Healthcare sector warned to be alert for hack attacks of networks and devices
We’ll send you a myFT Daily Digest email rounding up the latest Cyber Security news every morning.
For decades, the biggest worry of regulators at the US Food and Drug Administration has been medicines with toxic side effects. Increasingly, however, they are contending with a new danger as the rise of “digital health” makes cyber security potentially a matter of life and death.
Some of the most exciting innovations in medicine are coming from the use of digital technology to improve monitoring and management of people’s health.
But what are the risks of this new era of “connected healthcare” being exploited by people intent on stealing sensitive data, or worse, causing harm to patients? The FDA says the threat is real. In January it issued recommendations for how manufacturers should safeguard medical devices against cyber breaches, urging them to make security a priority in every stage, from the design process of a device onwards.
“All medical devices that use software and are connected to hospital and healthcare organisations’ networks have vulnerabilities,” says Suzanne Schwartz of the FDA’s Center for Devices and Radiological Health. “Some we can . . . protect against, while others require vigilant monitoring.”
These concerns have been building for some time. Dick Cheney, the former US vice-president, revealed in 2013 that doctors had disabled the wireless capabilities of his pacemaker as a precaution against hacking.
This added credibility to a storyline in the TV drama Homeland in which terrorists murdered a fictional vice-president by sabotaging his pacemaker.
Kevin Bocek, head of security and threat intelligence at Venafi, a cyber security company, says such scenarios are becoming more plausible.
He cites the example of wearable devices being developed to manage treatment of chronic diseases. These include diabetes kits that can determine the right dosages of insulin based on a patient’s glucose level.
“If a hacker was to intercept [wireless] traffic between the dosage tracker and [the] communications network, they could make the device relay lethal dosages of medication to a patient,” says Mr Bocek. “It could even be possible for hackers and cyber criminals to take over a healthcare provider’s entire network of dosage tracker users and hold their lives to ransom for financial and other nefarious gains.”
Of course, it is in the interests of cyber security professionals to talk up such threats. However, while there have not yet been any documented cases of physical harm caused by hackers, there is plenty of evidence to show that health technology is vulnerable to attack.
In 2015, the Office of Civil Rights in the US said there were 253 breaches of medical data affecting 112m health records. Several big US health insurers, including Anthem and Premera Blue Cross, were among those targeted. “If the bad guys are after health records they’ll certainly go after wearables and [connected] devices,” says Mr Bocek.
Healthcare has become an important front in the wider war against cyber crime, not just because of the growing volume of medical data being generated and shared, but also because of the personal and potentially valuable nature of the information involved.
Critics say that, in the rush to digitise patient records and embrace technology, healthcare systems have not paid enough attention to security. In the UK, the Information Commissioner’s Office, the privacy watchdog, says data breaches in the NHS are “a major cause for concern”.
“The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers,” said Christopher Graham, the Information Commissioner, last year.
Such concerns are sure to increase after Jeremy Hunt, UK health secretary, announced plans in September for NHS patients to have access to their medical records online within a year.
Policymakers hope digital technology can make health systems more efficient in an era of rising demand and limited resources. They also see an opportunity to promote health and disease prevention by giving people more insight into what is happening inside their bodies.
Many people already use wearable apps to monitor information such as physical activity, heart rate or sleep patterns. The focus is now on developing more sophisticated devices that can produce clinically reliable data in frontline healthcare and medical research.
PwC, the consultancy, reckons the annual market for digital products and services in healthcare will be worth $61bn by 2020. Matthew Godfrey-Faussett, a partner at law firm Pinsent Masons, says improved security is crucial if such projections are to be fulfilled.
“The integration of technology into healthcare has the potential to revolutionise patient care,” he says. “However, the regulatory challenges associated with medical devices and data protection, combined with scepticism among the public about the use and safety of their personal data, leave . . . significant hurdles to overcome.”