In 2022, Lakhs of people watched South Indian, thriller movie named, "Enemy" wherein a fictional Union Minister was about to be assassinated via terrorist cyberattack on her pacemaker. While the movie wasn't an exact replica of life incidents, the episode was inspired by real-life Vice President Dick Cheney's security issues of his implanted defibrillator, as well as by the issues raised by a new generation of Implanted medical devices. Devices like pacemakers, insulin pumps, and bladder stimulators monitor body functions, deliver medications, and even communicate remotely with doctors.

However, the price for such improved healthcare can be an increased cybersecurity risk and potential civil liability for device manufacturers. The article seeks to address the main reasons and strategies ahead for the question pertaining to cybersecurity for implanted medical devices as it has already transgressed from the world of fiction and theory to the real world.

What is the mechanism behind IMDs and how do Cyberattacks occur on such devices?
The attack on such medical devices could be categorised as "passive cyberattack" due to the fact that it infringes the security of the device and wrongfully obtains the patient's data which are usually used by doctors to analyse the health of the patient. An IMD is usually defined as "an electronic device that is permanently or semi-permanently implanted on a patient with the purpose of treating a medical condition, improving the functioning of some body part, or providing the user with a capability that he/she did not possess before.

The most common IMDs include cardiac implanted devices (such as pacemakers and implanted cardioverter defibrillators, or ICDs), which are designed to treat cardiac conditions by monitoring the heart's electrical activity and applying electrical impulses or shocks to restore the heart's rhythm to the appropriate speed.

However in "active cyberattacks", the attacker is not only capable of interfering with the patient's data which is exchanged through radio waves but is also capable of sending commands to the IMDs which could be used to induce shock to the patient or repeatedly request information from the IMD to drain its battery or deliver overdose of medication which could be fatal.

Though such instances of cyberattacks are rare[1], yet one must not ignore its potential threats keeping in view the statistical data of usage of such implants and the past incidents across the globe. In the US alone in the year 2010, 2.6 million people relied on IMDs. While in 1998, the radio waves from television station had interfered with the electromagnetic frequency of medical devices situated in a nearby hospital which made them incapable to function thereby affecting the critical care readings.[2]

In 2003 and in 2009 respectively, the Slammer and Conficker worms had each infected some networked hospital systems responsible for monitoring heart patients. And in one of the first computer attacks in the year 2008, to actually cause physical harm, hackers added flashing computer animation to an epilepsy support group's online message brings trauma to the group [3]

Cybersecurity measures for IMDs
India has observed an exponential spike in cybersecurity related incidents, the number stands at 1.4 million incidents in 2021 and 212,000 incidents in January and February 2022 alone. The cybersecurity department of the the Indian Computer Emergency Response Team has executed a new cybersecurity design to attack on the issues of cybersecurity- threats and in India. However, there exists a need for the parliament to frame laws specifically for IMDs and its cybersecurity concerns.

But improving security for IMDs is problematic, since manufacturers must necessarily take various factors into consideration, such as usability, patient values, battery life and system performance, and cost. Other approaches, like adding encryption, might require updates of the software on certain IMDs and controllers." A more radical measure, on the other hand, may demand completely new devices or components such as manufacturers to design a 2 way communication system instead of previously used unilateral apparatus.

As IMDs become smaller, more functional, and ever more complex, the challenge of making them secure becomes more daunting than ever.[4] In the end, to accommodate patient preferences in additional to meeting the evolving realities of the technological landscape, manufacturers and healthcare providers may need to implement different security measures in different contexts. Here are some different approaches to cybersecurity and IMDs.

The Proprietary approach
This approach is more focused towards narrowing the challenge of security. The IMDs are designed in such a manner that they would work for some but not for others, hence it is a

"Custom-tailored" measure. It is to be noted that any security measure that is unique to specific manufacturer would change depending upon the type of device and its internal functions.

The Patient –Centred Approach
According to research conducted at the University of Washington's Value Sensitive Design Research Lab, cardiac patients with IMDs preferred security solutions that "warned of potential problems. User authentication, such as the use of passwords, can provide a measure of security from cyber threats while placing more responsibility in the hands of the patient, and simultaneously reducing reliance on more "inconvenient" security measures.

There is a drawback, however; doctors who might not know the password would be unable to control the IMDs in the event of an emergency in which the patient was unconscious. Bracelets with the passwords on them are one option, but patients lose medical alert bracelets all the time. One potential solution is to have IMD-access passwords tattooed on patients in a discreet manner, such as a barcode visible only under ultraviolet light.

The Heart-to-Heart Approach
This method involves encrypting the heart itself by using reading of heartbeat as biometric authentication that confirms that the individual trying to download data or access or reprogram critical features of the IMD is an actual person authorized to do so and in direct contact with the patient, not a remote hacker.

In it, a doctor holds a device against the patient's body, and the device reads the patient's heartbeat and compares it to one relayed in a wireless signal from the IMD itself, before confirming that the signals match. It doesn't depend on any registration of a biometric reading however it operated by checking that the signals are identical before medical personnel gain access to the implant. This method avoids the cumbersome, time-consuming process that might otherwise confront doctors or paramedics during an emergency. The rhythmic dynamic character of the human heart makes this security measure possible. It produces a unique rhythm, so the "password" is different in each measurement.

The Firewall
Researchers at Princeton University and Purdue University, recognizing the danger of hacking into IMDs like pacemakers and insulin-delivery systems, found that most of the typical security solutions developed for other types of computing platforms wouldn't work on medical devices because of factors like battery constraints and the unique way in which IMDs are used. So they developed a different approach-a firewall known as Medmon. Similar to how firewalls secure home or business computer networks by spotting and blocking malicious traffic, Medmon "triggers response mechanisms that could warn the user or jam the malicious communication."

The Zero-Power Defense
Another option explored by researchers addresses the concern of adding more complex security features to IMDs that could jeopardize the device's utility, because of the high rate at which they would consume the IMD's limited battery life. In order to provide enhanced security without draining a device's battery, scientists have suggested using an energy-harvesting computer as a gateway device. Those trying to communicate with an IMD, such as medical personnel, power the gateway device with their own radio transmissions.

Those who are unauthorized, like cyber attackers, would be deterred at the gateway stage, preventing the IMD's limited battery power form being drained. Historically, however, while some wireless medical devices use data encryption and communicate over medical-grade band frequencies, most do not. Encryption capabilities add complexity and demand more system resources to function properly, and many IMDs lack sufficient battery and computing power to implement the sort of encryption algorithms that would be needed.

Civil liability implications for IMDs
In situations where there has been a breach of consumer information, it is almost inevitable that class-action lawsuits will be filed against the company or entity that owned or licensed the data subjects' information that was subject of the breach.[5]

Historically, plaintiffs in these cases have had a difficult time prevailing given the uncertainty surrounding how information was taken in a data breach scenario, which makes showing the actual harm resulting from the data subject difficult to prove as it relates to standing. Plaintiffs in a lawsuit are required to prove standing as an essential element of their claim.[6]

In order to meet this burden, they must prove they have "suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by favorable judicial decision."[7]This requires plaintiffs to show they have either suffered actual harm, or that they will suffer future harm to a sufficient degree to confer standing.

Because consumer data breach cases are primarily premised on the plaintiffs' concern that their personal information will be used to commit fraud against them in the future, such claims are generally couched as a future harm that has not yet occurred, which will be the same analysis when dealing with healthcare information. [8]

Conclusion
Concerns about what may happen in the future are necessarily unpredictable and, thus, the issue of standing has proved to be problematic for plaintiff consumer data breach litigation cases where the plaintiffs have not already suffered actual cognizable harm. The year 2015 marked what, at first blush, appeared to be a watershed moment in the development of this body of jurisprudence with the United States Court of Appeals for the Seventh Circuit's opinion in Remijas v. Neiman Marcus Group,[9]

For several years courts looked to the United States Supreme Court's Clapper v. Amnesty Int'1 USA decision for guidance on the standing issue in cases premised on allegations of future harm. In Clapper, the Court set forth the framework for this analysis. To satisfy this framework, an injury must be 'concrete, particularized and actual or imminent; fairly traceable to the challenged action; and redressable by a favourable ruling."[10]

References:

• Joseph p. mcclain, phd, director of clinical engineering division, time to upgrade: new telemetry standards call for a new generation of wireless equipment
• Kevin Poulsen, Hackers Attack Epilepsy Patient Via Computer, WIRED (Mar. 28, 2008)
• Daniel Halperin, et al., Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.
• Hammond v. The Bank of N.Y. Mellon Corp., 2010 WL 2643307
• Lujan v. Defenders of Wildlife
• Hollingsworth v. Perry, 133 S. Ct. 2652, 2661 (2013)
• Dana Post, Plaintiffs Alleging Only "Future Harm" Following a Data Breach Continue to Face a High Bar, THE PRIVACY ADVISOR (Jan. 28, 2014),
• Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).
• Clapper, 133 S. Ct. at 1147 (quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149 (2010)
• Amy M. Rubenstein & Brittany Robbins, Hacking Health Care: When Cybersecurity Can Mean Life or Death

End-Notes:

1. Amy M. Rubenstein & Brittany Robbins, Hacking Health Care: When Cybersecurity Can Mean Life or Death
2. Joseph p. mcclain, phd, director of clinical engineering division, time to upgrade: new telemetry standards call for a new generation of wireless equipment
3. Kevin Poulsen, Hackers Attack Epilepsy Patient Via Computer, WIRED (Mar. 28, 2008)
4. Daniel Halperin, et al., Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.

Written By: Vaishnavi S - Student at V.M. Salgaocar College of Law, Goa