Medical devices are an especially rich cybersecurity target for malicious activity by those seeking commercial gain or just trying to wreak havoc. And while data theft is a serious threat, the risks posed by hacks that involve the expanding universe of networked medical devices can be especially menacing.
Nach DavĆ© and John Pappan, Premier Research
In 2015, the FDA warned that a networked infusion pump was vulnerable to being accessed and controlled by unauthorized users. Concerned that attackers could harm patients by altering their medication dosing, the agency warned healthcare facilities to discontinue its use. Years earlier, before hacking of these devices was on most peopleās radar, doctors for former Vice President Dick Cheney ordered that his heart defibrillatorās wireless capability be turned off to prevent the possibility of tampering by terrorists.
Software-enabled devices have expanded exponentially and their function has evolved from one-way vendor monitoring to fully networked equipment with bi-directional connectivity. That has opened the door to wide-ranging exploitation of device data.
The most obvious motivation is mining data for information that can be used to target customers. A company that sells products and services to diabetics, for example, could benefit from locating patients who use insulin pumps. It may extend beyond patients to include family members: A genetic testing company might appeal to relatives of diabetics who are interested in knowing their own risk, or to purveyors of exercise equipment promoting the importance of fitness in diabetes prevention.
But thereās more than reaching consumers. If youāre considering building a hospital in a remote part of Africa, having access to data from patientsā devices in that region could help you decide whether to proceed. There are also many nefarious uses for stolen data. For example, a device maker could monitor the performance of its competitorsā products and use the information to modify its own offerings and exploit a competing productās shortcomings in its marketing.
There are many other examples of less-than-altruistic uses of device data. A company whose drugs treat common chronic conditions might learn that a competitor is developing an implantable device that would give patients a concentrated form of treatment that cuts cost by reducing the required dosage. Stolen data about the device could be manipulated to call its safety into question.
Networked devices also can provide wide-ranging biometric patient information such as blood pressure, respiration, and blood enzyme levels. Companies that issue individual life insurance policies often purchase this information, repackaged by third parties to appear of legitimate origin, to evaluate clients for insurability and to set premiums.
And then there are people who use this data for truly devious purposes, including theft of