PATTY MITCHELL, RN | Legal Health Care A New Form of Hacking
Medical technology has come a long way in recent years, with advent of devices meant to
improve patient safety and facilitate provision of care by health workers. New types of intravenous pumps de- liver  uids and medications with built in safety nets such as hard and so  dosing limits manageable by the hos- pital pharmacy remotely. New model pacemakers o er monitoring and set- tings adjustment remotely over the phone, providing increased conve- nience and  exibility for the patient. Modern insulin and pain pumps with remote programming capability allow changing of dosing parameters.
 ese are wonderful innovations, but as with most technology the ad- vancements are happening faster than the safeguards for their use can be put into place. It is a growing concern that cybersecurity is insu cient for the susceptibility of these devices to cause harm if they were accessed by an indi- vidual with malintent.
New on the scene in recent years are specialists called white-hat ethi- cal hackers who work to expose the vulnerability of medical devices and o er solutions to weaknesses found in the so ware. Billy Rios and Jonathan Butts are two of the louder voices of this brigade, issuing over 500 advi- sories to vendors regarding potential weaknesses in their product security. Most companies are cooperative and work toward improving the security of their products – happy for the ad- vance notice and opportunity to avoid a possibly catastrophic problem.
WHAT COULD GO WRONG?
In 2009, researcher Kevin Fu, at
the University of Massachusetts,
showed the vulnerability of a cardiac •Explore regulatory options to de brillator to hacking which can streamline and modernize timely cause problems such as failure to
sense a lethal rhythm and draining
the battery making the device
AttorneyAtLawMagazine.com
non-functional. Jay Radcli e, an ethical hacker demonstrated ability to take control of an insulin pump and deliver a lethal dose. Billy Rios revealed the vulnerability of Hospira intravenous pumps to hacking and dose alteration done via a hospitals wireless network.  e fear is high, valid and led to Vice President Dick Cheney disabling the remote feature on his pacemaker, as a safeguard.
 ere has been no evidence of direct patient harm related to device hack- ing to date, but most experts believe it is only a matter of time. Forbes maga- zine reported an outbreak of “Wanna- Cry” ransomware that a ected 48 hospitals in the UK, and several un- named facilities in the United States.  e hackers then demand a ransom for the release of the  les threaten- ing to destroy them if their demands were not met.  e devices targeted in the U.S. were Bayer Medrad smart in- jectors which deliver contrast media during imaging studies.  e Wanna- Cry caused the injectors to become non-operational for about 24 hours, however, in the UK the ransomware caused complete shutdown of imag- ing departments.
A lack of industry standard is asso- ciated with cybersecurity for medical devices and the concern is that as hos- pitals update their equipment, they will still not re ect best practices for technology safety.
 e FDA has been implementing plans and processes to address this new threat.
GOALS OF MEDICAL DEVICE SAFETY ACTION PLAN:
medical devices.
•Advance medical device cyberse-
curity.
•Integrate the Center for Devices
and Radiological Health’s premar- ket and post-market o ces and activities to advance the use of a Total Product Life Cycle approach to device safety.
AN ARTICLE IN CYBER SECURITY VENTURES OFFERED THESE INTERESTING STATISTICS:
• e United States represents about 40% of the global market for medi- cal devices.
• e average hospital room contains 15-20 medical devices.
•Each medical device has an average of 6.2 vulnerabilities.
•Medical devices used by hospitals have an average use of 20 years per device making them prime hacking targets.
•In 2017, 465,000 pacemakers were recalled by the FDA due to security vulnerabilities with potential to put patient’s lives at risk.
PROTECTYOURSELF
Know the product. Investigate and make sure the manufacturer built the device with cybersecurity concerns addressed. Share information via Shared Analysis Organizations which encourages individuals and business- es to identify, detect, and understand vulnerabilities in medical devices. Keep your medical device so ware up to date; this makes it harder to hack.
Innovations in medical device tech- nology are exciting and provide im- provement in patient care and safety and management of medical devices. It is important moving forward to improve the merg-
ing of cybersecu- rity with device development to safeguard patients from the threat of device hacking.
•Establish a robust medical device patient safety net in the United States.
implementation of post-market
mitigations.
•Spur innovation towards safer
Patty Mitchell, RN, BSN, CLNC is the president of Central Florida Legal Nurse Consultants. Her nursing career has spanned over 24 years, in the hospital acute care setting. She is a graduate of the Medical Legal Consulting Insti- tute and maintains her certi cation. Patty is the president elect of the Greater Orlando Chapter of the American Association of Legal Nurse Consultants. She has provided consulting services since 2014, to both plaintiff and defense attorneys on a wide variety of cases. She is a member of the National Association of Certi ed Legal Nurse Consultants, and Sigma Theta Tau, nursing honor society.
21