Innovations in medical IoT show great promise to improve patient care and reduce costs. However, most of these IoT devices are hackable, and introduce cybersecurity risks that could negatively impact patient care and the bottom line.
Medical oT technology has changed the game for healthcare providers seeking to reduce costs and improve delivery of patient care. The advances are promising, and the medical IoT market is set to explode. Predicted to reach $136.8 billion worldwide by 2021, IoT device manufacturers are racing to meet the demand, while introducing unquantifiable cybersecurity risks to healthcare organizations and patients in their care.
Mounting Medical IoT Security Issues
The variety and novelty of these devices introduces a range of cybersecurity concerns related to the Confidentiality-Integrity and Availability (CIA) triad that underpins HIPAA compliance, patient data protection, and overall information security.
- Infusion and Insulin Pumps
- Smart Pens
- Implantable Cardiac Devices
- Wireless Vital Monitors
- Thermometers and Temperature Sensors
- Security Cameras
From tracking the news headlines, the following six medical IoT devices have already proven to be more vulnerable—and therefore critical—to watch closely in the network.
- Infusion and Insulin Pumps
Infusion pumps makes up over half of all medical IoT devices deployed today. Medical professionals can now remotely manage and administer blood, saline, and other medical fluids with IoT-controlled infusion and insulin pumps. The ability to deliver healthcare in this capacity decreases costs, assures quality of patient care, and allows multiple infusions to be managed simultaneously from one central hub.
But this type of technology also invites malicious threat actors interested in disrupting these life-sustaining advances in medicine by exploiting the connectivity capabilities that link drug delivery systems and medical records.
As long as pumps use wireless remote controls, connect to the internet, relay patient data, and deliver critical therapies, vulnerabilities will accompany the technology. Check out the NIST released guidance to secure wireless infusion pumps in healthcare organizations due to the incredible complexity required to secure them. - Smart Pens
The proliferation of digital devices and touch screens make patient care documentation a breeze and also introduces HIPAA security compliance issues that must be managed. Considering the treasure-trove of patient data stored in smart pens, they are an attractive target that cybercriminals could easily exploit like this cybersecurity researcher did in 2017. In addition to the information housed on the device itself, the researcher also used the smart pen as an entry point into information technology writ large, including patient medical record databases. - Implantable Cardiac Devices
Another disruptive innovation in healthcare has been the advent of implantable cardiac medical devices, including pacemakers and the devices used to program them. Not surprisingly, these devices also yield potential security vulnerabilities that pose risks to patients. Researchers discovered that a simple denial-of-service attack against a pacemaker has the potential to kill.
In October 2018, the FDA issued a Safety Communication informing patients and healthcare providers about the cybersecurity vulnerabilities related to Medtronic’s cardiac implantable cardiac device programmers. The software update released by Medtronic solved the issue, but it wasn’t the first vulnerability that made its way to FDA-Safety Communication status. Since 2017, the FDA has issued four safety communications regarding vulnerabilities associated with popular implantable cardiac devices. - Wireless Vital Monitors
Wireless devices that can transmit heart rate, blood sugar, and other vitals directly to the physician and patient via Bluetooth are convenient methods to monitor patient health, even while the patient is discharged. Physicians and patients can easily be alerted of abnormal vitals through mobile phones, applications, other devices. It is crucial that the wireless monitors interface through encrypted networks and applications to avoid leaving the data and device exposed to cyberattacks. - Thermometers and Temperature Sensors
Did you hear about the casino that got hacked via their lobby fish tank’s smart thermometer? Comical, and true, the reality is there’s a lot more than fish on the line when it comes to temperature control within a healthcare environment.
With IoT being embraced across healthcare systems, monitoring IoT-enabled temperature systems will be key to avoiding a foreseeable attack. Sensor technology today is cheap, and operations management is likely eager to adopt (if they haven’t already) IoT to manage everything from refrigeration to HVAC. It’s important for teams to work together to ensure deployed IoT is documented, and entered into an inventory, with make, model, and lifespan noted. Any manufacturer-issued patches should be included in continuous vulnerability scans and implemented during firmware and software updates. - Security Cameras
Hopefully, you haven’t missed the news about Mirai, the botnet that launched the largest DDoS (Distributed Denial of Service) attacks on record by connecting to other connected IoT devices. Using default usernames and passwords, the Mirai botnet can command internet-connected devices to launch globally-scaled DDoS attacks against high-profile services, applications, websites or organizations. Additionally, connected cameras offer access points that could lead to patient data.
The Solution for Medical IoT Device Security
While there is no documented evidence to-date of a hacker harming a patient through a medical device, leading cybersecurity researchers have pointed out that every medical device is hackable. These vulnerabilities must be addressed.
That’s where a Managed Detection and Response (MDR) service comes into play. If a threat actor attacks a vulnerable IoT device, security analysts actively monitoring the network will see the anomaly to investigate further. In turn, if indeed an incident has occurred, they can then help respond to the threat. Ultimately, whether sourced in-house or outsourced, a coordinated strategy for detection and response is the only way to safely operate Medical IoT devices for patients and the organizations serving them.
The Future of Medical IoT and Cybersecurity
The future of Medical IoT is growing at such an exponential rate because of its promises to help advance patient engagement and improve delivery of health care. While the disruptive innovation of Medical IoT on one hand is exciting, on the other, the security concerns are significant. As IoT progresses in the healthcare industry, healthcare IT managers and CISOs should be aware of their most vulnerable IoT and take steps to inventory, manage, and monitor deployed IoT technology to reduce cyber risk.
Because when patient care is at stake, there really is no time to delay.