
Data I love you: in sickness and in health

In this new blog post, we refer to two works of fiction: Homeland and The Circle.

Is it possible to hack a pacemaker?

Homeland pacemaker hack

Excerpt from episode 10 of the 2nd season of Homeland. Source: Showtime

Healthcare equipment, such as connected insulin pumps or new-generation pacemakers, has major security flaws. In episode 10 of the second season of Homeland, an American series focused on post-9/11 espionage, Nicholas Brody is a former marine who was held as a prisoner of war by Al-Qaeda. Released by the U.S. Army, he enters politics and meets William Walden, Vice President of the United States and former director of the CIA. As soon as they start talking, he is in pain: his pacemaker is being hacked by a cybercriminal.

Hacking a pacemaker: fact or fiction? In 2017, the Food and Drug Administration (FDA) – the U.S. administration that, among other things, authorizes the marketing of drugs – recalled 465,000 pacemakers to update them. “FDA researchers proved that it was possible to take control of the device at a relatively short distance or accelerate the heart rate,” Usbek&Rica wrote in September 2017.

According to 01net.com, researchers at WhiteScope, meanwhile, found 8,600 security flaws within pacemakers manufactured by four different companies, again in 2017. Note that this figure also includes the third-party components and software that make the device work.

These findings did not escape the attention of Marie Moe, a cybersecurity researcher who herself has a pacemaker. “Can hackers break my heart?” is the almost poetic (if not so literal) title she gave to her TEDx talk.

In 2016, following the implantation of the defibrillator in her body, she was gripped by a concern: what if cybercriminals were able to hack her device remotely? To find out for sure, she decided to hack it herself. With the help of her research team, she bought pacemakers on eBay or from medical professionals.

The researcher discovered that it was possible not only to extract data from pacemakers but also to turn them off remotely (while staying fairly close to the targeted person). Her research also brought to light numerous configuration defects and bugs that affected her own device. Her work has thus served first and foremost to improve the functioning of her device and, by extension, that of an entire sector.

The commodification of health data: for or against?

Another cybersecurity specialist, another TEDx talk, another pathology. In 2015, Salvatore Iaconesi, an ethical hacker, consultant for multinationals, and professor, gave a talk on an experience that could have ended tragically. Diagnosed with a brain tumor, he struggled to get an image of it from his doctor. He decided to hack the hospital that was treating him and obtained his entire medical file. He put it online and called on Internet users to help him.

He then received nearly half a million contacts, some very serious (90 doctors and researchers helped him), others more personal (messages of support, poems…). An artist even made a 3D print of his tumor. Each new piece of information he received from his doctor was then discussed with a team of specialists via the platform he had created, in order to establish the best treatment strategy. Today, Salvatore Iaconesi is doing well and, as an open source specialist, he wants to set an example of making medical data available to as many people as possible.

Like Salvatore, many voices are speaking out to make as much health data public as possible, to advance research, and/or allow patients to benefit from monetizing their data.

Michèle Anahory, Olivier Spreux (both lawyers specializing in health law), Robert Chu, and Alexis Normand (managers of the start-up Embleema) all four signed an opinion piece published in Le Monde in January 2019. For them, each “citizen should be able to authorize the exploitation of his or her data, in the form of licenses, for defined purposes and be paid in royalties.”

For them, the observation is simple: “When targeting a pathology, pharmaceutical research acquires digitized medical records at great expense. For example, Roche’s acquisition of the software company Flatiron in early 2018 for $1.9 billion (€1.65 billion) put into the lab’s hands the complete medical histories of about 200,000 cancer patients, or about $10,000 per file. Even if the purpose is legitimate, since it is to accelerate the development of treatments, the patients know nothing about it.”

The collective further states: “Our data are indeed considered as assets by the platforms, which aggregate and sell them. The value of European citizens’ data will amount to some 1,000 billion euros in 2020. Individuals do not benefit from this flourishing business.”

Two of the signatories, Robert Chu and Alexis Normand, know something about this. Their start-up Embleema raised €3 million in February 2019. This fundraising was notably carried out in partnership with Pharmagest, a French company specializing in the marketing of digital solutions for pharmacies.

Embleema has developed a digital platform called PatientTruth, based on blockchain, that “wants to give patients back control over their medical data to speed up the launch of new treatments,” Les Echos explained in February 2019.

“This is a huge improvement over the current model where intermediaries […] capture all the value of the data, whose source (patient, hospital or research center) receives no remuneration, or is even unaware that it is being sold,” explains Robert Chu, president of Embleema, to Les Echos.

Health data, a new business challenge for GAFAM?

This consensual sharing of medical data has been highlighted in a recent film, which will be the second work of fiction featured in this article: The Circle, a 2017 film adapted from the novel of the same name by Dave Eggers.

In the near future, young Mae has just landed her dream job: she joins one of the teams of The Circle, the largest technology services group in the world (a thinly veiled portrayal of Alphabet, Google’s parent company). The company lives and breathes by the data it collects, analyzes, and sells. One of the services it offers will benefit Mae’s father, who has multiple sclerosis. In exchange for free treatment, he will have to agree to be permanently monitored by The Circle. All of his health data will therefore go to the company.

In reality, are the GAFAMs – namely Google, Amazon, Facebook, Apple, and Microsoft – interested in our medical data? For each of them, the answer is yes. There are so many articles about their projects in the medical sector that we have to limit ourselves to those of Google: first, to keep the link with The Circle, and simply to avoid weighing down the analysis.

In 2017, Verily, Google’s health subsidiary, launched the Baseline project: 10,000 volunteers were recruited and equipped with a battery of connected objects (going as far as sensors under their mattress). The goal? To monitor the evolution of their health remotely for four years.

In medical research, this is called a cohort study. It is a fairly common practice that consists of observing the evolution of the health status of a defined population over time. The only new fact is that Google is the first non-academic player to launch one. The Baseline project has been set up in partnership with Stanford and Duke universities. Required funding: 100 million dollars. Note that Verily raised $1 billion in January 2019.

Laurent Alexandre, a surgeon and essayist, interviewed by Les Echos, declared in 2017: “Baseline is a testing ground for Google, which is starting small to learn before going big. My hunch is that, within ten or twenty years, the platform companies will have created their cohorts, of not 200,000 but several tens of millions of people, and will use them to redo, on an industrial scale, medical studies that have so far been questionable.”

And the surgeon may have a point. Baseline’s slogan is: “We’ve mapped the world, now let’s map human health.”

Acquiring health data via the Internet

When Google does not acquire medical data from voluntary patients, the multinational obtains it from websites referenced on its search engine. At least this is what was revealed by an investigation by the Financial Times, taken up by Les Echos in November 2019.

“The British business daily’s investigation reveals that the most popular health sites in the UK are sharing their users’ most sensitive medical data with dozens of online advertising companies around the world. And they do so without clearly asking for consent, as required by the European General Data Protection Regulation […]. Approximately 80% of the 100 sites studied are concerned,” says Les Echos.

And the financial daily continues: “The examples given by the Financial Times are enough to make a medical profession bound by the Hippocratic oath shudder. Drugs.com sent drug names to Google subsidiary DoubleClick […] BabyCenter sent ovulation cycle information to Amazon. The British Heart Foundation or Bupa, a private medical provider, sent keywords like “heart disease” or “considering an abortion” to Scorecard Research and BlueKai, an Oracle subsidiary.”

The UK is not an isolated case. In September 2019, another survey, this time conducted by Privacy International – an NGO that campaigns against privacy violations – looked at 136 particularly popular web pages, all of which focused on depression. These were available in France, Germany, and the UK.

“76.04% of these pages contain third-party trackers with marketing purposes,” the article details. Here again, Google’s subsidiary DoubleClick, but also AdSense, are among the companies that have placed the most trackers on these pages.

“Information that reveals when someone is feeling sad or anxious – specifically when combined with other data about their interests and habits – can be used to target Internet users when they are most vulnerable,” Privacy International analyzes.

So, whether it is a question of selling products or services to Internet users, marketing their health data to the giants of the sector, allowing patients to earn additional income by selling their data, and/or advancing medicine and the development of new treatments, the issue of health data remains thorny. Still new, faced with a law that is sometimes unevenly applied and that differs from one country to another, this issue concerns us all: because this data is, above all, ours.

Far from imposing a ready-made answer, whether it is about our health data, our children’s data, the data captured by our homes, the data we will leave behind after our death, or the data we share with our conversational AIs, we hope that this series of articles will have made you think. Because the use of our data is not an issue of the future, as shown by all the works of speculative fiction we have highlighted, but a question of the present.

 
