Cyber Attacks: Lives at Risk


An alert by India’s drug regulatory agency about some insulin pumps posing a “cyber security risk” shows the increasing vulnerability of medical instruments to online warfare

By Dr KK Aggarwal

Medical devices are increasingly connected to the internet, hospital networks and other medical instruments, to provide features that improve healthcare and increase the ability of such providers to treat patients.

However, they also increase the risk of cyber security threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting their safety and effectiveness. The need for effective cyber security to ensure medical device functionality and safety has become more important with the increasing use of wireless, internet and network-connected devices, portable media (USB or CD) and frequent electronic exchange of medical device-related health information.

Cyber security threats to the healthcare sector have become more frequent, more severe and more clinically impactful. Cyber security incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across facilities, in the US and globally. Such attacks can delay diagnoses and treatment and harm the patient.

Threats and vulnerabilities cannot be eliminated; therefore, reducing security risks is especially challenging. The healthcare environment is complex, and manufacturers, hospitals, and facilities must work together to manage the security risks.

And this imminent threat has now come to the fore. India’s drug regulatory agency, the Central Drugs Standard Control Organisation (CDSCO), has issued an alert about several models of insulin pumps made by the US company Medtronic, saying they pose a “cyber security risk” because unauthorised persons could wirelessly gain control over them. The July 2 alert has cited an “urgent safety field notification” from Medtronic and a US Food and Drug Administration (FDA) warning on June 27 about the pumps—electronic devices that deliver insulin into the bloodstream.

An unauthorised person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change the settings and control insulin delivery. Unauthorised tampering with the settings could expose patients to the risks of fatal low blood glucose or high sugar levels.

The FDA warned all patients and doctors about Medtronic MiniMed™ insulin pumps and said that patients with diabetes using these models should switch their insulin pump to models that are better-equipped to protect against these potential risks.

Medtronic is recalling these pumps. The following alerts were issued by it: “One should keep insulin pump and the devices that are connected to the pump within your control. Never share your pump serial number. Be attentive to pump notifications, alarms, and alerts. Disconnect the USB device from your computer when you are not using it to download data from your pump.”

It was in March 2019 that the FDA issued a safety communication to alert healthcare providers and patients about cyber security vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic’s implantable cardiac devices, clinic programmers and home monitors. Although the system’s overall design features help safeguard patients, Medtronic is developing updates to further mitigate these cyber security vulnerabilities.

To date, the FDA is not aware of any reports of patient harm related to cyber security lapses. However, it is a fact that remote control of the device in the hands of unauthorised persons can be used to stop it delivering a shock when needed or to make it give a shock when not needed.

In another case, the FDA, in October 2018, issued a safety alert that Medtronic was issuing a software update to address a safety risk caused by cyber security vulnerabilities associated with the internet connection between Carelink 2090 and Carelink Encore 29901 programmers. These were used to download software from the Medtronic SDN. This update was a voluntary recall by the manufacturer to address the safety risk.

There have been other warnings of software glitches. On April 11, 2018, the FDA approved a firmware update that was intended as a corrective action to reduce the risk of patient harm due to premature battery depletion and potential exploitation of cyber security vulnerabilities for certain Abbott ICDs (implantable cardiac defibrillators) and CRT-Ds (cardiac resynchronisation devices). “Firmware” is a specific type of software embedded in the hardware of a medical device (e.g. a component in the defibrillator).

It was in January 2016 that the FDA issued guidance outlining important steps that medical device manufacturers should take to continually address cyber security risks to keep patients safe and better protect public health. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that they also consider improvements during maintenance of devices. The evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.

All medical devices that use software and are connected to hospital and healthcare organisations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation. The FDA guidance also addresses the importance of information-sharing via participation in an Information Sharing Analysis Organisation (ISAO), a collaborative group in which public and private-sector members share cyber security information.

The draft guidance indicates that in cases where the vulnerability is quickly addressed in a way that sufficiently reduces the risk of harm to patients, the FDA does not intend to enforce urgent reporting of the vulnerability to the agency if certain conditions are met.

These conditions include: there are no serious adverse events or deaths associated with the vulnerability; within 30 days of learning of the vulnerability, the manufacturer notifies users and implements changes that reduce the risk to an acceptable level; and the manufacturer is a participating member of an ISAO and reports the vulnerability, its assessment and remediation to it.

Medical device manufacturers (MDMs) and healthcare delivery organisations (HDOs) should take steps to ensure that appropriate safeguards are in place. While MDMs should remain vigilant about identifying the risks and hazards associated with their medical devices, HDOs should evaluate their network security and protect their hospital systems.

Chapter XI, Section 66 of the Information Technology (IT) Act, 2000, particularly deals with the act of hacking. Section 66 (1) defines a “hack” as any person who dishonestly or fraudulently does any act referred to in Section 43, which deals with hacking. Section 66 (2) prescribes the punishment for it. Under the Act, hacking is a punishable offence in India with imprisonment up to three years, or with a fine up to Rs 2 lakh, or with both.

Though concerns have been raised in India regarding the potential for cyber interference with medical devices, generally, this has not been shown to be a clinical concern. But it is better to be safe than sorry.

Dr KK Aggarwal

Padma Shri Awardee

President Elect Confederation of Medical Associations in Asia and Oceania (CMAAO)

Group Editor-in-Chief IJCP Publications

President Heart Care Foundation of India

Past National President IMA

Sri Lanka is measles-free: Will India achieve its target of eliminating measles by 2020?


Last week, Sri Lanka was declared free of measles by the World Health Organization (WHO). The country reported its last case of measles caused by an indigenous virus in May 2016. Sporadic cases reported in the last three years have all been importations that were quickly detected, investigated and rapidly responded to, said the WHO.

Measles is a notifiable disease in Sri Lanka, which has a strong surveillance system in place and all vaccine-preventable diseases are an integral part of the communicable disease surveillance system.

In contrast, there has been a resurgence of measles in the United States. This year 1,109 individual cases of measles have been confirmed in the US from January 1 to July 3, as per CDC. This is the greatest number of cases reported in the US since 1992 and since measles was declared eliminated in 2000. Two factors have been identified as contributing to the outbreaks of measles: firstly, measles is being imported into the US via travelers with measles who bring the disease from other countries such as Israel, Ukraine, and the Philippines, where large measles outbreaks (defined as 3 or more cases) are occurring; and secondly, low vaccination rates because of vaccine refusal facilitate spread in unvaccinated people.

Europe too has witnessed a resurgence of measles, with Ukraine experiencing the worst outbreak in the region, totaling more than 25,000 cases recorded in the first two months of 2019.

Measles is a highly infectious disease that is potentially fatal. It spreads via airborne transmission through sneezing or coughing.

Measles is still common in many parts of the world including in India.

India has set itself a target of eliminating measles from the country by 2020. Towards this end, the Health Ministry launched a single “Measles-Rubella vaccine” for dual protection against the two diseases as part of Universal Immunization Program (UIP) in 2017. A total of 13.04 crore children have been vaccinated till 29th October 2018. Following the campaign, Measles-Rubella vaccine will be introduced in routine immunization, replacing the currently given two doses of measles vaccine, at 9-12 months and 16-24 months of age.

What can India do?

India accounts for one-third of all measles-related deaths worldwide. To achieve its target of eliminating measles from India, the first step should be to strengthen the surveillance system.

At least 95% of the population must be immune to stop the spread of measles, i.e. not less than 95% of the population must be vaccinated against measles to ensure community protection for everyone (“herd immunity”). This happens when unvaccinated people are protected because so many of those around them are. About 15% of vaccinated children fail to develop immunity from the first dose, meaning that if only 80% are fully immunized, an outbreak is likely.

This calls for intensification of efforts to ensure maximum coverage of the population with the MR vaccine.

Dr KK Aggarwal


Superbugs persist on surgical gowns and surfaces even after decontamination


The superbug Clostridium difficile persists on surgical gowns and surfaces, even after being treated with the recommended amount of disinfectant, suggests a study from the University of Plymouth, UK.

In the study published July 12, 2019 in the journal Applied and Environmental Microbiology, researchers examined single-use hospital surgical gowns (made of polypropylene), hospital-grade stainless steel and floor vinyl that had been infected with 1 × 10⁶ spores/ml of two types of C. difficile spore preparations: crude spores and purified spores of C. difficile. These infected gowns were then treated for 10 minutes with disinfectant containing 1,000 parts per million (ppm) of chlorine-releasing agent sodium dichloroisocyanurate.

All strains of C. difficile spores remained viable on the gowns as well as on stainless steel and vinyl flooring after microbicide exposure at the recommended disinfection concentration, demonstrating ineffectual sporicidal action. As the number of spores did not increase during contact time (10 seconds, 30 seconds, 1 minute, 5 minutes, 10 minutes), the transfer of spores likely occurred within the first 10 seconds.

This new study only adds to the growing evidence that for all practical purposes, everything used in healthcare including environmental surfaces can be considered to be contaminated and a potential source of cross-contamination in hospitals and transmission of health-care associated infections.

Universal precautions need to be stringently followed. Single-use items should be disposed of properly and surfaces should be wiped clean. Hand hygiene and antimicrobial stewardship activities should be diligently observed. Any variation in cleaning practices can result in suboptimal spore killing.

Dr KK Aggarwal

