Analyzing the Healthcare IoT: How Safe are We?
In March last year, the Federal Bureau of Investigation issued an alert to healthcare organizations warning them of the cyber security risks that IoT technology brings with it. The bureau stressed that IoT is still in a nascent phase and that this immaturity creates obstacles around its capabilities. The alert was a call to remain proactive, since most connected devices ship with inadequate security and unpatched vulnerabilities, making IoT devices soft targets for cyber criminals.
Looking more closely at the Internet of Things in healthcare, the devices fall into four categories:
- Consumer products for health-monitoring – Devices that communicate with personal mobile devices using Bluetooth, e.g. FitBit, Nike FuelBand, Withings Pulse.
- Wearable external medical devices – Devices like portable insulin pumps, which use proprietary wireless protocols to communicate.
- Internally embedded medical devices – Devices like pacemakers, which are implanted within the patient and communicate wirelessly, either through proprietary wireless protocols or Bluetooth.
- Stationary medical devices – Devices that usually use more traditional wireless networks such as WiFi in hospitals or patients' homes, e.g. chemotherapy dispensing stations and cardiac monitoring for bedridden patients.
These devices are interlinked with each other to monitor patients thoroughly, keep them in good shape and provide them with the best possible medication available. Health-monitoring devices capable of observing subjects remotely provide real-time feedback on nutrition, heart rate, blood pressure and other vital signs. Dependency on these devices has grown to the point that patients seem to trust the tests they have researched themselves over the ones administered by a doctor. This is a major risk because, like everything else connected to the internet, IoT devices in the medical field are also prone to hacks and data theft. But here, in contrast to other sectors, protection and prevention against such hacks and malfunctions can be the very difference between life and death. Networked medical devices raise four main areas of concern: accidental failures, privacy violations, intentional disruption and widespread disruption.
The malfunction of an IoT device in healthcare does not always point to an external agent. As with any device, an accident from outside can hinder the working of a device such as a pacemaker. Such a failure could delay the development and deployment not just of pacemakers but of any such medical device for years, and in the worst case even decades.
Privacy violations are another big concern when using smart devices. Since the entire IoT depends on wireless transmission and reception, it is a priority that personal information is not divulged accidentally, lost or stolen. Science fiction and thriller movies are a step ahead in showing what the loss of patient data can do and how it can be put to negative use by a host of parties. It won't take much time for such events to become a real-world problem, and these issues must be dealt with immediately.
Interfacing sensors with medical billing records can be a major problem, as patients risk losing both medical and financial information. According to the Identity Theft Resource Center, 44 percent of all registered data breaches in 2013 targeted medical companies. Furthermore, the number of information security breaches reported by healthcare providers soared by 60 percent from 2013 to 2014, more than double what was seen in other industries, with financial losses up by a whopping 282 percent, according to PwC's Global State of Information Security Survey 2015.
Intentional disruption and widespread disruption have a major influence on the application of IoT in the health sector. Both are, directly or indirectly, a consequence of privacy violations. Intentional disruption is a concern because networked medical devices are as vulnerable as any other networked technology. Hackers, spies and terrorists seek to exploit IT vulnerabilities to create chaos. When a networked device is plugged into a person, the consequences of cybercrime committed via that device can be particularly personal and threatening. Attacks that target individuals with the intent to harm them physically are unlikely. However, there is a very high probability of attacks that could cause widespread disruption. In theory, a piece of targeted malware could spread across the Internet, affecting everyone with a vulnerable device. This far-fetched but possible scenario has already materialized in business IT systems and industrial control systems, for example the sophisticated Stuxnet virus which targeted Iran's nuclear program. The only catch is that, since these devices are not easily available on the black market, terror can't take root through them yet. But it would be sensible to assume that this won't remain the case for long.
Although these issues cast a dark shadow on IoT devices, there are preventive measures which, if implemented in the right way, could make IoT in healthcare one of the greatest technological breakthroughs of the 21st century.
As there were four concerns, there are four recommended safety measures:
- Stress security at the outset, rather than as an afterthought – When an IoT device, specifically one for healthcare, is manufactured, the security and integrity of the device should be tested at each successive step of the process. Security shouldn't be waved away as an afterthought, as most manufacturers do today.
- Improve private-private and public-private collaboration – This means hosting forums in which government and manufacturers coordinate with each other to build a more secure device. These forums can be of two types: a manufacturer working with the government, or manufacturers coordinating with one another. Such collaboration can strengthen the safety of data in the cloud.
- Move towards evolutionary change of the regulatory approval paradigm for medical devices – The current regulatory paradigm must do more to encourage innovation, while still meeting regulatory policy goals and protecting the public interest. One possible incentive might be a streamlined approval process. The regulatory process should encourage security by design, as well as the ability to patch systems after they are deployed.
- Introduce an independent voice for the public – It is fundamental that this model gives the public, especially patients and their families, a voice in the debate. In most countries, governments and private companies do not adequately represent the public's interest in medical issues. This applies especially to striking a balance among effectiveness, usability and security where the device is implemented and operated.
It is fair to conclude that even though complications and drawbacks may hinder certain stages of progress, healthcare IoT is expected to reach great heights. It all boils down to organizations moving to fortify the security architecture of IoT tools, as this could make a huge difference in the lives of people around the world.