Author: Gabrielle Flora, Associate Director, BRC
Photo Credit: Nick Chicarielli, Graphic Design Intern
Click for Information and Recordings
In comic book stories, the form of the villain follows certain functions. The villains are introduced slowly. They lurk in the shadows, planning and plotting. You see the progression of their nefarious actions and know, unequivocally, that the destruction is coming. You cling to the hope that the superhero will get there just in time to save the day, when the day comes. And the villain’s day always comes.
We’ve all grown up with these stories, and while there are no superpeople with superpowers (that we know of) protecting us from harm and no villains with ice blasters trolling our streets, we certainly do have modern day heroes to protect us from modern day villains. After lurking in the shadows, planning and plotting, the great villains’ day has finally come. They are hackers with the ability to cause mass destruction across the many facets of our new and burgeoning internet of things.
The biggest threat they pose is to human health. They can hack your banks, your hospitals, your phones and wearables and cause you physical or mental harm. They can copy, delete, or alter your medical records. They can steal medical data. They can even buy and sell black market organs or perform other similarly heinous actions in a place known only to those hacker villains most foul as “The Dark Web”. But rejoice, dear citizen, for there are cyber superheroes out there fighting day in and out to save you from this evil.
Cybersecurity experts gathered to discuss strategy and how to protect the citizenry better during the recent conference, Internet of Medical Things: Cybersecurity in Discovery, Development, and Devices, hosted by the BioPharma Research Council on July 29th in Princeton. I sat in awe of these superpeople, powerful cybersecurity professionals from across the country, as they discussed how to deal with this latest threat.
The first cybersecurity expert to speak was Colin Morgan, Senior Information Security Manager and Information Security Officer for Johnson & Johnson. “I’m here to talk to you today about the risks involved with these life saving devices,” he said, “ and how you can help make sure devices are safe.”
He cautioned that your identity can be stolen through your healthcare records. Records can be manipulated to cause harm. Implantables like pacemakers and insulin pumps can be operated remotely. Simply put, in this day and age a hacker can take over medical devices and use them to kill. Telesurgery, robotics, machine learning, activity trackers and wearables, and connected devices are all emerging healthcare technologies easily hackable by those villains who might seek money or to exercise power over another individual. According to Morgan, the future of healthcare technology is even riskier, with systems being developed such as robotic disease removal tools, instantaneous diagnostics, cyborgs, and bionic eyes - all eventually hackable.
“This data is very valuable to hackers. There is a huge market for this stuff” said Miranda Alfonso-Williams, Principal Consultant at WAM Consulting Group. She noted the value in the future of sensors, passively gathering data about an individual through monitoring of regular bodily functions and that this data is open to meaningful interpretation. “Hackers will generally go after the low-hanging fruit. What we don’t want to do is make it easy for them,” she said. Her strategy? Developing controls and processes that are uniform and strong is the first step. “We see the evolution that is occurring around the globe. Around 2020, the internet of things will be valued around $122 billion,” she said. “The philosophy regarding privacy is very different depending on where you are in the world.” There is strength, she believes, in unifying worldwide protection efforts, in education about these issues, and in remaining vigilant in the face of hackers worldwide.
Dr. Suzanne Schwartz is Director for Emergency Preparedness/Operations and Medical Countermeasures Center for Devices and Radiological Health at the FDA. Dr. Schwartz believes that cybersecurity is a real public health issue, also calls for a community approach. “The concept of rallying around this shared purpose, this space, is one of shared ownership and responsibility,” she said. Dr. Schwartz feels the evolving internet of things is an ecosystem and that medical devices and information sharing need to evolve past their vulnerabilities to survive. “If we are going to make improvements with respect to cybersecurity,” she said, “these are the threats we need to overcome.”
There is, however, another perspective on cybersecurity for the internet of medical things. “The weakest part is the thing itself. These things are not built for medical thinking. They are built for battery life and battery beats security,” said John Wilbanks, Chief Commons Officer at Sage Bionetworks.
According to Wilbanks, scientific studies would benefit immensely from open sharing of data because analysis of data is more precise with much larger sample sizes. Integration of medical data to Amazon-like sites might help create new insights and further medical progress in a given area of study. “I come from the sharing side of things,” he said. “Informed consent is the key.” He suggests the creation of a cultural commons, where medical data is shared freely and openly for the advancement of science. He believes in the use of smartphones and smart devices for data collection.
As an example, his current research focuses on Parkinson’s disease, with patients using their mobile phones to submit their medical data through a series of tests, such as tapping back and forth on touch screens or measuring their gait and balance through the phone. This data is submitted to the collective through informed consent and is utilized by researchers of Parkinson’s to develop better diagnostics. While this approach does not address all sides of security, it is certainly a unique perspective to consider. “We’re trying to empirically demonstrate that experts beat out non-experts when using computed biological data.”
At the end of the day, the important thing is that these cyber experts continue to address the challenge of protecting the citizenry from this new, omniscient villain. Knowing that they are out there, dutifully working to ensure that we are safe, that we are cybersecure, is just as comforting as if they were wearing capes and battling vagrants in the streets. “Safety is our number one concern,” said Captain Mainframe, (secretly Colin Morgan by day), “Let’s save lives together.” Spoken like a true superhero.