The combination of medical devices and healthcare information technology (HIT) is very much upon us. When most people think about this merger of technical fields, they are drawn to think of the way in which mobile phones are being used in medical applications, some very much in the manner of medical devices such as ultrasound imagers, cardiac and glucose monitors and even medical microscopes.
But even closer to home and at the center of the action, implantable medical devices are now becoming more and more “wired.” We have entered an era where devices implanted into the body, once only mechanical in nature, feature software and silicon chips that provide means of sensing bodily changes in situ, self-regulating device activity, and reporting parameters to the outside world. Pacemakers, defibrillators, insulin pumps, nerve stimulation devices, and even coming breakthroughs in orthopedic and sight-based medical technologies will extend life and make us the cyborgs we once feared but learned to love as our bodies are rescued from the aging process by man’s power over machine.
And that should make us very afraid. Because where there is hardware and software there are problems. You know how crazy you get when your Outlook calendar freaks out on you for no apparent reason, or when a bug in your laptop, iPhone, computer or electric toothbrush causes it to act out like Sean Penn at a media convention? Just imagine if that was, say, your heart, misremembering it had an appointment to beat every millisecond or so. Now that is a bummer. If you aren’t scared, you should be. To wit:
“By 2006, more than half of the medical devices had embedded software. Between 2002 and 2010 there were more than 537 recalls of these systems. The number of actual devices in service was more than 1.5 million. Yet software in medical control systems and implants is vastly different from other applications. A single error in software code, for example, can mean the difference between delivering 20 mL versus a 200 mL infusion to a patient which could be deadly. There is generally no analogous safety margin in medical vs. non-medical equipment. In addition, the many operational inputs, outputs and permutations of device behavior cannot be adequately tested, placing patients at risk.”
Oh, and one more thing. Remember how pissed off you were when you found out that because of some damn virus from some Eurotrash hacker idiot, your Outlook sent everyone you ever knew an email about where to buy penile enlargement solutions? Well, check this out:
“The Information Security and Privacy Advisory Board was established by the Computer Security Act of 1987 and falls within the purview of the National Institute of Standards and Technology (NIST). At a Board meeting in February, 2012 experts disclosed how a lack of cyber security preparedness for millions of software-controlled medical devices puts patients at significant risk of harm.”
For any of you that saw the movie or read the book The Girl With the Dragon Tattoo or have seen any of the hacker movies that have become the substitute for Russian spy movies now that the Russians are our friends, you know there is a world out there of people with weird nicknames that hack computers for a living. As it turns out, the FDA does not currently look at software and hardware security in its review of medical devices. As a medical device entrepreneur, you may wish the FDA would get out of your business, but as a medical device recipient you may want to carry them close to your heart, literally.
The above-noted Forbes article also reported that, “Alarmingly, during the past few years several researchers have found that wireless and wearable medical devices, like pacemakers, insulin-delivery systems, and neural implants, are vulnerable to cyber-attacks. Though none have reportedly been hacked in field use yet, researchers have been hard at work finding ways to secure such medical devices before it’s too late.”
I am quite sure that if the right people had thought of this sooner, Dick Cheney would not still be around and have the potential to hunt fellow Republicans.
A recent IEEE magazine article (publication for the uber-nerds among us), describing efforts to build solutions to this security issue, quoted one of the researchers as saying, “Breaking into an insulin pump is not difficult, and it takes only a small investment. A few research groups, including ours, have shown that medical devices can be hacked using relatively inexpensive [worth less than US $1000] off-the-shelf equipment such as a PC and a software-programmable radio. We were able to snoop on sensitive health information and take control of the insulin pump to prevent the delivery of insulin or to deliver it when it was not needed.”
I hate that when that happens.
I am particularly concerned since, as we all know, the only people who really know how to use emerging technologies are kids. Imagine what your cranky teenager could do with some off-the-shelf equipment from Best Buy, a hormone-induced fit and a bone to pick with mom and dad. Before you know it, Junior could rewire your insulin pump to transfer all your money to their Starbucks card and program your defibrillator to order them delivery pizza and beer every night at 10:00, just in time for South Park.
And god help you if your spouse knows how to hack into hardware or software systems. You will never piss them off again. Unexpected side benefit: divorce rates would decline significantly.
But seriously, there are people and companies working on solutions to this wired medical device security issue, although it appears we are a long way from their full realization. Some, such as a group of researchers from Purdue and Princeton Universities, are working on firewall technologies (called Medmon) that could be embedded in devices embedded in you. According to these super smart people, “…many of the solutions that have been developed for other classes of computing platforms, such as servers, PCs, and mobile phones, cannot be used for medical devices due to the extreme computation and battery constraints and because of the unique way medical appliances are used.”
They go on to say that the Medmon firewall could be built into a separate unit worn by a patient with a medical implant or a wearable device or be integrated into a mobile device such as a smartphone or watch, but that any effort to commercialize this for real will require significant reductions in the size and significant improvements in the energy efficiency of their prototype unit.
Another potential solution is the use of password protection technology, but the limitations here are also problematic. How many times have you forgotten your email password when travelling? “Wait,” you say to yourself, “was it FluffyBunny2012 or fLUFFYbUNNY2012?” Now imagine playing that little mind game when you are on your way to the ER via ambulance. Some have suggested that you could tattoo the password on your body, but where? And what font is suitable for a medical tattoo placed right next to your Grateful Dead dancing bear tattoo? These are the decisions that can give one pause. What if you just gave your password to your next of kin for emergency situations? I am guessing there are plenty of such relatives who would make themselves conveniently unavailable in an emergency if you stiffed them at Christmas. Tough problem, particularly since the current EMRs out there do not access each other readily and probably do not have an entry field for a personal neurostimulator password either.
Clearly the advantages of wired implantable medical devices outweigh the disadvantages, in that the devices can send warnings when your body might fail or when the device itself is experiencing problems. But we are going to have to figure out, as an industry, how to ensure these devices can get the signal they need without interference (WTF? network busy? Uh…help!) and that they are safe from malicious intent.
According to the aforementioned Forbes article:
“There is no single agency that has primary responsibility from Congress to ensure the security of these devices, but rather several overlapping jurisdictions. These include the Centers for Medicare and Medicaid Services (CMS), Food and Drug Administration (FDA), Department of Health and Human Services (HHS), Department of Defense (DoD), Department of Veterans Affairs (VA), and the Department of Homeland Security (DHS). The technical issues are complicated, so the diffusion of responsibility becomes even more of a concern. This all translates into a lack of accountability and oversight and ultimate patient jeopardy.”
And in the end, as with all things healthcare, follow the money. The Forbes article adds:
“Economics also play a role in reporting: there is no real penalty for reporting vulnerabilities and incidents and in fact, it appears that there is a direct disincentive for notification. A hospital may not wish to incur liability by disclosing an incident. This is a vicious circle because the lack of data may lead to a false sense of security and lack of preparedness for cyber security issues.”
In this day and age it seems the only way to get hospitals to do all of the right things right is to pay them for compliance and to fine the hell out of them for non-compliance. As the parent of any teenage hacker will tell you, bribery works.
In the meantime, the next time your doctor tells you that your symptoms suggest you may have a virus, don’t forget to ask her these important patient engagement questions: “Is it the flu or is it the ILOVEYOU virus? Should I refrain from exertion or email? Do I need to take a pill or reboot my server?”
Welcome to modern medicine.