Computer hacking, and the permutation of crimes that can be committed by hackers, generally does not spur images of infliction of physical harm. However, in a chilling turn of events, computer hackers have opened a new front in the damage that can be inflicted through cybercrime. In a nefarious series of developments, cyber-liabilities now arise from remote manipulation of the operation of implanted medical devices or from social media-based messaging that is calculated to cause physical harm to the curated audience. In short, promising technological advances have been leveraged by bad actors in a fashion not primarily intended to extract money, but rather intended to cause actual physical harm to individuals.
In an attack that appears motivated more in an attempt to inflict physical harm, as opposed to simply hacking for financial gain, the Epilepsy Foundation announced on December 16, 2019 that it had filed a formal criminal compliant after the organization’s Twitter feed was hacked. The Foundation reported that a series of attacks were ‘designed to trigger seizure(s)’. The hacking of the foundation’s Twitter account was used to post GIFs and videos that had seizure-inducing strobe and flashing lights. People with epilepsy are prone to having seizures being triggered through viewing of flickering images and strobe lights. Perhaps the most twisted aspect of this crime is that it happened during National Epilepsy Awareness Month, when the largest number of people with epilepsy are likely to view the foundation’s social media outlets.
It is rare for hackers to inflict physical harm on their intended victims, but it is not unprecedented. Previously, in 2008, the Epilepsy Foundation was the victim of hackers who gained access to the Epilepsy Foundation’s website, bombarding it with hundreds of pictures and links to pages of rapidly flashing images. Within some of the posts were small flashing pictures or links, disguised as helpful links, that when clicked on took the viewer to pages of pulsating images with a myriad of colors. The breach triggered migraines and near-seizure reactions for some site viewers.
Additionally, in June of this year, in a proactive move designed to prevent a malevolent hack, the FDA issued a recall for two insulin pumps manufactured by Medtronic. The FDA took this action, stating that the devices that feature wireless remote access for dose adjustment, could be hacked and accessed by someone other than the pump’s user or caregiver or medical provider, and could deliver unsafe, possibly lethal, doses of insulin. The FDA’s message in this recall was that while increased use of wireless technology and software provides safer, more convenient healthcare delivery, there is cause for increased vigilance in this new modern era of healthcare and technology.
What is most remarkable about the FDA’s actions is that it was proactive. Most government action relative to cybercrime, until now, has been reactive in nature, with government agencies taking remedial action once a cybercrime has been perpetrated. Given the frightening implications of possibly hacking an insulin pump, along with the cybercrimes committed through the Epilepsy Foundation’s social media platforms, we may be witnessing the beginning of more steps towards increased oversight in this arena by government agencies.
To further illustrate how such attacks can strike anyone, one of this blog’s co-authors, who serves as a board member for not-for-profit Epilepsy Florida, shares, as an illustration of these high-tech medical risks, that the co-author’s minor child happens to experience seizures if exposed to strobe lights, and also carries an implanted medical device that can be operated and programmed remotely by the child’s medical team. Therefore the risks highlighted above are particularly poignant and real not just to the co-authors, but to thousands of similarly situated individuals nationwide. While not minimizing the financial liabilities in the cybersecurity space, these latest trends serve as a useful reminder to the entire medical research, development, and health service industries that a high priority should be placed on ongoing vigilance and securing sound security counseling resources.