The term Internet of Things (IoT) was first coined in 1999 by an executive at Procter & Gamble who was trying to build momentum for new RFID technology. It wasn’t until around 2010 that the term became widely adopted. Once it caught fire, however, many related terms started being thrown around as well, such as Industrial Internet of Things (IIoT), Industry 4.0, and soon thereafter Internet of Medical Things (IoMT). While it’s a clever way to slip right into using acronyms in your professional circles, it’s important to understand the complexity of what the term captures and how to provide the right security around it.
As we frequently discuss in our work, data privacy is extremely important and must be protected at all costs. Yet it isn’t the only vulnerable asset on the market. Ransomware cases are on the verge of explosive growth, and threat actors are getting smarter and more invasive, looking at any entry point to cripple your business. From manufacturing equipment to logistics systems, critical infrastructure to medical devices, everything is exposed and vulnerable to attack. Specifically, in the healthcare industry, what do administrators and security professionals alike need to know about the IoMT?
For starters, it’s important to know that the IoMT captures a broad range of segments within the industry. As the Alliance of Advanced BioMedical Engineering pointed out in a 2017 blog, the market consists of devices, equipment, services and more across a variety of uses.
Let’s first look at the On-Body segment, which includes devices like insulin pumps, pacemakers, or even a basic Apple Watch. While there may not be a market just yet for hackers to mess with your Apple Watch’s pulse oximeter capabilities beyond doing corporate reputational harm, medically prescribed devices like the Medtronic MiniMed insulin pump have been proven vulnerable in a way that could cost lives. In 2017, two researchers discovered that the pump could be hacked and went through all of the proper channels to challenge Medtronic to provide an adequate fix to mitigate the threat. Two years later, as their battle with Medtronic and regulators stalled with no results, they went to the extreme of designing a simple app that can easily hack the device, with potentially deadly outcomes. Healthcare providers need to keep current on identified threats to the devices they prescribe to their patients, as one can only imagine what culpability may exist if a patient were injured as a result.
Next, we have the In-Home segment, consisting of personal emergency response systems (PERS), remote patient monitoring (RPM) and telehealth virtual visits. In light of the COVID-19 crisis, the Department of Health and Human Services has been providing Emergency Use Authorizations (EUAs) to various medical device companies, which may allow them to operate without key features that could protect data because the FDA is permitted to waive certain requirements. This means that any institution or healthcare provider utilizing such devices needs to act with the utmost care and ethics to avoid costly mistakes in unproven territory. Certifying that your health system has the right protections in place to keep virtual visits and home monitoring safeguarded is critical.

Community Segment
The Community segment has five main components: mobility, emergency response intelligence, kiosks, point-of-care devices, and logistics. Again, these are systems that can provide entry points into a healthcare system and/or a way to interrupt medical service delivery when it is needed. Imagine a kidney being donated in Washington, DC that has to be flown to Chicago for transplant, all while wired up to sensors that track important stats such as temperature and other factors that could affect the viability of the organ upon arrival. Now imagine those sensors are hacked and false data is injected; a person’s life hangs in the balance of this type of critical information being credible and reliable. Operators of these devices need to stay on top of any patches and updates for the products, as well as ensuring each endpoint is protected and monitored.
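To make the "credible and reliable" requirement concrete for the organ-transport scenario above, here is an added example (not code from the original post or from any vendor) of a receiver that accepts a sensor reading only if it carries a valid HMAC tag and a fresh sequence number. The sensor ID, key, message layout and sample readings are constructed for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical shared key provisioned to one organ-transport sensor. Constructed value;
# a real deployment would keep it in the device's secure element and a server key store.
SENSOR_KEY = b"constructed-demo-key-not-for-real-use"


def _canonical(reading: dict) -> bytes:
    # Deterministic encoding so sender and receiver compute the tag over the same bytes.
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(reading: dict, key: bytes = SENSOR_KEY) -> dict:
    """Sensor side: attach an HMAC-SHA256 tag to one reading."""
    tag = hmac.new(key, _canonical(reading), hashlib.sha256).hexdigest()
    return {"reading": reading, "tag": tag}


class TelemetryVerifier:
    """Receiver side: accept only readings that are authentic and not replayed."""

    def __init__(self, key: bytes = SENSOR_KEY):
        self.key = key
        self.last_seq = {}  # sensor_id -> highest sequence number accepted so far

    def verify(self, msg: dict) -> tuple:
        reading = msg.get("reading", {})
        expected = hmac.new(self.key, _canonical(reading), hashlib.sha256).hexdigest()
        # Constant-time comparison, so a forged tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "integrity check failed"
        sensor, seq = reading["sensor_id"], reading["seq"]
        if seq <= self.last_seq.get(sensor, 0):
            return False, "replayed or out-of-order reading"
        self.last_seq[sensor] = seq
        return True, "ok"


def demo() -> list:
    """Constructed scenario: two genuine readings, one tampered reading, one replay."""
    verifier = TelemetryVerifier()
    r1 = sign_reading({"sensor_id": "ORG-0001", "seq": 1, "temp_c": 4.0})
    r2 = sign_reading({"sensor_id": "ORG-0001", "seq": 2, "temp_c": 4.1})
    # Attacker-in-the-middle alters the temperature but cannot recompute the tag.
    tampered = {"reading": dict(r2["reading"], temp_c=9.0), "tag": r2["tag"]}
    # The final message re-sends r1 after r2 was already accepted.
    return [verifier.verify(m)[0] for m in (r1, r2, tampered, r1)]
```

Run `demo()` to see the receiver accept the two genuine readings and reject both the altered and the replayed one; monitoring should alert on every rejection, since each one is either a fault or an attack on the transport chain.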
Then there is the In-Clinic segment, which also consists of point-of-care devices; the key difference from those in the Community segment is that the provider uses these devices remotely. Recent product developments, such as remote monitoring EKG devices that use the internet to connect to the doctor’s office and report detected atrial fibrillation, could be vulnerable as well. Or consider cloud-based examination platforms that clinicians access to assess care. Simple practices such as password management and education can make all the difference in protecting data.
Lastly, there is the In-Hospital segment, which encompasses the wide range of devices and systems used within a physical healthcare setting. This ranges from personnel management systems to inventory management to a tracking system for the coronavirus vaccine. The COVID-19 pandemic makes it imperative that hospitals have their finger on the pulse of their PPE stock, their staff’s vitals and virus status, and case management of individuals in varying stages of disease. Converting legacy systems quickly, especially where hospital systems have merged, and implementing proper network segmentation are both great places to start.
With all this said, how do we get hospitals and healthcare systems to think differently about the crises they face in a highly connected world when they are on the front lines of battling a pandemic? The healthcare system, as a whole, has been on a campaign to get patients to think proactively about wellness rather than reactively about illness. Could this same tack work on them? We need to collectively work on educating the healthcare system about its own preparedness; the same mindset shift is needed in the medical community. Cybersecurity wellness is an ounce of prevention and has to be addressed to avoid detrimental, and even deadly, interruptions to their business.