It is the ultimate invasion of privacy: An unscrupulous hacker gains access to a network of interconnected medical devices and then, with a few quick keystrokes, remotely delivers a fatal electric shock to some unsuspecting victim’s pacemaker. This may sound like the plot of a spy novel, but such a scenario, at least from a technological standpoint, is not out of the realm of possibility.
As today’s health care industry relies increasingly on devices and systems that collect and share data between one another, cybersecurity breaches have become a troubling new reality. In fact, just last month, two device manufacturers—St. Jude Medical and Johnson & Johnson—issued separate warnings that their respective cardiac implants and insulin pumps were vulnerable to hackers.
While other industries, like the financial sector, have made cybersecurity a priority for 20 years or more, health care has been relatively late to the game and is now behind the curve in addressing such threats, according to , dean of and Bruce D. Henderson Professor of Management.
“Health care is behind for several reasons,” he said. “It’s a very fragmented industry—you have countless clinical operations, and many of them are quite small and don’t invest in information security. And then at the other end of the spectrum, there are these hospitals that are, in effect, high-tech islands. They have these amazing surgical robots and other technology, but only in the last five years has there been a push to build a more integrated IT backbone with security.”
Johnson, who studies information technology’s impact on the extended enterprise, has co-written a new article examining the chronology of medical device security. Published in the October 2016 issue of Communications of the ACM, is the result of an interdisciplinary project, known as (THaW), which is funded by the National Science Foundation. A.J. Burns, assistant professor of computer science at the University of Texas–Tyler, and Peter Honeyman, research professor of computer science and engineering at the University of Michigan–Ann Arbor, collaborated on the article.
“We’re now seeing medical device security in the news regularly,” Johnson said. “What my colleagues and I wondered was: How did it get to this point? And what are the policy issues that have been governing it over that time?”
In the article Johnson and his co-authors identify four major inflection points that span the evolution of medical devices and their security: (1) “Complex Systems and Accidental Failures” (1980s–present), (2) “Implantable Medical Devices” (2000–present), (3) “Unauthorized Parties and Medical Devices” (2006–present), and (4) “Cybersecurity of Medical Devices” (2012–present). The authors also lay out a timeline of important legislation aimed at regulating and/or enhancing security and privacy in the health sector. In the end, they arrive at several conclusions:
- The future of medical device security will be defined by the steps that the health sector takes today.
- Security trade-offs characterize the design and deployment of medical devices.
- Discussions of cybersecurity and medical devices often are distorted by misinformation and frightening language.
With regard to the latter, the authors wrote, “We must resist the temptation to sensationalize the issues related to cybersecurity in the health sector, and instead apply sober, rational, systematic approaches to understanding and mitigating security risks.”
What then should be the appropriate course of action for health care professionals and their patients? Is there one risk they should be concerned about above all others? Johnson and his co-authors offer a clear answer in that regard.
“It is safe to say that patients’ reluctance to accept medically indicated devices due to concerns about security poses a greater threat to their health than any threat stemming from medical device security,” they wrote.
In other words, the biggest danger to patients’ health is not the security threats themselves but rather the irrational decisions that might result from these perceived threats. While users of medical devices may be vulnerable to hackers in theory, there is not enough of a risk, according to the authors, to discourage use of the devices altogether. A hijacked pacemaker makes for an interesting plot twist in a novel, but it is not very likely to happen in real life.
“Unless you’re the president of some country,” Johnson said, “or someone with a lot of enemies, I wouldn’t worry about being personally targeted.”