Managing Director Brian Stites of FTI Cybersecurity answers a question that few contemplated until recently, but must be seriously considered as more life-saving devices come online. This is the second in our series for National Critical Infrastructure Security and Resilience Month (November).
Today’s pacemaker technology is light-years ahead of where it was just a few years ago. The latest iteration of the tiny devices that are implanted in the torso of patients with cardiac issues uses smart technology that offers patients wireless monitoring of device performance through a smartphone app via Bluetooth. In turn, vital cardiovascular data can be wirelessly transmitted from the smartphone to the patient’s provider, eliminating the need for traditional remote hardware, such as bedside monitors, in the patient’s home.
For the 600,000 people who receive pacemakers each year, the option of a wireless, Bluetooth-enabled model represents a huge leap forward in convenience and in maintaining a lifesaving device. As is the case with any connected device, however, these digital wonders can also be susceptible to compromise, manipulation or misuse.
Telehealth and Cybersecurity
Patients, healthcare providers, and medical device and service companies are more commonly enjoying the benefits and convenience of the burgeoning telehealth movement (essentially remote healthcare management). But it's important to be cognizant of the reliance on wireless connectivity and the corresponding data security and privacy concerns. Unlike financial fraud, the theft of medical information is less likely to be noticed by the victim.
While HIPAA regulation is a primary avenue for safeguarding patients’ privacy, protecting wireless medical devices carries its own sensitivities. These types of implants could be affected by other wirelessly connected devices, such as modern appliances, and especially so as the Internet of Things (IoT) proliferates and 5G offers increased connectivity and bandwidth.
To date there has not been a reported successful compromise of a pacemaker or other implantable device. However, the threat of a cybersecurity compromise remains real, and government agencies such as the U.S. Food & Drug Administration (FDA) are beginning to address the issue with fines imposed for poor cybersecurity measures in implantable devices.
Ensuring Device Integrity and Personal Safety
The FDA and U.S. Department of Homeland Security (DHS) recently formed a partnership that created a new framework for information sharing and coordination about potential or existing cybersecurity weaknesses in medical devices.
In addition, the DHS’ National Cybersecurity and Communications Integration Center (NCCIC) works with medical device manufacturers, researchers and the FDA to inform and help these agencies whenever a cybersecurity vulnerability in a medical device has been identified.
Establishing frameworks such as the above is a positive development. But it would be prudent of the FDA to make its guidelines mandatory requirements and expand them to include more digital safeguards, such as software source code integrity, supply chain validation for component integrity, and data transmission and storage integrity.
Until then, those with pacemakers or other connected medical devices should have a conversation with their medical providers to understand the associated cyber risks, and continue that conversation on a regular basis. New technologies are coming online that promise more insight into your health and more convenience. As with any aspect of your personal safety, you should take an active role to ensure the device that gives you insight into your health is protected and to keep that insight from others.