Computer hackers able to kill patients
Hospital Association of South Africa
Hobbyist or criminal hackers who breached security firewalls could potentially kill patients wearing remote-controlled pacemakers or insulin pump devices, it emerged at the Hospital Association of South Africa’s annual conference on Cape Town’s Foreshore yesterday (Tuesday, 27 August 2019). Speaking during a panel discussion of South African medical technology experts, Tanya Vogt, Executive Officer of the SA Medical Technology Industry Association, said the risk was so real that a group of local medical device experts formed a working group some six years ago to categorise risk and improve quality product management and the clinical evaluation of medical technology products.
She said South Africa, while having basic certification and guidelines on safety and performance for these devices, was behind the international risk curve when it came to legislation around recall and adverse events linked to medical devices. Credible manufacturers needed some kind of regulatory approval, but even this did not help much when it came to the ability of hackers to access real-time monitoring of connective devices. The working group was also created to allow for risk-management, innovation and timely patient access to safe and effective medical devices, she said.
To illustrate the creative flexibility of hackers, Vogt said hackers recently used a digital thermometer placed in a fish tank to steal a huge amount of money from a Las Vegan casino. The Federal Drug Administration was asking users of medical devices to please update their software to avoid hackers copying and adapting programs to their own nefarious ends. “This doesn’t make it foolproof, but it does render it safer and more effective,” Vogt observed. She said that early this August a cyber-security conference was held in Las Vegas to which the world’s top 10 ten medical device manufacturers were invited. One hundred ethical hackers were then invited to “prod and poke their devices,” as a means of improving safety. Greater collaboration between security research data scientists, data analysts, Google and Microsoft would be needed to help bridge both the digital skills gap and improve security.
Virtual reality for patients
She began her presentation by showing an evocative video of a patient with a terminal disease wearing a virtual reality headset to show him which of his organs were affected and help his doctor explain to him how the disease was progressing and why. While obviously no cure, this was a highly effective tool in helping the patient understand his condition and even come to terms with it.
Braam Oberholzer, Head Enterprise Architect at Netcare and a pioneer in medical device software, revealed that there were 15 million disclosed medical records globally in 2018, increasing to 32 million half way through this year. “The danger is from those wanting street cred in the hacker community or criminals wanting to make a living out of it,” he said. He said the best way to counter this was to use activity analysis software, ‘because there are people interested in this data not for fun.”
Healthcare was an easy target with statistics from the ‘dark web” showing that “we’re dealing with comprehensive health care.”
The banking industry was way ahead in responding quickly to fraud. This was born of necessity because credit or debit cards had a much shorter shelf life than medical records.
Oberholzer explained that the main purpose of criminal hackers of healthcare technology was identity theft. Medical data was relatively easy to hack in order to assemble an identity kit and forge documents which could fetch up to $20 000 on the black market.
Raymond Plotz, Chief Information Officer for Mediclinic, Southern Africa and current chair of the Care Connect Health Information exchange, said technology was a powerful tool to address a fragmented healthcare system. He gave the example of a patient walking from one facility to another where nobody knew who he was and had no information about him. Because the ability to transfer information between facilities and practitioners was so vital, six central corporate healthcare role players came together four years ago to create a South African health information exchange in order to lower costs, increase efficiency and facilitate better patient outcomes.
They had to first overcome challenges around information exchange and privacy. He stressed that all care providers had to take full responsibility for clinical records and should never use any patient information for analysis without explicit individual consent. He said that the model, out of which his NGO, Care Connect was born, was tested in January by two pivotal partners, Mediclinic and Discovery, and would be piloted this October. It included clinical information, co-morbidities and chronic conditions and would be rolled out over the next two years. He said Care Connect would be open to both the public and private sectors. The medical technology panel discussion included Suren Govender, Chief Digital Officer of the Life Healthcare Group and was moderated by Valter Adao, Chief Digital and Innovation Officer for Deloitte.