Medical Devices, Data More Vulnerable: Will Insulin Pumps, Pacemakers Be Under Attack?

Although no such attacks have yet been reported, medical devices could be susceptible to hackers, and a thorough security analysis should be done as part of FDA approval, researchers argue in a posting on Medpagetoday.com. Premarket regulatory evaluation should include a risk-based security assessment depending on the nature of the device and the perceived threat of a security compromise, said a member of Beth Israel Deaconess Medical Center, in Boston, and a member of the University of Washington in Seattle. They made their argument in a “Perspective” article in the April 1 issue of the New England Journal of Medicine. “We think medical device security should be improved before there is a widespread incident, rather than waiting for the incident to occur and then acting,” one member said in an e-mail to MedPage Today. “It is very difficult to add on security after the fact.” The authors said that in terms of security risks, medical devices are like “the drug supply of a generation ago.” The contributors said computer security specialists “see weaknesses in the current technology of many medical devices.” Potential vulnerabilities include unauthorized device reprogramming and data extraction. Or hackers could flood a device with information so that normal communication fails to reach it. There are also tactics to prematurely drain a device’s battery and eventually reduce its lifespan by repeatedly awakening it from a sleep state.

Data theft and other fraudulent activities related to exposure of electronic medical record (EMR) data more than doubled last year, to seven percent in 2009, compared to three percent in 2008, market research firm Javelin Strategy & Research reports. And EMRs can be so rich in sensitive data like Social Security numbers, insurance ID numbers, medical history and even payment information that they are tremendously valuable to criminals. Criminals tend to use information stolen from medical records for an average of 320 days, vs. just 81 days for pilfered data from other sources, the firm reports. It takes twice as long to detect medical data fraud than with other forms of identity theft, and costs $12,100 to do so, also more than twice the general average. “There’s more Identity fraud of any kind being generated from exposure to health records which [have] particularly sensitive information,” the president of Javelin Strategy & Research says, according to InformationWeek. And he believes fraud will increase as EMRs proliferate. “We think medical providers aren’t up to the task. They won’t have security best practices in place to match the incidents of fraud, and we think theft of personal health information is going to get worse,” he adds.

Health Information Security Conference to run May 11-12 in D.C. The National Institute of Standards and Technology (NIST) is co-hosting a conference to explore the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The conference on “Safeguarding Health Information: Building Assurance through HIPAA Security,” presented in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights, will be held on May 11 and 12, 2010, in Washington, D.C. This conference will provide a forum to discuss the present state of health information security, and practical strategies, tips and techniques for implementing the security requirements of HIPAA. Industry panels will discuss breach notification rules and the state of compliance with the Security Rule. The meeting is expecting to draw hundreds of HIPAA security rule implementers; security, privacy and compliance officers; assessment teams and audit staff.