Hackers who breach security firewalls could potentially kill patients wearing remote-controlled pacemakers or insulin pump devices.
The main reason behind the hacking of medical devices is usually the same as for any cyber crime: identity theft and fraud.
Speaking at the Hospital Association of SA's annual conference in Cape Town on Tuesday, Tanya Vogt, executive officer of the SA Medical Technology Industry Association, said it is true that there is no product which can 100% avoid misuse or being tampered with.
However, device companies are aware of this and test products extensively prior to bringing them to the market, and monitor applications continually.
It is particularly the case with novel medical technologies which combine a health tool with IT-based components.
Patients, healthcare providers and physicians using such technologies need to ensure they have the IT capabilities and infrastructure to process such data, including security measures. In this regard, the Protection of Personal Information Act is very relevant for all manufacturing companies.
Medtech companies selling these products do real-time monitoring and need to provide confirmation to users that they have addressed threat mitigation and that remediation processes are in place.
"While we must continue to keep up with technological advancement and strengthen legislation, the current South African regulatory framework already does much to prevent cyber breaches and reduce the risk of exposing patients to related risks," said Vogt.
Black market sales
Braam Oberholzer, head enterprise architect at Netcare and a pioneer in medical device software, said at the conference in Cape Town that the main purpose of criminal hackers of healthcare technology was identity theft. He added that 15 million medical records had already been disclosed globally last year. Halfway through this year, the number of disclosed records had already increased to 32 million.
"The danger is from those wanting street cred in the hacker community or criminals wanting to make a living out of it," said Oberholzer.
Medical data was relatively easy to hack in order to assemble an identity kit and forge documents which could fetch up to $20 000 on the black market, he said.
Oberholzer said the best way to curb the theft and disclosure of medical records was to use activity analysis software.
Corporates, researchers must collaborate
Greater collaboration between security research data scientists, data analysts and software companies would be needed to help both bridge the digital skills gap and improve security, Vogt added.
A working group was convened by the International Medical Device Regulatory Forum some six years ago to categorise this type of hacking risk, improve the quality of product management and the clinical evaluation of medical technology products.
The working group was also created to allow for risk-management, innovation and timely patient access to safe and effective medical devices. It works closely with the US regulator, the Food and Drug Administration (FDA) and other international regulatory agencies.