By Suzanne Hodsden
The National Security Agency (NSA) is interested in collecting information from biomedical devices for national security purposes, according to recent statements made by the agency’s deputy director, Richard Ledgett. Under- and unprotected devices in the Internet of Things (IoT), including medical devices, could be both a help and a hindrance to intelligence agencies like NSA, he said, providing them with a wealth of information and potentially exposing them to terrorist surveillance.
As the digital health trend continues to accelerate, studies have revealed that medical devices such as pacemakers and insulin pumps incorporating “smart” technology are not as secure as they need to be. In recent report by Bloomberg Business, experts hired by the Mayo Clinic to investigate digital health security estimated that hospitals and medical devices were about 10 years behind the industry standard.
Despite growing security concerns, the development and production of connected health devices is not slowing down. A recent survey conducted by Philips reported that 57 percent of patients aged 18 to 34 have at least one health monitoring device and that interest in these devices was especially high in emerging markets.
When asked if the sheer mass of data generated by IoT intimidated him, Ledgett told attendees of the Defense One Tech Summit 2016 that he was up for the challenge, reported The Intercept.
“As my job is to penetrate other people’s networks, complexity is my friend,” said Ledgett. “The first time you update the software, you introduce vulnerabilities, or variables rather. It’s a good place to be in a penetration point of view.”
Ledgett explained that the NSA was only interested in biomedical device data from a theoretical research point of view at this time, adding that the agency will continue to focus its efforts on technology that terrorists currently prefer to use.
Investigating vulnerabilities in medical device technology used in the U.S. and overseas would give the agency a “tool in the tool box,” said Ledgett. He added that doing so would also give the agency an idea of the future risk posed by agency employees with internet-connected biomedical devices.
As the Intercept pointed out, the NSA is not the first U.S. intelligence agency to show interest in medical data. Last Feburary, the director of national intelligence, James Clapper, told the U.S. Senate that intelligence agencies were interested in listening to many connected devices, from refrigerators to pacemakers, and mining their potential for identification, location tracking, or access to bigger networks, reported The Guardian.
Meanwhile, the FDA is ramping up efforts to improve device security. Last August, the agency released the first cyber-security related alert for a specific device. In January, the agency released a guidance that would help device manufacturers assess cybersecurity risks in the post-market setting.
In an MDO guest column, Shahid Shah, CEO of Netspective Communications and cybersecurity expert, argued that manufacturers who incorporate security and data privacy early in a devices’ lifecycle can ensure differentiator status in a market saturated with connected devices.