One can imagine a future hit man for organized crime being a hacker who can remotely manipulate the life support system of a witness in protective custody. Other wealthy patients could hypothetically be held for ransom by extortionists who infect a pacemaker with a virus. If any of these scenarios were realized, it would be interesting to see, from a legal standpoint, who could be held liable – a hospital, a device manufacturer, or both.
Clearly, medical device manufacturers build their products to serve healthcare institutions and their patients; computer security embedded in those devices is generally not part of their corporate strategy. The GAO report is a clear indication that future strategies must address the issue of medical device security.
The threat will only increase over time as medical devices become more complex, as their wireless capabilities improve and as the use of Internet monitoring becomes more pervasive. Moreover, many medical devices will not allow for software updates, so that once a vulnerability has been identified there is no way to use a software patch to protect the device from attack.
It appears that manufacturers are reluctant to allow devices to update for fear that the Food and Drug Administration might not approve of these modifications. Ultimately, the FDA will need to provide standards and guidance on the types of updates that will be allowed for medical devices.
Cyber security reform is desperately needed to protect the health and well-being of U.S. citizens. A recent speech by Secretary of Defense Leon Panetta warned of an escalation in cyber warfare tactics and the possibility of rogue nations infiltrating the networks associated with our critical infrastructure, like public transportation, to cause mass casualties. A recent experiment by the University of Texas at Austin demonstrated the potential to hack into a military drone and divert this unmanned bomber into the path of our own military or allies. Now we are learning about the ability to infect pacemakers, and other medical devices, with destructive viruses.
The healthcare industry has been subject to Congressional legislation, like the Health Insurance Portability and Accountability Act (HIPAA), which has brought about significant improvements in computer security. It is now time that medical device manufacturers are provided with new standards to protect patients from computer viruses. The GAO has already asked the FDA to work on this important issue after it warned that implanted defibrillators and insulin pumps are susceptible to hackers. This change will only occur through Congressional legislation that includes stiff fines for non-compliance.
Hayes chairs the computer information systems program at Pace University’s Seidenberg School of Computer Science and Information Systems in New York. Hayes also manages the computer forensics laboratory at Pace, conducting research with computer science and information systems students.