MassDevice

The hack-able body: Are device makers doing enough to shield patients from hackers?

March 7, 2012 By Arezu Sarvestani

Karen Sandler was 31 years old, working at a non-profit organization providing free legal help to computer programmers, when she was diagnosed with an enlarged heart and informed that she’d need a machine to help keep her alive.

Her mother accompanied her the day a doctor recommended that Sandler undergo surgery to implant a medical device into her chest. He handed Sandler a pager-sized machine called a cardioverter defibrillator – a miniature, implantable equivalent of having EMTs follow her around all day with defibrillator paddles should her heart stop.

The device was a round, metal compartment housing a tiny computer, an electrical pulse generator and a battery. Connected to her heart with metal wires, the device would monitor her heart rate and deliver an electrical pulse to shock it back to a normal rhythm should a mild burst of activity, such as hurrying across a street or running to catch a bus, over-exert her. Even for a self-professed "technology warrior," the prospect of becoming part machine caught Sandler off guard. Computers crash, run out of power and succumb to hackers. Would becoming a "cyborg" ultimately count as an affliction or an upgrade? And could she really trust a machine with her life?

Sandler grew up around machines and the programs that run them. Her father was a computer programmer; she taught her first basic computer class at summer camp when she was 16. She received a bachelor’s degree in engineering from the Cooper Union before pursuing a law degree from Columbia University, where she co-founded the Columbia Science & Technology Law Review. It was while working for the Software Freedom Law Center, an organization offering legal help to computer programmers working on open-source software projects, that she learned of her condition.

Sandler was scared but skeptical – not of the diagnosis, but of the machine. The diagnosis was serious and heart surgery is a complicated and dangerous procedure, but with the device in her hand and her worried mother sitting nearby, the first words out of Sandler’s mouth were, "What does it run?" While framed as a software question, her concern was much more personal: What exactly was the doctor proposing to weave into her heart? She had the physical device before her, but she was concerned about the imperceptible workings inside the machine to which she was to entrust her life.

Sandler had worked with computers long enough to know that all programs have bugs – that’s why computers need frequent updates and anti-virus software is a must. Undiscovered bugs can cause a machine to behave erratically or leave it open to infiltration by "crackers," the techie term for hackers with malicious intent who penetrate closed systems.

Sandler wasn’t ready to trust her heart to a program she hadn’t seen. Her work with open-source computer software had taught her that the best way to detect bugs and fix them is to tap the wisdom of the crowd through open-source programming. Open-source projects allow the world to view a copy of a machine’s source code, the underlying instructions that tell the device what to do. In terms of an implantable defibrillator, that would mean making public a copy of the code that tells the device when to provide a shock and how much shock to provide, as well as how to monitor the heart rate and log unusual events. Modern heart devices can communicate wirelessly, so the software is additionally responsible for prescribing how a machine sends and receives signals and how it determines whether a signal is authorized to access the machine. While an individual person’s device needn’t be open to the world, a circulated copy can gather comments and suggestions that the device manufacturer can choose to adopt or ignore.

While it seems counter-intuitive, open-source software is often more reliable because it has had the benefit of being tested, checked and patched by a larger team of people. The most famous software programs are closed-source, such as Microsoft’s Word and Adobe’s Photoshop, but open-source software projects are silently ubiquitous. The U.S. Defense Dept., massive corporations like Merrill Lynch and the entire London Stock Market rely on an open-source project called Linux.

"It’s not a guarantee that bugs will be found if you make software free and open, but it makes it much more likely over time," Sandler says.

Sandler knew that the software protecting her heart was inevitably fallible, but the stakes were much higher than usual. Software flaws could not only mean errant shocks due to bugs in the code, but coupled with wireless accessibility they might mean someone could crack the code inside her heart. Sandler searched for new sources of information, having gotten nowhere with her doctor or the medical device sales reps he referred her to. The first specialist she talked to told her that she was paranoid – who would bother to crack a medical implant’s programming in the first place? No one had done it before and the implants were designed only to communicate with special computers sold to doctors. Sandler called St. Jude Medical (NYSE:STJ), Medtronic (NYSE:MDT) and Boston Scientific (NYSE:BSX), 3 of the biggest heart device makers, and found herself at a dead end each time. No one would tell her about the source code that would end up inside her body.

Device makers have good reasons for keeping their software a secret, a tactic sometimes referred to as "security through obscurity." Each manufacturer designs its own software to run its own devices, meaning that publishing the inner workings of the machine would expose weaknesses. If the programming has vulnerable points, making them public could give competitors a leg up or give crackers the blueprints for bringing down the device.

Another motivating factor may be in the way the FDA reviews the machines and the software inside them. While the agency never directly reviews software unless something has already gone wrong, the FDA treats a patch in programming the same way it would treat a physical change to the product. A medical device with altered software is often considered a new device, which requires a new round of expensive and time-consuming evaluation. Furthermore, patients with the original device wouldn’t be allowed to simply download an updated version of the software – they would have to undergo surgery to implant a new device after the original product had been recalled. The danger in relying on obscurity as a security measure, however, is that weaknesses remain hidden to the community at large, but not to the crafty crackers who sneak their way in.

"Keeping the code closed doesn’t keep sophisticated people from hacking it," Sandler says.

And once the secret is out – once a single person has discovered and leaked a copy of the program – that device is exposed forever.
