India Legal – July 13, 2019

| INDIA LEGAL | July 22, 2019

cases where the vulnerability is quickly addressed in a way that sufficiently reduces the risk of harm to patients, the FDA does not intend to enforce urgent reporting of the vulnerability to the agency if certain conditions are met. These conditions include: there are no serious adverse events or deaths associated with the vulnerability; within 30 days of learning of the vulnerability, the manufacturer notifies users and implements changes that reduce the risk to an acceptable level; and the manufacturer is a participating member of an ISAO and reports the vulnerability, its assessment and remediation to it.

Medical device manufacturers (MDMs) and healthcare delivery organisations (HDOs) should take steps to ensure that appropriate safeguards are in place. While MDMs should remain vigilant about identifying the risks and hazards associated with their medical devices, HDOs should evaluate their network security and protect their hospital systems.

Chapter XI, Section 66 of the Information Technology (IT) Act, 2000, particularly deals with the act of hacking. Section 66 (1) defines a “hack” as any person who dishonestly or fraudulently does any act referred to in Section 43, which deals with hacking. Section 66 (2) prescribes the punishment for it. Under the Act, hacking is a punishable offence in India with imprisonment up to three years, or with a fine up to ₹2 lakh, or with both.

Though concerns have been raised in India regarding the potential for cyber interference with medical devices, generally, this has not been shown to be a clinical concern. But it is better to be safe than sorry.

—The writer is President, Heart Care Foundation of India, and President-elect, Confederation of Medical Associations of Asia and Oceania

There are currently 10 to 15 connected devices per hospital bed, many of which are vulnerable to cyber attacks. Anything that connects wirelessly to other equipment can be compromised. These include:

Pacemakers: Some 4,65,000 devices from Abbott were recalled by the FDA. Hackers can endanger lives by remotely causing the batteries in pacemakers to go flat or forcing life-saving devices to run at potentially deadly speeds. The idea of hacking a pacemaker was first identified by the popular TV show Homeland back in 2012. In a case of fact following fiction, former US vice-president Dick Cheney (in picture) and his cardiologist ordered the manufacturer of his pacemaker to disable its wireless capabilities. The connectivity or “remote monitoring” used by the latest generation of pacemakers makes them ideal for hacking. All pacemakers enabled with “remote viewing”, regardless of their manufacturer, can potentially be hacked.

Drug infusion pumps: In September 2017, the Industrial Control Systems Cyber Emergency Response Team identified problems with a number of syringe infusion pumps in US hospitals. A total of eight security vulnerabilities were found in the Medfusion 4000 Wireless Syringe Infusion Pump, which is manufactured by Smiths Medical. The threat detected could allow a remote attacker to gain unauthorised access and impact the operation of the pump, including the administration of fatal overdoses. Specific high-severity security flaws identified were: the use of hard-coded usernames and passwords to automatically establish a wireless connection if the default configuration has not been altered, lack of authentication when the pump was configured to allow file transfer protocol connections and lack of proper host certificate validation, leaving the pump vulnerable to man-in-the-middle (MiTM) attacks.

MRI systems: A Bayer Medrad device is used for monitoring what’s known as a “power injector” which helps to deliver a “contrast agent” to a hospital patient. The lack of function could trigger a number of clinical mistakes, including an increased need for hospital resources and unnecessary medical care delays.

Heart rate monitors: An implantable cardioverter-defibrillator (ICD) can deliver a shock to the heart. Modern ICDs can also function as pacemakers. The Medtronic Maximo was discovered vulnerable to cyber attacks.

Hospital networks: When these networks are attacked, it’s not just patient records that are compromised. Much of the equipment used in hospitals is tightly connected. While radio replay and network vulnerabilities like those discovered in ICDs and pacemakers are the most common flaws found in individual devices, breaking into hospital networks could allow attackers to target multiple patients by sending incorrect information to physicians and targeting specific pieces of medical equipment. A dangerous situation, indeed.

Hacked medical devices



In January 2016, the FDA issued guidance outlining important steps that medical device manufacturers should take to continually address cyber security risks, to keep patients safe.