DATA SECURITY AND PRIVACY IN MEDICAL DEVICES

Medical devices have seen quantum leaps in terms of functionality, intelligence, and usefulness in the last decade. Improved design, better and cheaper production materials, and more sophisticated software, and have all contributed to this improvement. However, perhaps the biggest recent development that has greatly enhanced the ability and uses of medical devices, is the use of technology to connect medical devices (including those implanted in humans) to the internet, to hospital systems, and to other devices. This makes it possible to make these devices smarter, to control them remotely if required, to monitor their activity and functioning, and to pause or alter their operation without having to remove them from the human body.

However, like all devices that come with internet connectivity, these connected medical devices come with one major potential harm – the vulnerability to hacking, malware, and/or viruses. Potentially, this could create havoc for health care providers and patients, as third-parties may be able to break into and dictate the functioning of medical devices such as drips or other implanted devices. This problem is not new either. Since 2012, the Food and Drug Administration of the USA (the “FDA”) has been increasing security infrastructure standards for all connected medical devices, and has been constantly warning manufacturers of potential threats.

Sure enough, a short while ago, the first major medical device manufacturer in the USA suffered from the threat of security breaches. On August, 30, 2017, the FDA announced the recall of approximately 465,000 pacemakers manufactured by Abbot (previously St. Jude Medical), due to the fear of security vulnerabilities being exploited by hackers. As per the FDA, if the vulnerabilities were left unremedied, hackers could reprogram the pacemakers to alter the heart rate of the patient and/or to drain the batteries quickly. Both scenarios could have potentially catastrophic effects.

Fortunately for Abbot, the vulnerabilities could be fixed via a firmware update that could be installed by health care providers in just 3 minutes. The pacemakers did not need to be removed from the patients’ bodies, as the update could be installed wirelessly. Further, Abbot was able to report that there had been no incidents of a security breach/hack before the firmware update was rolled out. Yet, this should not detract from the seriousness of the situation and the extent of the harm that could have been suffered by both the manufacturer and the patients. In light of this, we find it pertinent to take a deeper look at the different minds of medical devices available today, and the potential harm that can be caused through them if the current security infrastructure is not in place.

Medical Devices and Their Potential Harms

Medical devices, apart from being controlled remotely, are also great repositories of data. In order to be able to automatically adjust their own functionality, alert users/controllers at times of low battery, and to be able to provide efficient statistics as to the health of a patient, they have to constantly collect, monitor and analyse data from the patient’s body. This means that they contain sensitive personal information regarding patients’ medical conditions, bringing in the important aspect of data privacy.

Medical devices have been used for a variety of purposes – from diagnosis of multiple diseases, to studying patient’s conditions during treatment of diseases, and to ensuring patient adherence to a prescribed treatment plan. Perhaps, given the wide range of uses for connected medical devices, it will be easier to understand the problems that they may face, by taking a few examples:

  1. OpenAPS – Closed loop insulin delivery – This software, which can be used along with standard medical devices, allows patients to track data from their CGM (continuous glucose monitor), and use it to control/trigger their insulin pump whenever glucose levels demand the same. The patients PII is not owned by any third party here, but if hacked, this system could not only give hackers access to this information, but could also allow hackers to alter the trigger mechanism/program that controls when insulin is released to
  2. Activity trackers during cancer treatment – These devices are used to gather lifestyle data regarding patients, during their treatment from various forms of cancer. These are wearable devices (like many other activity trackers/smart watches), but they track the patient’s energy levels, fatigue, and appetite automatically. The data generated via these devices is usually accessible and analysed by doctors and other health care providers. In a disease where the treatment is actively changed depending on the patient’s reaction to the ongoing medication/therapy, such a device is extremely important. Additionally, it aids doctors to keep track of a patient’s lifestyle, to ensure that patients are taking care of themselves appropriately. Thus, this device places data privacy and security restrictions on doctors etc., with respect to the PII that they hold. Additionally, there is a responsibility on the manufacturers of such devices to ensure that the security infrastructure of the device is strong enough to protect it against hacks/malware. If hacked, not only will the critical data regarding a patient’s current condition be available to the hacker, but they can also alter the functioning of the device to change the readings. This could potentially prevent a cancer patient from receiving the correct follow-on treatment, which is critical to their health.
  • Connected inhalers – Devices like Propeller’s Breezhaler connect wirelessly to a digital platform available on the patient’s mobile phones and with the doctors as well. This helps in tracking the usage of the inhaler, sending reminders to the patient in case of sporadic usage, and ensuring patient adherence to a treatment plan. If such systems are hacked, patients and doctors could stop receiving accurate data regarding inhaler usage, potentially leading to non-adherence to treatment plans and a worsening of existing breathing problems.
  1. Parkinson’s – Pfizer and IBM have collaborated on Project Blue Sky, a planned clinical trial involving the use of a system of sensors, mobile devices, and machine learning to provide round-the-clock monitoring of the symptoms, development and progression of Parkinson’s in patients. Though more research oriented, such a system could potentially be extremely important in discovering a cure for Parkinson’s.

The above are only a few examples of connected medical devices available today. Yet some common themes run through all of them – (a) they all record and store sensitive personal information regarding patients in order to function; (b) they are all accessible remotely; and (c) this makes them vulnerable to hacking/malware etc. Considering the nature of the information stored on the devices, it becomes even more important for the manufacturers to ensure data security of the devices, and for the doctors/other entities storing and analysing the data to ensure its privacy and non-disclosure. No data security infrastructure is fool proof or completely protected from hackers. However, increased standards and more robust protection techniques could help in ensuring that these devices remain protected in the near future.

Author: Madhav Rangrass is an Associate with NovoJuris Legal.

 

Advertisements