Millions of patients benefit from programmable, implantable medical devices (IMDs) that treat chronic ailments such as cardiac arrhythmia,6 diabetes, and Parkinson's disease with various combinations of electrical therapy and drug infusion. Modern IMDs rely on radio communication for diagnostic and therapeutic functions, allowing health-care providers to remotely monitor patients' vital signs via the Web and to give continuous rather than periodic care. However, the convergence of medicine with radio communication and Internet connectivity exposes these devices not only to safety and effectiveness risks, but also to security and privacy risks. IMD security risks have greater direct consequences than security risks of desktop computing. Moreover, IMDs contain sensitive information with privacy risks more difficult to mitigate than that of electronic health records or pharmacy databases. This column explains the impact of these risks on patient care, and makes recommendations for legislation, regulation, and technology to improve security and privacy of IMDs.
From left, Benjamin Ransford (University of Massachusetts), Daniel Halperin (University of Washington), Benessa Defend (University of Massachusetts), and Shane Clark (University of Massachusetts) worked to uncover security flaws in implantable medical devices.
Photograph by Ben Ransford
Consequences and Causes: Security Risks

The consequences of an insecure IMD can be fatal. However, it is fair to ask whether intentional IMD malfunctions represent a genuine threat. Unfortunately, there are people who cause patients harm. In 1982, someone deliberately laced Tylenol capsules with cyanide and placed the contaminated products on store shelves in the Chicago area. This unsolved crime led to seven confirmed deaths, a recall of an estimated 31 million bottles of Tylenol, and a rethinking of security for packaging medicine in a tamper-evident manner. Today, IMDs appear to offer a similar opportunity to other depraved people. While there are no reported incidents of deliberate interference, this can change at any time. The global reach of the Internet and the prevalence and intermingling of radio communications expose IMDs to historically open environments with difficult-to-control perimeters.3,4 For instance, vandals caused seizures in photosensitive individuals by posting flashing animations on a Web-based epilepsy support group.1
Knowing that such vandals will always exist, the next question is whether genuine security risks exist. What could possibly go wrong by allowing an IMD to communicate over great distances with radio and then mixing in Internet-based services? It does not require much sophistication
References: