When many Americans envision our nation’s cybersecurity vulnerabilities they imagine the susceptibilities of our nation’s physical infrastructure — a paralyzed power grid, a hijacked nuclear power plant — high-shock events that would decimate the lives of millions of Americans.
Of course, these are viable threats. In July, it was reported Russian hackers infiltrated the business systems of U.S. nuclear power and other energy companies, but as we incorporate internet-connected technology into every aspect of our lives — from what we wear to how we secure our home and drive our cars — cybersecurity becomes increasingly personal.
In our nation’s hospitals — one of our most unpredictable environments — technology helps provide better quality and more efficient health care, but its incorporation has left some of our most intimate data vulnerable.
In June, the NotPetya attack that struck Ukraine’s critical infrastructure quickly made its way across Europe and into the United States, and many of our hospital systems were forced to cancel operations. Unfortunately, attacks of this kind are not a one-time occurrence. In fact, since 2009, the health-care data of more than 127 million Americans has been compromised by cyber criminals, and medical data vulnerabilities are just the beginning.
As our physical and virtual worlds continue to meld, bad actors are not only attempting to steal sensitive information but also manipulate life-sustaining internet-connected medical devices, such as internal defibrillators, pacemakers and automated insulin pumps.
The interoperability of these devices is critical in helping doctors monitor patients and detect problems with implanted devices. However, the ability for these technologies to adapt through internet connectivity — their greatest strength — is also their greatest vulnerability.
Last year, an insulin pump manufacturer warned more than 100,000 patients that their devices were susceptible to cyber hacking that could enable an unauthorized accessor to issue commands to the pumps.
Just a few months ago, security researchers identified a vulnerability with more than 450,000 internal pacemakers that could allow a hacker to hijack the pacemaker and drain the battery or alter the device’s pacing.
As the number of internet-connected medical devices and their respective vulnerabilities continues to grow, we must proactively take substantive steps to bolster their security and protect the Americans who rely on them by establishing health-care industry guidelines for how to best to defend against these types of radical cyber assaults.
I was joined by my colleague, Rep. Susan Brooks (R-Ind.), in introducing the Internet of Medical Things Resilience Partnership Act, legislation that will bring public and private sector counterparts together to address the vulnerabilities of medical technologies by establishing a robust, yet malleable, comprehensible cybersecurity framework.
We cannot stand idly by while these imminent attacks threaten the American people. Failure to work collaboratively to address medical data vulnerabilities would be failing the patients — the millions of Americans — who rely on these life-sustaining devices.