Assassination by pacemaker: Australia needs to do more to regulate internet-connected medical devices

Bruce Baer Arnold, University of Canberra

In the future, people are going to be just a little bit cyborg. We’ve accepted hearing aids, nicotine patches and spectacles, but implanted medical devices that are internet-connected present new safety challenges. Are Australian regulators keeping up?

A global recall of pacemakers has sparked new fears and splashy headlines about hacked medical devices. But the next 20 years of medicine will normalise the use of intelligent implants to control pain, provide data for diagnostic purposes and supplement ailing organs, which means we need proper security as well as access in case of emergency.

Pharmaceuticals and medical devices in Australia are regulated by the Therapeutic Goods Administration (TGA), an arm of the national Health Department.

Can we rely on Australia’s medical devices regime? Recurrent criticisms by parliamentary committees and government inquiries suggest the regulator may be struggling.

The job of the TGA

The TGA regulates medical devices such as stents, pacemakers, joint implants, breast implants, and the controversial vaginal mesh that has featured recently in the media (and a Senate inquiry) over claims it seriously injured patients.

The role of the TGA is vital, because defective devices can result in injury or death. They have a major cost for the public health system and affect patient quality of life. They often result in litigation, sometimes with billion-dollar settlements.

In undertaking its mission, the TGA looks to information from manufacturers and distributors, from overseas regulators and its own staff.

Like their counterparts at bodies such as the US Food and Drug Administration, TGA staff are under pressure to get products into the marketplace and reduce “red tape”.

The TGA and cybersecurity

Wireless medical devices need greater security than, say, an internet-connected fridge. It is axiomatic that they must work.

We need to ensure that information provided by the devices is safeguarded and that control of the devices – implantable or otherwise – is not compromised.

To do that, we can use existing tools such as robust passwords, encryption and systems design. It also requires product vendors and practitioners to avoid negligence. Regulators must proactively foster and enforce standards.

Put simply, bodies like the TGA need to deal with software rather than simply bits of metal and plastic. It is unclear whether the TGA has the expertise or means to do so.

Solutions, not panic

The past decade has seen a succession of inquiries into the TGA, including the 2015 Sansom Review and 2012 Senate PIP Inquiry. Each has demonstrated that the TGA is not always keeping up with its task.

Problems are ongoing: think defective joint implants, breast implants and vaginal mesh. But there are some potential paths towards improvement.

Accountability

One solution is to ensure the TGA is more accountable.

Currently, if someone wishes to bring a claim alleging a device was improperly permitted, the TGA has immunity from civil litigation about regulatory failure.

Removal of that immunity would force it to focus on outcomes. That can be reinforced by giving it independence from the Department of Health, making it report directly to Parliament and ensuring the openness emphasised by the Pearce Inquiry.

Regulatory capture

Medical products regulation in Australia has been a matter of penny wise, pound poor. The TGA is funded by fees from the manufacturers and distributors that it regulates, in addition to some government funding.

It needs a discrete budget that recoups costs but is not dependent on companies that complain regulation is expensive. It needs enough resources to do its job well in the emerging age of the internet of things, including access to independent expertise regarding cybersecurity and devices.

A device register

How many devices have been implanted and how many removed? The lack of data about medical devices is a problem.

The government has so far not embraced recommendations for a comprehensive device register, one allowing timely identification of what was implanted and by whom.

Such a register would provide a means for determining problems with devices or medical practice. We need timely, consistent reporting of problems on a mandatory basis, as well as recall and transparent investigation of what went wrong.

Disclosure of interests

The inquiry into vaginal mesh revealed that the WA Branch of the Australian Medical Association had a financial interest in a device that may have seriously affected numerous women.

There must be full disclosure of such interests, with meaningful sanctions where disclosure has not been made. This requires action by the TGA, professional bodies and the government.

So, what about assassination by wireless pacemaker?

The cybersecurity of medical devices is a matter for everyone.

We need the TGA to work with manufacturers, distributors and health professionals to mandate best practice. Should, for example, manufacturers and practitioners ensure that implants do not rely on default passwords that are easily crackable? What about access by emergency services?

There is a fundamental need to develop and enforce a national safety standard regarding all wireless implants. For that we need thoughtful policy, not just headlines.

This article was originally published on The Conversation.

Author

  • Dr Bruce Baer Arnold is an Associate Professor in the School of Law at the University of Canberra. He has a strong interest in privacy, data protection, artificial intelligence and robotics, intellectual property and health sector regulation. He is on the editorial board of Privacy Law Bulletin and an OECD Health Information Infrastructure panellist. His work has appeared in Melbourne University Law Review, Journal of Medical Ethics, Monash Law Review, Laws, Adelaide Law Review, Local Government Law Journal, Alternative Law Journal and other publications. Dr Arnold was a former board member of the Australian Privacy Foundation and a member of OECD data protection working parties.