Dick Cheney famously disclosed a few years ago that he had the wireless function of his pacemaker disconnected while he was Vice President because he was concerned that hackers might fiddle with the device remotely and do him harm. We at the Drug and Device Law Blog can’t help but wonder whether the Veep placed himself ahead of or behind the risk-benefit curve. Sure, he mitigated the risk that some malicious and very clever hacker would successfully target him. But he also disabled an important feature of a device that was intended to protect and extend his life.
Was he better or worse off? We don’t know. We do know that when we first learned about wirelessly connected implanted medical devices, we were amazed by technology that appeared straight out of Star Trek. You know, like when Bones would treat some befallen Enterprise crew member in a color-coded T-shirt by waving a handheld device over his or her clothed skin. That’s how we pictured connected devices like cardiac defibrillators—capable of transmitting telemetry, issuing warnings, accepting software upgrades, taking commands, and otherwise treating human frailty—remotely and without the need for any invasive procedure.
The potential benefits to health are tremendous, and wireless connectivity is now common in numerous types of medical devices, implanted and not. But what about the potential risks? We are told that Cheney’s paranoia became the basis for an episode of Homeland, a show we have never seen, but that apparently involved a fictional Vice President harmed by pacemaker hackers with malice aforethought. (Although we have never watched Homeland, we have seen every episode of Veep, which stars Julia Louis-Dreyfus as a different fictional Vice President (and later President) and is wickedly funny, but so profane that our mother-in-law elected to leave the room rather than watch it. But we digress.)
So is medical device hacking a genuine risk or is it the stuff of television melodrama? You will be comforted to know that no one has reported an injury or death attributed to medical device hacking. But that does not mean that we should dismiss the risk out of hand. In today’s world of the “Internet of Things,” where seemingly everything is networked, there have been news reports of hacking into things like automobiles, home security systems, even airplanes.
There is a risk that medical devices could be next. We do not know the scope or severity of the risk, and we are not Chicken Little. But a consensus has formed that there is a potential vulnerability here that needs to be addressed. On June 13, 2013, the FDA issued a Safety Communication entitled “Cybersecurity for Medical Devices and Hospital Networks,” in which the agency recommended that “medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack.” According to the Alert, the FDA had “become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices . . . .” When it came to describing the vulnerabilities, and especially the “incidents,” the FDA offered no particulars. It did, however, fire this shot across the bow:
For all device manufacturers: Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance. The FDA expects medical device manufacturers to take appropriate steps to limit the opportunities for unauthorized access to medical devices. . . .