As providers work to update their HIPAA policies and procedures, there’s another area of concern to consider: the hacking of implantable medical devices. In August of last year, the Government Accountability Office, the “congressional watchdog,” released a report ...identifying information security issues associated with medical devices and advising the FDA to ramp-up its efforts to address these issues. These devices include implantable defibrillators, insulin pumps, pacemakers, and other devices used to monitor and transmit a patient’s medical status. Specifically, the GAO considered intentional threats to such devices, including hackers obtaining unauthorized access, or using malware, viruses, or worms to interfere with the functioning of the device. Although there have been no documented incidents thus far, the GAO cited several demonstrations in controlled settings showing that hacking of these devices is a real threat. In one demonstration, the researchers were able to remotely deliver commands to a defibrillator. Other demonstrations revealed that hackers could prevent insulin pumps from operating properly or manipulate the amount of insulin to be dispensed. Unfortunately, the GAO report also acknowledged that efforts to address the security issues associated with these devices could adversely affect the performance of the devices. For one, pacemakers cannot be made immune to all electrical signals because the device must be able to detect the signals naturally generated by the patient’s heart to determine irregularity in pulse. Further, adding encryption – a security feature of which most providers are aware – could drain a device’s battery, which can only be replaced by surgery. The FDA has stated that, in the future, the agency will consider information security risks resulting from intentional threats when reviewing new devices submitted by manufacturers.
For now, much of this discussion probably relates to the potential to hack life-critical devices rather than any real and immediate threat. Nevertheless, it also highlights how dependent many of us are on our high-tech devices, some putting their very lives under the control of them. Unfortunately, even the potential to hack these devices could serve as an impetus for some to attempt to do so. I am glad that the GAO issued its report. It will cause the manufacturers of these devices to endeavor to make them unhackable. Unfortunately, this probably is impossible given the history of hacking any device controlled by software and with the ability to communicate externally. As noted above, battery life is critical for these devices and making them more complex may impair this function. It's one thing to have an intelligent device on your wrist or in your pocket. It's another to have it embedded in your chest and in control of your destiny.