The Rocky Road to Healthcare IoT SecurityJuly 24, 2018 No Comments
Featured article by Inga Shugalo, Healthcare Industry Analyst at Itransition
In today’s healthcare world, the Internet of Things or IoT stands at the core of digital transformation along with blockchain, VR, AR, and other forefront technologies.
Particularly, diagnosticians use four main groups of connected devices :
- Non-invasive products for health monitoring, such as smart watches, bands, rings, pendants, headwear and more. These products usually connect through Bluetooth with nearby personal mobile devices, frequently via dedicated healthcare mobile apps.
- Invasive wearable medical devices, including portable insulin pumps that often use proprietary wireless protocols to communicate with mHealth apps or send the data straight to nextgen cloud-based EHRs.
- Smart implantable medical devices, among them pacemakers and dermally-implanted sensors that can use Bluetooth and proprietary wireless protocols to send information about changes in a patient’s body to EHRs and hospital apps for health specialists.
- Connected stationery medical devices, namely chemotherapy dispensing stations or cardiac monitoring systems for abed patients. These devices use more traditional wireless networks, such as WiFi, to transmit data to EHRs.
Healthcare organizations will undoubtedly benefit from adopting IoT. According to a recent report on PRNewswire, the global market’s volume for IoT sensors in healthcare accounted for $1.1 billion in 2017. The report also forecasts the market to reach $1.9 billion by 2022, growing at 12.7% CAGR.
Still, the increasing interest in connected devices and dedicated enterprise mobile development inevitably clashes with security concerns. While regular security breaches in healthcare carry a threat to sensitive clinical and patient identity data, IoT breaches can put patient health at risk.
Tampering with invasive and implantable smart devices can entail morbid outcomes, and every healthcare stakeholder’s task is to prevent any possibility for security breaches. But first, it is necessary to outline the risk landscape in healthcare IoT security and discuss the acute concerns.
Healthcare IoT security concerns
The firmware and software under connected medical devices have evolved pretty much the same way as other technologies, in a mix of versions and approaches to implementation that were driven by patients’ needs and vendors’ inclinations. Vendors are those who decide how to assemble and maintain the product, juggling the trinity of business goals to balance time efforts, costs, and resulting usability.
As a result, there are no widely accepted standards in operating environment, networking backend, architecture or communication methods for any group of healthcare IoT devices. Variety, in this case, means a multitude of security-related concerns, including malfunctions, patient information vulnerability, targeted disruptions, and mass attacks.
Any technology out there can glitch or stop working at one moment because of design, implementation or performance flaws, and medical IoT devices are no different. Even more, the complexity of connecting the device to a consumer or a technology that operates physical processes, like in infusion pumps, presumes an increased opportunity for accidental system failures.
Even though a pacemaker can be as prone to failure as a smart lamp, medical device malfunctioning cost is incomparably higher, bringing in potentially lethal risks. There’s also a concern that should any high-profile issue arise, the public outcry can change the opinion on healthcare IoT adoption among healthcare organizations and slow down the technological advance in this realm.
Patient information vulnerability
Connected medical devices acquire and store most personal physiological and psychological patient data, therefore patient privacy and patient health information (PHI) are major healthcare IoT security concerns. If a device is also integrated with medical billing records or syncs data with cloud-based EHRs, the patient risks both their medical and financial information at once.
As of 2017, more than 5.5 million patient records were breached in 477 incidents, HHS states. To avoid adding healthcare IoT security breaches to this number, users, providers, and vendors have to ensure that unencrypted personal data won’t tap into open networks and get intercepted.
Of course, we must note that IoT is still at the rise and no one really knows how PHI can be used for malicious schemes. But this doesn’t mean that hackers will miss the chance of gaining control over connected medical devices just for the sake of ransom, which is the next concern.
IT was and stays the point of attraction for criminal masterminds that seek to use vulnerabilities across systems and gain monetary benefits from it. But when it comes to connected devices that are actually bound or even embedded into a person, the consequences of hacking into this device reach far beyond financial gains.
In 2014, The US Department of Homeland Security (DHS) was investigating two dozen cases of suspected cybersecurity vulnerabilities in medical devices that could be exploited to harm patients such as overdose diabetes patients via an insulin pump or cause cardiac arrest by making the pacemaker send a deadly electric discharge.
On a bigger scale, the threat of widespread IoT disruption emerges. Theory is that specially created malware can spread across the internet, activating only when getting into a vulnerable medical device and receiving a specific command.
This concern is large enough to create a bunch of “art-imitating-life” scenarios. For example, in a Kingsman: The Secret Service movie, the villain puts explosive chips in the brains of world leaders and his minions too, with the ability to trigger detonation at any time. Hopefully, life won’t imitate art in this case.
Healthcare IoT security protection measures
The overall approach to meeting security challenges that follow each new technology adoption should stem from open collaboration among all involved parties. To manage and reduce healthcare IoT security risks, regulators, manufacturers, vendors, and providers need to be on the same side. Below are several recommendations on how to achieve better communication between stakeholders and support IoT adoption with minimized exposure to security threats.
Establish security-first policy
Security shouldn’t be an afterthought in 2018. Experts from IoT company Itransition insist that both medical device manufacturers and of dedicated healthcare mobile apps, must research, design, and develop their solutions with security features outlined prior to initial rollout. Otherwise, it will be too costly, ineffective, and sometimes even impossible to secure systems that are already in a patient’s hands or body.
Following the security-first policy might include automated logging and tracking of device modifications being in use to identify and manage vulnerabilities. Regulators can support the policy development with initial funding for an open-source, common-language software library for medical devices. At the next level, the community of medical device manufacturers and software vendors can design a risk model to guide the process of product innovation, development, and delivery.
While the existing models for cybersecurity risk management don’t match the need for handling healthcare IoT security, they still can serve as a starting point to build on. For example, NIST’s National Cybersecurity Center of Excellence (NCCoE) collaborates with the industry to secure wireless medical infusion pumps with a practical guide on off-the-shelf solutions. NIST has also initiated a $7.5 million program to explore Cyber-Physical Systems, including connected medical devices.
Moreover, the community of manufacturers and vendors can benefit from cooperation with computer security researchers and participation in “bug-bounty” programs. These programs offer financial rewards for the researchers who perform low-cost security testing.
Evolve regulatory approach
Currently, the regulatory side needs to eliminate two roadblocks that complicate collaboration between all stakeholders – hindered communication and outdated approval process.
To ensure regulatory interpretation and agreement, there has to be a transparent platform to discuss, ask questions, and access guidance. The closest existing model is the National Health Information Sharing and Analysis Center (NH-ISAC), which focuses on threat response. Using it as an example, the government can create a specified resource to facilitate communication on healthcare IoT security and make sure that new products will land on approval procedure ready and protected.
Speaking of which, passing FDA’s 510(k) process means that the medical device can be sold on the U.S. market, yet it isn’t “FDA-approved.” Sadly, some manufacturers have to constrain innovation and stick with older technologies because this is the way to get FDA approval. This approach can also affect device security in the future as well as its compatibility with other technologies, e.g. dedicated healthcare mobile apps.
Regulators can adopt the experience of other industries where software security is more mature. Simple as it is, vulnerabilities of general commercial software can correlate with ones in medical devices, e.g. running with an outdated OS or on a vulnerable server. Eliciting these pitfalls by prioritizing security, regulators won’t approve such product. Hopefully, next steps will entail revamping the FDA approval process and changing the requirements for product creation with the security-first approach.
As more innovations arise, the role of IoT devices in healthcare is increasing, but security concerns can significantly slow down the process. Isolated measures of separate manufacturers and vendors won’t do, we need the collaboration between the industry and regulators to initiate a healthcare IoT revolution. Only substantial changes will help manage security threats at the industry-wide level, such as putting the focus on security-first design, improving communication between all stakeholders, incentivizing safe production of new connected medical devices, and transforming the FDA approval process.
Inga Shugalo is a Healthcare Industry Analyst at Itransition, a custom software development company headquartered in Denver, Colorado. She focuses on Healthcare IT, highlighting the industry challenges and technology solutions that tackle them. Inga’s articles explore diagnostic potential of healthcare IoT, opportunities of precision medicine, robotics and VR in healthcare and more.
HEALTH IT, SECURITY