Modeling Cyber Threats as Medical Adverse Events

This chapter reviews best practice approaches to performing cybersecurity risk management. It introduces the cybersecurity risk equation and explains how to apply cybersecurity controls to mitigate cybersecurity risks. The chapter also provides an overview of approaches to identify cybersecurity threats and known categories of cybersecurity threats to digital health.

The “Smart” Clinic

“Smart” devices have become ubiquitous in society and are used by almost all of us on a daily basis, but the security history of these devices is notorious due to their lack of protections. The vision of a smart clinic where real-time patient data arrives on-site before the patient, where check-in desks are no longer necessary, and where treatment and prevention advice are based upon an entirely new spectrum of biophysical and socioeconomic measures is truly compelling but also fraught with hazards. Data can be misused and misinterpreted. Unconscious bias can slip into any well-intentioned data analysis and any “fully wired” building is most likely an attack-surface nightmare. To realize the vision of smart clinics, a complete shift in mindset to “first do no harm” is essential.

The Technology of Biotechnology and Big Data in Medicine Development

The rise of big data and digital health in medicine have been concurrent over the last two decades. Often confused, while virtually all digital health solutions, such as sensors wearable devices, and diagnostic algorithms, involve big data, not all big data in health care originates from digital health tools. Genomic sequencing data being one example of this. In this chapter, the role and importance of big data in medicines and medical device discovery and development are detailed with the specific focus of providing a detailed understanding of the product discovery, product development, clinical trials, regulatory authorization, and marketing processes. Concepts such as “dirty data,” regulatory decision-making, remote and virtualized clinical trials, and other key elements of digital health are discussed.

A Brief History of Biomedical Products Regulation

The history of biomedical product regulation is a history of hard-won progress. Often, only after tragedy, has regulatory statute caught up to drugs with horrid side effects or medical devices that offer no benefit but may do harm. Harmful or questionable products slip through cracks in regulatory statutes and are brought to market quickly and prolifically, while regulators play catch up and must demonstrate harms before being enabled to police or regulate them. A notable present-day example is e-cigarettes, a multi-billion-dollar industry with clearly questionable marketing practices, which arrived and grew quickly without any form of premarket regulatory obligation. Similarly, digital health tools are proliferating, and most are yet to be subject to premarket regulation. This chapter provides a brief history of biomedical-products regulation with a focus on benefit-risk determination and its impacts on regulatory policy.

The Evolution of Digital Technologies in Health Care

Although digital health often is touted as something revolutionary and brand new, the truth is that electronic biomedical equipment has existed for decades and many new digital health tools are simply incremental enhancements. In some cases, a device has been miniaturized for convenience and home use. In other cases, novel algorithms are being placed into clinician workflow as decision aids, not unlike the Physicians’ Desk Reference (PDR) that often was consulted during clinical encounters. The part that is new is Internet connectivity and all the accompanying benefits and risks. In this chapter, the history of biomedical tools and their evolution over the last three decades is reviewed in detail with an eye toward understanding incremental advancements, such as miniaturized heart arrhythmia measurement tools, as well as leaps in progress, such as the widespread adoption of electronic health records.

Electronic Health Records

A key opportunity for anticipating and understanding the potential risks and benefits of digital health is readily available in the form of electronic health records (EHRs). Touted as a transformation in health care and funded by tens of billions of dollars in federal investment, the outcomes remain mixed. Although the anticipated benefits of increased visibility to healthcare spending and utilization are real, the massive ongoing expense, the time taken away from clinical encounters, and the massive burden on clinicians are all frequently reported unsolved problems. The need to address all stakeholders, to obtain objective measurement, to spend equal time spent examining risks and benefits, and to achieve long-term sustainability are just a few examples of lessons learned from the implementation of EHRs that should be applied to digital health.

Nonadversarially Driven Toxicities

The Internet and digital health tools have brought us the convenience of online medical appointment scheduling, quick access to definitions of medical terms, and many other conveniences and capabilities, but these are not without concurrent risks of harm. Widespread availability of self-care tools has the potential for overdiagnosis and overtreatment. Fixation upon potential medical conditions has led to increased cyberchondria; and convenience, when taken to far, can drive risky practices and overdependence on tools that are meant to aid in care but not intended to be reliable life support. In this chapter we examine the five nonadversarially driven toxicities of digital health in order to understand how human frailty, habit, and bias may exacerbate the risks of otherwise harmless and helpful digital health aids.

Virtual Health Assistants

There is no doubt that virtual assistants, such as Alexa and Siri, have changed the human-computer interface forever. These capabilities bring convenience, relatability, and, at times, safety to our daily lives. It must also be noted, however, that these “assistants” have surveillance capabilities at their core. The average user really does not know what the devices are recording, transmitting, or measuring. The privacy, cybersecurity, and physical security hazards of these technologies are becoming well known and understood, and the application of these devices to healthcare use cases must be approached with care and skepticism that are at least equal to the optimism with which they are currently being hyped and marketed.

Five Mitigations for the 10 Toxicities

Throughout the text we have discussed the necessity of sound and comprehensive medical benefit-risk assessment of digital health tools and have introduced the 10 Toxicities: privacy, security, misinformation, charlatanism, cybersecurity, overdiagnosis, cyberchondria, medical device deregulation, and user error. To many, these hazards appear new, evolving, and, possibly, overstated. The truth is, however, that there is preexisting precedent and numerous examples for all of them. This chapter presents five mitigations for these toxicities including awareness and education, a new regulatory paradigm, professionalism and workforce development, and new models of collaboration between health care and law enforcement. Fortunately, it is not too late to get ahead of the hazards of digital health and ensure optimized benefits and minimized risks.

Pulse Oximetry in Anesthesia—The “Perfect” Medical Technology Use Case

It can be difficult to quantify progress or success when it comes to digital health, because there are many and highly varied stakeholders and perspectives to be considered, including some that are in opposition. Technological “advances” that bring clear benefits to patients, providers, and healthcare institutions are rare but do happen. In the 1980s, the first digital pulse oximeters changed the way blood oxygen saturation was monitored during surgery, an innovation that resulted in less pain for patients and better patient safety, superior real-time data for anesthetists, and greatly reduced surgical liability for hospitals. Inventions with such clear benefits to so many stakeholders remain rare three decades later. In this chapter, the evolution of digital pulse oximetry for oxygen saturation monitoring during surgical anesthesia is discussed via personal anecdote from the author.