In recent years, hackers have increasingly targeted healthcare. A number of these attacks have been ransomware, in which the hacker demands a certain amount of funds to end the hack, while more serious instances have involved gaining access to patient health information – this type of data is becoming more valuable to hackers than banking information, due to its perpetual nature. The focus of hackers has always been on accessing data for a wide range of purposes, such as national intelligence, identity theft, intellectual property and more.
However, there is a dark side to hacking, which is making its way to healthcare: the “weaponization of code”, in other words a hacker applying code to have a lethal impact through the alteration of an automated treatment or therapy. It may sound similar to the plot of a dystopian film, but in fact, in early October this year, Johnson & Johnson (J&J) reported security vulnerabilities related to unauthorized access on its Animas OneTouch Ping insulin pump. While no attempts have been made to hack these devices, J&J describes potential hacks as being able to overdose diabetic patients with insulin. The company has notified the 114,000 patients using the Ping pump of this threat, but also urges continued use, as the risk of intrusion is low. A set of guidelines has been shared with users to mitigate the already unlikely event of being hacked. J&J is not the only company to have dealt with these types of security risks. This summer, St. Jude Medical was at the center of serious allegations around cybersecurity vulnerability regarding its pacemakers and implantable defibrillators.
In 2015, Accenture estimated that one in 13 patients in the United States will experience healthcare-related hacking through 2020, and that it will cost the healthcare sector a total of $305 billion in that same period. However, it may be necessary to also start estimating casualties due to hacking. The issue is real. Whether a company markets a device or a service, if it is connected somehow, it must be designed with the emerging weaponization of code in mind. It is especially important with peripheral devices, as these devices may need embedded security elements – a component that is lacking in most connected devices today.
IHS Markit anticipates that by 2040, seven billion people worldwide will be connected to healthcare services in some digital manner. The pervasive thought of healthcare services becoming heavily automated, driven by predictive analytics, can draw a frightening picture if security vulnerabilities at this level are not dealt with. Even more frightening is the changing landscape of warfare, and its adoption of code. As the geopolitical scene is as tense as ever, it is not unlikely that warfare could be led through patient connectivity as well.
For questions or inquiries, please contact Roeen Roashan, Roeen.Roashan@ihsmarkit.com.