Hacking & Privacy: Should We Be Worried?

Adrian Rutt
Bioethics 528
Research Paper

Hacking & Privacy: Should We Be Worried?

Introduction

Its no secret that hackingand by extension privacyhas been taking the ethical center

stage within the past decade or so. The most poignant (and recent) example dealt with the recent

U.S. election: Did Russian hackers infiltrate the DNC or influence the recent election in any

way? Less, however, has been said with regard to the hacking of medical technology and

information, though the topic has indeed been broached by some scholars and ethicists. As a

recent article in Wired argued, Its insanely easy to hack medical equipment, and that the

healthcare industry is just now waking up to the security problems with medical equipment, and

that the problems exist because medical equipment has only ever been regulated for reliability,

effectiveness and safety, not for security (Zetter, 2014).

In this paper, I hope to first survey the differences between privacy and security, noting

the philosophical differences between and consequences of both concepts. I will then examine

the process and potential consequences of both the hacking of medical data and of actual medical

devices, and why we should be worried not only in the latter case but the former as well. In

addition, to these more abstract formulations, I will present some case studies to bolster those

worries. I will then briefly survey some of the proposed remedies and protections a few people

have proposed to keep our information and technology as safe as possible.

 Hacking & Privacy: Should We Be Worried? 2

Privacy & Security

Derek Bambauer argues that although security and privacy are complementary notions,

their differences are necessary to note in the context of debates surrounding medical ethics. For

my purposes, it will not be necessary to unpack Bambauers argument at length but only to note

the sharp distinctions he draws so that we can carry them into a discussion about medical ethics.

Privacy, he says, establishes a normative framework for deciding who should

legitimately have the capability to access and alter information, while security is a set of

technological mechanisms (including, at times, physical ones) that mediates requests for access

or control (Bambauer, 2013). Tying them together, we might say that privacy informs security,

or that whatever we determine privacy to be must then be complemented by an analogous

security system setup to retain that measure of privacy. This might at first be somewhat obvious,

but the microscopic picture may not be so: Bambauer argues that because security implements or

stems from privacy, it should be treated more seriously and thus punished more harshly when

flawed (Bambauer, 2013). This is because privacy rests on values whereas security is a more

technical matter of how we actually protect what we deem valuable or private. In other words,

its different to have some piece of information about ourselves released that we decided could

be public, versus deciding something ought to be private and the mechanisms somehow dont

make that happen. All this is to say is that a failure of values is going to be more likely and

happen often; a failure of technology, because it should be in-line with the former, is given less

wiggle room.

The difference matters, more specifically, because often people conflate security flaws

with privacy issues, thus leading to questions not of better security measures but of discussions
 Hacking & Privacy: Should We Be Worried? 3

about what, exactly, we should even want to keep private. This is somewhat disconcerting if only

because this way of framing the problem is liable to the give-an-inch, take-a-mile argument: that

breaches in our privacy because of poor security standards makes us question not the security but

whether its even all that bad that some piece of information was released is the wrong way to

see the issue. This is not all that different from the alarming complacency with regard to Fourth

Amendment breaches under the argument Well I have nothing to hide.

However, Bambauer is not saying that we shouldnt be having debates about privacy,

only that we should be careful about conflating the two concepts. Security, his point is, ought to

keep up with these normative discussions about privacy. It is clear that, for the most part, it

hasnt. Worse yet, we are aware, in most cases, that it hasnt.

Dangers Abound

With respect to the hacking of medical information, the consequences are obvious: We as

a society have determined that our medical histories and lives are largely a private affairor at

least a minimally social affair. Thus the steps we take to secure or guard against potential

hackers ought to reflect that normative assessment.

The problem, as the Wired article points out, is that everything these days is largely

web-based. That is, to a hacker everything is connected. As one security consultant puts it:

A lot of the web services allow unauthenticated or unencrypted communication

between the devices, so were able to alter the info that gets fed into the medical

recordso you would get misdiagnosis or get prescriptions wrong The

 Hacking & Privacy: Should We Be Worried? 4

physician is taught to rely on the information in the medical records [but] we

could alter the data that was feeding from these systems, due to the

vulnerabilities we found (Zetter, 2014).

Because everything is unencryptedor lacks the necessary security given the level at which we

want these things to be privatethe potential for massive breakdowns in the system are at an

all-time high. Similarly, most of the interventions are of an ad hoc nature; that is, they are only

fixed because something malfunctioned or something got hacked. This is exactly backwards or at

least not sufficiently reflected upon.

Realizing that no small part of this issue circumambulates around the idea of money and

resources, it still stands to show that now we are doing things to protect ourselves from very real

threats. In other words, it at one time made sense not to encrypt or heavily secure medical

records, data, or equipment, but now it seems bordering on foolishthat is to say unethicalnot

to take the necessary steps to do so given the technological advances and hacking capabilities

that we see unfold on a daily basis. Whether its the hacking of celebrities phones or the DNC, it

seems we have a new hacking story every day.

And yet, its not the case, most of the time, that hackers are using high-level tactics. As

Paul Frenger says, In its simplest form, medical device hacking can result from an

unsophisticated brute-force approach (Frenger, 2013). Its quite simply too easy to hack data

and devices. Circling back to Bambauers point, we simply just have not kept our security

measures proportionate to our concerns about privacy. Notice that there are two ethical debates

here: one over the value-laden discussions about what we even want to keep private, and the
 Hacking & Privacy: Should We Be Worried? 5

other concerns the gap between privacy and security. Should healthcare institutions be ethically

responsible and thus culpable for breakdowns in their networks? Perhaps the level of ethical

culpability should be proportionate to the ease at which the system was hackedthat is, whether

or not this could have been reasonably prevented.

Although it is warranted to worry about breaches of confidentiality, fidelity, or other

ethical issues, this may not be the ethical worry.

We found a couple of defibrillator vendors that use a Bluetooth stack for writing

configurations and doing test shocks [against the patient] when theyre implanted

or after surgery They have default and weak passwords to the Bluetooth stack

so you can connect to the devices. Its a simple password like an iPhone PIN that

you could guess very quickly (Zetter, 2014).

As is implied with the above passage, death and very real physical harm are the most pressing

issues with regards to the hacking of medical devices. Although targeted attacks would be

difficult to pull off at the moment, this should still be very worrying, as even a whiff of

possibility shows the need to, as I mentioned earlier, stay as far away from purely ad hoc

measures as one reliably can (Zetter, 2014).

In other words, we need to do a better job of raising awareness of the extent to which

personal data is available, accessible and collected; the extent to which it has been

compromised; and how easy it is, in some cases, to go from mere data mining to device hacking

(Kleinig et al., 2011). We should not have to wait for a disastrous attack to happen for something
 Hacking & Privacy: Should We Be Worried? 6

to changeespecially considering we know at a very intimate level already the weakness of

security standards in some of these devices and in hospitals generally. For example a coroner in

Mississippi testified in 2001 that a diabetic surgeon who used a microprocessor-controlled

insulin pump was murdered by delivery of a pre-programmed overdose of lethal

medications secretly injected into its insulin reservoir by his wife, a nurse (Frenger, 2013). The

operative word here being pre-programmed. If something can be pre-programmed and is

connected to a network or web-based system (as most are) it can most likely be hacked as well.

Similarly, Jay Radcliffe, an insulin-dependent diabetic, revealed to the Associated Press

in Fall 2011 how hackers could manipulate his Medtronic pump to deliver an insulin overdose,

and well-known hacker Barnaby Jack reverse-engineered a wireless implanted pacemaker-

defibrillator to reprogram it from 30 feet away to deliver a potentially fatal 830 volt shock to a

simulated patients heart (Frenger, 2013).

It is true that cases such as the above are not bountiful and in some cases only theoretical

and experimental, but this is no reason for complacency. The course we are currently on suggests

that if we dont take the proper precautions and have public discussions about these types of

situations they can very well become prevalent. Its time we realize that, in essence, medical

equipment has only ever been regulated for reliability, effectiveness and safety, not for security

(Zetter, 2014). As a sort of meta-point, more articles like the one in Wired or Crains (referenced

below) need to be written: accessible, written-for-the-public expositions (exposs in some cases)

are precisely what is needed. Academic worrying, though totally warranted and necessary,

doesnt do much for public awarenessthere needs to be two sides to the awareness coin.
 Hacking & Privacy: Should We Be Worried? 7

Less physically consequential but nonetheless ethically serious is the hacking of patient

data and records. One study suggests that [the] digitization of patient records may increase the

likelihood of data breaches (Miller & Tucker, 2011). This seems obvious, but the consequences

of such are not. Employers having even second-hand access to employee data or potential

employee data could promote discriminatory practices at some of the highest levels e.g., the

hiring or firing based on health. Even records, though, present a slippery slope to even more

serious situations: the ability to hack patient records and fudge dosage numbers, medicinal

requirements, prescriptions, etc., could lead to great harm to the patient or even, obviously,

death.

More indirectly, the hacking of medical data presents major problems with identity theft

and similar scenarios. As one recent article written for Crains point out:

Because the records include so much information, thieves can falsify insurance

claims and collect checks, get tens or hundreds of thousands of dollars of free

care on someone else's insurance (which might affect the real policyholder's

coverage limits), and falsify driver's licenses to illegally get prescriptions

(Sweeney, 2017).

Solutions-Based Thinking

We need to aim for not perfect but better. That is, no one is arguing that we should have

seen this coming (because were still in the seeing it coming stage), but only that our security

measures should be proportionate to the level of privacy we desire, if somewhat and naturally a
 Hacking & Privacy: Should We Be Worried? 8

little behind. Further, I suggest that hospitals and healthcare institutions ought to be more

ethically and legally culpable for breakdowns in their systems based on, as I mentioned above,

whether or not a team of professionals determines the hack to be a preventable occurrence. This

is not unlike, in traditional medical ethics, referring to other professionals to see if they would

have acted the same as one of their colleagues in any given situation. The ethical IT team would

determine whether, with how the hack was done, if it could have been prevented with reasonably

better security standards, of course taking into account the skill and tools of the hacker. To

answer the question of this essay, Yes, we should be worried, but we need not blow it out of

proportion nor be alarmist about it if only because that hardly helps the situation.

One of the major roadblocks to bettering our security systems and protecting patient data

and devices is money, which brings up all sorts of ethically murky issues about whether there

really is such thing as too high a cost to protect someone who has given themselves or some

information about themselves to another person for safekeeping. A recent report found that

health organizations may have to spend $834.3 million in total costs to address violations of the

Health Insurance Portability and Accountability Act (HIPAA) in 2009 (Miller and Tucker,

2011). These violations, of course, owing to the releasing, hacking, and dissemination of

confidential patient data. Though it should be noted that not all were direct cyber-attacks and or

hacks.

Besides better overall security systems, healthcare facilities might just better their

superficial security as well as their damage control systems. As one author frames it:
 Hacking & Privacy: Should We Be Worried? 9

Secure password systems should be developed; passwords being non-obvious

and changed regularly. Methods of tracing back through the telecommunications

network should be explored. Computer systems holding sensitive information

should have some sort of anti-hacker alarm system fitted (Ayala, 2016).

Especially of note should be the last category. It is worth mentioning that if our security systems

are indeed behind the ball in terms of protecting what we want private, it might be due time to

acknowledge more responsive and of-the-moment alarm systemssystems that can alert IT

professionals immediately of an ongoing attack or soon thereafter. This would be helpful in cases

where hackers demand money in exchange for not releasing thousands of patients data.

One particularly alarming case worth mentioning involved the hacking of Acxiom, a

marketing technology giant. The attacks were not detected by Acxiom, but by local law

enforcement and then by the Federal Bureau of Investigation Acxiom had no idea its systems

had been compromised until a Cincinnati sheriff turned up compact discs filled with the

company's records while searching the home of a systems administrator for a marketing firm

(Bambauer, 2013). Not only, then, were the companys servers hacked, but the company didnt

even notice. We might give companies or healthcare institutions an ethical pass on being hacked,

but it seems unlikely that that would extend to not even noticing being hacked. Alarm systems, at

the very least, should be up to a standard in which a quick response can alert patients, customers,

response teams, etc. to the hack.

Concluding Remarks
 Hacking & Privacy: Should We Be Worried? 10

The first step to any progress on this front is awareness. Doctors, nurses, patients, etc.,

have to know or be aware of the risks that are present. Its true that most cannot actually do

anything about these hacks directly, but their concern would send a ripple effect that would, in

some cases, force the hand of hospital software departments and IT professionals to do

something more. An important thing to note is that these arent all simply failures of technology,

but rather failures of proper ethical standards reflecting the level of protection promised. This

cuts both ways: hospitals, in the nearer future, would most likely end up saving money by

increasing their security standards since they will see a decrease in low-level, ransom-style hacks

(surprisingly common).

Until an attitude sea-change takes place, I fear we will treat the protection of our private

information as somehow less than, say, doctor-patient confidentiality. Putting it another way,

until we see the IT professionals having just as much a duty to protect our information, our

autonomy, and our wellness, the problem will only get worse. The first step is raising awareness,

but it is not, especially in such serious areas as health care, enough to simply be aware. We have

to protect ourselves.

References

Ayala, L. (2016). Cybersecurity for hospitals and healthcare facilities: a guide to detection
 Hacking & Privacy: Should We Be Worried? 11

and prevention. Berkeley, CA: Apress.

Bainbridge, D. I. (1989). Hacking: the unauthorised access of computer systems; the legal
implications. The Modern Law Review, 52(2), 236245.

Bambauer, D. E. (2013). Privacy versus security. The Journal of Criminal Law and
Criminology, 103(3), 667683.

Frenger, P. (2013). Hacking medical devices: a review. Biomedical Sciences Instrumentation,

49, 4047.

Kleinig, J. (2011). Recommendations. In Security and privacy: global standards for ethical
identity management in contemporary liberal democratic states (pp. 241246). ANU
Press.

Miller, A. R. & Tucker, C. E. (2011). Encryption and the loss of patient data.
Journal of Policy Analysis and Management, 30(3), pp. 534556.

Saco, D. (2002). Hacking cyberspace. In Cybering democracy: public space and the internet
(pp. 141198). Minneapolis, MN: University of Minnesota Press.

Sweeney, B. (2017, April 10). The frightening new frontier for hackers: your medical records.
Crain's Chicago Business. Retrieved from http://www.chicagobusiness.com

Zetter, K. (2017, March 4). Its insanely easy to hack hospital equipment. Wired. Retrieved
from https://www.wired.com