Recently I had the privilege to yet again attend WPP’s technology and innovation conference, STREAM. Held in Marathon, Greece, the setting provides its own magic, but the attendees are an eclectic group that leaves me inspired and always sends me home with all kinds of new ideas. Exactly what you want from a conference such as this.
On the last night there, a bunch of us were fighting it out playing Mindflex, a concentration game where you battle for control of the game piece by wearing a headset that measures your brain activity and concentration. I did not do well. (I blame the cocktails). I was struck about how quickly science fiction level tech is becoming a mainstream reality. We all can probably remember a time when we dreamed up some fascinating gadget or gizmo that was controlled merely by thinking about it, but it always seemed impossible.
Yet here I was, sitting in Greece, trying to focus my way to victory by playing a game with my brain. Welcome to the year 2012. Where mind control devices are now affordable retail hardware.
When I was done with my turn, I left to apply some alcoholic salve to my humiliating loss and struck up a conversation with a few techies that worked at various start-ups. Each was telling a story or two about how they knew someone who tried hacking into this site or that server. Mostly harmless stuff, but it fostered an idea. In the age of seamlessly integrated network technology and data collection software appearing all over the healthcare space, are we asking for trouble? More importantly, could an organization like Al-Qaeda or Anonymous hack into medical technologies and wreak havoc on a large scale?
In 2006, the first wirelessly accessible,medically implanted device was utilized in the general population. The device was a glucose monitor and it passed data back to a users computer to give more frequent updates on how a patients insulin levels were progressing throughout today. In 2010, Dick Cheney was outfitted with an artificial heart implant that is controlled by a computer inside his body. The computer is capable of receiving software updates and sending data to an external location via a wireless connection.
As of 2012, implanted devices can control heart rhythms, monitor hypertension, provide functional electrical stimulation of nerves, operate as glaucoma sensors and monitor bladder and cranial pressure. External devices can monitor vital signs, assist the movement of artificial limbs and function as miniature “base stations” for the collection and transmission of various physiological parameters. All of these devices, which are almost too numerous to count, can be connected to a computter via a wireless signal. As of the writing of this post, several microchips and WiFi enabled devices have been approved to be included in capsule and pill form, opening the door for even more amazing advances.
Along with all of these advances, there’s the ubiquity of the data that comes along with them. In 1972, the Regenstreif Institute developed the first electronic medical records system. Although the concept was widely hailed as a major advance in medical practice, physicians did not flock to the technology. Fast forward 40 years, and there are now literally millions and millions of data points about patients contained within EMRs all over the world.
In his Ted talk from 2011, Avi Rubin posits that all technology devices can be hacked. We’ve seen the news about the activities of hacker groups and terrorist cells, but could medical devices be the next front in the war on terror? Frighteningly, the answer is yes. So where might the chaos happen? Lets take a look at the 5 most likely targets.
If you do a Google search on the term “Exploding Medical Impants” or “Hacking Medical Implants” (Go ahead, you know you want to. I’ll wait), you’ll find very quickly a list of results that will make you think twice before getting that pacemaker. Imagine what could happen if a group of people were so inclined to do this on a broad scale. If a signal or code could be distributed over a long range (think ultra-long range wifi), you could potentially create a scenario where thousands of impants are tampered with at once. Along with the catastrophic cost of life, the chaos and panic created would rock the economy, the emergency response system, and consumer confidence.
Right now in the U.S., almost 50% of all medical records are contained within some kind of electronic database. With all the recent attention hacker groups like Anonymous, The Script Kiddies, and LulzSec have gotten, its easy to see how data security should be the #1 issue keeping IT pros awake at night. Now consider this. In the wrong hands, medical data could prove crippling to a large portion of the population. Imagine if there was a publicly available list somewhere (WikiLeaks anyone?) about who had HIV or herpes, who had an abortion or who was gay. Think about the “whitelisting” those people might face when interviewing for a job or trying to get a date. Once data like that is released into the wild, it’s almost impossible to scrub clean.
Forced dosing changes
E-Prescribing is becoming a common feature in the primary care of patients. For those unfamiliar, when you visit a doctor who uses and EMR system, he can send your prescription directly to the pharmacy of your choice so it’s waiting upon your arrival. This feature should reduce errors in prescriptions, since pharmacies no longer have to decipher the awful handwriting of your doctor. If a security loophole were exploited, it would, in theory, be possible to install a code that would change the prescription data on its way to the pharmacy. Imagine needing hypertension medication and getting ADHD medication instead. Think about it, how may of you check to make sure you got the right meds when at the counter? Most people probably just assume that they pharmacy got it right. If an individual was to be targeted this way, you could potentially switch their meds for something fatal and the murder would look like a screw up.
The Walking Dead
Mmmmmmm Brains. OK no, not that kind of walking dead. I’m sure by now you’ve all seen the movie Crank. No? In Crank, Jason Statham plays an assassin who is injected with a toxin that will kill him if his pulse drops below a certain rate. The toxin doesn’t exist, but an equally more frightening possibility does: explosive breast implants. During raids in Afghanistan, documentation was found that showed terrorist groups were trying to figure out how to create explosive breast implants to put into potential suicide bombers. If someone were to do this, you could potentially create a Crank like event where you could coerce people to do very bad things on your behalf under the threat of blowing them sky high. Is it too early to copyright the movie concept? I’m thinking of “Boombs” as working title.
In 2010, nearly 11,000 organs were sold on the black market. 11,000. Demand is so high that some patients are paying up to $200,000 for a kidney. Given the money to be made, hacking the medical record system could prove highly lucrative. In this case, harvesting the organs wouldn’t be the goal. Instead, hacking the medical system could create the possibility of reordering the waiting list for patients. Under this scenario a wealthy person could work both angles; first by trying to obtain a black-market organ for transplant, and second, by trying to jump the line to get one legitimately.
These are just some of the scenarios we may face as we move into the era of ubiquitous medical data and technology. Hopefully for all of us, the data security that’s protecting these systems will be strong enough to prevent one of these nightmare scenarios.