April 19, 2023

Right to Privacy and Implantology

This article has been written by Ms. Madhavi Sanapala, a 5th year LL.B. student of Dr. B. R. Ambedkar College of Law, Andhra University. 

Introduction

The world is improving every day and prospering in many different ways. Biological engineering is one such area. The professionals were able to develop tools that assisted in the evolution of medicine by bringing engineering principles and design concepts to healthcare, and “Implantable Medical Device,” shortly called as an IMD, is one of its by-products. Implantable Medical Device is an instrument that is partially or completely inserted into the body. These gadgets are most frequently implanted by doctors during surgery, which in contrast to surgical ones, remain in the body following the procedure. Since the first pacemaker was implanted in 1958, numerous technical and medical efforts to build implantable medical devices have run into challenges with materials, battery power, functionality, electrical power consumption, size shrinking, system delivery, and wireless communication.

But with increased computing, communication, and decision-making abilities, the IMDs have gained a lot of exposure and improvement over the last decade, best known in the name of cochlear implants, pacemakers, intraocular lenses, etc., The future super-aged society, which will increase demand for the equipment, will ensure that the trend of advancement in medical technology continues. Be that as it may, like a coin bearing two sides, the never-ending headway of technology, and mix matching it with the medical field has brought back to the starting point of the race, viz. “Privacy.”

Implants and their compromised privacy

One of the most important components of any such gadget design is data security and therefore privacy and security have become crucial considerations. As a result of the ever-expanding data processing capabilities in these implants, and because technology now permeates practically every aspect of our lives, the data security of such gadgets has been under the spotlight. Privacy is a fundamental right that is required for autonomy and the preservation of human dignity. It serves as the cornerstone around which many other human rights are built. By employing privacy to erect walls and uphold limits to keep unauthorized people out of our lives, we may negotiate who we are and how we want to interact with the world. With the use of privacy, we can set limits on who can see our information, conversations, whereabouts, and bodies.

The risks that human implants pose to becoming a victim of crime in light of recent technological advancements, as well as analysis on how the law can address new issues posed by what may turn out to be the next generation of cybercrime: assaults on technology that has been implanted in human bodies. Common sorts of computer security breaches, such as those brought on by computer viruses, Internet hackers, and the loss or theft of laptops with sensitive data, are well known to the majority of people. However, security worries also extend to the advanced medical equipment’s embedded computers, which have grown more complicated and frequently depend on specialized software and significant automated functions. Numerous devices carry out intricate analyses, possess sophisticated decision-making abilities, store comprehensive personal medical data, and engage in automatic, remote, and wireless communication. Millions of patients have benefited from these features’ better care and quality of life, but they have also made these devices more vulnerable to security breaches, which could jeopardize their functionality as well as the security and privacy of patients.

As IMD technologies advance, it will be more crucial than ever to strike a balance between safety and effectiveness and security and privacy. Although it is advancing at a rapid pace, we still have a limited understanding of how device privacy and security interact with and impact medical safety and therapeutic efficacy as the appropriate balance between security, privacy, safety, and utility may vary based on the IMD in question, further complicating matters. There is a dispute on the security requirements for medical devices, despite almost universal agreement on the significance of security for personal health information and electronic health records. The president of the Heart Rhythm Society, for instance, noted that the devices “were not designed to withstand a terrorist attack” when a modern implantable defibrillator was revealed to be vulnerable to unauthorized communication, potentially harmful device reprogramming, and unauthorized data extraction.

It would be “very rare” for a medical device malfunction to inflict intentional injury, but it is a possibility “that cannot be disregarded.” The capture of private information could be for financial gain or a competitive edge; reputational harm to a device manufacturer; sabotage by a vengeful employee, a displeased client, or a terrorist to cause property damage or harm to people; or just the satisfaction of the attacker’s ego. It may be through sniffing, data interference, hacking, and denial of service. 

Data breach Risks

Modern IMDs frequently have personal data stored in their memory. In the event that hackers acquire access to connected medical equipment or a wider network of health data, there is a risk that it may be compromised for all time. These are some examples of personal health information:

• Health insurance numbers

• Prescriptions

• Diagnosis and treatment

• DNA data

• Biometric data

• Financial information

Only data validation and user authentication may be necessary for devices with non-essential functionality (such as cochlear implants or implantable heart monitors) and those that are thought to be at minimal risk for a security compromise. Contrarily, extra security measures, such as the incorporation of redundant security features and meticulous testing and verification of security properties, would be needed for devices with life-sustaining operations, such as pacemakers and insulin pumps.

Why?

An attacker can use fundamental information to participate in social engineering and identity theft, including the patient’s name, date of birth, and doctor’s contact information. More technical data may be utilized to deduce specifics of a patient’s health, which an attacker may use to facilitate attacks dependent on particular pathological conditions, like the stimulation settings of the IMD or the rate of battery depletion. The growing amount of biometric data that these gadgets are gathering is also troubling from a security standpoint. Closed-loop IMDs use physiological parameters collected by sensors to better manage electric impulses or drug delivery by effector elements, but these data may be useful to attackers who want to learn specifics about a patient’s pathology or even possibly access information regarding a patient’s psyche, as illustrated by Martinovic and associates who successfully used side-channel attacks against a non-invasive brain-computer interface system and the software that controls it.

Current Scenario

All digital information is vulnerable, but a hacker’s primary goal is financial gain. While tampering with an implanted medical device is not an apparent way to make money, the threat still exists. Implantable medical devices are, according to the majority of experts, a fairly minor target for hostile hackers when it comes to cybersecurity flaws in the healthcare industry. Dean Sittig, Ph.D., a professor of biomedical informatics at the University of Texas Health Sciences Center in Houston, argues that you could see a wild science fiction story in which someone attempts to kill someone by hacking a pacemaker. “But unless that device is connected to a notable individual like the leader of a country, there is not a lot of incentive for hackers to go after a target as tiny as a single pacemaker or infusion pump.”

On May 16, 2018, the topic of regulating medical implants was first brought up, in India. The decision has been made that these gadgets will be regulated beginning in April 2020. “Devices utilized for life support or nutrition in humans, or implanted into the body, may represent potential risks and must be rigorously regulated. The devices are not currently subject to any safety checks. As stated by S. Eswara Reddy, the Drug Controller General of India, “this will control and make sure that gadgets that are implanted in the body are not hurried onto the market, avoiding important testing that would protect consumers.”

Conclusion

Currently, particular gadgets may automatically interact with doctors’ offices, hospitals, and manufacturers and may be accessible for reprogramming, data extraction, and software updates — all communication paths that pose a risk for security breaches. Although many patients have benefited from the use of medical devices, their growing prevalence, automation, functionality, connectivity, and ability to communicate remotely make them more security vulnerabilities. The security of medical computers and gadgets is not a luxury, despite the fact that few patients are known to have been hurt by security breaches. In order to protect the well-being of millions of people and to guarantee the confidentiality of protected electronic health information, a role-based authorization and a number of administrative, technical, and physical security measures should be implemented.

References

https://www.sciencedirect.com/science/article/pii/S153204641500074X
https://www.researchgate.net/publication/263265182_Attacking_Human_Implants_A_New_Generation_of_Cybercrime
https://www.researchgate.net/publication/333409826_Data_Security_and_Privacy_Issues_of_Implantable_Medical_Devices
https://www.ipstars.com/NewsAndAnalysis/IP-protection-for-medical-devices-in-India-increases/Index/4412
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3797898/#:~:text=INTRODUCTION,procedure%20%5B1%2D2%5D.
https://academic.oup.com/medlaw/advance-article/doi/10.1093/medlaw/fwac038/6773065
https://e-archivo.uc3m.es/bitstream/handle/10016/26173/security_JBI_2015_ps.pdf?sequence=1&isAllowed=y

Aishwarya Says:

Law students often face problems, which they cannot share with their friends and families. We have started a column on our website Student’s Corner. In this column we are talking to several law students about the challenges that they face. Students who are interested in participating in the same, can fill this Google Form.

IF YOU ARE INTERESTED IN PARTICIPATING IN THE SAME, DO LET ME KNOW.

The copyright of this Article belongs exclusively to Ms. Aishwarya Sandeep. Reproduction of the same, without permission will amount to Copyright Infringement. Appropriate Legal Action under the Indian Laws will be taken.

If you would also like to contribute to my website, then do share your articles or poems to aishwarya@aishwaryasandeep.com

Join our  Whatsapp Group for latest Job Opening

Related articles