Health care benefits and security professionals are being urged to monitor cybersecurity issues related to medical devices that are implanted in patients.
Technology now makes it possible for a determined person to tamper with someone’s heart pacemaker or another crucial medical device through an electronic connection such as the Internet. Though no such crime is known to have occurred, the concern is great enough that in October 2014, the U.S. Food and Drug Administration (FDA) released guidance for new medical devices to minimize the possibility of them being compromised in this manner.
The issue gained attention in 2007 when security concerns prompted Vice President Dick Cheney to have the wireless feature of his implanted heart defibrillator disabled. In a 2012 episode of the TV drama “Homeland,” a fictional vice president was murdered through a cyberattack on his pacemaker.
Security experts say that these kinds of cybersecurity issues could increase as hackers get more sophisticated and more patients seek to monitor their health information through smartphones.
“The real risk that somebody’s going to go around manipulating individual patients is very, very low,” said Ken Hoyme, a security expert with Minneapolis-based Adventium Labs and a co-chair of the Association for the Advancement of Medical Instrumentation (AAMI) device security work group. Hoyme said there is little incentive for such an attack.
However, said Chris Petersen, founder and chief technology officer of Boulder, Colo.-based security intelligence firm LogRhythm, “While it seems far-fetched, the technology and wherewithal are here today.”
The FDA guidance urges manufacturers:
The guidance is not legally binding and does not impact medical devices and systems already in use.
There are three classes of medical devices regulated by the FDA. Class III, the group with the highest level of risk, includes pacemakers and other implants. These devices will get enhanced FDA scrutiny when manufacturers seek the agency’s approval for them, according to Karen Jackler, a spokeswoman for the FDA’s Center for Devices and Radiological Health.
In a statement, Janet Trunzo, senior executive vice president for the Advanced Medical Technology Association (AdvaMed), said, “We understand the FDA’s desire to be cautious in this area,” and that “manufacturers recognize the need for increased security with these devices.”
Jeff Secunda, a vice president with AdvaMed, told SHRM Online that ensuring security for medical devices “is not a new issue. Manufacturers have been doing this for years as part of their risk assessments.”
He said that “very often there is a balance between usability and security” of medical devices that providers and patients must weigh. Typically, a boost in security comes with an increase in cost, he added. “There is no free lunch.”
As a result of the FDA’s guidance, “Now cybersecurity is considered a foreseeable risk,” said Kevin Fu, an associate professor at the University of Michigan and a co-chair of the AAMI work group.
“The real cost is going to be if the health care community and patients are unwilling to accept new devices because of lack of cybersecurity. I think the FDA guidance is going to bring more consistency and more confidence to the process because of a level playing field,” Fu stated. “I actually think it’s going to save costs in the long run.”
Hoyme said that “the vast majority of cybersecurity problems tend to be accidental effects on medical devices” through broad malware and virus attacks.
Fu added that hackers attacking medical equipment and systems often have purposes other than disabling devices. Some of the biggest attacks have involved “organized crime going after insurance information for fraudulent billing.” Personal health information security is beyond the mandate of the FDA.
The FDA’s Jackler noted that some operating systems used in medical devices are identical to ones used in products produced by other industries.
Said Secunda: “Anybody has the potential for an attack.”
Medical device cybersecurity issues won’t disappear quickly, if ever.
“It will take a long time for the FDA guidance to have any practical effect on health care networks,” said Petersen. “There is a lot of legacy equipment” with lifespans of up to 20 years, he said. Many such devices cannot be retrofitted easily to deter cybersecurity attacks.
“When you develop a product, if you don’t design security in, it is very hard to add it later. It’s like trying to put a new foundation under a house,” said Petersen. He urged employers to question their insurance companies and health care providers about controls on the medical devices they use, which he said will add pressure on device manufacturers to boost security.
Internet and other forms of connectivity represent a major point of concern. “Connectivity is akin to exposure to disease. The more connectivity you have, the more potential risk,” said Hoyme. “Even if you lock everything down, you’re still not going to have perfect security. The goal is actually about risk management and better patient outcomes.”
Steve Bates is a freelance writer based in the Washington, D.C., area and a former writer and editor for SHRM.