What’s Needed to Improve Security in Medical Implants

Ritwik Batabyal, CTO & Innovation Officer at Mastek, wants to broaden the conversation about network-connected implants and their risks. Working for a well-established company in the area of digital services, he has witnessed dramatic growth in interconnected pacemakers, infusion pumps, and other devices (a 20% increase in 2023, he says). The security flaws in these products therefore become a greater concern.

The value provided by attaching medical devices to local networks and to the Internet is enormous. Clinicians can monitor device output and alter treatments on the fly. Patients like having the data too, in order to feel more in control of their health. Updates are easy.

But devices tend not to use the security precautions that are common on the Web and other client-server situations: full end-to-end encryption, user authentication, and so on. This lapse isn’t because the manufacturers are indifferent; it’s because the implants need to be as small as possible, and need to fit in a lot of software functions. There just isn’t memory or CPU power for a full security implementation.

A recent AMA interview refers to “thousands” of known vulnerabilities in medical systems, including devices. An Information Week article says that 17% of hospital breaches used IoT devices as entry points, and that the devices have 6.2 known vulnerabilities on average.

Ultimately, advances in hardware may provide enough CPU and memory to permit more complete security on the devices. Although Moore’s law has reached its limit, many innovative materials are being tried for integrated circuit components.

In the meantime, Batabyal recommends that medical treatments avoid automatic feedback loops. Such loops are common in industrial settings. Even your home heating and air conditioning systems respond to changes in temperature automatically. But given the potential for malicious intruders to alter the output of medical devices, Batabyal recommends that a human always review the data and make the decision.

It might also be hard for patients to detect if an implant stops working. They need to poll the devices regularly, as computer systems on networks do.

Breaches will reduce patient trust in the implants that are so important to their lives. In general, Batabyal would like device manufacturers to pay more attention to security and to offer more training in that area to their employees. Because so many devices are already in the field, manufacturers and practices will need plans to upgrade them as improvements in computer security emerge.