Cyberprivacy

FDA Pushes for Cybersecurity for Medical Devices, Health Information Technology

Submitted by Amaris Elliott-Engel on Sat, 10/25/2014 - 11:25

What if hackers caused medical devices to malfunction? Disrupted healthcare services? Accessed patient information or electronic health record data? Those are examples of potential digital security pitfalls for the healthcare industry. Here's a piece I wrote for the National Law Journal about the need to develop industry standards for cybersecurity for medical devices and other health information technology: 

A cybersecurity framework for medical devices and health-care technology needs to be developed in a partnership between the government, manufacturers and health-care providers, officials from across the public and private sectors said during a workshop convened by the U.S. Food and Drug Administration.

“Right now, for cybersecurity, we’re all in a reactive mode,” said Deborah Kobza, executive director of the National Healthcare Information Sharing and Analysis Center. “We need to change that to be in a preventive mode.”

The concern is that hackers could cause medical devices to malfunction, disrupt health-care services or steal patient information and electronic health records. The FDA, along with the Department of Health and Human Services and the Department of Homeland Security, sponsored the two-day workshop this week.

The Advanced Medical Technology Association’s Jeffrey Secunda said that, “for devices that are facing the Internet, you do have the risk of advanced persistent threats.”

How the FDA is going to approach cybersecurity, including evidence that devices have led to patient harm, “is exactly why we’re convening this meeting,” said Suzanne Schwartz, director of the FDA’s emergency preparedness/operations and medical countermeasures in the Center for Devices and Radiological Health.

Workshop participants said they were unsure how much tolerance there is for the risk that patients' information could be breached in the effort to make electronic health records and health information technology “interoperable” and more accessible to patients.

Dr. William Maisel, the FDA’s chief scientist and deputy center director for science at CDRH, said there are 100,000 medical devices on the market and the technology changes rapidly. The FDA doesn’t view it as a solution to take in all the information about digital security vulnerabilities in medical devices and pass it on to the community, he said.

Instead, federal regulators want an “ecosystem where that information is being shared,” such as safe harbors for medical device manufacturers and health-care providers to make reports about cybersecurity breaches without incurring liability, he said.

Participants said that providers don’t report digital security breaches for fear of exposure during litigation.

The National Healthcare Information Sharing and Analysis Center’s Kobza noted that her group has entered a memorandum of understanding with the FDA to develop a protocol about sharing information about medical devices.

Merger of Online & Offline Data Heightens Intrusiveness of Tracking

ProPublica's Julia Angwin reported this week on how marketers' tracking of customers is getting more intrusive: "Online marketers are increasingly seeking to track users offline, as well, by collecting data about people's offline habits—such as recent purchases, where you live, how many kids you have, and what kind of car you drive."

Angwin goes on to explain how it works: after customers share their e-mail addresses with a store, a marketer locates them online when they use those addresses to log into websites, tags their computers with a tracker, and then, when they arrive at the website of the same store, they see a site customized to them.

UN Human Rights Chief: Internet Privacy Is a Matter of Human Rights

Navi Pillay, the United Nations human rights chief who has been asked by the international membership organization to prepare a report on protection of the right to privacy, said that international action led to the end of apartheid in South Africa and that it can again lead to the end of massive surveillance of online activity, The Guardian reports. The experience of international action on apartheid "inspires me to go on and address the issue of internet [privacy], which right now is extremely troubling because the revelations of surveillance have implications for human rights … People are really afraid that all their personal details are being used in violation of traditional national protections," Pillay said.

UN Adopts Privacy Resolution

The United Nations adopted a resolution, sponsored by Brazil and Germany in the wake of the revelation that the United States was eavesdropping on leaders in those countries, supporting the protection of Internet privacy, the BBC reports. The non-binding resolution affirms that "the same rights that people have offline must also be protected online," the BBC further reports.

The hope of such non-binding international measures is that they will influence international norms.

The Good News About Watered-Down UN Resolution On Right to Privacy

Philip Alston, writing in Just Security, asks if the United Nations let the United States off the hook regarding Internet privacy. While the language of a United Nations resolution was watered down at American urging, Alston argues that there is good news in a resolution that is set to be adopted by the full UN this month. Among other good points, "by basing itself on the formulations of the right to privacy included in both the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, the resolution implicitly rejects the US line that privacy rights derive only from a specific treaty which the US in turn insists has no extra-territorial implications," Alston writes. 

United Nations Advances Measure to Make Privacy Rights Universal

A United Nations committee has advanced a resolution sponsored by Brazil and Germany to make the right to privacy against unlawful surveillance applicable to anyone in the world, The Washington Post reported. The two countries sponsored the measure after revelations of monitoring by the United States of Brazilian President Dilma Rousseff and German Chancellor Angela Merkel.

The resolution is expected to pass the United Nations General Assembly too, The Post further reported. While the resolution is not binding law, General Assembly resolutions "reflect world opinion and carry political weight," The Post also reported.

The largely symbolic resolution was watered down though. The Post reported: "The key compromise dropped the contention that the domestic and international interception and collection of communications and personal data, 'in particular massive surveillance,' may constitute a human rights violation."

US Seeks to Kill Off Online Privacy Rights

Both Brazil and Germany, which have been the subject of American surveillance, are seeking to "apply the right to privacy, which is enshrined in the International Covenant on Civil and Political Rights (ICCPR), to online communications," Foreign Policy reports. The United States, however, is pushing back, "to kill a provision of the Brazilian and German draft which states that 'extraterritorial surveillance' and mass interception of communications, personal information, and metadata may constitute a violation of human rights," Foreign Policy further reports.

Separately, Reuters reports that a "draft U.N. resolution that some diplomats said suggested spying in foreign countries could be a human rights violation has been weakened to appease the United States, Britain and others ahead of a vote by a U.N. committee next week." The initial draft would have had the General Assembly declare it is "deeply concerned at human rights violations and abuses that may result from the conduct of any surveillance of communications, including extraterritorial surveillance of communications," but the draft now proposes the General Assembly declare it is "deeply concerned at the negative impact that surveillance and/or interception of communications, including extraterritorial surveillance and/or interception of communications, as well as the collection of personal data, in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights," according to Reuters.

Federal Trade Commission Set to Regulate Your Spying Coffee Pot

The Federal Trade Commission is set to regulate connected devices that share consumer data. Or as GigaOm more pithily says it: the Internet of Things. Why does this matter? GigaOm reports: "There are two issues at play here, one being the privacy of consumer data and the other being the security of the networks delivering that data. The privacy issue, however, also contains a security dimension since the devices can share things that affect a person’s safety — such as where they live and whether or not they are home."

Moreover, "EPIC, the Electronic Privacy Information Center, argues that the privacy implications of connectivity start with the devices, which could allow a person to be tracked continuously across a variety of networks," GigaOm also reports.

GigaOm's Stacey Higginbotham argues for a middle ground between stifling a new industry and protecting consumer privacy.

European Parliament Votes to Suspend Terrorist Financial Data-Sharing After Snowden Revelations

The European Parliament voted to suspend a data-sharing agreement with the United States that allows access to financial transactions for the purposes of tracking the financing of terrorists, GigaOm reported, although only the European Commission can actually suspend the agreement.

Edward Snowden's leaks exposed that the National Security Agency has been tapping the SWIFT database of international transactions "directly in order to extract information, thus breaking the terms of the agreement with the EU. The intelligence agency has apparently also been illegally accessing credit card transaction data in Europe, the Middle East and Africa," GigaOm also reported.

Investigative Report: NSA Collects Millions of Email Contact Lists

The Washington Post reports on how the National Security Agency is sweeping up contact lists in Americans' e-mail accounts and instant messaging accounts. For example, "during a single day last year, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers, according to an internal NSA PowerPoint presentation," The Post reported. Over the course of a year, that would be millions of accounts. Is this contact information being paired with the already-revealed collection of nearly every record of phone calls made in the United States?

Even Americans who aren't living or working abroad are having their contact information collected because "data crosses international boundaries even when its American owners stay at home. Large technology companies, including Google and Facebook, maintain data centers around the world to balance loads on their servers and work around outages," The Post also reported.

On an amusing note, spam is just as annoying for spies as it is for the rest of us. "Spam has proven to be a significant problem for the NSA — clogging databases with information that holds no foreign intelligence value," The Post also reports.
