While the technological advances in Internet of Things (IoT)-connected devices have changed the face of medicine, they have also raised concerns about healthcare IoT security. As with most technology, though, advances do not come without risk. All the patient data an organization collects, transmits, and stores by any means becomes a target for cybercriminals.
The latest statistics show that:
- The medical IoT market will reach more than $150 billion in two years.
- The sector is also a primary target of cyberattacks.
- Healthcare providers stand a 75% chance of a data breach of more than 5 million records.
- Breaches are expected to cost the industry a total of $6 trillion this year.
A significant portion of the cost comes from fines related to privacy law violations. If the industry wants to realize the projected savings of $300 billion per year, it needs to find more robust security solutions — especially for opportunities at the space’s edges.
What is Medical IoT?
As a general concept, the IoT is a system of devices with the ability to independently communicate over a network. It includes such items as smart TVs, electronic doorbells, kitchen appliances, or security cameras, all of which can be connected to the internet and controlled by linked mobile devices, and all of which require information security applications to protect their data.
When these IoT-enabled items share a common application such as manufacturing or medical care, the network is considered a subset of the IoT. In industry, it is the Industrial Internet of Things (IIoT); in health and applications related to patient care, it is the Internet of Medical Things (IoMT).
The range of connected IoT devices in medicine has exploded in recent years to include:
Fitbits and smartwatches are two examples of wearables that consumers can purchase to monitor their health. They count steps, track heart rate, and more to improve overall wellness.
Monitoring and Tracking Symptoms
These include any medical device that can be used at home, with results sent to medical professionals for review in real time. These might include heart rate monitors and items to check blood sugar.
Connected devices can help healthcare professionals track when or if their patients take their medication. An abrupt stop in medication can have serious side effects, but a medical device that aids in medication tracking can lower that risk.
A combination of medication and sensors monitors a patient’s physiological symptoms while taking medication or undergoing treatment. These are common in medicine, and include a variety of infusion pumps, among other items.
Medical Waste Management
An IoT device can help automate the process of disposing of medical waste to reduce risk of contamination.
IoT is being used to more accurately track drugs through the supply chain and to ensure drugs are dispensed according to orders.
IoT innovations are helping healthcare operations better track, record, and plan for equipment upgrades to items like MRI machines.
These are just a fraction of the possible healthcare use cases. Consider these applications, then multiply by the number of times a single medical provider could use them. Suddenly, a single facility could have hundreds if not thousands of connected medical devices to manage, increasing the potential vulnerabilities for system administrators.
The Security Implications of IoMT
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines an individual’s privacy rights regarding medical records. Recent laws such as the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) have strengthened those protections, making it essential that healthcare organizations protect patient privacy.
A few facts to keep in mind:
- In 2019, $12,274,000 was paid in fines and settlements by healthcare systems for data breaches and inadequate protection of patient information.
- Data breaches are not the only form of cyberattack healthcare institutions can experience.
- Recent attacks have resulted in denial of service and ransomware attacks.
- An Alabama hospital chain was unable to accept new patients for 10 days after being the victim of a ransomware attack. The health care network paid the ransom and could resume operations.
- Alabama was not an isolated incident, though.
- In October 2020, three government agencies, including the FBI and the Department of Health and Human Services, announced there was “an increased and imminent cybercrime threat to US hospitals and health care providers.”
- Bad actors are just waiting for an opening in device security to launch an attack.
There is no doubt that IoMT can change the future of healthcare, but the lack of healthcare IoT security solutions will hinder its expansion. Healthcare networks cannot afford to be held for ransom or have patient records stolen. Such an event breaks the trust between an organization and its patients.
10 Questions You Should Be Asking About IoMT Security
Addressing the security of IoMT rests with manufacturers, the healthcare industry, and those who rely on healthcare organizations for care. Government agencies can help provide guidance and possible oversight where applicable. When looking to the future of IoT security, all stakeholders should be asking questions such as the following.
1. How can healthcare providers secure IoT devices?
IoT security has three underlying areas of weakness:
Outdated operating systems
The use of old operating systems is another problem. They were not designed for 21st-century operations or secure medical records, and thus present security vulnerabilities for any organization.
Having all connected medical devices and other IoT devices on a single network means every doctor can use the information to properly treat those in their care, but it also means hackers can access the entire health care system once they have successfully compromised it.
Equipment is not always replaced or its software patched and updated to minimize possible security risks, meaning a team of IT professionals is needed to constantly report breaches and manage that risk.
Before the healthcare industry can secure today’s medical devices, it has to address the problems created by using older technology. Healthcare institutions lack a cybersecurity framework to guide their efforts to improve security controls.
2. Which patient data elements are hackers after?
Hackers are after as much personal data as possible. The more extensive the details, the easier it becomes for them to steal an identity. That also means the more complete the information, the more money it is worth on the dark web. Since all U.S. patient records must now be stored electronically, hackers can access a person’s medical history once they breach the system. That includes physician notes and test results, as well as patients’ Social Security numbers, insurance details, and much more.
3. What other information are hackers after?
Recent cyberattack efforts have targeted medical research facilities. Most of those attempts have been initiated by nation-states with sophisticated tools that pose an ongoing threat to patient safety.
4. What are manufacturers doing to secure IoT medical devices?
The FDA has issued guidelines that recommend that manufacturers of medical devices follow the “Identify, Protect, Detect, Respond, and Recover” model that aligns with the NIST Cybersecurity Framework. This is only a recommendation, however, and manufacturers are under no obligation to adhere to the guidelines, but it is an attempt at standardizing security requirements for medical IoT devices.
5. What can you do to help protect their data?
People need to secure their home networks to protect against unauthorized access, as breaches at home can easily lead to breaches at other institutions. Individuals should follow such best practices as:
- Make sure your Wi-Fi router has the latest patches.
- Create a strong password for every device.
- Do not share passwords among devices.
- Do not respond to emails from unknown sources.
- Do not select links to unfamiliar websites.
You should think about the information you post on social media, as well. Hackers can use that information to gain trust, use a home network as an entry point, and launch a breach on a healthcare organization.
6. What happens if a device is lost?
Protocols should be in place for deactivating a device if it is lost. A device that is not disabled can be used as an access point into a wider network. No matter how well the item is protected, hackers will find ways to bypass any security measures given enough time. Removing the device from the list of valid devices reduces the available attack surface and thus lowers the risk of denial-of-service attacks or other breaches.
7. How is network access controlled?
All facilities should follow a zero-trust authentication model. In a zero-trust model, all connections must be verified at the time of the connection — every time. Requests for access from inside a facility should be treated with as much scrutiny as an external request. Many facilities assume that a request from behind the firewall can be trusted.
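The two controls described in questions 6 and 7, sketched together as an added example (not code from the original article): every request is verified against a device registry on every connection, a lost device is revoked from the list of valid devices, and the source address is never a trust input. The registry class, device IDs, keys, the HMAC request tag, and the 10.0.0.0/8 "internal" range are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "behind the firewall" range

class DeviceRegistry:
    """List of valid devices; a lost device is revoked, not just forgotten."""
    def __init__(self):
        self._keys = {}        # device_id -> per-device secret set at enrollment
        self._revoked = set()
        self._seen = set()     # (device_id, nonce) pairs already used

    def enroll(self, device_id, key):
        self._keys[device_id] = key

    def revoke(self, device_id):
        self._revoked.add(device_id)

    def verify(self, device_id, nonce, tag, src_ip):
        # src_ip is deliberately not consulted: inside and outside get the same scrutiny.
        key = self._keys.get(device_id)
        if key is None or device_id in self._revoked:
            return False
        if (device_id, nonce) in self._seen:
            return False       # replayed request
        if not hmac.compare_digest(sign(key, device_id, nonce), tag):
            return False
        self._seen.add((device_id, nonce))
        return True

def sign(key, device_id, nonce):
    return hmac.new(key, f"{device_id}|{nonce}".encode(), hashlib.sha256).hexdigest()

def perimeter_allows(src_ip):
    """The assumption the article warns about: trust anything behind the firewall."""
    return ipaddress.ip_address(src_ip) in INTERNAL_NET

def demo():
    reg = DeviceRegistry()
    reg.enroll("pump-01", b"constructed-key-1")
    reg.enroll("tablet-07", b"constructed-key-2")
    reg.revoke("tablet-07")                       # reported lost
    good = sign(b"constructed-key-1", "pump-01", "n1")
    lost = sign(b"constructed-key-2", "tablet-07", "n1")
    return {
        "pump_first": reg.verify("pump-01", "n1", good, "203.0.113.5"),
        "pump_replay": reg.verify("pump-01", "n1", good, "10.1.2.3"),
        "lost_inside": reg.verify("tablet-07", "n1", lost, "10.1.2.3"),
        "lost_perimeter": perimeter_allows("10.1.2.3"),
    }
```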
8. How is data secured when at rest?
Organizations can protect data-in-transit through encryption and virtual private network (VPN) implementations, but what about when the data is stored? Unsecured data makes it easy for hackers, as they do not have to attempt to rebuild the data before selling. Whether it is database encryption or blockchain technology, organizations must find ways to improve data security.
9. How are updates or patches applied?
Companies provide updates and patches to correct or improve functionality, but they often address possible vulnerabilities as well. These corrections should be applied immediately to all impacted devices. In the healthcare sector, organizations must have protocols in place to ensure that all devices are updated. Threat actors are looking for that one device that has not been updated.
10. Where should the IoMT industry begin?
Step one is an assessment of current security measures and an updated inventory. Organizations can then begin to answer the above questions as they pertain to their healthcare environment after step one is completed.