Cyber security is a new spin on an old problem

September 21, 2017

When I read the headline that the FDA announced a voluntary recall of 465,000 pacemakers over safety concerns related to security vulnerabilities and the possibility of a device being hacked my first thought was, “I wonder if my Dad's pacemaker is part of this recall?”

If you haven't seen this story yet, the units in question are manufactured by Abbott (formally St. Jude Medical). Since my dad has a pacemaker, I reached out to him see if perhaps his pacemaker was part of the recall. If it was, I was very interested in his perspective. Would he consider going to a clinic to get the firmware upgrade a nuisance or a reassuring step that would boost his confidence that everyone has his safety and wellbeing in mind? Turns out, my father's pacemaker is from another manufacturer so no action required.

While this latest voluntary pacemaker recall illustrates that medical device manufacturers are taking cybersecurity seriously, there are other recent events that probably better demonstrate that the threat is real.

During the ransomware attack known as WannaCry from May of this year, it was widely reported that hospitals in the UK were disabled as they scrambled to deal with this cyber infection. This ransomware also made its way to the US and into a couple of medical devices from well-known manufacturers. Thus far, it appears that the risk was limited to some imaging functionality in a few pieces of radiology equipment. But it isn't hard to imagine that more sophisticated attacks could target specific devices that have a higher impact on direct patient safety. 

Cyber security is just tamper resistance for our electronic medical devices.

Protecting for misuse is part of any holistic hazard analysis. Addressing cybersecurity is clearly in the forefront as devices get more sophisticated in their connectivity, which is meant to help with ease of use for both practitioners and patients but also opens up vulnerabilities.

While cyber security is just the latest vulnerability in the limelight, I'm old enough to remember the Tylenol cyanide poisoning murders in the early 1980s. The country was struck with fear after seven people died over three days from ingesting Tylenol laced with cyanide. 

I was in middle school back then, but clearly remember the fear that was instilled from this terrible act. People were dying as a result of ingesting a medicine they had hoped would simply take away a headache or similar minor ailment. I don't believe the perpetrator/s were ever found, but the incident had a clear impact in our daily lives. It was the catalyst to pharmaceutical, food, and consumer product industries developing the tamper-resistant packaging we are accustomed to today. 

 Cyber security is just tamper resistance for our electronic medical devices.