Every day, we are being bombarded by news of cyberattacks and breaches of our national critical infrastructure—which includes our healthcare system and the connected technologies that are now associated with it. So, what does this mean for our future, particularly as we continue to grow older and many of us face the issue of “aging in place” as we deal with chronic health conditions?
The folks at my company have been pondering such socially relevant questions since the dawn of the commercialization of electricity and the associated unintended consequences of electric shock and fire. More recently, we’ve been dealing with the sociotechnical problems arising from our transformation into a global, data-centric society. Where previously we dealt with safety issues of systems involving hundreds, or thousands, or hundreds of thousands, of volts of electricity, we now recognize that often less than five volts of electricity can represent “1s” and “0s” that when misused can have catastrophic consequences for the most critical services that we use every day: Water, electricity, food-production, distribution and preparation, transportation, communication and healthcare.
“How can low voltage 1s and 0s be misused?” you may wonder. History has shown us that software- dependent systems can be vulnerable to “random faults.” An example of a random fault would be when in microcontroller memory, a “1” changes to a “0” or vice versa because of electromagnetic interference or collision of a high-energy particle (e.g. cosmic radiation). In the early days of embedded software, before designing with redundancy plus diversity became “standard” practice, there were many cases where high-safety critical systems such as large combustion controls could enter a hazardous state (e.g., explosive or toxic combustion), due to a single “bit flip.”
These are some of the same system “vulnerabilities” that have more recently begun to be exploited by hackers for financial gain, to meet nation state objectives, to disrupt social processes, to gain notoriety, or just to satisfy personal curiosity. As an example, until fairly recently (in the last decade or so), there were a number of devices with critical functions dependent upon random number generation (e.g., slot machines) that could be compromised by forcing a processor reset using EMI “glitching,” which would then allow the perpetrator to predict the outputs based on the random number generator following the same prior sequence (pseudorandom generation) after the forced reset (e.g., Lucky 7s!).
Over the years, the appearance of some of these kinds of gross vulnerabilities have been diminishing in the marketplace, as standards for functional safety and security have become increasingly popular with product developers. Standards such as UL 2900 have begun to raise the bar for cybersecurity hygiene, but the “cat and mouse” games will likely never end…so where do we go from here?
Like the old saying goes, “those who don’t know history are likely to repeat it.” Some say that the current problems with cybersecurity in healthcare stem from the overly rapid deployment of new connectable technologies into the marketplace through various initiatives to drive technological solutions that address the problems of “aging in place,” providing healthcare to underserved areas, making health records more accessible to patients, and reducing the overall cost of healthcare. Therefore, for the past several years we’ve had to develop approaches to protect these systems.
Now that we’ve begun to make progress in securing this critical infrastructure, perhaps it’s now time to reestablish our focus on the potential benefits of connectable, interoperable technologies. With emerging standards like AAMI/UL 2800 currently out for public comment, and intended to address safety, security, and essential performance of multivendor interoperable systems, we may now be able to get back on the path of using digital health solutions to improve overall patient care and wellness.