The internet of things (IoT) is ever-expanding, and while this growth is bringing new capabilities and opportunities for business innovation, it also presents new challenges and security risks. And there is no greater risk than that of life or death, which is a core concern around the IoT in healthcare.
Devices like smartphones, tablets, laptops and digital assistants have already penetrated the industry, and the IoT is at the heart of the digital healthcare ecosystem. This ecosystem includes patients and medical staff, medical devices (e.g., diagnostic and imaging), surgical robots, wearables, intelligent equipment and countless wireless sensors — all of which can share sensitive data.
Despite palpable cybersecurity concerns, it appears the IoT momentum train is picking up speed. According to Gartner, the IoT in healthcare is forecast to grow by 29 percent in 2020, trailing building automation and automotive as one of the fastest growing industries.
As IoT use cases proliferate, their impact on the healthcare industry can only deepen — and that has implications both auspicious and ominous.
The Internet of Things Can Be Rewarding for All Parties
Alan Mihalic, president and founder of the IoT Security Institute, has noted that the IoT in healthcare is rolling out incredibly quickly and echoed Gartner’s prediction that billions of devices will be connected by 2020. Mihalic believes the primary motivators behind this rapid growth are lowering costs and improving patient care through big data.
“Big data is the opportunity that allows the industry to address both,” he said, noting that the information it can provide goes beyond industry data and includes that of external parties and external vendor providers as well. “With all this data, they can look at how to improve their service and lower the cost to deliver that service. But moreover, it’s a question of moving from a reactive to a proactive healthcare model, which is one of the key benefits of the IoT.”
On the patient side, the internet of things can offer tremendous benefits. When healthcare providers have more data about the status of patient health, proactive care becomes possible. Imagine your doctor informing you about a health hazard you will likely face before it happens based on data of this kind.
“If you’re walking around with a device that lets a health provider be made aware that you’re about to have a dangerous heart incident because it’s fluctuating, that can be incredibly powerful,” said Mihalic.
Even the smart refrigerator you have in your home could send relevant data back to a healthcare provider about your diet. Privacy concerns aside, the potential for better care is massive. On the other hand, the potential risk for lost, stolen or misused data is also enormous.
Calculating the Costs of the IoT in Healthcare
At the onset, transitioning toward digital healthcare can affect the bottom line significantly. New hardware, new procedures, training costs, infrastructure costs — it can all add up quickly. The validation of the cost, according to Mihalic, is to maintain trust in line with community expectations.
“If I’m prepared to give you all my medical records, I expect you to be able to protect them in a manner which you consider reasonable or the average person would consider reasonable,” he said.
Since most of the data will be cloud-based, many different data protection scenarios also come into play. With all that data, the discussion around privacy, cybersecurity and protection of data is paramount. It’s a complicated issue to tackle, but fortunately the IoT Security Institute has developed an extensive framework that providers can follow.
People, Places and Hardware
Instead of discussing the meticulous details of the framework, I thought it best to walk through the most critical elements of healthcare IoT with Mihalic and present some general tips the industry can follow.
As organizations look to source IoT devices to incorporate into their healthcare systems, Mihalic recommends a heavy dose of due diligence and a hint of skepticism. Questions to ask include:
- How secure are they?
- How are they built?
- Do you know where they come from, and do you trust the manufacturer?
“These devices are a big link in the chain; one weak link and the whole chain collapses,” Mihalic advised.
Before deployment, tests should be run with an eye toward producing a report that identifies where the weaknesses are and where they need to be addressed. In that report, you could also include recommendations for training.
Once you’ve identified the key actors in your solution — which may include nurses, doctors, surgeons, administrators and others — ongoing education about the IoT is critical. This may be the biggest hurdle to overcome, as healthcare professionals have enough on their plate as it is, and taking time for additional education may not be at the top of their priority list.
“No matter how good you are at security, if you don’t educate your staff about the risk associated with these devices, no amount of peripheral protections can help you,” said Mihalic.
Building and Engineering
Included in the IoT Security Institute’s framework is an illustration outlining the considerable reach of IoT technologies within the built environment. Understandably, the task of securing such a vast number of communication channels, data flows and interfaces can seem quite daunting. According to the framework, “smart technologies by their very design and purpose extended beyond traditional IT security services and actors. The cyber professional, design engineer, privacy advisor and facilities manager all have a role to play in securing and protecting this vast digital ecosystem.”
Mihalic suggested that, whenever possible, healthcare facilities should be designed so information can be shared across all parties and stakeholders, including site engineers and architects. All providers must be in line with the security framework, as any threat actor who wants to hack a hospital could attack a design company directly to steal blueprints that show where the hospital’s vulnerabilities are.
Security Advice for Healthcare Professionals
Independent security researcher Rod Soto agreed with Mihalic that it is essential for healthcare professionals to become acquainted with these technologies and their inherent risks.
“The security of the IoT may affect their jobs now,” Soto added. “Although they are not technical professionals, they must be trained in security awareness. They must understand that those devices can be used against them or their patients. Blindly relying on machines connected to the internet or trusting the data from them without verifying is a recipe for disaster.”
Yet today’s medical professionals are often unaware that many IoT products lack security, according to Jelena Milosevic, pediatric nurse and cybersecurity advocate.
“We all assume that any devices we use inside of hospitals or healthcare institutions are secure and safe,” she said. “Many of my colleagues don’t believe that it’s that bad. They think that warnings are some kind of science fiction.” She further explained how medical professionals may use as many features of a new device as they can without a second thought, since they assume the features wouldn’t be there if they weren’t safe.
“But we can’t give them everything they want — if it can’t be made safe and secure, we need to make it clear to them,” she said. “They will accept it, especially if they understand that patients could be harmed.”
Awareness of potential threats can help healthcare professionals make better decisions for IoT use cases and ensure that data collected for patient safety is trustworthy.
The IoT Crystal Ball
Proper implementation of the IoT in healthcare can mean life or death for some patients, and if we don’t get cybersecurity right, there could be serious trouble. Mitigating cyber risk is crucial for any industry, but there’s no room for error in healthcare. While everything here may seem overly taxing, Mihalic is confident that the state of the industry can only get better.
“We’re opening the discussion and providing the ability for security and privacy professionals to download our framework and to start having that conversation,” he said. “We’re at a real important crossroads because in the next year, two years, five years, billions of devices and trillions of sensors will be connected. We need to pick up the pace and keep our eyes on the ball. We can’t be overwhelmed with the commercial bells and whistles and the flashy lights and colors.”
Concluding my conversation with Mihalic, I asked him if security in the industry is improving, and his response was fitting: “I think it’s getting better because I’m talking to you, right?”
As long as we continue to have conversations about the importance of cybersecurity, we’ll at least be on the right track.