THE HEALTHCARE INTERNET OF THINGS – FOR BETTER OR WORSE
By Rema Deo, HCISPP
By now, everyone is familiar with the Internet of Things (IoT), an expanding network of physical devices, appliances, and equipment that are embedded with sensors, software, and other technologies in order to connect and exchange data with other devices and systems over the Internet.
It’s an exciting digital world in which your smartphone can control the tiny computers in your air conditioning system and your house lights. Where the small computer in your refrigerator monitors water quality and automatically orders a new filter from the manufacturer. Where your computerized oven can be turned on remotely to preheat while you drive home.
Medical Devices Interconnected
The Internet of Things is a reality in the healthcare industry as well, connecting life-saving equipment in emergency rooms, enabling doctors to monitor patient health remotely, introducing new ways to manage chronic conditions, and providing numerous other conveniences. Following are just a few real-life examples:
- Medicine dispensers connect electronically with systems that automatically update the healthcare provider when a patient has skipped a dose of medication.
- ‘Smart’ hospital beds are equipped with sensors that indicate when the bed is occupied, alerting nursing staff if a patient is attempting to get out of bed.
- Ingestion monitoring systems, whereby swallowed pills transmit data to a device, are able to monitor and report whether a patient is taking medication as scheduled.
- ‘Smart’ inhalers track when individuals suffering from asthma or Chronic Obstructive Pulmonary Disease (COPD) require their medicine, with some devices even equipped with allergen detectors.
The Cybersecurity Challenge of the IoT
As exciting as these new conveniences are, they come at a price: manufacturers have typically not built robust security into the small embedded computers that enhance their products, and this is as true in healthcare as in home appliances.
Any medical device designed to connect to a network or the Internet, if not configured and programmed properly, can serve as a gateway for attackers to gain unauthorized access to patient data and to tamper with dosages, measurements, tests, reports, and other elements of healthcare monitoring and treatment. Cybersecurity is an inherent challenge when countless devices and systems are interconnected.
In the healthcare industry, this challenge exploded over the past decade. Consider just three examples from 2017 alone:
- Eight security vulnerabilities were detected in the Medfusion 4000 Wireless Syringe Infusion Pump, used for accurate medication delivery in critical care units, including data collection and reporting.
- Computer-controlled magnetic resonance imaging systems in U.S. hospitals were hacked and rendered nonfunctional for an extended period of time.
- 465,000 implanted cardiac pacemakers were the subject of an FDA-announced recall, addressed with a firmware update rather than surgical replacement, after it was found that the pacemaker's programming could be accessed and altered by an unauthorized party.
In the past decade, ten types of implantable cardioverter defibrillators, more than 100,000 insulin pumps, and numerous other medical devices and pieces of hospital equipment were found to contain security vulnerabilities that placed the medical personnel and patients using them at serious risk.
Valued at $425.5 billion (USD) in 2018 and projected to reach $612.7 billion in 2025, the global market for medical devices is enormous and rapidly expanding. Cybersecurity challenges associated with medical devices are expected to rise as well.
FDA Response to Cybersecurity Challenges
As electronically connectable devices become increasingly important to healthcare, the U.S. Food and Drug Administration (FDA) has stepped up with initiatives designed to improve the security of new devices and update the security of existing IoT devices.
Fundamental to these initiatives, the FDA charged medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) to ensure appropriate safeguards are in place. MDMs have been urged to be vigilant in identifying risks and hazards related to their medical devices, including cybersecurity vulnerabilities. HDOs are charged with evaluating their network security and protecting hospital systems from unauthorized access and improper Internet connections. Together, they are responsible for addressing patient safety and security risks and ensuring that their devices and systems perform properly.
Collaborating with the National Institute of Standards and Technology (NIST), the FDA has helped develop several measures intended to better protect patients by securing medical IoT devices. The FDA also partnered with the Medical Device Innovation Consortium (MDIC) and MITRE, which manages research and development centers for several government agencies, to develop guidance and protocols to improve medical device security.
In its role as cochair of the International Medical Device Regulators Forum (IMDRF), the FDA helped develop a global medical device cybersecurity guide, published in March 2020. Its purpose is to promote a globally harmonized approach to medical device security that ensures the safety and performance of medical devices while encouraging innovation.
The guide leverages the NIST Cybersecurity Framework and recommends that manufacturers follow its principles in creating trustworthy medical devices. These principles include preventing unauthorized use, maintaining the confidentiality of data, designing the device to detect cybersecurity events in a timely fashion, and responding to potential cybersecurity incidents, to name a few. The guide spotlights core cybersecurity risk areas—such as insufficient access controls and unencrypted data transmission—and urges manufacturers to regularly update the software on their medical devices in order to provide the most robust security.
Rather than detailing how a manufacturer or healthcare delivery organization should go about meeting the various recommendations, the FDA leaves those implementation decisions to the entities themselves. For HDOs and their business associates, those decisions must also satisfy the federal regulatory requirements defined in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
Taking the First Step
The most effective means to discover vulnerabilities across an organization's entire ecosystem is a comprehensive security risk assessment, as mandated by the HIPAA Security Rule. A comprehensive assessment evaluates every element of security, from networks and systems, to applications and software, to connected equipment and devices. It also provides specific recommendations for addressing each vulnerability and prioritizes them by the severity and potential impact of each risk. Cybersecurity firms providing security risk assessments may also offer remediation plans and implementation assistance. A comprehensive assessment is the vital first step in securing the Internet of Things in the healthcare industry.
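As an added illustration (not part of the original post, and not a tool from the FDA, NIST or the IMDRF), the following Python script applies two of the core risk areas the IMDRF guide spotlights, unencrypted data transmission and improper Internet connections, to the kind of flow log an HDO would pull from a firewall or network tap during a risk assessment, and ranks the findings by severity so that remediation can be prioritized. The device inventory, flow records, hospital address space and port-to-protocol table are all constructed assumptions for the example; real port usage varies by vendor and has to be confirmed against each device's documentation before any finding is acted on.

```python
"""Flag cleartext and direct-to-Internet traffic from connected medical devices.

Constructed example for a security risk assessment of an HDO network: the
inventory, flow records, address space and port table below are all made up
for illustration and are not data from any real hospital or vendor.
"""
from dataclasses import dataclass
import ipaddress

# Assumed device inventory: device IP -> asset name (constructed).
INVENTORY = {
    "10.20.1.15": "infusion-pump-ward3",
    "10.20.1.40": "mri-console",
    "10.20.1.77": "smart-bed-gateway",
    "10.20.1.90": "pharmacy-dispenser",
}

# Assumed hospital address space; any destination outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destination port -> (protocol label, carries data in cleartext?).
# Well-known defaults only; vendors reassign ports, so confirm per device.
PORT_TABLE = {
    21:   ("ftp", True),
    22:   ("ssh", False),
    23:   ("telnet", True),
    80:   ("http", True),
    104:  ("dicom", True),        # DICOM without TLS
    443:  ("https", False),
    2575: ("hl7-mllp", True),     # HL7 v2 over MLLP, no TLS
    2762: ("dicom-tls", False),
}

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

# Constructed flow export, one record per line (firewall / NetFlow style).
FLOWS = """\
2024-03-01T10:01:12Z src=10.20.1.15 dst=10.20.5.10 dport=2575 proto=tcp bytes=812
2024-03-01T10:01:30Z src=10.20.1.40 dst=10.20.5.20 dport=104 proto=tcp bytes=5120000
2024-03-01T10:02:02Z src=10.20.1.77 dst=10.20.5.30 dport=443 proto=tcp bytes=2048
2024-03-01T10:02:45Z src=10.20.1.90 dst=203.0.113.7 dport=80 proto=tcp bytes=1400
2024-03-01T10:03:10Z src=10.20.1.15 dst=10.20.5.11 dport=23 proto=tcp bytes=300
2024-03-01T10:03:40Z src=10.20.1.77 dst=10.20.5.31 dport=8443 proto=tcp bytes=760
2024-03-01T10:04:05Z src=10.20.7.5 dst=10.20.5.10 dport=2575 proto=tcp bytes=900
"""


@dataclass(frozen=True)
class Finding:
    device: str
    src: str
    dst: str
    dport: int
    issue: str
    severity: str


def parse_flow(line):
    """Turn 'ts k=v k=v ...' into a dict with an int dport."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr):
    """True when the address lies outside the assumed hospital ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def assess_flow(rec):
    """Return a Finding for one flow, or None if it raises no concern."""
    device = INVENTORY.get(rec["src"])
    if device is None:
        return None  # not an inventoried medical device; out of scope here
    label, cleartext = PORT_TABLE.get(rec["dport"], (f"tcp/{rec['dport']}", None))
    external = is_external(rec["dst"])
    args = (device, rec["src"], rec["dst"], rec["dport"])
    if external and cleartext:
        return Finding(*args, f"cleartext {label} to external host", "high")
    if external:
        return Finding(*args, f"direct external connection over {label}", "high")
    if cleartext:
        return Finding(*args, f"cleartext {label} on internal network", "medium")
    if cleartext is None:
        return Finding(*args, f"unrecognized service {label}; verify encryption", "low")
    return None


def assess(log_text=FLOWS):
    """Assess every non-blank flow line and rank findings, highest severity first."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    findings = [f for f in map(assess_flow, map(parse_flow, lines)) if f]
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.device, f.dport))


def summarize(findings):
    """Count findings per severity for the assessment report."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = assess()
    for f in results:
        print(f"[{f.severity:6}] {f.device:22} {f.src} -> {f.dst}:{f.dport}  {f.issue}")
    print(summarize(results))
```

Run against the constructed log, the script ranks the pharmacy dispenser's cleartext HTTP session to an address outside the hospital first, then the internal HL7, DICOM and Telnet sessions from the infusion pump and MRI console, and last the smart-bed gateway's traffic to a port the table does not recognize, which is flagged only so an assessor verifies whether that service is encrypted. Flows from hosts not in the device inventory are skipped, which is itself a reminder that the assessment is only as complete as the inventory it starts from.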
Given the size of the medical device market, the scope of security risk and its potential impact, the growing body of available guidance, and ready access to proven remedial services and tools, there is no reason for the healthcare industry not to maintain the highest level of cybersecurity throughout its Internet of Things. Every member of the industry, from manufacturers to healthcare deliverers, should be acting swiftly and smartly to reach this goal.