Medjacking: Hacking Medical Devices

From smartphones to thermostats, watches to vehicles, the modern world is increasingly connected to the Internet—the so-called Internet of Things [1]. What is now becoming clear—painfully so for users of Ashley Madison, a popular dating website—is that anything connected to the Internet can be infiltrated, or hacked [2]. This may mean a state’s secrets are stolen by another, a spouse’s infidelity is exposed, or personal information is leaked online. If all these other devices are susceptible, does that mean medical devices with wireless capabilities are as well?

This outside infiltration of medical devices, known as “medjacking,” is a threat to the medical device community and, more importantly, patients who rely on them [3]. The Internet of Things, at its core, seeks to connect everyday devices to the Internet, the benefits of which are innumerable—software updates, real-time communication and monitoring, remote control, etc. And while the benefits of modern technology are impressive, so too are the efforts of those with more malicious intentions.

This past month, the Food and Drug Administration recommended that medical institutions halt usage of Hospira’s Symbiq infusion pump, a device used to infuse a treatment directly to patients. While there have been no reports of hacking of the device, a security expert demonstrated the ability to infiltrate the device and administer both an insufficient and a lethal dose of the drug.

For the millions of Americans who use devices with wireless capability—including pacemakers, insulin pumps, and cochlear implants—the fear of device failure pales in comparison to unsolicited control from an outside party. In the computer world, there exists ‘ransomware’ that, upon infection, can take personal files and information hostage [5]. To get this information back, victims must pay the creators of the software a lump sum of money. In theory, the same could happen with infected medical devices. Instead of losing access to treasured pictures or important documents, medical treatment could be withheld until payment is received, potentially causing patients to pay in both dollars and their health.

Dr. David G. Armstrong, a professor of surgery at The University of Arizona, has been tapped to participate in the Cybersecurity Standard for Connected Diabetes Devices Steering Committee. Armstrong is joined by another UA professor on the committee, Hsinchun Chen, representing the university as the director of the Artificial Intelligence Lab. The committee includes representatives from industry as well as engineers, academicians, and representatives from the Food and Drug Administration, the Department of Homeland Security, and other government agencies. The committee will examine how the safety of diabetes devices can be ensured while maintaining the innovative spirit that led to their creation [6].

It’s clear that, for patients and physicians alike, having a device that can communicate analytics, treatment, etc., directly between the two parties is a boon. What is also clear, however, is that these devices, like other technology, are susceptible to hacking and subsequent abuse. For companies seeking to add their medical devices to the ever-expanding Internet of Things, cybersecurity must become critically important to prevent the malicious acts seen in other technologies.

References
  1. http://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/
  2. http://arstechnica.com/security/2015/08/ashley-madison-hack-is-not-only-real-its-worse-than-we-thought/
  3. http://www.cbsnews.com/news/u-s-officials-warn-medical-devices-are-vulnerable-to-hacking/
  4. http://ww2.kqed.org/futureofyou/2015/08/03/millions-of-americans-use-medical-devices-that-are-vulnerable-to-hacking/
  5. http://www.trendmicro.com/vinfo/us/security/definition/Ransomware
  6. http://uanews.org/story/ua-surgeon-takes-on-medjacking

Laeth George is a first-year medical student at The University of Arizona College of Medicine – Phoenix. He graduated from The University of Arizona in 2015 with a Bachelor of Science in Physiology. He is passionate about spreading scientific knowledge and ideas to others. More specifically, Laeth is interested in advances in understanding disease pathology and innovations in medical therapies. If you have comments, questions, or recommendations, please feel free to contact him at laethgeorge[at]email.arizona.edu.