Hackers Steal 600K Records from Health Care Firms – Could Your Wearable Device Be Next?
Security firm InfoArmor published a report in late July 2016 stating that a group of attackers infiltrated American health care institutions, stole at least 600,000 patient records and attempted to sell more than 3 terabytes of that associated data. In an interview with eWeek, chief intelligence officer Andrew Komarov noted that the hackers he investigated were able to compromise different health care institutions such as private clinics, vendors of medical equipment, and suppliers. Once inside the compromised systems, the hackers were able to take personally identifiable information and medical data, including imaging data (as shown to the right).
Komarov’s research should come as no surprise in view of a report issued by the Brookings Institute in May 2016 reporting that 23% of all data breaches occur in the healthcare industry. In fact, nearly 90% of healthcare organizations had some sort of data breach between 2013 and 2015, costing the healthcare industry nearly $6.2 billion.
According to a report done by Bloomberg BNA, while a number of legal mandates exist (e.g. the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology Certification Program, and the Food and Drug Administration’s (FDA) premarket review), the existing guidelines are limited. Furthermore, medical devices face certain unique cybersecurity pitfalls. For example, while HIPAA applies to protect health information regardless of where it’s stored, protected health information that exists on disposed of or nonfunctional medical devices can be overlooked.
Connected medical devices (i.e., medical devices that can transmit information through the internet or a networked system) also pose unexpected risks and challenges. For example, the ability for hackers to remotely access connected medical devices can hypothetically result in significant threats to patient health and safety. A 2012 episode of the television show Homeland featured a character hacking into and manipulating the pacemaker of the fictional vice president. While such situations seem far-fetched, in an interview on “60 Minutes,” it was revealed that Vice President Dick Cheney’s doctor had actually disabled the wireless functionality of his heart implant, fearing that it might be hacked in an assassination attempt.
While such fears may seem fueled by paranoia, recent studies have shown that such security threats may be a real concern. Bloomberg Businessweek reported in November 2015 that the Mayo Clinic engaged a number of high-profile “white hat” hackers to conduct a study of cybersecurity vulnerabilities in their medical devices. These “white hat” hackers worked on a number of different medical devices, including things such as cardiac monitors, infusion pumps, and hospital beds. In one alarming example, one hacker was able to gain control of an infusion pump – the Hospira Symbiq Infusion System – and was able to remotely cause it to deliver a potentially lethal dose of medication. Shortly thereafter, the FDA issued a safety notice recommending a recall and the stopped usage of the aforementioned pump.
With increasing concerns about cybersecurity, as discussed on this blog previously, the FDA is currently seeking comment on proposed guidelines that outline when software changes to medical devices would require manufacturers to submit a premarket notification.
Class Action Lawsuit Filed Against Fitbit
Fitbit, Inc., a manufacturer of wearable health technology, is involved in a national class action lawsuit filed on January 5, 2016 in the Northern District of California over two of its wristbands, the Charge HR and the Surge, based on their “PurePulse” LED-based technology used for tracking heart rates. Generally, the lawsuit alleges that the heart-rate monitor used in those wristbands, advertised under the now amusing tag line “every beat counts,” does not monitor heart beats correctly. This allegedly especially occurs during times of intensive exercise.
In a statement to ArsTechnica responding to the lawsuit, a Fitbit spokesperson wrote, “We do not believe this case has merit. Fitbit stands behind our heart rate technology… [b]ut it’s also important to note that Fitbit trackers are designed to provide meaningful data to our users to help them reach their health and fitness goals, and are not intended to be scientific or medical devices.” Further, Fitbit released another statement after the lawsuit saying that “PurePulse provides better overall heart rate tracking than cardio machines at the gym.”
Fitbit is also involved in another class action lawsuit filed in May 2015 regarding its sleep tracking data, and is also involved in several suits against rival wearable-device maker Jawbone.
Nokia Sensing XCHALLENGE Announces its Competition #2 Winners
The Nokia Sensing XCHALLENGE has announced its Q3 2014 Winners. According to XPRIZE, a non-profit organization that manages public competitions to advance technological development, the Nokia Sensing XCHALLENGE was offered to accelerate the availability of portable and affordable devices capable of accurately collecting real-time health information. The Nokia Sensing XCHALLENGE consisted of two distinct competitions: the first was held in Q1 2013 and the second was held in Q3 2014. The organization states that, through the Nokia Sensing XCHALLENGE competition, it seeks to accelerate the development of continuous monitoring technologies that track the health of the user, particularly for use in developing countries that lack access to affordable, fast, and reliable diagnostic tests. The competition guidelines focused on whether the entries (1) were relevant to public health needs; (2) advanced sensing technology in a unique and creative way; (3) accurately, reliably, and effectively collected and reported data; (4) were multi-functional and easily integrated with other technologies; and (5) were simple and easy to use for the end user.
XPRIZE recently announced that the Q3 2014 Grand Prize Winner was DNA Medicine Institute (DMI), Inc. of Cambridge, Massachusetts, led by CEO Dr. Eugene Chan. The company received an award of $525,000. DMI’s winning devices, including the rHealth X and X1 models (below middle and right) are intended for the ordinary consumer to diagnose various diseases from a single drop of blood. According to DMI, the devices operate by scanning proprietary diagnostic nanostrips for fluorescence and wirelessly collecting vital signs in real time using an array of sensors that adhere to a subject’s body (the devices can also send the collected data to mobile devices). According to USPTO records, DMI is the assignee of several pending patent applications generally directed towards: Multicoded Analytical Nanostrips; Microfluidic Passive Mixing Chip; Flow Based Clinical Analysis; and Capillary Manipulation of Clinical Samples. DMI is also a finalist for the $10M Qualcomm Tricorder XPRIZE, another competition managed by XPRIZE that seeks to stimulate innovation in the field of consumer diagnostic devices.
The Nokia Sensing XCHALLENGE also announced five additional Distinguished Award Winners that received an award of $120,000, including:
Biovotion of Zurich, Switzerland, led by CEO Dr. Andreas Caduff, created the Vital Sign Monitoring platform, a wearable armband that collects and analyzes data about various physiological parameters and sends the information to the user’s mobile device.
Eigen Lifescience of Stanford, California, led by Dr. Shan Wang, created the Eigen Diagnostic Platform, a device that uses magnetic field sensors to analyze interchangeable diagnostic cartridges to diagnose various diseases from a drop of blood. The information can be transmitted to the user’s doctor using an accompanying mobile device application.
Endotronix Wireless Health Monitoring of Woodbridge, Illinois, led by CEO Dr. Harry Rowland, created a device that monitors heart disease by measuring pulmonary artery pressure using a sensor implanted into the pulmonary artery. An accompanying device wirelessly retrieves pressure data from the sensor and uploads the data to a secure cloud server.
Share
