ARLINGTON, Va., July 26 -- The Association for the Advancement of Medical Instrumentation issued the following news release:
Government regulators and some manufacturers are making strides in improving the security of medical devices in the cyberworld, according to a security analyst whose "hacking" of his own insulin pump two years ago attracted widespread media attention, shedding light on potential dangers and vulnerabilities in modern healthcare.
Jay Radcliffe, a senior security analyst for InGuardians, a network security company, told AAMI in an interview that he believes the U.S. Food and Drug Administration (FDA) is taking the question of cybersecurity in healthcare technology "very seriously."
"I think that the FDA is doing, so far, an excellent job," he said. "They are very much ramping up to look at these issues." The agency, for example, recently announced it was developing a cybersecurity laboratory to focus on potential threats to medical devices and systems. Citing "an increased risk of cybersecurity breaches" in an interconnected environment, it also this summer urged manufacturers to "take appropriate steps to limit the opportunities for unauthorized access to medical devices," starting with the design phase.
Radcliffe said individual companies, such as Medtronic--whose insulin pump was the focus of Radcliffe's 2011 experiment--have "come a long way" in appreciating the issue of medical device security in a world that's grown increasingly wireless.
At the same time, Radcliffe cautioned that much about the vulnerabilities of medical devices and systems in the cyberworld is not yet fully understood, and more work is needed.
"It's kind of an unknown thing," he said.
Radcliffe is set to speak at the 2013 Black Hat computer security conference, running July 27 to Aug. 1 in Las Vegas. It was at that conference in 2011 that Radcliffe demonstrated how he was able to remotely tamper with his own insulin pump. Radcliffe did not name the company at that time, but later identified it as Medtronic in what he described as a bid to force the company to address the issue.
In 2011, Medtronic said that it took questions of patent safety and device security "very seriously" and expressed appreciation for the "security community bringing new information on the possibility of manipulating or 'hacking' our insulin pumps." Medtronic vowed to increase its focus "on the prevention of tampering with our products."
Two years later, Radcliffe said Medtronic has done just that. "They have been taking substantial steps to make this a big priority in their products and company culture," he said, pointing to the creation of a C-Suite executive position at the company devoted to privacy and security of devices.
Furthermore, Radcliffe said he believes the FDA has a newfound appreciation for potential threats, even though there's very little evidence that hackers have deliberately targeted healthcare technology. But it's the question of what could happen that Radcliffe says needs further consideration.
Radcliffe said that his point in highlighting potential security issues with medical devices is not to diminish their benefits in healthcare. And he said he is not trying to overstate the potential for harm.
"I still wear an insulin pump," he noted. "The risk of something happening to me is still infinitesimal."
Radcliffe said his advice for medical device companies is to be better prepared if someone reports a bug or problem with a device.
"The issue is not did you have a problem," he said. "The issue is how you respond to the problem."
In a statement released in June, an executive with the Advanced Medical Technology Association (AdvaMed), a trade group representing the device industry, said manufacturers are well aware of the need for increased security of medical devices involving digital technologies.
"Medical technology companies have taken steps to further reduce the already low risk of malicious hacking and to ensure patient safety, including building device security into new product development processes; continual vulnerability testing and remediation; and ongoing risk assessments," said Janet Trunzo, senior executive vice president, technology and regulatory affairs for AdvaMed.
"The medical technology industry looks forward to working with the FDA, healthcare providers, the academic community, security experts and other stakeholders on potential ways to continue to ensure the safety and effectiveness of digitally controlled medical devices."
TNS 24HariRad-130727-30FurigayJane-4437736 30FurigayJane