When it comes to worries about medical devices, two very different threats are in play. On the one hand, we fear that corporate powers will take data about us from our devices and offer us little in return. On the other hand, we’ve been taught to fear that individual hackers will interfere with the devices themselves, potentially threatening our lives through the very tools designed to preserve them.
At a Future Tense event in Washington, D.C, on April 9, medical device security expert Kevin Fu worked to assuage the latter of these concerns, even as he indirectly approached the former. No matter what, Fu said near the start of his presentation, “Patients are much safer with medical devices than without, even when there are security problems.”
As Fu explained, the real threat with many medical devices can come from the doctors who work on them, especially when those physicians haven’t properly secured their own computers. When doctors use machines infected with malware to service pacemakers and other medical devices, that malware can potentially clog up the workings of those gadgets. Such interference is likely to be entirely accidental, a mere byproduct of the malware’s interaction with the systems it has infected.
Hospitals are especially vulnerable to such threats, partly because they tend to use computers running older operating systems. No longer updated by their manufacturers, these OS’s (cough, XP, cough) are often riddled with security vulnerabilities. It therefore becomes all the more important that physicians and medical technicians understand how to properly protect their computers—and thereby their patients. Just as we expect our doctors to scrub in before surgery, so too should we expect them to tidy up their hard drives.
Where poor digital hygiene and nonexistent digital literacy can interfere with medical technologies, manufacturers’ policies, technical complexity, and opacity can keep us from the data that our devices generate. Many of us now produce astonishing amounts of information—whether through dedicated fitness trackers, pedometers in our phones, or more particular devices like constant glucose monitors. The trouble is that few of us know what to make of that data, and fewer still know what the companies who collect it are doing with it. Joel Selanikio, a Georgetown University assistant professor of pediatrics and CEO of Magpi, said that we’ve made a deal with the companies that are monitoring us through these devices, but we rarely know what that deal is or what we’ve signed up for.
As Hugo Campos recently explained in Slate, implanted medical device manufacturers rarely grant patients access to data. What’s more Sara M. Watson, a fellow at the Berkman Center for Internet and Society, pointed out that many data collection companies aren’t currently offering their customers much in return. Fitbit, for example, is doing relatively little to recommend healthy habits, she said. This is partly because our data are too dense to be clear. Producing truly effective results from health data may mean allowing companies to measure our information against that of other people. Our individual data are unlikely to offer truly meaningful insights, and even the medical establishment lacks the resources to sort through the sea of information that we are generating.
As Deborah Estrin, a computer science professor at Cornell Tech and co-founder of Open mHealth, argued, this may mean moving away from a paradigm of data ownership. “From a pragmatic perspective,” she said, “I think a battle we should fight is that people should have access to their data.” That is, individuals should be allowed to examine their own results. Estrin believes they should also be willing to submit those results to others who can help them interpret it through large-scale comparative projects and other ventures. Casting a broader analytic net could reveal otherwise unforeseeable connections. Even an individual’s Netflix viewing habits might become a data point if they turned out to link up with other patterns. To yield such results, however, we would also have to cede control of even more of our data.
Naturally, these issues raise important privacy concerns directly related to the questions of cybersecurity. Lucia Savage, chief privacy officer for the National Coordinator for Health Information Technology, observed that current privacy standards are often ill-equipped to accommodate new forms of medical information. For example, she explained that HIPAA does not require compartmentalization of anything but mental health issues. Meanwhile, Alvaro Bedoya, executive director of the Center on Privacy and Technology, noted that not a single consumer privacy bill has been voted out of committee recently.
Ultimately, concerns about medical devices may be overblown. In a comment that came close to summing up much of the event, Fu said that his biggest concern is the possibility that patients might start to refuse medical care on the basis of sensationalized fears. Instead of wringing our hands, he and his fellow speakers suggested, we would do well to advocate for greater care, clearer policies, and more robust privacy standards.