
Insulin Pump Sweet Target for Hacks

Former IBM Corp. senior threat intelligence analyst Jay Radcliffe hacked into his own insulin pump and managed to manipulate the amount of insulin delivered to his body at potentially fatal levels. In 2011, he presented his findings at the Black Hat security conference in Las Vegas but did not identify the manufacturer of the insulin pump. Later, he revealed the company to be medical device manufacturer Medtronic, identifying four of the Dublin-based company’s insulin pumps vulnerable to cyberattacks.

If Radcliffe had executed a true cyberattack that killed or extorted patients, San Fernando Valley companies would have been at risk. The MiniMed insulin pump he hacked was partially developed by the Alfred Mann Foundation in Valencia and was later sold to Medtronic, which has its diabetes division in Northridge.

According to David Hankin, chief executive of the foundation, the breach might have been the result of outdated software in the device.

In a later statement, Radcliffe acknowledged that the probability of an insulin pump hack attack is low. However, the Food and Drug Administration and the medical device industry are beginning to take preventive measures to avoid these potential issues.

“As far as I know, very few cases have been affected at the device level – if any – yet there is this focus on it,” said Hankin. “I’m not sure if the focus is currently as warranted as it may be sometime in the future, if there are actual cases of people with medical devices harmed by a cyberattack.”

Close calls

Just last month, Hollywood Presbyterian Hospital paid a $17,000 ransom in bitcoins to regain control of its computer systems after hackers infected the systems with ransomware, preventing hospital staff from communicating electronically. Police stations, insurers and certain high-profile companies — including Sony Corp., Target Corp. and JP Morgan Chase — have experienced recent data breaches, which have prompted more copycat crimes.

Last year, UCLA Health System’s computer network was hacked, jeopardizing up to 4.5 million patients’ personal information. UCLA Health System was highly criticized at the time for not encrypting patient data and faced multiple lawsuits for the breach.

While those attacks involved institutions rather than individuals, they show the vulnerability of medical technology. On Jan. 22, the FDA issued a draft guidance titled “Postmarket Management of Cybersecurity in Medical Devices,” which outlined recommendations for the industry on how to approach cybersecurity.

“Medical device manufacturers need to provide secure connection and communication between the device, the computer it connects to and the application that views personally identifiable information and protected health information,” said Jerry Irvine, chief information officer of computer consulting firm Prescient Solutions in Schaumburg, Ill., and a member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council. “This should be performed with encrypted communications between the devices, encryption of data on devices and secure connections of devices.”

The Mann Foundation, whose founder passed away earlier this month, operates as a medical device company minus the marketing and sales. According to Hankin, this allows the organization to address a medical problem without the added pressures associated with monetization. The foundation employs engineers, scientists, clinicians and physicians to tackle health issues – including device security.

After product development, the organization will either license the technology to another company or spin it out into a business. The foundation said it has implemented safeguards in its medical device technology to avert cyberattacks. It is especially concerned with life-sustaining and supporting devices – such as cardiac pacemakers and an implantable infusion pump that was spun out as Medallion Therapeutics Inc. in Valencia.

“The infusion pump is something we have to take very seriously,” said Hankin. “One of the hallmarks of our infusion pump is that it is safer than the other infusion pumps on the market. Because that’s one of our selling points for that particular device, we take its safety component very seriously.”

Although the FDA guidance is not mandatory, the agency is implementing more scrutiny during the medical device approval process after regulatory submission, according to Hankin, who has two devices in the pipeline for FDA approval.

Attorney Gerry Hinkley, partner and chair of the health care industry team at L.A. law firm Pillsbury Winthrop Shaw Pittman, reviewed the FDA guidance and wrote an article on the topic.

“The FDA’s guidance strikes a balance between protecting patient health and safety and encouraging the continued development of innovative technologies,” said Hinkley. “Generally speaking, the FDA has taken a more realistic approach to cybersecurity and has acknowledged that it does not want to be overly aggressive with regulation to the extent that such regulation would hamper continued development and improved device efficacy.”

App vulnerability

Spun out from the Mann Foundation in 2004, Valencia’s Bioness Inc. also has been affected by the heightened attention on cybersecurity. The company’s business focuses on two product types: neurorehabilitation devices for central nervous system disorders, such as strokes and multiple sclerosis, and peripheral nerve stimulation devices for pain management.

In response to the growing concern, the company’s entire design as well as its validation and verification process has been changed, according to Chief Executive Todd Cushman. The company uses double encryption for patient data, implements double code for added security and follows the FDA’s recommended guidelines to combat the potential for hackers to break into its devices.

“There’s been a lot of concern with wireless technology on how cyberterrorists could possibly get into the system and do something that would be a tragedy,” said Cushman. “We have to take all of this into consideration now. It’s very easy for us to have an app to program a device, but that’s also a very easy way for us to jeopardize patient safety.”

Even though more companies are getting on board with cybersecurity, the industry faces technical hurdles in protecting against cyberattacks.

“The problems with security implementation within medical devices is that these devices are, by design and requirement, generally small and need to be extremely reliable,” said Prescient’s Irvine. “Implementation of excessive software or controls on these devices is difficult because of their small platforms.”

The Mann Foundation’s Hankin believes that since the FDA is taking medical device cybersecurity more seriously, companies must as well. Every medical device must go through the FDA approval process, and if companies can’t comply, their devices won’t be approved.

Bioness’ Cushman does not foresee medical device hacking becoming a problem, if responsible designs are implemented and proper planning in communication protocols for wireless technology is executed preemptively.

“In the future, we are going to have to constantly monitor this area, because computer technology is always changing,” he said. “It’s getting easier and easier to use, and to me, that translates into it may be getting easier and easier to hack.”
