Addressing Security Risks to Medical IoT Devices

Ejona Preçi and Curtis Simms
Author: Ejona Preçi, CISM, CRISC, ITIL, Information Security Risk Manager at FREE NOW (BMW & Daimler joint venture), Germany, and Curtis Simms, MBA, CISM, CISA, CDPSE, CSX-P, CISSP, CHFI, CEH, Director of Security Operations at Bright Health Group, USA
Date Published: 25 July 2022

The Internet of Things (IoT) enables millions of smart devices worldwide that are connected to the internet to collect, process and share data. The adoption of IPv6, which offers enough IP addresses for every device globally, has been a tremendous boost for the IoT to scale. Not only has the IoT reshaped many aspects of our everyday life, but it has also been a complete overhaul for the healthcare industry.

Nowadays, a typical hospital utilizes dozens of IoT devices, including wearables, guided imagery systems, monitoring sensors, implantables, ingestibles, etc. Thanks to this type of technology, healthcare staff can now assist and monitor patients remotely, which is a big step forward in access to healthcare, especially for patients with transportation barriers, the elderly and those who live in remote areas.

The COVID-19 pandemic paved the way for even more accelerated adoption of IoT in healthcare. Overwhelmed health facilities and reduced in-person contact have been some of the triggers for increasing remote medical assistance. The value of medical IoT devices in healthcare will almost quadruple, from US$177.64 billion in 2021 to over $467.25 billion by 2027. The Compound Annual Growth Rate (CAGR) is estimated to be 7.49 percent.

In the past, the adoption rate of IoT devices in the healthcare industry was slower due to regulatory policies and legislation related to data security and privacy. During the COVID-19 pandemic, emerging regulations were adopted using fast-tracked procedures to approve IoT utilization.

Large-scale use of IoT in healthcare involves the processing and transfer of patients’ personal information, which raises issues around privacy and security. While IoT technology offers several advantages for better patient care, many medical IoT devices lack robust security. In general, each device connected to the internet is a potential security risk that could lead to a security incident or data breach through various threat vectors, and could serve as an entry point into a healthcare organization’s infrastructure. Exposed medical IoT devices with poor or weak security controls, including inadequate security testing, can further compromise information and systems or undermine patient safety.

Security attacks against IoT devices during the pandemic have been alarming: ambulances rerouted, outpatient visits for pregnant women and radiation treatments for cancer patients delayed, medical records encrypted and made inaccessible or permanently lost, etc. Considering the amount of personal information stored and processed, it is no secret that hospitals and other healthcare organizations are favorite targets of ransomware attacks. Ransomware attacks cost healthcare organizations US$20.8 billion in 2020 (in the middle of the COVID-19 outbreak), with 560 healthcare provider facilities falling victim to the malware. The healthcare industry faced a 755% increase in those attacks in 2021, according to the 2022 Cyber Threat Report released by SonicWall. Hospitals cannot go long without patient data; thus, they are more likely to pay ransoms promptly, even where air-gap backup technology exists. In addition, hackers have been able to take control of medical devices, alter their configurations or parameters, and turn them into deadly weapons. Imagine how a tiny change in the value of vital metrics collected by IoT medical devices, like glucose meters or oximeters, may affect patient care. It might lead to the wrong recommendation of medication dosages and potentially fatal consequences.

Nowadays, it is unclear who is legally responsible for medical IoT data breaches. In some cases, technology providers hold responsibility. However, in some lawsuits, healthcare institutions have been held accountable. The confusion escalates as IoT devices may not necessarily be hosted on a hospital’s network but instead in a patient’s home. Who should be responsible in this case: the patient or the healthcare institution? These doubts need to be clarified as telemedicine continues to grow in prominence.

To increase their resiliency and be better prepared for future IoT attacks, healthcare institutions should consider the following best practices:

  • Applying appropriate technical and organizational measures (TOM) to implement the data protection principles
  • Implementing an effective authentication mechanism
  • Implementing security protocols and privacy-preserving solutions for tracking, monitoring and analytics
  • Maintaining an inventory of the IoT devices and related assets
  • Providing network segmentation and protecting each of the subnets at its level
  • Performing real-time monitoring and detection
  • Encrypting data based on their criticality level (e.g., PI, PII, PHI)
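The authentication, real-time detection and inventory items above, together with the tampered-vital-sign scenario described earlier, can be combined into one receiver-side check. The following is an added illustration, not code from the article or any vendor: each enrolled device (the inventory) holds a per-device key, every reading carries a message authentication tag and a sequence number, and the receiver rejects forged, altered, replayed or clinically implausible readings before they reach a clinician. The device identifiers, keys and plausibility ranges are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed device inventory: device id -> per-device secret (assumed to be
# provisioned at enrolment; real deployments would use a hardware-backed key).
DEVICE_KEYS = {"glucometer-01": b"demo-key-glucometer-01",
               "oximeter-07": b"demo-key-oximeter-07"}

# Assumed plausibility ranges per metric; anything outside is flagged for review.
PLAUSIBLE = {"glucose_mg_dl": (20, 600), "spo2_pct": (50, 100)}

def canonical(reading: dict) -> bytes:
    # Stable serialisation so sender and receiver authenticate identical bytes.
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()

def sign_reading(device_id: str, seq: int, metric: str, value: float) -> dict:
    """Device side: attach an HMAC-SHA256 tag computed with the device's key."""
    reading = {"device": device_id, "seq": seq, "metric": metric, "value": value}
    tag = hmac.new(DEVICE_KEYS[device_id], canonical(reading), hashlib.sha256).hexdigest()
    return {**reading, "tag": tag}

def check_reading(msg: dict, last_seq: dict) -> tuple:
    """Receiver side: return (accepted, reason). last_seq maps device -> highest seq seen."""
    key = DEVICE_KEYS.get(msg.get("device"))
    if key is None:
        return False, "unknown device (not in inventory)"
    body = {k: v for k, v in msg.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
        return False, "bad tag (tampered or forged)"
    if msg["seq"] <= last_seq.get(msg["device"], -1):
        return False, "replayed or out-of-order seq"
    if msg["metric"] not in PLAUSIBLE:
        return False, "unknown metric"
    lo, hi = PLAUSIBLE[msg["metric"]]
    if not lo <= msg["value"] <= hi:
        return False, "implausible value, hold for clinician review"
    last_seq[msg["device"]] = msg["seq"]
    return True, "ok"

def run_demo() -> list:
    """Feed constructed traffic through the check; returns (accepted, reason) per message."""
    last_seq = {}
    good = sign_reading("glucometer-01", 1, "glucose_mg_dl", 110)
    tampered = dict(good, value=40)                      # value altered in transit
    replay = dict(good)                                  # same valid message sent again
    forged = {"device": "oximeter-07", "seq": 5, "metric": "spo2_pct", "value": 97, "tag": "00" * 32}
    odd = sign_reading("oximeter-07", 1, "spo2_pct", 150)  # genuine device, impossible SpO2
    return [check_reading(m, last_seq) for m in (good, tampered, replay, forged, odd)]
```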

On the other hand, IoT manufacturers and developers should consider implementing “security by design” and “security by default” principles when building such devices. Good cybersecurity processes are critical to preventing attacks on medical IoT devices. In an age of record numbers of cyberattacks, vendors must be held accountable in all areas related to design, security baselines and strong security controls, including frequent patching, to reduce significant risk to patients.

In March 2020, the International Medical Device Regulators Forum (IMDRF), a voluntary organization, assembled a Medical Device Cybersecurity Working Group and released Principles and Practices for Medical Device Cybersecurity. This document outlines guiding principles for vendors, vulnerability remediation and incident response, and includes several industry references for further information. While written around the general security principles of medical devices, it also covers medical IoT devices. In September 2021, the National Institute of Standards and Technology (NIST) released the Summary Report for the Virtual Workshop Addressing Public Comment on NIST Cybersecurity for IoT Guidance. This report is significant because it identifies the critical stakeholders across industry, academia and government needed to address cybersecurity concerns for IoT, which directly affect medical devices that use IoT.

Threats will continue to exist for medical devices that use IoT technology with limited or poor security controls. The associated risks have a significant monetary impact, ranging from the cost of design flaws to regulatory and related fines following a data breach. The potential to improve and make a difference continues to grow, with industry support helping pave the way forward.