The face of the healthcare industry is changing. With the advent of Internet of Things (IoT) technologies, in-body and wearable medical devices are now capable of reporting patient statistics in real time, administering medicine, autonomously delivering corrective stimulus and more.
Patients receive alerts on their smartphones when their glucose levels drop, doctors are notified if a patient misses a scheduled dose of medication, and apps can even help predict the onset of a major depressive episode.
This is the world of the Internet of Medical Things (IoMT), also called healthcare IoT. Comprised of medical devices and applications linked to healthcare IT systems via WiFi, smart health devices eliminate some of the need for human-to-human and human-to-machine interaction when reporting patient vitals and other health-related events. Cloud-based data storage systems provide ample room for stats and are accessible by medical professionals.
According to a 2016 report by Allied Market Research, the size of the worldwide IoMT market is predicted to reach US$136.8 billion by 2021. In 2018, there were already 3.7 million smart medical devices in use and this number is expected to rise in line with the accessibility of health wearables and an ageing global population.
In 2017, around 60 percent of global healthcare organizations had already implemented IoMT tech. Frost & Sullivan, a market research firm, suggested this number would rise by 27 percent by 2019.
IoMT devices offer patients a means of tracking their own health at home, administering medication schedules correctly, and sharing vital data with healthcare providers. Medical professionals receive reliable statistics and information that can be used to manage patient conditions with efficacy. Large banks of trustworthy online health data could also make a valuable contribution to ongoing medical research. The possibilities are only just beginning to be explored and the future is sure to hold exciting discoveries and tools that completely revolutionize the way we view and provide healthcare. But while we stand on the brink of these changes, there are several urgent concerns that need to be addressed regarding both data privacy and device security.
IoMT Safety and Physical Security
We can imagine IoMT security as a two-part issue. Of primary concern is a patient’s physical safety — security experts have already warned that pacemakers are vulnerable to hacking. One device, made by Abbott’s, was recalled by the American Food and Drug Administration (FDA) but the warning came only after a significant number of devices were installed in Australian patients.
The very same factors that make remote-access embedded IoMT tools desirable (low cost, small size, remotely accessible) are those that leave them prone to cyber-attacks. Most embedded IoMT devices lack the power and memory capabilities to support full cryptographic security or encryption. On the latter point, because these devices are not secured, they must rely heavily on encrypted WiFi to protect users. Access controls are also affected by the lack of power.
Another complicating aspect is that patients and doctors may be more drawn to convenience and easy access than to tightened security. Remote monitoring, the very thing that makes smart pacemakers and other embedded health devices so attractive and important to ongoing IoMT technologies, means an added vulnerability.
While many with a vested interest, including Abbott’s, attempt to downplay the risks involved, some very tangible physical threats are present. At the time of writing, there hasn’t been a reported attack on a person’s embedded medical device. But security experts warn that it’s possible, if not out of malice, then in an attempt to extort money. Ransomware, which threatens victims with data theft unless they pay heavy fees, is on the rise.
In a very valid point, Matt Green, a Johns Hopkins professor specializing in cryptography, argued that the threat is real but may not play out the way people imagine: “This whole ‘nobody will hack pacemakers, the world isn’t Homeland’ ignores the threat of extortion attacks on manufacturers.”
Some citizens express concern. In a 2007 move that largely preempted the wider conversation, Dick Cheney, then Vice President of the United States, had his pacemaker modified to avoid attacks.
Password protection, or a similar authentication method, is problematic as well. If only authorized people can access devices, this presents a complication during medical emergencies. If the patient and their primary care doctor are the only people who know the credentials, emergency staff may struggle to gain access and urgent treatment could be delayed.
Pacemakers are not the only vulnerable devices. Any medical device that is connected to a network is exploitable. This includes MRI machines, electric wheelchairs, and insulin delivery devices. Researchers Billy Rios and Jonathan Butts, who work for QED Security Solutions, went as far as developing an app that can kill people to make a point about the flaws in Medtronic’s MiniMed and MiniMed Paradigm insulin pump lines, a step they took only after their warnings to Medtronic went unheeded.
IoMT and Data Security
The other threat, while not quite as insidious as physical harm, comes a close second. All the collected health data generated by medical devices provides hackers with a desirable target — one that they have not ignored.
In 2016, 16 million patient records were stolen from healthcare providers in the US. Across the Atlantic, Britain’s National Health Service (NHS) suffered a severe blow to its systems in 2017 when a ransomware attack locked the computers that manage patient data and booking systems.
We can imagine that top-level administrators did indeed feel like weeping when they discovered that the WannaCry virus would cost them 19 million pounds sterling. In contrast, the hackers made very little in ransom.
One might wonder why hackers would turn their attention to governmental services when far more lucrative targets exist. It’s always possible that the aim is to create havoc as opposed to generating wealth. Antagonists from hostile foreign governments may see health services as a key part of a nation’s infrastructure, one that could provide a path to other critical areas.
As frightening as threats to physical security and data security are, there is no reason to fear technology. As we stand, there is little point advocating for a return to simpler, less-connected devices and data storage systems — the world doesn’t work like that anymore and sacrificing advances in healthcare seems a high price to pay. Instead, technology must rise to meet the new wave of challenges.
Most attacks targeting healthcare systems are missile attacks. These provide an element of protection for the antagonist and leave very few traces. Despite limited recourse, missile attacks have the ability to cause major damage.
To mitigate the potential for harm and to protect their systems, most organizations providing healthcare services have started taking serious protective measures, including building layers of cybersecurity into their IT strategies. Hospitals should heed these newer standards and implement them as well to protect users and data banks at the delivery level.
That said, like anything tech-related, once one problem is solved or addressed, another is likely to rear its head. Perhaps in the future we might see a new industry emerge, one that is centered around protecting IoMT devices and healthcare data en masse.
Even with such an industry in place and when we consider that these systems are designed by humans for humans, we must allow for the possibility of human error.
No matter how informed and well-trained healthcare staff are on the latest threats, a single click on one nefarious attachment and malware can infiltrate a whole system and possibly interrelated systems as well.
An additional complication is that organizations and healthcare providers may play down incidents out of fear of legal or financial repercussions given that the responsibility for securing systems falls on their shoulders. If under-reporting is already taking place, the threat level could be much greater than we think.
Even worse, if organizations have paid hackers to avoid facing up to the issue, this could prompt a rise in similar or copycat attacks.
The key to better healthcare security lies in providers and organizations understanding the extent of the threat and taking firm measures to guard against it. Manufacturers of IoMT devices should take note of and act upon warnings they receive from third-party security experts. Some transparency is needed, too; patients with embedded devices have the right to know the security status of the tools inside their bodies, before an attack occurs, not after the fact.