Summer 2019 From the President’s Desk

A New Form of HACKING:

Medical technology has come a long way in recent years, with advent of devices meant to improve patient safety and facilitate provision of care by health workers.  New types of intravenous pumps deliver fluids and medications with built in safety nets such as hard and soft dosing limits manageable by the hospital pharmacy remotely.  New model pacemakers offer monitoring and settings adjustment remotely over the phone, providing increased convenience and flexibility for the patient.  Modern insulin and pain pumps with remote programming capability allow changing of dosing parameters.  These are wonderful innovations, but as with most technology the advancements are happening faster than the safeguards for their use can be put into place.  It is a growing concern that cyber security is insufficient for the susceptibility of these devices to cause harm if they were accessed by an individual with malintent.

New on the scene in recent years are specialists called “white -hat” /ethical hackers who work to expose the vulnerability of medical devices and offer solutions to weaknesses found in the software.  Billy Rios and Jonathan Butts are two of the louder voices of this brigade, issuing over 500 advisories to vendors regarding potential weaknesses in their product security.  Most companies are cooperative and work towards improving the security of their products; happy for the advance notice and opportunity to avoid a possibly catastrophic problem.

What could go wrong?  To highlight the potential danger associated with medical device hacking, in 2009, researcher Kevin Fu, at the University of Massachusetts, showed the vulnerability of a cardiac defibrillator to hacking which can cause problems such as failure to sense a lethal rhythm and draining the battery making the device non-functional.  Jay Radcliffe, an ethical hacker demonstrated ability to take control of an insulin pump and deliver a lethal dose.  Billy Rios revealed the vulnerability of Hospira intravenous pumps to hacking and dose alteration done via a hospitals wireless network.  The fear is high, valid and led to Vice President Dick Cheney disabling the remote feature on his pacemaker, as a safeguard.
An article in Cyber Security Ventures offered these interesting statistics:

The US represents about 40 % of the global market for medical devices.
The average hospital room contains 15-20 medical devices.

• Each medical device has an average of 6.2 vulnerabilities.
• Medical devices used by hospitals have an average use of 20 years per device making them prime hacking targets.
• In 2017 465,000 pacemakers were recalled by the FDA due to security vulnerabilities with potential to put patient’s lives at risk.

There have been no reported incidences of pump hacking leading to patient injury to date, but experts say it will only be a matter of time.  Legal Nurse Consultants need to be aware of this potential danger and be prepared when/if it occurs.

Patricia Mitchell, RN, BSN, CLNC
President, Greater Orlando Chapter of AALNC