The internet of things (IoT) brings increased connectivity to all markets and industries, enabling a wide array of new services for customers and new business models for service providers. The internet of medical things (IoMT), aka connected medical devices, is not only accelerating medical progress, but also enabling a more human approach to care and healing. Data allows us to refine treatments and paves the way for precision medicine, better connectivity enables more timely care, and streamlined workflows improve operational productivity for healthcare organizations.
IoT technology is taking over the healthcare industry because it has become essential. But once a device is connected to your network, who is responsible for IoMT security and privacy?
The Value and Market Size of the IoMT
By 2023, the healthcare security market is expected to grow significantly — up to $8.7 billion, according to a Frost & Sullivan study released in April 2019. This growth would be largely driven by new purchases and deployments while healthcare organizations embrace emerging technologies such as the IoT, digital therapeutics, cloud hosting and artificial/augmented intelligence. However, these technologies are significantly increasing the complexity of safeguarding patient data.
Medical devices have added a positive value to how medicine is practiced. They are very important in diagnostics and the prevention and treatment of diseases. Without the assistance of medical devices, physicians may be unable to perform proper treatment in healthcare facilities. Such devices can have a significant effect on reducing or even eliminating symptoms and can turn a potentially fatal condition — such as cancer, COPD, asthma, type 1 diabetes, etc. — into manageable chronic conditions.
They can also serve as interim solutions. For instance, devices like cardiac and pulmonary assist and renal dialysis enable patients who are desperately in need of transplants to survive long enough to receive one. The capacity of devices to improve — or even save — patients’ lives in the absence of a cure will continue to grow as multiple scientific disciplines (including biomedical engineering, biomaterials research and cell biology) make individual advancements and complement each other in medical device design.
The IoMT spans a wide range of devices that can be categorized into three main groups based on the perceived risk of the product type, according to large regulatory agencies like the FDA, European Commission and Health Canada. Each class of devices follows a different route for their approval cycles. The categories are as follows:
- Class I or non-invasive devices, which rate as low to moderate risk. This category includes enema kits, elastic bandages, manual stethoscopes and bedpans.
- Class II or invasive devices that carry moderate to high risk, such as acupuncture needles, infusion pumps, air purifiers, surgical drapes and pregnancy test kits.
- Class III or active devices, which usually sustain or support life, are implanted, or present potential unreasonable risk of illness or injury. This category includes implantable pacemakers, pulse generators, HIV diagnostic tests, automated external defibrillators and breast implants.
Medical device manufacturers have numerous added tasks on top of the complex R&D phase of medical devices that include user interfaces, verification and validation efforts, and full life cycle services. They need to worry about reduced time to market, reduced product cost, compliance with medical device-related regulations, and end-to-end product services. And they need to collaborate with suppliers, distributors, customers and partners to optimize workflows constantly and devise innovative products without compromising quality. Developing well-analyzed and researched products to attain that technological edge requires streamlined processes.
How Vulnerable Are Connected Medical Devices?
Even though all devices are strictly regulated for patient impact, the industry has been behind the curve in dealing with risks of potential cybersecurity threats in the past few years. Like other computer systems, medical devices can be vulnerable to security breaches that affect the safety and effectiveness of the device. Connected devices and legacy systems leave hospitals wide open to cyberattacks, and recent data shows that the proliferation of medical IoT devices — along with unpartitioned networks, insufficient access controls and legacy systems — has created a massive and vulnerable attack surface that can be exploited by cybercriminals.
The “2019 Spotlight Report on Healthcare” from Vectra also reveals the following critical factors for this surge of attacks:
- Unsecured legacy systems still exist across the industry
- A major challenge for healthcare facilities that run 24/7 is downtime for patching
- Healthcare networks have a 3:1 device-to-people ratio
- Any device with an IP address can connect to unsecured networks and be subject to attacks
Researchers at Trend Micro analyzed internet-connected medical devices and systems using the Shodan search engine and found many that were viewable publicly. While internet connection is a requirement for many devices and systems to function, hospitals and clinics often leave devices and systems exposed online if they incorrectly configure their infrastructure. In fact, Shodan search results showed that more than half a million devices use the 10-year-old OpenSSH 4.3 software, which puts all these devices at risk.
IoMT Security Risks Can Be a Matter of Life and Death
Mitigating medical device cybersecurity risks can be a matter of life and death. Industry experts have pointed out that any connected cardiac medical devices, such as a smart pacemaker and monitor combination, could be hacked, and patient lives could be at risk. Similar vulnerabilities exist in morphine infusion and insulin pumps that could remotely overdose and potentially kill patients.
Examples of medical devices that have seen documented attacks include blood gas analyzers, PACS systems and X-ray machines. Other devices that are vulnerable to hacking that could lead to the death of a patient include implantable cardioverter defibrillators, blood refrigeration units and CT scanners. Medical devices still running Windows XP and other legacy operating systems are also easy targets.
A pacemaker device security audit by WhiteScope found more than 8,000 flaws, some potentially deadly, including a lack of encryption and authentication, simple bugs in code and poor design that could put patient lives at risk. One manufacturer alone had 3,715 flaws and another had 2,354. In one instance, the researchers found a few models didn’t require physicians to authenticate a programmer, and the programmers didn’t authenticate implantable pacemakers, which means that anyone who can get within range of the device can alter the implanted device’s settings.
“Any pacemaker programmer can reprogram any pacemaker from the same manufacturer,” the researchers noted.
What Can We Do Now to Improve IoMT Security?
Medical Device Manufacturers
Medical device manufacturers (MDMs) need to protect their substantial investment in the intellectual property of software, critical assets, design protocols, keys and firmware against reverse engineering, hacking and the potential liability of devices being counterfeit or intentionally misconfigured even before they are launched in the market.
Integrating security and adopting a DevSecOps approach to include application and infrastructure security from the start has become a mandate in most SW development houses. We need to automate security gates to keep the DevOps workflow from slowing down and select the right tools to embed security into the overall design and architecture continuously. This builds on the cultural changes of DevOps to integrate the work of security teams from day one of the design process.
The FDA issued clear guidelines on premarket regulations around the security of medical devices in October 2018 that confirm the responsibility of MDMs to include cybersecurity measures in the design, development and preparations for premarket submission of their medical devices. The agency is working actively to issue the new set of regulations by the end of 2019.
Embedded software protection tools should be deployed to conceal proprietary algorithms and secrets, including cryptographic keys. Once protected, IoMT applications can be safely deployed on untrusted hosts and in hostile environments such as mobile devices. These technologies, libraries and tools enable MDMs to customize the protection of their critical digital assets, which can be useful for security-savvy organizations that want the very best in renewable software security.
The security-by-design approach provides application protection through sophisticated data, function and control flow transformations, anti-debug, whitebox cryptography, and active integrity verification. Integrating this security technology with an enterprise security information and event management (SIEM) solution provides an advance warning of threat actor activity before the device or software is affected. Real-time health checks of device software, correlation and forensic analysis of all security data and event feeds help to prevent attacks and automate incident response playbooks.
Healthcare Delivery Organizations
Similarly, healthcare delivery organizations (HDOs) such as hospitals need to run a tightly controlled inventory of all devices connected to their networks and allow only patched and monitored devices to be deployed. The digital signature of each device should be registered using AI-enabled analytics tools that identify the behavior of each device type and model and promptly identify anomalies as they occur so that affected devices can be tagged for the right decision. From there, they can be quarantined, deactivated or monitored in accordance with hospital policies.
The FDA has issued postmarket guidelines to manage active medical devices that are being used in labs, hospitals, clinics and other care facilities. MDMs should continue to provide security patches for their IoMT operating systems and applications, including legacy ones — as much as is technically possible. Delivery organizations are advised to segregate the unpatchable devices and minimize network traffic to and from them and the rest of the network.
A good reference for HDOs to leverage is the MITRE ATT&CK framework, which is designed to assess, plan for and respond to cybersecurity incidents around medical devices and ensure their effectiveness and safety for patients. It is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
Implement End-to-End Security Controls
Having comprehensive and integrated end-to-end solutions for the internet of medical things is key for the industry focusing on MDMs and HDOs. These solutions should start on day one of the product life cycle of a medical device and continue through its submission and approval by regulatory agencies and deployment for patient use.