Digitisation of Healthcare - Risks & Reassurance


In a previous article, we discussed the benefits of digitalisation in healthcare. In this article, we explore some of the risks and concerns that come with the digitisation of healthcare – both for healthcare professionals and for the patients themselves.

As in all revolutions, there is much positive potential, but there are also considerable risks. Knowledge is a powerful tool – the starting point to leverage the pros whilst minimising the cons. There are three major risks in the digitisation of healthcare:

  • Cybersecurity (hacking)
  • Electromagnetic interference
  • Issues concerning data protection and security.

Let us first consider hacking. The depiction of the potential consequences of hacking a medical device, in this case, a pacemaker, came to many via the television series ‘Homeland’. In the award-winning series, an assassin hacked into the fictional US Vice President’s pacemaker to kill him. The subsequent revelation from the (actual) former US vice-president Dick Cheney, that when he had a device implanted to regulate his heartbeat in 2007, he had his doctors disable its wireless capabilities to prevent a possible assassination attempt, made headline news. “I was aware of the danger, if you will, that existed,” he said in a report on ABC News. “I found [the depiction] credible because I knew from the experience that we had assessing the need for my own device that it was an accurate portrayal of what was possible.”

The potential for medical device hacking isn’t just a hypothetical scare story. With the progressive movement to digital health, medical devices are increasingly interconnected with hospital systems, hospital networks, the internet, smartphones and more, so the cyber security risk is a real one. Security researchers from all over the world have illustrated the relative ease with which devices can be hacked by someone with the know-how – from MRIs to anaesthesia machines, nuclear medical devices, pacemakers, and insulin pumps – all have vulnerabilities to attack. In short, anything that connects wirelessly to other equipment can be compromised, and anything connected to the Internet is hackable.


According to Alpine Security, there are now 10 to 15 devices per hospital bed in the United States, many of which are vulnerable to attack. Whilst the connectivity of medical devices certainly increases the amount of data available to physicians and can lead to better outcomes for patients, unless stringent security measures are taken, hackers can compromise anything that connects wirelessly.

The main driving force behind cybercriminal activity is the theft of medical or personal data for financial or political gain. The cybercrime economy is one of theft, with cybercriminals acting as the internet’s burglars. This remains true in a medical context. Private medical data is among the most sensitive and valuable data that can be made public, and its use by cybercriminals for extortion purposes could be immense.

The biggest threat to medical security involves the shutting down of entire hospital networks. Instead of focusing on individual patients and their embedded devices or personalised healthcare apps, ransomware hackers are more likely to attack entire hospital systems. Any organization hit by a ransomware attack faces similar outcomes: widespread panic, confusion, and significant impairment of operational capacity, not to mention the potential for loss of life. One such high-profile incident was the WannaCry ransomware attack on the UK’s National Health Service. This cyber-attack cost the NHS £92m after 19,000 appointments were cancelled.

IT’S NOT ALL BAD NEWS

Most manufacturers and healthcare providers are acutely aware of the risks posed by hackers and take rigorous steps to proactively identify, mitigate, and address security-related issues. Patient safety, the integrity of patient data and the secure functionality of medical devices are paramount considerations.


Cyber protection is big business too. Ethical hackers, also known as ‘white hat hackers’, are cybersecurity specialists who test systems’ security to expose vulnerabilities and find flaws so that the system’s owner can repair them. Hacker, programmer and computer security expert, the late Barnaby Jack, first demonstrated the wireless hacking of insulin pumps at the McAfee FOCUS 11 conference in October 2011 in Las Vegas. He was also instrumental in demonstrating the risk hacking posed to pacemakers and heart implants. In 2012 Jack’s testimony led the FDA to change regulations regarding wireless medical devices.

KNOWLEDGE IS KEY

Knowledge is the starting point for people being able to make considered, informed choices about their healthcare. Patients certainly need to be aware of potential risks. At the same time, they need to be reassured that healthcare professionals, worldwide, take these issues extremely seriously and are constantly working towards patient safety. The risk to individual patients certainly does not outweigh the benefit of treatment.

Patients should be encouraged to speak to their physicians and to ask questions like ‘Is the software on my pacemaker up to date?’ or ‘What measures have been taken to protect my insulin pump?’. Asking their doctors appropriate questions can help them cope with and manage risks in advance.

There are other resources open to patients too, such as patient advocacy forums, MedWatch (the FDA Safety Information and Adverse Event Reporting Programme) and the FDA MAUDE (Manufacturer and User Facility Device Experience) system.

Yes, there is a risk from a cyber security perspective, and there is a possibility that an attacker could compromise a device, but the probability is relatively low, and the risk of not having a device far outweighs the risk of a potential cyber security attack.

ELECTROMAGNETIC INTERFERENCE (EMI)

Electromagnetic interference – or disturbance from radio frequency transmitters like RFID (radio-frequency identification) – is a relatively new area. EMI can affect several types of medical devices that have electrical or electronic systems, such as pacemakers or defibrillators (implanted or external), implanted neurostimulators, programmable hydrocephalus shunts, cochlear implants, ECG monitors and infusion pumps.

There are many sources of EMI in hospitals and healthcare environments but the ones most likely to cause problems with certain medical devices include emergency vehicle/services radios, diathermy (electro-surgery), mobile phones, radiofrequency identification (RFID) devices and electromagnets.

EMI can also be caused by everyday objects like cell phones, Wi-Fi devices, microwaves, telecom networks, power grids, defence installations, even lightning strikes, solar flares, and magnetic storms. So, if, for example, a patient with an implanted device goes to their clinician to report things aren’t working out quite as expected, the clinician will need to work with the patient to narrow down where they have been, what environment they were in, and then try to work out if the device was affected by some sort of EMI.

Manufacturers of medical devices are required to minimise the risk that their device can cause, or be affected by, EMI. Where the risk is not eliminated, the manufacturer must include information about the residual risk in the instructions for use.

DATA PROTECTION & SECURITY: WHERE TRUST AND INTEGRITY ARE ESSENTIAL

Whilst the general population may not be aware of many of the practical challenges in managing the risks of digital healthcare, one area they are almost certainly aware of is data collection and storage. Trust and transparency are essential in creating a positive relationship between the ‘big three’ stakeholders in healthcare: patients, institutions, and manufacturers. Patients need to be able to ask questions and to believe that things are being done in an ethical, state-of-the-art manner.

Effective regulation plays a big part in maintaining public trust. So, in turn, institutions have the responsibility of setting regulations and standards to ensure that medical devices are safe and fit for purpose. We need clear rules and standards. However, whilst testing requirements must rightly be rigorous, they should also be proportionate and based upon scientific evidence. With the pace of new discoveries being made, and with so much innovation in digital medicine, it is not always an easy task keeping up with the rapid rate of progress. To be truly effective the regulators need to hire experts – data engineers, informaticians, genomics experts – just to keep up with science that progresses so quickly.

Imposing testing protocols that have not been adequately researched, or are fear or perception based (albeit with good intention), can hold up a product’s launch for years. This not only pushes up costs (potentially making a product either not commercially viable or else accessible only to a fortunate few), but by delaying market availability, patients are deprived of timely access to therapeutic benefits that could help them manage their conditions more comfortably and effectively.

Finally, manufacturers must play their part by diligently doing what is required of them and by increasing communication and transparency to patients. A positive circle of interaction between patients, institutions and manufacturers will continue to produce improved benefits for all: timely, cost-effective, and safe technology being more widely available to all patients.

CommuniD’s mission is to help patients remain up to date with current medical device solutions in an environment that is constantly evolving. The content of this article is for educational purposes only and should not be used as a substitute for professional medical advice, diagnosis, or treatment. Never ignore professional medical advice in seeking treatment because of something you have read on the CommuniD website or articles.
