Hacked Health: Security Concerns With Connected Medical Devices
The Internet of Things promises wireless connectivity among many of the appliances and devices within the home and beyond, from thermostats that can be adjusted via smartphone apps to umbrellas with built-in Bluetooth connectivity that can alert you when it is left behind. However, the integration of Internet connectivity into everyday objects is not simply limited to gadgets within the home; medical devices too have tapped into this technology for remote access to information, patient monitoring, and device activity. Thanks to their built-in Internet connectivity, devices like insulin pumps or implantable cardioverter defibrillators can now be controlled and adjusted with an Internet connection. As well, the devices can gather and submit data to electronic records for enhanced patient care. In recent years, concerns over security and data breaches have led government agencies to consider a stronger regulatory role in ensuring that connected medical devices are not at risk of being “hacked” for unauthorized use and access.
Significant security concerns regarding connected medical devices were brought to the medical community's attention when two noted experts, Jay Radcliffe and Barnaby Jack, discovered that certain insulin pumps with a wireless connection had serious security flaws that would allow them to be hacked via unauthorized remote control.1 This could include a deliberate manipulation in the amount of insulin pumped by the device that may cause serious harm for the patient. Prompted by these findings, in April 2012 the United States Government Accountability Office issued a report on information security and connected medical devices – specifically, Medtronic's implantable cardioverter defibrillator and insulin pump that Radcliffe and Jack were able to manipulate. The GAO found no actual known incidents of “hacked” medical devices reported to the Food and Drug Administration (FDA) by patients, but still recommended that the FDA develop and implement a plan expanding its focus on information security risks.2 Medtronic responded with a statement that although the security risk for these devices is low, the company has addressed device security in the design development process by implementing measures to safeguard patient safety and will continue to review the security of the devices.3