Hacking In Medical Devices: White And Black Hats, Part 1

By Matthew Cavanagh and Madeleine Friel, Design Science

Hacking in medical devices is a sensitive topic. In general, hacking has some deeply negative connotations^[i], and when it comes to health and medical devices, it’s not difficult to see how sensationalism can creep its way into the discussion. While some hackers surely are dangerous, others have nobler causes — this general dynamic has been re-created in the healthcare space, where interconnectivity and software are increasingly critical to the operation of medical devices, both inside and outside of hospitals.

This article is the first in a two-part series, “Hacking in Medical Devices: White and Black Hats.” Here, in part one, we’ll discuss the white hats: programmers and engineers who have lifted the hood on medical devices to understand their underlying mechanics. Part two looks at the black hats, or hackers with malicious intent, whose threat to private patient health information and patient safety is already causing a stir in the medical device industry^[ii]. In February, a cyberattack on the second-largest health insurer in the United States put up to 80 million peoples’ personal information at risk. Part two also will explore in detail how the industry may need new standards for risk management, safety requirements, and adverse events.

With increased and more reliable data collection, clinicians have new tools to aid in patient treatment decisions. The potential benefits in terms of cost and quality of care are undeniable, but these devices rely more on lines of code than human operators, introducing an entirely new set of challenges and opportunities. For some perspective on the risk, consider your average hospital facility, equipped with thousands of networked medical devices, from computers to rolling stations and X-ray machines to infusion pumps.

Cybersecurity and open-source software sit at the complementary ends of the networked medical device spectrum, balancing each other in a basic design tradeoff between interconnectivity and vulnerability. What has become clear is that the current regulatory environment may unintentionally facilitate black hats’ activities, as device vendors are confused about the U.S. Food and Drug Administration’s (FDA’s) position on software updates^[iii][iv]. The regulatory climate may also interfere with white hats’ abilities to share the results of their work with the general public.

White Hats — Design For And By Intended Users

Patient-centered device design has brought the ever-changing capabilities of consumer technologies to a slow-moving marketplace. In line with general consumer trends, users want increased functionality and communication between the devices they use in their daily routines. Outside of the hospital environment, open-source software in medical devices has empowered people — particularly parents of children with diabetes — to find new and innovative ways to use their medical devices and to improve their quality of care. What we have is a market in transition that requires adaptation, not only from healthcare professionals and patients, but also from manufacturers and the FDA.

Patients have unprecedented involvement in their own health care^[v] — wearables, sensors, and e-health apps are a few ways the healthcare space has transcended its traditional boundaries, opening the door for a new class of users who are stretching the capabilities of their medical devices. As users take more control over their devices, their modifications illustrate unmet user needs for manufacturers to explore in future designs.

This trend is particularly salient in the treatment of diabetes, where users have developed software workarounds to enhance the capabilities of their treatment devices. John Costik, an engineer and parent to a child with type 1 diabetes, developed the “CGM in the Cloud” concept^[vi], which pushes real-time data from continuous glucose monitors to the cloud, where it can then be accessed by devices in remote locations. This capability allows a parent or caregiver to remotely monitor trends in their child’s glucose levels and to make the appropriate decisions when it comes to insulin therapy.

As discussed in “CGM in the Cloud: A Community Unites to Tackle Diabetes,” published in A Sweet Life: the Diabetes Magazine, Costik brought his innovation to other families with diabetic children. Costik and Lane Desborough, also an engineer and the parent of a child with type 1 diabetes, developed Nightscout, an open-source platform for storing CGM data from the Dexcom G4^[vii]. Their Facebook group page has over 13,000 members, networking with each other to discuss their experiences working on open-source solutions to sharing data on type 1 diabetes patients.

This community represents the development of a new set of stakeholders in device design and use — users who take device improvements into their own hands, however risky that might be. An important caveat on Nightscout’s website highlights this risk. It reads, “Note: There is no support or warranty of any kind. The quality and performance of the project is with you if you choose to use it. This is a project that was created and supported completely by volunteers.”

Nightscout’s cyber-slogan, #wearenotwaiting, shows members’ discontent with the pace at which manufacturers integrate the capabilities of widespread consumer technologies. However, just because “they aren’t waiting” does not mean that manufacturers aren’t listening. In January, Dexcom gained FDA approval for its Share System, which displays data from the G4 Platinum CGM System using applications on multiple mobile devices. This software allows users to share their CGM data with followers, bringing the work of open-source pioneers like John Costik into the realm of regulatory compliance^[viii].

Nightscout and the Dexcom G4 have mapped out a new trajectory in medical device design, progressing from innovative, custom modifications to an approved, regulated device. This path is a testament to the potential that these “citizen hackers” possess. They are part of a new design practice, where stakeholders in the device life cycle not only have the means to identify new user requirements, but also to develop working models themselves.

The characters in this open-source insulin story are developing custom, novel functionalities to satisfy their unmet needs, showing an unprecedented level of control over their devices. Related, in the quest for an artificial pancreas device system (APDS) for people with type 1 diabetes, everyday users are playing an important research role: They’ve developed several closed-loop, do-it-yourself pancreas systems that link CGMs with actual insulin pumps. Using open-source software^[ix], these systems retrieve data from glucose monitors and then relay prompts to insulin pumps. Openaps.org, a site dedicated to innovating open-source artificial pancreas systems, states that “we believe that we can make safe and effective APS technology available more quickly, to more people, rather than just waiting for current APS efforts to complete clinical trials and be FDA-approved and commercialized through traditional processes.”

Conclusions

Although their research takes place outside the boundaries of conventional regulatory processes, its lessons may be of inestimable importance to the development of an approved, functioning, artificial pancreas system. Medical device companies are being outpaced by consumer technologies, to the dissatisfaction of their expectant and demanding users. Consequently, these users are taking the issue into their own hands by unlocking the potential capabilities of software on their medical devices.

In this series’ next installment, “Hacking In Medical Devices: White And Black Hats, Part 2,” we explore how malicious hacking has affected the healthcare space and how regulatory efforts can help in the fight.

About The Authors

Matt Cavenagh specializes in ethnographic research, with experience managing data analysis, research synthesis, and deliverable creation. Recent projects involve graphical user interfaces, product labeling, surgical instrumentation, injection devices, implant devices, and robotic surgical systems.

At Design Science, Madeleine Friel contributes to all aspects of usability research, including protocol creation, study moderation, data analysis, and report writing. She also participates in ethnographic research, supporting data analysis and deliverable creation. Recent project work involves surgical sealant processes, injection devices, infusion systems, nasal inhalation devices, and web-portal design.

Resources

[i] http://www.newyorker.com/tech/elements/a-short-history-of-hack

[ii] http://www.medicaldevice-developments.com/features/featurehacked-to-death-the-dangers-of-devices-4621331/

[iii] http://blog.klocwork.com/software-security/software-security-vulnerabilities-widespread-in-healthcare-sector/

[iv] http://www.meddeviceonline.com/doc/medjacking-how-hackers-use-medical-devices-to-launch-cyber-attacks-0001

[v] http://www.meddeviceonline.com/doc/top-trends-driving-medical-device-design-in-experts-weigh-in-0001

[vi] http://asweetlife.org/feature/cgm-in-the-cloud-a-community-unites-to-tackle-diabetes/

[vii] http://www.nightscout.info/

[viii] http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm431385.htm

[ix] http://openaps.org/