Be it a defibrillator or an MRI scanner, patients become increasingly vulnerable to hackers each day…
According to the New England Journal of Medicine (NEJM) April 1, 2010 article, “Improving the Security and Privacy of Implantable Medical Devices,”
“…medical devices vary widely with regard to security features, because no specific security guidance or requirements have been promulgated by the FDA. In the past, the agency has not viewed itself as a key contributor to the security of medical devices, noting that “the software engineering community, not the FDA, will dictate the solutions.” According to a 2009 report from the Government Accountability Office, the FDA has yet to develop a policy framework for the privacy and security of personal health information.”
Clearly, as wireless connectivity becomes more widespread, access to device controllers and software becomes even easier. Quoting the MD&DI’s “DeviceTalk” site summary of the NEJM article:
“Hackers could manipulate the technology to:
- Extract data
- Reprogram the devices
- Flood the devices with information to block incoming communication
- Drain a device’s batteries”
As U.S. federal law stands now, medical device manufacturers hold the sole legal responsibility for remaining alert to, aware of, and ready to act on security breaches. This responsibility is dictated by HIPAA (the Health Insurance Portability and Accountability Act), although no guidelines for device controller or systems software are in place.
The authors of the above NEJM article, Drs. W. H. Maisel and T. Kohno, are urging the FDA to change its position on regulating device systems software and urging manufacturing companies’ software engineers to include security features during the design phase.
NEJM Article Authors: William H. Maisel, M.D., M.P.H. – Medical Device Safety Institute, Beth Israel Deaconess Medical Center, Boston; and Tadayoshi Kohno, Ph.D. – Department of Computer Science and Engineering, University of Washington, Seattle.