Do No Harm. Matthew Webster
“Compounding this issue of non-regulation and insecure code is the lack of a comprehensive and workable liability framework for consumers to follow if their IoMT device malfunctions or is hacked. The application of tort principles to evolving IoMT devices is imperfect, creating challenges for plaintiffs seeking damages. In particular, the numerous actors in the IoMT supply chain make it difficult to apportion liability, with no clear boundaries establishing which party is at fault for a hack or breach. Similarly, defect-free software does not exist, which complicates the application of strict products liability. Further, end-user licensing agreements contractually limit manufacturer liability for defective devices, shifting the risk of harm to consumers and eliminating manufacturer incentives to comply with cybersecurity best practices.”48
In Summary
In the end, we have a tremendous number of factors that play into the challenges we face when it comes to protecting internet-connected medical devices. With no clear liability, there is little incentive to make secure products. The deck appears stacked against strong security in connected medical devices, and the drive to innovate further into Medicine 2.0 only compounds the issues over time. What we need to do is take a deeper dive into the technology to help us better understand the technological forces at play. What is underneath the proverbial covers is more concerning than the strategic challenges we face related not just to cybersecurity, but to the medical devices, our data, and, in rare cases, our very lives.
Just because something rarely takes place does not diminish its importance. As internet-connected medical devices grow in number and complexity, so too will the vulnerabilities related to them, and ultimately this has an impact on the security of not only the devices, but also our data. To accentuate the point of continual innovation, that innovation is often on the software side of the house, and keeping up with the micro changes in each device can and does mean more security risks if proper oversight and process are not taken into account. The Silicon Valley approach of working directly with the customers to create changes almost on the fly is alluring to customers, but can also provide the fuel for more vulnerabilities in the ever-more interconnected world of internet-connected medical devices.
Notes
1 Nicole Feraro, “Health Prognosis on the Security of IoMT Devices? Not Good,” Dark Reading, April 25, 2020, https://www.darkreading.com/endpoint/health-prognosis-on-the-security-of-iomt-devices-not-good/d/d-id/1337649.
2 “The State of Ransomware in the US: Report and Statistics,” 2019, https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/.
3 “Covid-19: Ruthless Ransomware Authors Attack Hospitals,” 2020, https://securityboulevard.com/2020/06/covid-19-ruthless-ransomware-authors-attack-hospitals/.
4 Lily Hay Newman, “The Covid-19 Pandemic Reveals Ransomware's Long Game,” 2020, https://www.wired.com/story/covid-19-pandemic-ransomware-long-game/.
5 Jessica Kim Cohen, “Washington hospital refuses to pay $1 million ransomware demand,” 2019, https://www.modernhealthcare.com/cybersecurity/washington-hospital-refuses-pay-1-million-ransomware-demand.
6 Catalin Cimpanu, “First death reported following a ransomware attack on a German hospital: Death occurred after a patient was diverted to a nearby hospital after the Duesseldorf University Hospital suffered a ransomware attack,” 2020, https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/.
7 “German Hospital Hacked, Patient Taken to Another City Dies,” Cleveland Daily Banner, https://hosted.ap.org/clevelandbanner/article/cf8f8eee1adcec69bcc864f2c4308c94/german-hospital-hacked-patient-taken-another-city-dies.
8 Sergiu Gatlan, “UHS hospitals hit by reported country-wide Ryuk ransomware attack,” 2020, https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/?utm_medium=email&_hsmi=96262261&_hsenc=p2ANqtz-8L3v0ZVtO4P3wgXU05ReBUHRZfuWMMoaMdTsDri89BURxNP-RVxwkTlH5sJZwmIx-oW7eVuuuTbnGmMcuDQ4DLodl79gsRrcB4LfLdQWpIT_7ESHw&utm_content=96262261&utm_source=hs_email.
9 SonicWall, “2020 Cyber Threat Report,” 2020.
10 Kelly Jackson Higgins, “Over 80% of Medical Imaging Devices Run on Outdated Operating Systems,” 2020, https://www.darkreading.com/iot/over-80--of-medical-imaging-devices-run-on-outdated-operating-systems/d/d-id/1337273?_mc=NL_DR_EDT_DR_daily_20200311&cid=NL_DR_EDT_DR_daily_20200311&elq_mid=96222&elq_cid=23133172.
11 Dalvin Brown, “Hacking Diabetes: People break into insulin pumps as an alternative to delayed innovations,” 2019, https://medicalxpress.com/news/2019-06-hacking-diabetes-people-insulin-alternative.html.
12 Serena Gordon, “Medtronic recalls some insulin pumps as FDA warns they could be hacked,” 2019, https://medicalxpress.com/news/2019-06-medtronic-recalls-insulin-fda-hacked.html.
13 “How vulnerable is the internet of medical things to cyber threats?” https://www.nuspire.com/wp-content/uploads/2020/04/Nuspire-IG-Healthcare-Infographic.pdf.
14 “What hackers actually do with your stolen