Professional Documents
Culture Documents
Adrian Rutt
Bioethics 528
Research Paper
Introduction
Its no secret that hackingand by extension privacyhas been taking the ethical center
stage within the past decade or so. The most poignant (and recent) example dealt with the recent
U.S. election: Did Russian hackers infiltrate the DNC or influence the recent election in any
way? Less, however, has been said with regard to the hacking of medical technology and
information, though the topic has indeed been broached by some scholars and ethicists. As a
recent article in Wired argued, Its insanely easy to hack medical equipment, and that the
healthcare industry is just now waking up to the security problems with medical equipment, and
that the problems exist because medical equipment has only ever been regulated for reliability,
In this paper, I hope to first survey the differences between privacy and security, noting
the philosophical differences between and consequences of both concepts. I will then examine
the process and potential consequences of both the hacking of medical data and of actual medical
devices, and why we should be worried not only in the latter case but the former as well. In
addition, to these more abstract formulations, I will present some case studies to bolster those
worries. I will then briefly survey some of the proposed remedies and protections a few people
Derek Bambauer argues that although security and privacy are complementary notions,
their differences are necessary to note in the context of debates surrounding medical ethics. For
my purposes, it will not be necessary to unpack Bambauers argument at length but only to note
the sharp distinctions he draws so that we can carry them into a discussion about medical ethics.
legitimately have the capability to access and alter information, while security is a set of
technological mechanisms (including, at times, physical ones) that mediates requests for access
or control (Bambauer, 2013). Tying them together, we might say that privacy informs security,
security system setup to retain that measure of privacy. This might at first be somewhat obvious,
but the microscopic picture may not be so: Bambauer argues that because security implements or
stems from privacy, it should be treated more seriously and thus punished more harshly when
flawed (Bambauer, 2013). This is because privacy rests on values whereas security is a more
technical matter of how we actually protect what we deem valuable or private. In other words,
its different to have some piece of information about ourselves released that we decided could
be public, versus deciding something ought to be private and the mechanisms somehow dont
make that happen. All this is to say is that a failure of values is going to be more likely and
happen often; a failure of technology, because it should be in-line with the former, is given less
wiggle room.
The difference matters, more specifically, because often people conflate security flaws
with privacy issues, thus leading to questions not of better security measures but of discussions
Hacking & Privacy: Should We Be Worried? 3
about what, exactly, we should even want to keep private. This is somewhat disconcerting if only
because this way of framing the problem is liable to the give-an-inch, take-a-mile argument: that
breaches in our privacy because of poor security standards makes us question not the security but
whether its even all that bad that some piece of information was released is the wrong way to
see the issue. This is not all that different from the alarming complacency with regard to Fourth
However, Bambauer is not saying that we shouldnt be having debates about privacy,
only that we should be careful about conflating the two concepts. Security, his point is, ought to
keep up with these normative discussions about privacy. It is clear that, for the most part, it
Dangers Abound
With respect to the hacking of medical information, the consequences are obvious: We as
a society have determined that our medical histories and lives are largely a private affairor at
least a minimally social affair. Thus the steps we take to secure or guard against potential
The problem, as the Wired article points out, is that everything these days is largely
web-based. That is, to a hacker everything is connected. As one security consultant puts it:
between the devices, so were able to alter the info that gets fed into the medical
could alter the data that was feeding from these systems, due to the
Because everything is unencryptedor lacks the necessary security given the level at which we
want these things to be privatethe potential for massive breakdowns in the system are at an
all-time high. Similarly, most of the interventions are of an ad hoc nature; that is, they are only
fixed because something malfunctioned or something got hacked. This is exactly backwards or at
Realizing that no small part of this issue circumambulates around the idea of money and
resources, it still stands to show that now we are doing things to protect ourselves from very real
threats. In other words, it at one time made sense not to encrypt or heavily secure medical
records, data, or equipment, but now it seems bordering on foolishthat is to say unethicalnot
to take the necessary steps to do so given the technological advances and hacking capabilities
that we see unfold on a daily basis. Whether its the hacking of celebrities phones or the DNC, it
And yet, its not the case, most of the time, that hackers are using high-level tactics. As
Paul Frenger says, In its simplest form, medical device hacking can result from an
unsophisticated brute-force approach (Frenger, 2013). Its quite simply too easy to hack data
and devices. Circling back to Bambauers point, we simply just have not kept our security
measures proportionate to our concerns about privacy. Notice that there are two ethical debates
here: one over the value-laden discussions about what we even want to keep private, and the
Hacking & Privacy: Should We Be Worried? 5
other concerns the gap between privacy and security. Should healthcare institutions be ethically
responsible and thus culpable for breakdowns in their networks? Perhaps the level of ethical
culpability should be proportionate to the ease at which the system was hackedthat is, whether
We found a couple of defibrillator vendors that use a Bluetooth stack for writing
configurations and doing test shocks [against the patient] when theyre implanted
or after surgery They have default and weak passwords to the Bluetooth stack
so you can connect to the devices. Its a simple password like an iPhone PIN that
As is implied with the above passage, death and very real physical harm are the most pressing
issues with regards to the hacking of medical devices. Although targeted attacks would be
difficult to pull off at the moment, this should still be very worrying, as even a whiff of
possibility shows the need to, as I mentioned earlier, stay as far away from purely ad hoc
In other words, we need to do a better job of raising awareness of the extent to which
personal data is available, accessible and collected; the extent to which it has been
compromised; and how easy it is, in some cases, to go from mere data mining to device hacking
(Kleinig et al., 2011). We should not have to wait for a disastrous attack to happen for something
Hacking & Privacy: Should We Be Worried? 6
security standards in some of these devices and in hospitals generally. For example a coroner in
medications secretly injected into its insulin reservoir by his wife, a nurse (Frenger, 2013). The
connected to a network or web-based system (as most are) it can most likely be hacked as well.
in Fall 2011 how hackers could manipulate his Medtronic pump to deliver an insulin overdose,
defibrillator to reprogram it from 30 feet away to deliver a potentially fatal 830 volt shock to a
It is true that cases such as the above are not bountiful and in some cases only theoretical
and experimental, but this is no reason for complacency. The course we are currently on suggests
that if we dont take the proper precautions and have public discussions about these types of
situations they can very well become prevalent. Its time we realize that, in essence, medical
equipment has only ever been regulated for reliability, effectiveness and safety, not for security
(Zetter, 2014). As a sort of meta-point, more articles like the one in Wired or Crains (referenced
are precisely what is needed. Academic worrying, though totally warranted and necessary,
doesnt do much for public awarenessthere needs to be two sides to the awareness coin.
Hacking & Privacy: Should We Be Worried? 7
Less physically consequential but nonetheless ethically serious is the hacking of patient
data and records. One study suggests that [the] digitization of patient records may increase the
likelihood of data breaches (Miller & Tucker, 2011). This seems obvious, but the consequences
of such are not. Employers having even second-hand access to employee data or potential
employee data could promote discriminatory practices at some of the highest levels e.g., the
hiring or firing based on health. Even records, though, present a slippery slope to even more
serious situations: the ability to hack patient records and fudge dosage numbers, medicinal
requirements, prescriptions, etc., could lead to great harm to the patient or even, obviously,
death.
More indirectly, the hacking of medical data presents major problems with identity theft
and similar scenarios. As one recent article written for Crains point out:
Because the records include so much information, thieves can falsify insurance
claims and collect checks, get tens or hundreds of thousands of dollars of free
care on someone else's insurance (which might affect the real policyholder's
(Sweeney, 2017).
Solutions-Based Thinking
We need to aim for not perfect but better. That is, no one is arguing that we should have
seen this coming (because were still in the seeing it coming stage), but only that our security
measures should be proportionate to the level of privacy we desire, if somewhat and naturally a
Hacking & Privacy: Should We Be Worried? 8
little behind. Further, I suggest that hospitals and healthcare institutions ought to be more
ethically and legally culpable for breakdowns in their systems based on, as I mentioned above,
whether or not a team of professionals determines the hack to be a preventable occurrence. This
is not unlike, in traditional medical ethics, referring to other professionals to see if they would
have acted the same as one of their colleagues in any given situation. The ethical IT team would
determine whether, with how the hack was done, if it could have been prevented with reasonably
better security standards, of course taking into account the skill and tools of the hacker. To
answer the question of this essay, Yes, we should be worried, but we need not blow it out of
proportion nor be alarmist about it if only because that hardly helps the situation.
One of the major roadblocks to bettering our security systems and protecting patient data
and devices is money, which brings up all sorts of ethically murky issues about whether there
really is such thing as too high a cost to protect someone who has given themselves or some
information about themselves to another person for safekeeping. A recent report found that
health organizations may have to spend $834.3 million in total costs to address violations of the
Health Insurance Portability and Accountability Act (HIPAA) in 2009 (Miller and Tucker,
2011). These violations, of course, owing to the releasing, hacking, and dissemination of
confidential patient data. Though it should be noted that not all were direct cyber-attacks and or
hacks.
Besides better overall security systems, healthcare facilities might just better their
superficial security as well as their damage control systems. As one author frames it:
Hacking & Privacy: Should We Be Worried? 9
should have some sort of anti-hacker alarm system fitted (Ayala, 2016).
Especially of note should be the last category. It is worth mentioning that if our security systems
are indeed behind the ball in terms of protecting what we want private, it might be due time to
acknowledge more responsive and of-the-moment alarm systemssystems that can alert IT
professionals immediately of an ongoing attack or soon thereafter. This would be helpful in cases
where hackers demand money in exchange for not releasing thousands of patients data.
One particularly alarming case worth mentioning involved the hacking of Acxiom, a
marketing technology giant. The attacks were not detected by Acxiom, but by local law
enforcement and then by the Federal Bureau of Investigation Acxiom had no idea its systems
had been compromised until a Cincinnati sheriff turned up compact discs filled with the
company's records while searching the home of a systems administrator for a marketing firm
(Bambauer, 2013). Not only, then, were the companys servers hacked, but the company didnt
even notice. We might give companies or healthcare institutions an ethical pass on being hacked,
but it seems unlikely that that would extend to not even noticing being hacked. Alarm systems, at
the very least, should be up to a standard in which a quick response can alert patients, customers,
Concluding Remarks
Hacking & Privacy: Should We Be Worried? 10
The first step to any progress on this front is awareness. Doctors, nurses, patients, etc.,
have to know or be aware of the risks that are present. Its true that most cannot actually do
anything about these hacks directly, but their concern would send a ripple effect that would, in
some cases, force the hand of hospital software departments and IT professionals to do
something more. An important thing to note is that these arent all simply failures of technology,
but rather failures of proper ethical standards reflecting the level of protection promised. This
cuts both ways: hospitals, in the nearer future, would most likely end up saving money by
increasing their security standards since they will see a decrease in low-level, ransom-style hacks
(surprisingly common).
Until an attitude sea-change takes place, I fear we will treat the protection of our private
information as somehow less than, say, doctor-patient confidentiality. Putting it another way,
until we see the IT professionals having just as much a duty to protect our information, our
autonomy, and our wellness, the problem will only get worse. The first step is raising awareness,
but it is not, especially in such serious areas as health care, enough to simply be aware. We have
to protect ourselves.
References
Ayala, L. (2016). Cybersecurity for hospitals and healthcare facilities: a guide to detection
Hacking & Privacy: Should We Be Worried? 11
Bainbridge, D. I. (1989). Hacking: the unauthorised access of computer systems; the legal
implications. The Modern Law Review, 52(2), 236245.
Bambauer, D. E. (2013). Privacy versus security. The Journal of Criminal Law and
Criminology, 103(3), 667683.
Kleinig, J. (2011). Recommendations. In Security and privacy: global standards for ethical
identity management in contemporary liberal democratic states (pp. 241246). ANU
Press.
Miller, A. R. & Tucker, C. E. (2011). Encryption and the loss of patient data.
Journal of Policy Analysis and Management, 30(3), pp. 534556.
Saco, D. (2002). Hacking cyberspace. In Cybering democracy: public space and the internet
(pp. 141198). Minneapolis, MN: University of Minnesota Press.
Sweeney, B. (2017, April 10). The frightening new frontier for hackers: your medical records.
Crain's Chicago Business. Retrieved from http://www.chicagobusiness.com
Zetter, K. (2017, March 4). Its insanely easy to hack hospital equipment. Wired. Retrieved
from https://www.wired.com