Last month the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning of vulnerabilities concerning several medical IoT devices that could lead to data breaches.
These insecurities included buffer overflows, integer underflows, the improper restriction of operations, race condition, argument injection and null pointer dereference.
What’s more, all were described as being remotely exploitable by anyone with a low level of skill and knowledge.
So, how secure are the IoT-enabled medical devices already in use or in the pipeline?
And, aside from the obvious patient care benefits, what risks may IoT also be delivering?
The IoT revolution in healthcare
IoT has been given a clean bill of health in terms of its potential for growth in future medical device applications.
It’s not all directly about saving lives, however.
One of the biggest drivers of growth is the rapid adoption of healthcare information systems. In addition, there has been widespread adoption of IoT devices for connected security cameras – according to Aruba Networks, 87% of US healthcare organisations use these devices for tracking high-value medical equipment.
Other cases have more direct relevance to patient care. These include monitoring vitals, an increasing reliance on cloud-based big data for diagnostics and improving device accuracy and connectivity.
What IoT technology offers, above all, is remote monitoring, accuracy, speed and efficiency. It promises to revolutionise the traditional paper-based healthcare treatment by simplifying access to real-time patient data and remote patient monitoring.
IoT devices in healthcare
A quick review of some of the remarkable devices that are already being trialled – or are already in use – would include:
- CycoreThis remote monitoring cuff reduces the severity of disease-specific and general symptoms among patients with head and neck cancer during radiotherapy.
- OpenAPSThis open-source initiative stands for Open Artificial Pancreas System. It not only gauges the amount of glucose in a patient’s bloodstream, but also delivers insulin when required.
- Ingestible sensorsProteus Digital Health leads the way here. It has developed the first FDA-approved drug with a digital tracking system. Its pills dissolve in the stomach and produce a small signal that is picked up by a sensor worn on the body. This data can confirm the patient is taking prescribed medication as directed.
- Cardiac careThere are many wearable and invisible devices in development that allow real-time data from a patient’s heartbeat to be analysed by AI. Alerts can be instantly issued to the medical support team.
- RadiologyDevelopments are being made to combine IoT, machine learning and cloud technology to better manage workflows which are dependent on medical scanning devices. These optimise their availability and required downtimes.
Will secure data be an IoT casualty?
Electronic medical devices are already subject to intense scrutiny.
- Risk control is placed squarely at the feet of medical OEMs by the European Medical Devices Regulations (MDR).
- The updated ISO13485 has a similar focus on better risk control, improved supplier management and more detailed record of each stage in the device’s design and development.
- The complex rules of CE marking also need to be adhered to for any devices intended for sale in European markets.
The medical market already requires better traceability of components used in devices throughout the supply chain, more detailed technical documentation and more rigorous auditing during design and manufacture. It also necessitates ongoing clinical evaluation and post-market clinical follow-up.
And now, medical OEMs also need a partner who fully understands and can implement the strictest security processes and procedures for data transference.
The challenge of IoT
Healthcare data security breaches is rapidly becoming one of the biggest challenges that healthcare organisations face – hacked healthcare data fetches 10 times as much on the criminal market as credit card data does.
What’s more, a research group did not need too long to hack into a connected pacemaker, where they found several potentially life-threatening vulnerabilities caused by inadequate authentication and encryption practices.
In recent years in the US alone, there have been nearly 500 breaches reported annually, affecting 5.6 million patient records.
The recent Vectra 2019 Spotlight Report on Healthcare indicates that one cause of this is the proliferation of healthcare IoT devices.
It also goes on to identify other equally significant causes unrelated to the devices themselves:
- A lack of network segmentation
- Insufficient access controls
- A reliance on legacy systems
In addition, the report identifies gaps in policies and procedures that can result in errors by healthcare staff. Another investigation discovered that the majority of breaches are created by unwitting internal actors (59%) rather than criminally-minded external ones (41%).
Let’s just pause here: as important as data security must be taken by medical OEMs there is also a much wider problem at play.
This can be summarised as:
- Healthcare organisations often can’t afford to have their systems down to be patched, even for just a few hours – they need to be able to operate at all times.
- As a result of this, outdated systems and software have become common – and many legacy systems lack what are, in today’s environment, essential cybersecurity controls.
- Compounding this is that, due to a lack of training or the needs of emergency situations, a lot of well-planned protocols, procedures and security controls are being overlooked by medical staff.
The healthcare IoT: our part in protecting patients and patients’ data
It is clear that ensuring security in an IoT-driven healthcare system requires joint efforts from the providers and manufacturers of IoT devices and the healthcare organisations themselves.
Yet, it remains the responsibility of those who sell medical IoT devices – and their manufacturing partners – to ensure that two thorough health checks are always undertaken.
The first is to introduce new ways to monitor patients and equipment while improving care and lowering costs.
The second is to ensure that these devices are 100% data secure in their operation. Connected devices – from Wi-Fi enabled infusion pumps to smart MRI machines – must not increase the attack surface of other devices that are sharing their information.
Here are the basic security actions that must be taken at the design and production stages:
- AuthenticationOEMs should issue certificates for healthcare devices. These will validate identities to make sure that only authorised users or services can access the device.
- EncryptionDevices must communicate via an encrypted link to ensure that healthcare data is transmitted privately.
- IntegrityA certification process must be in place so that messages can be signed. This ensures that when the message is received by another device it can be verified as unaltered and to have not been intercepted.
If you’d like to discuss your latest IoT-enabled medical NPIs, our team are always happy to connect.