By Zaid Altawil, M.D.
Technology in medicine is advancing at an ever faster rate, thanks to rapid progress in both cost and scale. Connected "things" are getting smaller, cheaper, and more ubiquitous. If you don't believe me, check your heart rate on your smartwatch.
Technological advances change how we deliver care in our emergency rooms. While medicine has traditionally been slow on the uptake, we are seeing more and more examples of medical technology in action in the emergency department (ED). Connectivity is rapidly embedding itself in patient care, from how patients come to us (e.g. a patient self-presenting because his Holter monitor registered a six-beat pause and the monitoring company called him) to how we monitor them once they are here (Bay 6's bed is beeping, he's trying to make a run for it!).
As pop-culture phenomena such as Netflix's "Black Mirror" or USA Network's "Mr. Robot" reflect, the looming specter of malicious intent is ever present when technology is involved. As our care becomes intertwined with the internet of things (or, as it has recently been coined, the internet of medical things), security becomes ever more important. What can we do as emergency physicians?
Let’s start with awareness.
Imagine this scenario: you are called to the resuscitation room to evaluate a patient with symptomatic bradycardia. The patient reports that he was reading his favorite journal in a coffee shop when he suddenly began to feel palpitations and shortness of breath. He begins to lose consciousness, and you rifle through your Advanced Cardiac Life Support (ACLS) algorithms. But what caused this? It turns out that his pacemaker is malfunctioning, and it is not due to lead issues (e.g. dislodgment), pocket issues (e.g. migration, erosion), or battery failure.
While no actual cases have been documented in the literature, the attack is not hypothetical: in 2012 security researcher Barnaby Jack reverse engineered a pacemaker's wireless programming interface and demonstrated commanding the device to deliver an 830-volt shock. Concern about this attack surface goes back at least to 2007, when Dick Cheney's cardiologist had the wireless function on the then vice president's implanted defibrillator disabled, fearing that a terrorist could assassinate him by sending a deadly signal to the device a.
Despite the paucity of literature reports, this class of flaw has already had real-world consequences. In 2017, the FDA issued a recall, in the form of a mandatory firmware update, covering roughly 465,000 Abbott (formerly St. Jude Medical) pacemakers after vulnerabilities were found that could allow an attacker within radio range, using commercially available equipment, to reprogram the device, deplete its battery, or change its pacing b. The update is applied in the device clinic through the programmer; the devices do not need to be explanted.
The good news is that as of April 2018 the FDA has also approved a firmware update for many Abbott (formerly St. Jude Medical) ICDs (implantable cardioverter defibrillators) and CRT devices (cardiac resynchronization therapy) c. The update requires any external device attempting to communicate with the implant to authenticate first, and only Abbott's own programmers and home-monitoring transmitters, such as those found in clinic and in patients' homes, can do so. For some older devices that cannot take the update, Abbott has gone so far as to offer to disable radiofrequency communication altogether. The downside is that the patient's device data then cannot be read remotely by either the patient or the physician.
For now, as EM physicians, we can do our part by recognizing that such an event is possible, and by gently reminding our patients to ask their device clinic whether the update has been applied, if they have not already done so.
Consider another scenario: a patient is brought in by paramedics combative and with an altered mental state. He is diaphoretic and screaming, and it takes four security guards to restrain him. You have given intramuscular glucagon and repeated doses of D50 through an intraosseous line, and only now have you secured IV access to hang a continuous dextrose infusion. Yet the patient remains in refractory hypoglycemia. What is going on?
In October 2016, researchers at Rapid7, a cybersecurity firm, disclosed vulnerabilities in the Animas OneTouch Ping insulin pump system d. The system uses a wireless link between the pump and its glucometer, which doubles as a remote control, so that the user can command a bolus from the meter without handling the pump. The researchers found that this traffic was sent in cleartext, without encryption, and that commands carried nothing to prove they were fresh. Anyone within radio range could therefore listen in, learn the identifiers the pump uses to recognize its meter, and either replay a captured bolus command or craft a new one that the pump would accept as coming from the meter. This could allow an attacker to prompt the pump to deliver an extra-large dose of insulin when none was required. In Rapid7's demonstration video, Jay Radcliffe, the researcher who found the flaws, wirelessly commands a OneTouch Ping to deliver a 20 U insulin bolus.
These findings were published only after coordination with Animas, and Animas has relayed the warning to its customers, along with mitigations such as turning off the pump's radio link or lowering its maximum bolus setting. It is unclear, however, whether the pumps themselves have been patched. What does this mean for us as emergency physicians? For one, it means being more cognizant of the patient's medical history, particularly of what kind of hardware they are carrying. The risk of this sort of incident is low: patients carrying vulnerable devices are still relatively uncommon, the attacker has to be within radio range, and the attack requires a significant amount of technical expertise. For now, it is an interesting tidbit to keep your medical students on their toes. But it can happen.
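To make the two device problems above concrete, here is an added example (not Animas, Abbott, or Rapid7 code) that models a meter-to-pump "deliver bolus" link in Python. The first pump accepts any cleartext packet carrying its paired meter's serial number, so a captured command can be replayed and a forged one with a larger dose is accepted; the second requires what the Abbott firmware update requires in spirit, proof that the sender holds a pairing secret, plus a monotonic counter so captured packets cannot be replayed, and a dose ceiling as defence in depth. The wire layout, the 16-byte HMAC tag, the 10 U limit, and the idea that the key is shared during a physical pairing step are assumptions made for illustration only.

```python
"""Toy model of a wireless glucometer -> insulin pump command link.

Constructed example: a cleartext, unauthenticated channel that can be
spoofed or replayed, next to a hardened design that authenticates each
command (HMAC under a pairing key) and rejects replays (monotonic counter).
Wire format, key handling and dose limits are assumptions, not any
vendor's real protocol.
"""
import hashlib
import hmac
import os
import struct

# Assumed layout of a "deliver bolus" command: 4-byte meter serial,
# 4-byte dose in hundredths of a unit (2000 == 20.00 U).
BOLUS_FMT = ">II"


class CleartextPump:
    """Pump that trusts any packet carrying its paired meter's serial."""

    def __init__(self, paired_serial: int):
        self.paired_serial = paired_serial
        self.delivered = []  # units delivered, in order

    def receive(self, packet: bytes) -> bool:
        if len(packet) != struct.calcsize(BOLUS_FMT):
            return False
        serial, centi_units = struct.unpack(BOLUS_FMT, packet)
        if serial != self.paired_serial:  # the only check performed
            return False
        self.delivered.append(centi_units / 100)
        return True


def cleartext_bolus(meter_serial: int, units: float) -> bytes:
    """What the meter (or anyone who sniffed the serial) sends."""
    return struct.pack(BOLUS_FMT, meter_serial, round(units * 100))


class AuthenticatedPump:
    """Pump that requires a valid MAC and a fresh counter on every command."""

    TAG_LEN = 16  # truncated HMAC-SHA256 tag (assumed)

    def __init__(self, pairing_key: bytes, max_bolus_units: float = 10.0):
        self.key = pairing_key
        self.max_bolus_units = max_bolus_units  # assumed safety ceiling
        self.last_counter = 0
        self.delivered = []

    def receive(self, packet: bytes) -> bool:
        if len(packet) != 4 + struct.calcsize(BOLUS_FMT) + self.TAG_LEN:
            return False
        body, tag = packet[:-self.TAG_LEN], packet[-self.TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:self.TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # forged or tampered
            return False
        counter, serial, centi_units = struct.unpack(">III", body)
        if counter <= self.last_counter:  # replay of a captured packet
            return False
        if centi_units / 100 > self.max_bolus_units:  # defence in depth
            return False
        self.last_counter = counter
        self.delivered.append(centi_units / 100)
        return True


class AuthenticatedMeter:
    """Meter holding the same pairing key; counter increments per command."""

    def __init__(self, pairing_key: bytes, serial: int):
        self.key = pairing_key
        self.serial = serial
        self.counter = 0

    def bolus(self, units: float) -> bytes:
        self.counter += 1
        body = struct.pack(">III", self.counter, self.serial, round(units * 100))
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        return body + tag


def demo() -> dict:
    meter_serial = 0x12345678
    # Vulnerable link: sniff one legitimate 2 U bolus, replay it, then forge 20 U.
    weak = CleartextPump(meter_serial)
    captured = cleartext_bolus(meter_serial, 2.0)
    weak.receive(captured)
    weak.receive(captured)                                # replay accepted
    weak.receive(cleartext_bolus(meter_serial, 20.0))     # serial is public
    # Hardened link: key assumed to be shared during a physical pairing step.
    key = os.urandom(32)
    pump = AuthenticatedPump(key)
    meter = AuthenticatedMeter(key, meter_serial)
    good = meter.bolus(2.0)
    legit_ok = pump.receive(good)
    replay_rejected = not pump.receive(good)
    forged = struct.pack(">III", 99, meter_serial, 2000) + os.urandom(16)
    forge_rejected = not pump.receive(forged)
    tampered = good[:8] + struct.pack(">I", 2000) + good[12:]  # dose edited
    tamper_rejected = not pump.receive(tampered)
    overdose_rejected = not pump.receive(meter.bolus(20.0))   # valid MAC, over limit
    return {
        "weak_delivered": weak.delivered,
        "hardened_delivered": pump.delivered,
        "legit_ok": legit_ok,
        "replay_rejected": replay_rejected,
        "forge_rejected": forge_rejected,
        "tamper_rejected": tamper_rejected,
        "overdose_rejected": overdose_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The cleartext pump ends up delivering 24 U from a single sniffed 2 U packet, while the authenticated pump delivers only the one legitimate 2 U bolus and refuses the replay, the forgery, the edited dose, and the over-limit command. A real design would also encrypt the payload (authenticated encryption rather than a bare MAC) and still has to solve key distribution during pairing, which is exactly the part the Abbott update delegates to the vendor's own programmers.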
On another hypothetical difficult (read: horrible) shift, your charge nurse hurriedly runs over to tell you that EVERY SINGLE infusion pump in the ED is beeping like crazy. Blood pressures are dropping on nicardipine drips and going through the roof on norepinephrine. As you frantically tell her to literally disconnect every line, you start to panic about how to deliver titrated medications to the patients who need them. What's going on?
In 2015, the FDA released a safety communication strongly encouraging hospitals to stop using a particular model of Hospira wireless infusion pump, the Symbiq, because of security vulnerabilities that could allow someone with malicious intent who has access to the hospital network to take control of the pump and change the dose it delivers e. A video produced by BlackBerry (yes, that BlackBerry) showed a security researcher accessing a PCA pump and commanding it to deliver many times a safe dose of morphine. Although that pump had already been discontinued by its manufacturer for unrelated reasons, the threat persists: in 2017 security vulnerabilities were disclosed in a different brand of infusion pump f.
These examples show the many ways in which cybersecurity compromises can affect patient care. While thankfully no cases of direct patient harm have been reported, the threat is real. The FDA has been doing its part to address these concerns: it has held public workshops and webinars and released guidance on the cybersecurity content of premarket submissions for devices that contain software g. Hospital systems are also preparing for attacks that could threaten patient-care systems. Although slow on the uptake, they face many challenges, including a wide array of potential targets and third-party software and hardware that make security compliance difficult. Most importantly, the human element is particularly hard to account for, as the countless phishing attacks that occur every year demonstrate h. These attacks are invited in by the system's own users whenever they open a malicious attachment, enter their password on a fraudulent site, or reply to an email asking for more information.
Disaster protocols similar to those in place for natural disasters and mass shootings will be needed, among them a plan for running infusions and monitoring when the network or the devices on it cannot be trusted, because the trend is towards ever more connectivity. It is not hard to imagine a future in which every medical device is connected wirelessly. As our patients become more connected to the internet of (medical) things, it is our responsibility as providers to become more cognizant of the dangers they are exposed to.
- a. Gupta, S. (2013). Dick Cheney's heart. CBS News. Available at: https://www.cbsnews.com/news/dick-cheneys-heart/ [Accessed 21 Jun. 2018].
- b. FDA (2017). Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm [Accessed 5 Jun. 2018].
- c. FDA (2018). Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm [Accessed 21 Jun. 2018].
- d. Rapid7 Blog (2016). R7-2016-07: Multiple Vulnerabilities in Animas OneTouch Ping Insulin Pump. Available at: https://blog.rapid7.com/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump/ [Accessed 21 Jun. 2018].
- e. Reuters (2015). UPDATE 1-FDA warns of security flaw in Hospira infusion pumps. Available at: https://www.reuters.com/article/hospira-fda-cybersecurity/update-1-fda-warns-of-security-flaw-in-hospira-infusion-pumps-idUSL1N10B2MA20150731 [Accessed 5 Jun. 2018].
- f. MDDI Online (2017). Why Infusion Pumps Are So Easy to Hack. Available at: https://www.mddionline.com/why-infusion-pumps-are-so-easy-hack [Accessed 21 Jun. 2018].
- g. FDA (2018). Cybersecurity. Available at: https://www.fda.gov/medicaldevices/productsandmedicalprocedures/ucm373213.htm [Accessed 21 Jun. 2018].
- h. SC Media UK (2018). Devastating phishing attacks dominate 2017. Available at: https://www.scmagazineuk.com/devastating-phishing-attacks-dominate-2017/article/685213/ [Accessed 27 Jun. 2018].