By Stephanie Domas and Nancy McMillan
As the healthcare industry moves towards precision medicine, are we doing enough to protect the privacy and integrity of patient data? Advances in genomics, medical sensors and data-driven healthcare are enabling doctors and patients to make healthcare decisions that are more personalized and targeted. However, precision medicine is only effective if the data it is based on can be trusted. Cybersecurity is a critical, but often overlooked, component of the precision medicine revolution.
The Data Behind Precision Medicine
What do we mean by precision medicine? The National Institutes of Health (NIH) has defined precision medicine as "an emerging approach for disease treatment and prevention that takes into account individual variability in genes, environment and lifestyle for each person." In other words, it is the ability to make informed healthcare decisions according to individual patient needs. While this often means using genetic or genomic data to target treatments, precision medicine isn’t just about genes. Treatments can also be targeted for patients with specific environmental exposures or lifestyle considerations.
- Treatments for some types of cancers, such as breast cancer and prostate cancer, can now be prescribed according to the genetic profile of the patient or of the tumor itself.
- Genetic tests have been developed to screen for genes implicated in depression and other psychiatric disorders in order to better predict how individual patients may respond to specific medications.
- Diabetes treatments can be prescribed using data from body-worn sensors as well as lifestyle data logged into mHealth apps in order to help patients better regulate blood sugar levels.
This personalized approach to healthcare is made possible by an unprecedented volume of patient data. Information used for personalized medicine may include data gathered from bioassays and other clinical screeners, genetic sequencing data, data from body-worn sensors or home health monitoring devices, and behavioral data gathered using electronic logs or mHealth apps. Some types of data will be pulled into the official Electronic Health Record (EHR) and some will be stored locally on devices or in cloud-based applications to complement the EHR. This large volume of data enables patients and healthcare providers to make more effective and individualized healthcare decisions. However, it also opens up new challenges in data security.
The Data Security Challenge for Precision Medicine
When thinking about cybersecurity for patient health records, data privacy may be the first issue that comes to mind. These records can now store immense troves of personal information, possibly including the patient’s entire genome. What could possibly be more personal than that? However, data privacy risks are in general rather small. Patients may fear the implications of a hacker deliberately stealing their genetic health data, but that information is not easily monetizable, which makes it of little interest to attackers.
The bigger security risk for precision medicine is one of data integrity. Precision medicine depends on the reliability and accuracy of the data it is based on. If the data is corrupted (intentionally or unintentionally), doctors and patients may make erroneous decisions using this false data. In some cases, the potential for harm could be enormous if wrong treatments are prescribed or needed treatments are withheld based on corrupted data.
Imagine, for example, the implications if a woman receives bad data on her genetic risk for breast cancer. She may decide on an unnecessary preventative mastectomy believing herself to be at high risk, or, conversely, skip mammograms believing herself to be at low risk. Other situations are even more immediate and potentially life-threatening, such as a diabetic patient basing insulin dosages on corrupted data.
As applications for precision medicine grow, cybersecurity for the devices that gather, analyze and transmit our data is of paramount importance. Patients need to trust that their data will be protected in order to trust the technology. More critically, patients and clinicians need to be able to trust the integrity of the data they are using to make critical medical decisions.
How Medical Data Can Be Corrupted
Precision medicine may involve many different types of medical devices, including:
- Genetic sequencers
- Body-worn sensors such as pedometers, motion and position sensors, sleep monitors, heart monitors or temperature sensors
- Home health devices such as smart scales or blood pressure cuffs that record data and send it to healthcare providers
- mHealth apps that patients use to self-record behavioral or biometric data
- Imagers and diagnostic devices with analytical capabilities
Increasingly, the devices that we use to collect and analyze patient health data, including genomic and biometric data, are connected to the internet, hospital networks or each other. Even devices that are not continuously connected are likely to be connected to a network or to another device such as a laptop or thumb drive in order to transmit data or receive software updates. Each of these connections, no matter how brief, is a potential vector for a cybersecurity breach that could result in data corruption.
In most cases, the individual device is not specifically targeted: there is probably limited value for a hacker in breaking into a genetic sequencer or medical imaging device. However, these devices can be vulnerable to software and data corruption even if they are not the primary target of an attack. Many computer viruses are designed to propagate themselves as widely as possible. These bits of malicious code will insert themselves into any device that has a software vulnerability that they can exploit. The infected device may be directly harmed by the virus or may simply act as a vector as the virus attempts to infiltrate hospital networks or other devices. Malice is not a prerequisite for harm; data corruption may occur simply as a side effect of other things the virus is doing in the system as it blindly follows its programming.
Viruses that make their way into a device through a network connection or a thumb drive can cause the device to behave in unpredictable ways, including returning false or misleading data. Sometimes, the data corruption may be obvious, with the device returning nonsensical data or simply no data at all. In other cases, the effects of corrupted code may be more subtle: a sequencer returns false negatives for a particular set of genes, a device mislabels data files so patient records are swapped, or sensor data is 10% higher or lower than the actual value. These cases are potentially much more dangerous because while clinicians are likely to question or ignore nonsense data, they may take a simple false positive or a mislabeled set of records at face value and prescribe the wrong treatment.
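The subtle corruptions described above (a value quietly scaled by 10%, a record filed under the wrong patient) are exactly what a device-side integrity tag lets the receiving system catch. The following is an added example, not code from the article or from any Battelle product: each reading is bound to its patient, device and sequence number with an HMAC, and the receiver rejects anything whose tag, label, sequence or plausibility fails. The device key, record fields, glucose range and sample stream are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-device key (hypothetical; real devices would hold a provisioned secret).
DEVICE_KEY = b"example-glucose-monitor-key"
# Plausible glucose range in mg/dL, an independent sanity check on the value itself.
GLUCOSE_RANGE = (20.0, 600.0)

def canonical(record):
    """Stable byte encoding so signer and verifier hash exactly the same fields."""
    fields = {k: record[k] for k in ("patient_id", "device_id", "seq", "value")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_record(record, key=DEVICE_KEY):
    """Return a copy of the record carrying an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "mac": tag}

def verify_stream(records, expected_patient, key=DEVICE_KEY):
    """Return (seq, reason) for every record that must not be trusted."""
    problems, last_seq = [], None
    for r in records:
        expected = hmac.new(key, canonical(r), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, r.get("mac", "")):
            problems.append((r["seq"], "mac mismatch: value or labels altered"))
            continue  # untrusted record: do not advance the sequence
        if r["patient_id"] != expected_patient:
            problems.append((r["seq"], "record belongs to a different patient"))
            continue
        if last_seq is not None and r["seq"] != last_seq + 1:
            problems.append((r["seq"], "sequence gap or replay"))
        last_seq = r["seq"]
        if not GLUCOSE_RANGE[0] <= r["value"] <= GLUCOSE_RANGE[1]:
            problems.append((r["seq"], "value outside plausible range"))
    return problems

def demo():
    """Constructed stream for patient P-001 showing the corruptions the text describes."""
    base = {"patient_id": "P-001", "device_id": "CGM-42"}
    good = [sign_record({**base, "seq": i, "value": v})
            for i, v in enumerate([110.0, 118.0, 125.0], start=1)]
    scaled = {**good[1], "value": round(good[1]["value"] * 1.1, 1)}  # 10% high, altered after signing
    relabeled = {**good[2], "patient_id": "P-002"}  # patient label swapped after signing
    other = sign_record({**base, "patient_id": "P-002", "seq": 2, "value": 98.0})  # genuine, but wrong file
    return verify_stream([good[0], scaled, relabeled, other], "P-001")

if __name__ == "__main__":
    for seq, reason in demo():
        print(f"record {seq}: {reason}")
```

The plausibility range catches only gross errors; the tag is what makes a 10% shift or a swapped label detectable, which is why the key must live on the device and the receiver must refuse untagged records.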
Building Cybersecurity Into the Precision Medicine Plan
To keep the precision medicine movement on track, medical device developers need to have a cybersecurity plan in place for the smart, connected devices that make the movement possible. Any device that relies on software to collect, analyze, store or transmit data needs to be built with data security in mind and assessed for potential cybersecurity vulnerabilities.
Fortunately, there are guidelines in place that device developers can follow. The FDA has released both premarket and postmarket guidance for medical device cybersecurity. In addition, the National Institute of Standards and Technology (NIST) has developed a framework that defines 18 families of cybersecurity controls that can be used to identify relevant cybersecurity vulnerabilities for a medical device or mHealth app. These documents provide best practices for medical device development, vulnerability assessment and post-market updates.
A cybersecurity plan for medical devices should include several components that span the development process.
- Before device design begins, manufacturers should perform market research and analysis to identify relevant and emerging cybersecurity risks and stakeholder requirements. Many hospital purchasers now write cybersecurity requirements into purchasing contracts and expect written documentation of the cybersecurity plan.
- Cybersecurity needs to be built into the design process from the beginning. This should include development of a device-specific threat assessment that characterizes, models and measures threats specific to the device such as points of connection, methods for updating code, data storage and data transmission. The threat assessment will help developers make design decisions that minimize cybersecurity risks.
- Vulnerability assessment should generally be conducted at the prototype or pre-launch phase. This may include penetration testing, in which security experts try to break into the device. It may also include “fuzz testing,” in which the device is flooded with massive amounts of mutated data to uncover the potential for abnormal behavior, crashes or data corruption. Vulnerability assessment can help to uncover conditions that may result in the device returning bad data.
- After market release, developers need to have a plan for updating the device as new security threats are identified and the software ecosystem surrounding the device changes. For example, an update to an operating system or browser on a computer that connects to a genetic sequencer may necessitate updates to the code of the sequencer itself. Newly discovered viruses may also drive software updates. Developers must have a plan to make these updates securely, without opening up new vulnerabilities.
- It is also recommended that developers have a responsible disclosure policy in place in order to collect and respond to vulnerabilities discovered by users or security professionals once the device is on the market.
Preparing for the Future of Precision Medicine
Precision medicine is still in its infancy. As we continue to explore the links between genes, environment, behavior and health outcomes, the applications for precision medicine are likely to explode. That growth depends on the security and integrity of the data used to drive decisions. The time to think about the cybersecurity implications of precision medicine is now.
If cybersecurity isn’t part of your core expertise, or you want an objective third party opinion, it’s wise to consider bringing in outside security experts to assist with threat assessment, secure device development, and vulnerability testing. Battelle has put together a suite of services for medical device manufacturers called DeviceSecure® Services, which incorporates secure design, vulnerability assessment, and anti-tampering and anti-counterfeiting measures. We work with device developers at every stage of the product lifecycle, from device design and testing to development of post-market security practices.
No device is ever 100% secure, but medical device developers who integrate cybersecurity throughout their development process will be well prepared to address and mitigate potential data security risks. A comprehensive approach to cybersecurity will go a long way towards protecting the privacy and integrity of patient data, building trust among their users and buyers and reducing liabilities. Increasing the security of medical devices will give precision medicine a solid foundation of trustworthy data to grow on.
About the Authors
Stephanie Domas is Lead Security Engineer for Battelle’s DeviceSecure® Services. In this role, she is responsible for the design, architecture, verification, and execution of security best practices in the development of new medical devices as well as the testing and cybersecurity risk mitigation of legacy systems. Ms. Domas is an invited active member of the Association for the Advancement of Medical Instrumentation (AAMI)-UL Joint Committee 2800 - Medical / health device communication standards, the IEEE guidelines for security in medical device software development and production, and AAMI TIR 57 – Principles for medical device information security risk management. Ms. Domas has expertise in firmware reverse engineering (x86, x86_64, MIPS, 8051), penetration testing, application fuzzing, as well as application development (C/C++). Ms. Domas is a registered Professional Engineer (PE) in the state of Ohio, and a Certified Ethical Hacker (CEH). In addition, Ms. Domas serves as an adjunct faculty member at the Ohio State University College of Computer Engineering.
Dr. Nancy McMillan is a Manager and Research Leader at Battelle. She has a broad background in statistics, with specific training and expertise in Bayesian statistics and considerable experience applying statistical concepts across a wide range of applied problems. She has been a practicing applied statistician working in a research environment for 20 years. Her work focuses on providing quantitative analysis that captures uncertainty to support science-based decision making, particularly for problems that require analysis of big data, such as Precision Medicine. She has been a certified Project Management Professional since 2011.