Medical Devices and Their “Cyber” Problem

January 25, 2017

Of all the notable—and quotable—things that our 45th president has said leading up to his election (or since taking office last week), one particular term has stuck with me more than others: “CYBER.” And while the way this word has been used is funny to laugh at, there is something of note here that doesn’t get talked about enough. As more and more devices in our daily lives become “connected” and capable of talking to one another, we’re making ourselves and our devices vulnerable to risks that didn’t exist before.

I recall when my brother and his wife were about to welcome their first child, I pointed him to the newest Wi-Fi baby cameras. When they told me that made them uncomfortable and they weren’t ready to risk that someone could hack the camera, I imagine that I rolled my eyes and thought the odds of that happening must be infinitesimally small. Why give up all those cool benefits for a risk so small? I simply couldn’t understand their stance—at first.

In America, where the most common passwords are “123456” and “password,” maybe I’m making too many assumptions about people caring about their digital information, invasion of privacy, or the safety of their devices. Then again, maybe all of this new tech with super simplified setup apps on our iPhones has numbed us to just how complicated and difficult it is to protect ourselves in this connected world.

When it comes to email and photos, most people don’t seem to be overly concerned. I admit that while I change my passwords every few months, I’m not always taking advantage of the features companies offer to secure my devices or info, such as 2-factor authentication or allowing Safari to suggest passwords using iCloud Keychain. And while I can state that I care more than most, I’m probably not doing enough and have become comfortable with the risk.

But emails and photos only make up the surface of what is a much scarier problem. That is, given enough time, just about anything with electronics that connects to some type of network today is hackable. We now live in a world where it’s not just about someone stealing some photos or credit card numbers: The very devices that keep us alive are now capable of causing us harm.

This leads me to medical devices.

In 2015, Hospira drug pumps were found to have hackable software, and a Popular Science article posited that hacked medical devices may be the greatest cyber security threat in 2016. In 2016, Johnson & Johnson announced that one of their insulin pumps was vulnerable to wireless hacking, and a Bloomberg article detailed security vulnerabilities in St. Jude Medical’s pacemakers and defibrillators, which led a security company to short the stock instead of disclosing the vulnerability and led to an FDA safety communication. Scary stuff.

The irony of this problem is that these devices do improve the quality of care and lessen the burden of care in most instances. Solving this problem is difficult. Imagine sitting with your mother and suddenly her pacemaker stops and she goes into cardiac arrest. Or a large-scale hacking event shuts down all ventilators in a major metropolitan hospital. These efforts could be targeted at specific people, such as a politician, or en masse at all people using a particular medical device. Imagine a world where the person on their laptop across from you at the coffee shop could be upping the amount of morphine you’re receiving in your pain pump without you even knowing. The risks are now far too high to ignore. Luckily for us, the conversation is already underway.

Part of the solution comes from the FDA, who last January released draft guidance on the “Postmarket Management of Cybersecurity in Medical Devices.” Just prior to turning out the lights on 2016, the FDA released a final guidance. This guidance brings forward a renewed focus on cybersecurity for manufacturers of medical devices during design and development as well as during postmarket surveillance, so much so that the FDA now expects manufacturers to implement a comprehensive cybersecurity program throughout the entirety of the device life cycle. This includes a risk management program with tools (eg, Common Vulnerability Scoring System) and processes for assessing the risk to patients. Relative to many guidances that have been previously released, this one is fairly complicated and it’s yet to be determined how exactly the FDA will enforce it.

If anything, this guidance highlights the unique problems connected technologies bring about. This isn’t just about medical devices in a hospital; it’s also about the rapidly growing market of medical wearables and apps. There is an app, Natural Cycles, backed by clinical trials of more than 4000 women and a physicist who helped find the Higgs boson, that can tell if you’re ovulating based on a daily temperature reading. Another, Bloomlife, monitors a woman’s contractions in her third trimester and includes a small wearable.

What is clear is that medical devices aren’t just for hospitals anymore and that there’s a dark side to the use of connected devices that requires a great deal more consideration and conversation. Medical device companies aren’t just creating devices with software; now they’re also security companies that have to consider the ways in which someone may hack those devices with intent to do harm. To date, no one has died due to a medical device being hacked, but rest assured, there will be a first.

While I couldn’t understand my brother’s concern with a Wi-Fi camera at the time, I definitely do now. But only through the lens of understanding that we all have to make decisions about the risks we’re willing to take with connected devices, medical or otherwise. Let’s hope this guidance helps us get the medical devices part right.


Jamey Hardesty is a member of the medical strategy team at Fingerpaint’s headquarters in Saratoga Springs. He’s our resident epidemiologist, having spent time in China and Africa, where he researched HIV and the measles virus. He’s a lover of technology and innovation and is constantly looking for unique strategies to help grow the vision of our pharma and biomedical clients. In his free time, Jamey travels the world, scuba diving and climbing things. He’s also our resident coffee and beer guru, so if you’re looking for the right coffee-infused beer, he’s your guy.
