Compliance Corner – News Round Up

April 28th, 2017 by Sharon L Nelson, MSN, RN, CNS, CIP, Executive Director, Consulting and Compliance Services

We generally treasure our convenience tools – laptops, smart phones, baby monitors, home security systems – yet we are aware these tools can be hacked with deleterious effects. Now add to that list of hackable devices life-sustaining health tools and medical devices, from pacemakers to insulin pumps.

In FDA, Industry Fear Wave of Medical-Device Hacks, Casey Harper reports regulators and medical-device makers are preparing for “an expected barrage of hacking attacks.” Among events propelling the FDA and other agencies to coordinate a preparedness plan are:

  • Over 113 million personal health records were compromised in 2015, nine times as many as in 2014.
  • A marketed insulin pump utilizing a wireless controller can be hacked to access the device and cause a potentially fatal overdose of insulin.
  • In 2015 the FDA told hospitals not to use a particular marketed infusion pump because the pump was accessible through a hospital network, potentially allowing a hacker to change the medication dose.
  • In 2013, a hacker claimed he could obtain control of a pacemaker from up to 50 feet away and use the device to create a lethal shock.

Harper reports DHHS has taken action to combat cybersecurity threats aimed at medical devices. Through the Office of the National Coordinator for Health Information Technology, funds will support healthcare stakeholder education and the development of a system through which information about breaches and ransomware attacks can be shared.

What happens when a medical device or a medical system/institution is hacked? There are unfortunately a number of ways a hacker can impact medical care:

  • An institution’s electronic medical records can be taken over by a hacker who exploits a vulnerability in the system.
  • Medical record information can be altered, placing individual patients as well as the institution at significant risk.
  • The institution can also be locked out of its website, with the content returned only upon payment of a ransom.

Hacking of a medical device could result in injury, illness or death. Harper asks who is liable in such circumstances and points to the FDA Guidance document – Content of Premarket Submissions for Management of Cybersecurity in Medical Devices:

FDA recognizes that medical device security is a shared responsibility between stakeholders, including healthcare facilities, patients, providers, and manufacturers of medical devices.

Melissa Markey, a technology and cybersecurity attorney, also responds to the question:

Even though we would have all intuitively said, well yes medical device-makers obviously should make their devices safe from being hacked, that FDA guidance removes any question, I think, that, yeah, this is an obligation.

What are the next steps in protecting our systems, our patients, ourselves? Harper reports the FDA and industry are hiring cybersecurity experts, and hospitals are backing up their files and writing cybersecurity protections into their contractual agreements. Understanding who has access to sensitive information, and how well that access is secured, can help identify areas in need of additional protection.

As you enjoy connectivity, convenience, and medical device advances, take the time to ask your questions, identify your vulnerabilities and manage your risks where possible.



Keeping our sights on research involving big data, its benefits and its challenges, we look to a work completed as part of a National Science Foundation (NSF)-funded project. Ten Simple Rules for Responsible Big Data Research highlights the work of a diverse group of scholars from social, natural, and computational sciences “charged with providing guidance to the NSF on how to best encourage ethical practices in scientific and engineering research, utilizing big data research methods and infrastructures.”

Balancing awareness of the benefits big data research offers with the limitations facing researchers, the authors address the need for responsibility and direction in big data research. Working from the premise that “all big data research on social, medical, psychological, and economic phenomena engages with human subjects and researchers have the ethical responsibility to minimize potential harm,” the article outlines ten rules to consider in responsibly managing the ethical issues of big data research involving human subjects.

The rules are richly referenced and contain examples demonstrating how “anonymized data have produced unanticipated ethical questions and detrimental impacts.” Topics include ways to minimize harm resulting from big data research practices and ways researchers can contribute to building best practices in this field.

While these rules aren’t always simple, they provide a framework for identifying and addressing potential ethical challenges and complications. Each of us may at any time find ourselves in the role of either the researcher or the researched. We must recognize the responsibility associated with this research, treating “big data research with the respect it deserves and recognize that unethical research undermines the production of knowledge.”

Learn what you can do by exploring the “Ten Simple Rules” article.