April 1 issue of the New England Journal of Medicine.
“We think medical device security should be improved before there is a widespread incident, rather than waiting for the incident to occur and then acting,” Maisel said in an e-mail to MedPage Today. “It is very difficult to add on security after the fact.”
The authors said that in terms of security risks, medical devices are like “the drug supply of a generation ago.” They cited an intentional 1982 poisoning of Tylenol with cyanide and suggested that security concerns need to be addressed “through regulatory and scientific actions.”
Maisel said computer security specialists “see weaknesses in the current technology of many medical devices.”
Potential vulnerabilities include unauthorized device reprogramming and data extraction. Hackers could also flood a device with information so that normal communication fails to reach it. Other tactics prematurely drain a device’s battery and eventually reduce its lifespan by repeatedly awakening it from a sleep state.
Access is easy to obtain, the researchers said. Devices communicate constantly between patients and physicians’ offices, hospitals, and manufacturers, all of which are potential routes for a security breach.
The researchers admit that such harm would be rare but can’t be totally discounted. Hackers may be motivated by the acquisition of private information for financial gain or competitive advantage.
Sabotage can happen at the hands of a disgruntled employee, a dissatisfied customer, or a terrorist, they warned. In some cases, the sabotage may simply be done to satisfy the attacker’s ego.
In fact, the researchers said, computer hackers once sabotaged a patient-support Web site run by the Epilepsy Foundation, causing it to display flashing lights that induced seizures in some patients.
Still, no cases of hacked medical devices have been reported to date.
“Although it is reassuring that there hasn’t yet been a widespread breach of device security, examination of early Internet security incidents provides useful insights into the potential risks,” they wrote.
To guard against potential hackers, the researchers argue that as part of the premarketing regulatory evaluation, the FDA should do a risk-based security assessment that varies with the criticality of device function and the perceived threat of compromised security.
Devices with “nonessential” functions — cochlear implants, implantable heart monitors — deemed to be at low risk for a security breach may require only data validation and user authentication.
On the other hand, devices that have life-sustaining functions — insulin pumps, pacemakers — and carry an increased risk for security breaches would require additional safeguards, such as the “inclusion of redundant security features and rigorous testing and verification of security properties.”
Maisel said that ideally, security should be built into devices during the design phase.
While manufacturers “should bear the primary responsibility for ensuring that their devices are secure,” Maisel added, “we believe this would best be accomplished by convening the major stakeholders — manufacturers, regulators, computer scientists, physicians, patients — and developing security guidelines for medical devices.”
Kristina Fiore is a MedPage Today staff writer.