Your Medical Device May Be A Computer. Treat It Like One!

We all know about Food and Drug Administration (FDA) food recalls. Remember the ban on romaine lettuce from Arizona? That was finally tracked down to a contaminated irrigation pipe. Quite a bit of tainted lettuce was eaten or discarded before that happened.

Medical Device Security

The FDA is in charge of more than just food. It also regulates and recalls medical devices. It is little appreciated that many medical devices nowadays either are essentially computers or contain subassemblies that are computers. So, they have all the issues that computers do: bugs, hardware failures, and cybersecurity risks.

What Are Some Examples of Medical Device Error?

Some medical devices, like bone screws, get recalled because they break before their intended end-of-life, or because their sterile packaging does not protect them until the product’s expiration date. There are many others like this.

With medical devices involving computers, the reasons for recall are countless. Below are just a few:

  • One recall involved a device intended to generate radiation for cancer treatment that was giving too high a dose without warning.
  • Another included anesthesia carts that go into failure mode and shut off the flow of anesthetics and oxygen unexpectedly.
  • Still another, automated blood testing equipment, was giving false results.
  • IV infusion pumps were giving the wrong dose or shutting off unexpectedly.
  • Implantable insulin pumps were delivering the wrong dosage.

Any of these failures could be fatal.

Why Is Security An Issue?

Many medical devices are part of the “internet of things” (IoT) and communicate with each other or with medical records systems over wired or wireless connections. Unfortunately, this means they are potentially “hackable.”

An intruder could, say, cause an anesthesia cart to stop delivering an oxygen/anesthetic mixture and deliver only the anesthetic gas. This could kill the patient, while at the same time the monitor displays results indicating to the anesthesiologist that nothing is wrong.

An implantable insulin pump could be wirelessly told to deliver a fatal overdose of insulin. Any device that is connected to a medical records system could be hacked to deliver false data. The possibilities are literally endless. And they are scary.

What Is the FDA Doing About Safety and Security?

The FDA has a plan in place to dramatically improve its current surveillance of medical device problems. Obviously, this will involve a lot of infrastructure and database development and will involve all the usual privacy and security issues.

The FDA has in place a system of post-marketing surveillance that is designed to provide early warnings when problems arise in medical devices. Of course, there will be a steep learning curve. Checking the incoming data for indications of device problems is potentially an ideal application for artificial intelligence (AI).

The FDA has also issued guidance on cybersecurity to manufacturers of medical devices. That advice will strike cybersecurity experts as behind the curve:

  • Give different users different levels of authority
  • Require strong passwords
  • Make sure users are notified of software and firmware patches
  • Many similar recommendations

So far, none of them addresses one of the most fundamental security flaws that repeatedly shows up in software: elevation of privilege. Once a hacker has control of processes in the operating system (and even the most primitive devices have analogues of them), the hacker can create a superuser who has control of the entire system and can bypass any security measures that are in place.

The software industry as a whole has no solution to this, because the concept of user privilege is fundamental to almost any operating system. The only way around it is to have “locked down” systems in which changes can be made only by the physical replacement of a chip. But that defeats all the advantages of the IoT and connectivity in general.

Medical Devices For Consumers: What’s Good Enough?

Medical device makers whose target market is medical professionals have focused on “more” – more accuracy, more graphics, better resolution, more connectivity, and so on – all of which translates into more expense.

With an increasing focus on costs in healthcare and with more devices aimed at consumers, the market will begin to ask, “What is good enough?”

Consumer-oriented blood glucose meters for diabetics are not as accurate as those designed for use in hospitals – but they are faster, far easier to use, and the newest designs do not require a fingerstick. Instead, they are read from a sensor stuck to the skin. Some newer hearing aids can be adjusted with a smartphone app, sparing the patient a visit to the audiologist.

The Holy Grail of consumer-focused medical devices might be this: an implantable device that will capture data on all critical physiological parameters and transmit warnings to the patient’s physician when something is out of line, or, in a real emergency, summon an ambulance. Smartphones can already broadcast locations to emergency medical services; this would add the capability to transmit the patient’s physiological data.

This means that paramedics would arrive knowing what is wrong (heart attack, trouble breathing, severe blood loss) rather than having to assess the situation from a standstill. Of course, if the machine malfunctions or is hacked, it could send the wrong data to paramedics. Those dangers do exist and are very real. The hope for medical professionals is that we will find solutions to these problems so that medical devices can be counted on for accuracy and are impervious to hackers.

Before we get to that place, we will need to find ways to ensure that our systems and medical devices are much more secure than they are at present, or we will widen the possibilities for disasters.