On Thursday, March 26, Future Tense—a partnership of Slate, New America, and Arizona State University—will hold an event on medical device security and privacy at the New America office in Washington, D.C. For more information and to RSVP, visit the New America website.
This past week’s data breach at health insurer Premera Blue Cross is the latest in a long string of cyberattacks targeting major companies, including Anthem, Sony, Home Depot, and Target. Every consumer’s data already has a bull’s-eye on it; soon, as our devices, homes, and bodies become more interconnected, forming an Internet of Things, the tools we will rely upon to get us through each day will be increasingly susceptible to black hats as well.
The risk won’t be evenly distributed, however. What’s going unsaid about the looming threat of attack on the Internet of Things is that the very old and sick—the most vulnerable members of our society—are likely to be the first casualties. We’re not just talking about the fact that it will soon be possible to hack pacemakers and insulin pumps, either. Even if we manage to lock down the cyberdefenses of those crucial devices, the security of the broader Internet of Things will always be as unsound as its weakest link. As the elderly learn to count on interconnected technologies to take care of things from medication compliance and dosage adjustment to personal security, the question is: Will that trust be misplaced?
Connected consumer technologies are about to improve the way we grow old, and not a moment too soon—before long, the economy will be creaking under the weight of the baby boom generation’s health care and elder care costs. Part of the promise of the Internet of Things is that it stands to improve older adults’ abilities to live independently despite mounting health conditions and also to keep those health conditions under control for a long time. As a result, although the frail won’t be the earliest adopters of the Internet of Things, they will be the first major group to trust it with their lives.
When many devices are in constant communication with one another, each is a potential security liability. Any breakdown in such a system could be catastrophic for the frail, older user—both because of the seriousness of the health issues being managed and also because the affected person wouldn’t be able to respond to problems quickly. If purchasing patterns of personal emergency response systems are any indication, adult children of the elderly will be the ones doing the bulk of the buying and installation of assistive Internet of Things technologies, so the older user population, unfamiliar with how exactly their devices work together, will be ill-prepared to respond to issues as they arise. Especially if those problems are malicious in origin.
Imagine an older adult—call her Annabelle—as few as five years in the future. Her needs are elevated (she manages several health conditions and is sometime forgetful), yet those needs remain predictable enough that she can live in her own home. Let’s tour that house. Every technology we mention here already exists in at least functional prototype form today.
At Annabelle’s front door, a security system keeps tabs on who is knocking. Her smart refrigerator monitors the freshness of her foods. A screen on the microwave oven, connected to her diet-tracking app, reminds her to eat more green veggies to keep her iron and potassium levels up. She is connected to her pharmacy through a pill reminder device that prompts her to take her medications and refills her prescriptions automatically. Her personal emergency response system, radar-based fall detection system, and pressure-sensitive floor mats work together to do more than alert emergency services should she fall—they also proactively monitor for predictors of a fall, such as changes in gait. Her continuous blood glucose monitor sends data via Wi-Fi to a cloud-based system, communicating with her insulin pump and also delivering food recommendations to her kitchen. Her smart toilet gives a virtual daily checkup. A smart scale checks her weight every morning to help her watch for fluid retention, keeping her congestive heart failure in check.
Meanwhile, her Social Security check is deposited into a bank account that also enables automatic home delivery of her groceries, medications, and taxi payments. She may be older, frail, and managing multiple chronic conditions, but technology is keeping her healthy, safe, and at home.
Enter the hacker who is more interested in causing mischief than swiping customer information. After cracking a pharmacy chain’s network, the hacker interrupts Annabelle’s medication management system and falsely advises her to randomly increase and decrease her medications. Believing that the changes are related to data gleaned by the sensors in her smart toilet, Annabelle alters her dosage accordingly. Her wearable blood glucose and blood pressure monitoring system sounds so many alarms that she turns it off in disgust—after all, she never liked wearing that bracelet anyway—and as a result the feedback loop controlling her insulin pump is severed, subjecting her to the possibility of diabetic shock at home, alone. Meanwhile her smart refrigerator, connected to her wearable sensors, advises ordering all new healthy foods, an unusual step that Annabelle decides is probably the result of a malfunction and ignores. She starts keeping spoiled food, and then her food adviser app fails to help her plan healthy meals because the fresh ingredients aren’t available in the fridge. Instead of a balanced diet, she is now missing vital nutrients critical to managing her risk of stroke or heart attack. The system she relies on to order and deliver groceries wouldn’t work anyway, because the credit card company changed her card number in response to the pharmacy hack. Annabelle feels proud that her scale reports that she is maintaining a healthy weight each morning, even though she has no idea that she is retaining fluid due to the increased sodium in her new diet.
The major cyberthreats we know today are theft and harassment. The threat tomorrow will be related to health and safety, and we have little to no experience with how it will materialize. Many of the devices in Annabelle’s house will be widely available in the near future, and even if each individual component is vetted by both government and industry, the sum of the parts—the Internet of Things—will be safety-tested by the frailest among us.
We’re not powerless to respond, however. It’s a no-brainer that government and industry alike must begin instituting higher levels of cybersecurity, especially regarding crucial life-support systems such as pacemakers. But in addition to beefing up security, we also need to better understand how issues can propagate through our newly interconnected web of life-supporting devices—a complex-systems problem. One solution may be to outfit every device with algorithms similar to those used by credit card companies to detect fraud, which would set off an alarm when anything out of the ordinary happens, such as when an insulin pump delivers far less insulin than normal or a smart toilet detects off-the-charts levels of iron. Ideally in the households of older adults, such an alarm would trigger a visit from a tech-savvy family member or aide who could diagnose the problem. In such moments a vigilant clinician, family member, or friend would provide system redundancy and, consequently, the ultimate in cybersecurity.
In the end high-tech caregiving technology must only complement a high-touch approach, not replace it. As we grow to rely on increasingly interconnected devices to keep us alive and healthy, the stakes of system failure will be almost as high as those on the International Space Station—multiplied by hundreds of millions of people.