October is national cyber security awareness month, says the United States Food and Drug Administration. The initiative affects not just medical device manufacturers but also consumers and patients, as pacemakers, insulin pumps and entire hospital systems have been found vulnerable to threats lurking on the internet or from hackers outside the system.

Earlier this month, the USFDA issued a safety communication to patients and healthcare providers on a software update to address security vulnerabilities associated with Medtronic’s implantable cardiac device programmers.

The vulnerabilities could allow an unauthorised user to change the programmer’s functionality or the implanted device during the device implantation procedure or follow-up visits.

Last year, Abbott recalled over five lakh pacemakers (from its St Jude Medical portfolio) over cyber security issues. Here too, the concern was that outside access could change the way the pacemaker worked. The flaw in the product could “theoretically” be used to pace the device too quickly or run down its batteries, a foreign media report explained.

Though the manufacturer followed up with a “firmware” update to fix the problem, these incidents expose the vulnerability of such medical devices to unauthorised users, who may or may not have a motive. (‘Firmware’ is specific software embedded in the hardware of a medical device, a component in the pacemaker, the USFDA explains.)

Last year also saw the online “WannaCry” ransomware attack affect the United Kingdom’s NHS. Surgeries and appointments were cancelled and ambulances diverted.

In 2016, Johnson & Johnson (J&J) told patients of a security vulnerability in an insulin pump that could be exploited by a hacker to overdose diabetic patients with insulin, reports said. The product was not connected to the internet, but the threat was that a hacker could manipulate the communication between the insulin pump and the remote that operated it.

“Cyber security threats and vulnerabilities in today’s modern medical devices are evolving to become more apparent and more sophisticated, posing new potential risks to patients and clinical operations,” said FDA Commissioner Scott Gottlieb last week, as the regulator published guidance on the issue. The draft pre-market cyber security guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cyber security risks, from ransomware to a catastrophic attack on a health system.

“We’ve been implementing this guidance since it was finalised in 2014. Now, because of the rapidly evolving nature of cyber threats, we’re updating our guidance to make sure it reflects the current threat landscape so that manufacturers can be in the best position to proactively address cyber security concerns when they are designing and developing their devices,” the Commissioner said.

Information gap, the worry

In India, though, the concern is whether information about these product glitches and security patches even reaches the patient/consumer, a gap that was exposed in the J&J faulty implants case. Years later, patients still complain they had no idea that their debilitating pain was possibly from a faulty implant placed in them.

An Abbott spokesperson says that companies are only just “scratching the surface” of what technologies like connected devices and remote monitoring can do in healthcare. Technology advances quickly and the industry needs to be vigilant about including the latest security protection in its products and updating it as new risks are identified, the spokesperson adds.

Ram Yeleswarapu, President and Chief Executive of Take Solutions, observes that advancements in inter-connected aspects of medical devices, on the manufacturing and healthcare delivery organisations front, warrant a cohesive and concerted effort including the regulators.

“With smartphones and other devices (Apple Watch Series 4) doubling up and getting approvals by the regulator as an ECG device, it is only a matter of time that we will have several other use cases in the pipeline for approvals,” he says.

The current strategy is focussed on authentication and smart detection techniques for authorised users and mobile applications that can be downloaded and paid for on a subscription basis.

“While this is all good and promotes widespread usage and adoption of devices and applications, in the absence of a comprehensive regulatory strategy on identifying the potential risks and the risk mitigation strategies, we are collectively exposing ourselves to cyber threats,” he says, on a conversation that needs much more visibility in the Indian landscape.
