Medical device companies under increasing pressure to bolster cybersecurity measures warned that heightened security comes at a cost.
Adding new layers of security into devices like pacemakers and insulin pumps, which have proven hackable in recent years, may require compromises in features like battery life, device makers told the Government Accountability Office.
The federal watchdog agency, which recently conducted a review of the state of medical technology information security preparedness, reported that some device manufacturers are beginning to consider hacking a potential safety risk but that they must make compromises to balance cyber-safety and reliability.
A common security weakness cited by several GAO experts was the lack of authentication or authorization capability.
"The devices do not distinguish between communications from an authorized and unauthorized users," according to the report.
That’s particularly problematic for devices that can communicate wirelessly on public networks, such as insulin pumps that connect to smartphones as well as pacemakers that communicate with remote patient monitoring systems.
In addition, an extra layer of security that validates access to a medical device may keep out unwanted intruders, but it must be balanced against the speed with which a physician may need to access and reprogram a device in an emergency situation.
"A physician in an emergency room might not be able to make life-saving modifications to a patient’s pacemaker if the physician does not have the appropriate authorization to access the device," the GAO reported.
Medical device experts further warned that the lifetime of a device may be shortened if the technology is responsible for new tasks.
"Incorporating encryption into the medical device could mitigate the information security risk of unauthorized changes to the settings of the device," according to the GAO report, which was released last week. "However, experts we spoke with said adding encryption to a device could drain its battery more quickly, making it necessary to change the battery more frequently."
That may not pose an onerous burden for an insulin pump user, but replacing the battery on an implanted device like a pacemaker involves an invasive and potentially dangerous surgical procedure.
Cybersecurity experts, however, called foul on this particular warning, deeming it an industry attempt to dodge the cost of enhanced security.
"Two information security experts we spoke to said that, in their opinion, technology has advanced such that encryption can be added to a medical device without using as much energy as before," according to the GAO. "However, manufacturers have chosen not to take advantage of this newer technology, in part, because of the potential for increased costs in producing the device, according to other experts."