Keeping Neurotech Secure
Neurotechnology device manufacturers have an array of technical, regulatory, and marketing issues they must confront as they develop new stimulation and sensing products. Power management, biocompatibility, lead placement, and product safety are just a few examples that come to mind. But as we report in our article on page 1 of this issue, cybersecurity and privacy issues have joined the list of issues that vendors must confront before introducing a new product.
At the 2015 Neurotech Leaders Forum earlier this month, NBR senior editor Jennifer French chaired a session on neurotech privacy and security. One of the panelists, Stephanie Preston from Battelle DeviceSecure Services, recommended that neurotech companies develop, publish, and practice a responsible disclosure policy. A comprehensive policy allows cybersecurity researchers and consumers to report vulnerabilities they discover, and it provides for responsive communication and breach resolution.
Unfortunately, when it comes to medical devices, there are unique limitations on these security practices. Energy consumption is at the top of the list. Adding more functions to a device requires more power, which strains precious battery life. Also, the additional computational and transmission demands that cybersecurity places on the devices’ microcontrollers stand to impact overall performance. Finally, data storage on an implanted medical device chip is a finite resource because of the limited real estate. These trade-offs must be a component of the design process early on. Trying to retrofit an existing design for cybersecurity purposes may not be so easy.
The session at the Leaders Forum also touched on data privacy issues. Ariel Garten from EEG headset manufacturer InteraXon discussed her involvement with a nonprofit organization called Center for Responsible Brainwave Technologies (CeReB). CeReB seeks to develop ethical standards for vendors and users of consumer EEG headsets.
A whitepaper published by the organization identifies privacy risks posed by these devices. First, shared brainwave data may carry information that is not fully understood yet and could later be used against the customer. Also, the shared data could potentially be cross-correlated with other information about the participant and passed on to a third party. CeReB recommends that commercial EEG vendors identify how they will use collected data, educate users about the potential for downstream involuntary disclosure of sensitive information, and ensure that consent and opt-out provisions are clearly identified and supported.
We concur with the recommendations from Battelle and CeReB and welcome more discussion on neurotech privacy and security in the future.
James Cavuoto
Editor and Publisher