When my mother told me that her computer was running slow and she needed me to “clean it up” for her, I never imagined the day she might be calling about the same problem with a medical device. While I’d obviously not have the same access to it that I have on a computer, it does reflect a scary situation in medical device technology today. The fact that viruses and malware are infecting existing medical devices is frightening. Further, the fact that companies are hesitant to address the issue as they don’t want to change the device and potentially face regulatory issues is even more worrisome.
While no death has been attributed to the hacking of a medical device or the presence of a virus or malware, does it feel to anyone else that we are simply awaiting the inevitable moment? Even Hollywood has run with the concept, as an episode of Homeland had an assassination carried out via the hacking of a medical device (pacemaker, I believe, as I unfortunately missed the broadcast). Then there are those who say an event like what was portrayed is extremely unlikely to occur and that the examples of hacked medical devices are achieved under “ideal” conditions. They argue that in “the real world,” hacking a medical device to manipulate settings and create an adverse event would require a perfect set of circumstances that are not likely to occur. Still, a chance is a chance, and the problem is significant enough that it certainly needs to be addressed.
As horrible as this situation is and as much as I hope it is resolved sooner rather than later, there are curious “sidebars” to the story. One that I’ve been thinking about is the legal ramifications of such an event. While I would think that a hacker specifically targeting a device and manipulating it for the purpose of having it malfunction would result in a murder charge, I’m not as certain for the developer of malware or a computer virus. If a malfunctioning medical device was found to have had malware present and that malware was cited as the primary cause for the device’s failure and a patient’s death, would the author of the malware be wanted for murder? What about manslaughter? If authorities were able to identify the creator of a virus that infected a medical device and caused a fatal event, what are the legal ramifications for that person?
Ideally, we’ll be unable to answer this question and the FDA will address the regulatory issues that prevent medical device manufacturers (or at least give them pause) from securing their existing devices that are out in the marketplace and susceptible to attack. Moreover, with all the attention being given to the lack of security in medical devices, the onus is on medical device manufacturers to address this issue during the development of new products. Acknowledging the need for security in new medical devices is a major step in the right direction compared to the industry’s previous general stance on that need. However, the FDA also needs to resolve any regulatory issues that make it difficult for those same medical device manufacturers to address security on technology that’s already in the marketplace.
On the whole, paying more attention to securing medical devices is a good thing, for both the manufacturers and the FDA. Having the problem in the limelight puts public pressure on the FDA to get resolutions in place while, at the same time, making device makers aware that the public is going to be significantly less forgiving over such an event, since they’ve been made well aware of the danger. Even if an event is unlikely, ignoring the possibility does not make the issue go away. Medical device manufacturers need to address security in their devices as much as they can now, and the FDA needs to address the issue such that OEMs can resolve future threats.