Cyber Security & Implanted Bio-Monitoring Devices

Dylan Roskams Edris describes risks associated with implantable remote bio-monitoring devices.


Over the past few years, there has been a rapid growth in the development of implantable remote bio-monitoring systems for medical purposes. For example, implantable monitors that allow for constant monitoring of blood glucose and heart status are being tested in clinical trials. A defining feature of implantable monitors for medical care is the ability to transmit the data they collect wirelessly without patient intervention. Suzanne E. Spaulding, former Under Secretary for the U.S. Department of Homeland Security, said that: “It has been predicted that by 2020 the internet will expand to include 50 billion connected devices.”  We can expect that this will include the expansion of bio-monitoring systems.

The appeal of such technology is clear. For chronic conditions like diabetes, the early detection of hypoglycemia can let the patient or healthcare professional take emergency action or notify paramedics before the patient has a potentially fatal seizure. In addition, if a physician or sufficiently sophisticated medical system can access data related to a chronic condition on a remote basis preventive measures can be taken to stop dangerous acute symptoms from occurring in the first place.

However, the uptake of implantable remote bio-monitoring also poses several risks. First, there is a risk that bio-monitoring devices could be illegally hacked or intercepted. If the operation of a device is dependent on the transfer of information between the device and some centralized healthcare system then interference with information going in either direction could affect the device’s function. There is already a risk that, for example, a pacemaker connected to a local system could be hacked, but further integration into informational infrastructure only increases the opportunities for access.

Second, there is a risk that the data gathered by the bio-monitor could be used or shared for other legal purposes. The implantable devices intended to serve health needs could also act in a surveillance capacity. Biometric data relating to how much glucose someone is using, or how fast their heart rate is, can be used as indicators of activity. The more physically active someone is the higher their heart rate and glucose metabolism. If this information is combined with location data, for instance if the data is transmitted through a smartphone, conclusions can be drawn about how much physical activity someone is engaged in at a particular location. Such an activity map could prove useful in various legal contexts. For example, if someone is accused of a crime, and their alibi is relaxing at home, biometric and location data can be used as evidence of whether one was home and whether one was relaxing.  A man in Ohio was arrested in 2016 based partially on just such information.

Similarly, if someone with an implantable bio-monitoring device is injured during an accident and claimed that this was because of a driver’s negligence, their biometric data could be relevant to an ensuing lawsuit. It could be used, for example, if a traveling salesperson were to claim that he or she can no longer walk the long distances required for the job because of a car accident caused by the negligence of the defendant. Evidence of how far the salesperson has travelled and under what levels of physical strain could speak directly to the truth of such a claim for compensation of lost wages. It is quite possible that in such a scenario the person wearing the implantable bio-monitoring device would be compelled to release the relevant bio-information. Arguably, regardless of whether the data is used legally, we should be cautious about extending the surveillance capacities of the state under the guise of improved health. If, for example, the data was used to show that someone was engaged in high levels of physical activity in the bedroom of a motel, they may well consider that data extremely private and sensitive. Furthermore this burden of surveillance would not be extended universally, but would fall directly on those vulnerable patients who require implanted devices.

Both the illegal and legal uses of implantable bio-monitoring devices and data deserve further consideration. It is imperative that device manufacturers, lawmakers, judges, and society at large consider these risks in a proactive way. For example, judges can ensure that any order for the release of biometric health information is handled by trained professionals, and that filters are applied so that only relevant data are put before the public eye of the court. In doing so decision makers can make sure patients are informed of risks and that use of their data outside of healthcare is restricted to only those circumstances where the serious invasion of privacy is justified.


Dylan Roskams Edris is a 3L law student at the Schulich School of Law at Dalhousie University, and a Research Intern at the National Core for Neuroethics at the University of British Columbia. @DylanWRE