On Thursday, March 26, Future Tense—a partnership of Slate, New America, and Arizona State University—will hold an event on medical device security and privacy at the New America office in Washington, D.C. For more information and to RSVP, visit the New America website.
When Reuters announced the successful deployment of the first Internet-enabled pacemaker in the United States, it was a dream come true for many. The news came late in the summer of 2009, three weeks after Carol Kasyjanski became the first American recipient of a wireless pacemaker that allowed her doctor to monitor her health from afar. Since then there has been a proliferation of Internet-connected personal medical devices, or iPMDs, which now include insulin pumps, glucometers, blood pressure cuffs, pulse oximeters, walking canes, and of course, the ubiquitous fitness wearables.
However, a recent report from the Federal Trade Commission called into question the safety and security of interconnected devices. The report, titled “Internet of Things: Privacy & Security in a Connected World,” noted that connected devices may also collect, transmit, store, and potentially share vast amounts of consumer data, some of it highly personal. And because everyday devices and sensors are able to connect, communicate, or transmit information with or between one another over the Internet of Things, iPMDs now pose a security risk.
In her analysis of the FTC’s report, Christine Kern—a contributor to the publication Health IT Outcomes—identified several possible security problems exacerbated by the Internet of Things, or IoT: unauthorized access and misuse of personal information, facilitating attacks on other systems, even risks to personal safety. Among these risks was the possibility that hackers could, for instance, remotely manipulate a connected pacemaker or insulin pump, with fatal outcomes.
Fortunately, in my home country of Nigeria, implanted Internet-enabled personal medical devices are yet to enter the mainstream. While peripheral devices such as pulse and pressure monitors are available to those who can afford them, Internet-connected pacemakers, insulin pumps, and other internal devices have yet to make their debut. So for now, there is no fear that one of my countrymen could be remotely sent to an early grave by a hacker. For now, the security risks posed by iPMDs are not seen as significant.
Yet the situation in Nigeria is as unfortunate as it is fortunate. The fact that we have yet to adopt “connected health” means that the Nigerian health system is heavily reliant on face-to-face contacts between patients and health care providers. Even though the nation is adapting mobile phone technology to health care as part of the mHealth revolution, such solutions mostly allow health care workers to give better patient care and receive better data collection while they are working in the field. There is no mHealth solution to kick-start a stopped heart or to automatically regulate one’s insulin dose.
The United Nations Foundation has identified several challenges to the use of information and communication technology for health care in Nigeria. Its September 2014 report evaluated the federal government’s “Enabling Environment for ICTs for Health in Nigeria” program. The report concluded that program still faces challenges that must be addressed with legislation, better standards and interoperability, greater investment, and new infrastructure.
The advisory firm Dalberg, on the other hand, believes that sub-Saharan Africa is poised to benefit fully from the Internet. There is an expectation that Nigeria will soon join the league of nations that have to worry about health data security. Strengthening that expectation is the “Aba-made” phenomenon.
The city of Aba lies in the Igbo heartland of southeastern Nigeria—an area renowned for its informal economic vitality and for the rapid development of small-scale manufacturing since the adoption of Nigeria’s Structural Adjustment Program in 1986. “Aba-made” is a widely used Nigerian expression for cheap, low-quality goods, although some Aba manufacturers have successfully moved into higher-quality niches within the formal economy. As Kate Meagher notes in the journal African Affairs, Aba is popular for its footwear and garment industry, but in recent times the city has joined in what the Oxford Business Group has described as the Nigerian manufacturing renaissance—Nigerian manufacturers are now producing electronic gadgets, including computers and mobile phones.
In a survey of the Nigerian footwear industry in the International Journal of Marketing Studies, Gazie Okpara and Aham Anyanwu confirmed what is common knowledge in Nigeria: a preference, among Nigerians, for European and American goods. This market reality spurred the most important element of the Aba-made phenomenon—the perfection of the art of reverse-engineering. Aba-made goods look very much like those from the original manufacturer. They usually work as well, too. But most of all, they are often cheaper than the real thing.
What does the “Aba-made” concept have to do with medical devices? Well, consider that sooner than later iPMDs will find their way into Nigeria. It is possible that some of those devices will become re-engineered to meet the market realities of a developing economy. This will open up a whole new source of concern, not just for data ownership and security, but also for liability when things go wrong.
Because of this plausible reality, it’s important that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cybersecurity threats, as recommended by the U.S Food and Drug Administration. But it is equally important that manufacturers realize that in this increasingly small globe their devices will ultimately end up among very intelligent people with needs greater than the available resources. There is a need to secure iPMDs against harmful reverse engineering.
At the moment, Nigerians may not be worried about medical data and device security. But soon some of us will be enjoying the freedom granted by an Internet-enabled pacemaker. It would be good to have that without the heartache that comes with worrying about what a hacker might do in this new world of implanted Internet-connected medical devices.