The Internet of Things (IoT) is swiftly becoming a key emerging technology to improve the delivery and outcomes of healthcare in the United States and globally. Networked medical devices connected to the Internet can be worn, or in some cases even implanted, in order to measure personal wellness, or to medicate and treat disease. As healthcare-related IoT becomes popular, experts continuously identify the cybersecurity risks of IoT devices. In the US healthcare system the cybersecurity risks associated with connected medical devices is already a pressing issue; the US FDA has identified over 300 IoT medical devices that are at risk for cyber-attack, with the potential to cause fatalities in patients who use these devices (Tolentino 2013).
Regardless of threats, IoT is a rising technology. Recent projections estimate IoT represents a $19 trillion USD global market and by 2020 it is predicted that 50 billion devices will be connected to the Internet. The healthcare segment of this market is expected to reach $117 billion by 2020 (McCue 2015), and IoT devices are estimated to save the US healthcare sector $63 billion over the next fifteen years (Healey 2015). In this paper, we will discuss the Internet of Things for Medical Devices (IoT-MD). We will then examine the cybersecurity risks associated with some connected medical devices as well as the potential threat this causes to patients. Finally, we will offer some suggestions on how cybersecurity risks can be mitigated by organizations that chose to use connected medical devices.
What is the IoT?
The term Internet of Things has a variety of definitions. A good starting definition is provided by the IT firm Gartner: “The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment” (Gartner). However, if one goes back to the definition of Kevin Ashton, the individual who coined the term, the first component of the definition is that it is in contrast to the Internet itself, which was about data created by people; the next big communications revolution, which is the IoT, involves data being created by things (Techopedia). The “things” concerned are usually everyday physical objects whose primary purpose does not involve or need any kind of connectivity but that are or will be connected and are able to communicate in an intelligent fashion thus making the physical world one big information system. Therefore, there is an idea that the “things” do not include and go beyond computers, smartphones, tablets, or any other computing devices (Stroud). In addition to the machine or object itself, it can also refer to components of machines e.g. airplane engines or oil rig drills (Morgan 2014).
The use of IoT-MD
Almost half of US healthcare providers surveyed use IoT devices and technologies within their IT ecosystems (Healey 2015). These technologies are broken into four groups: wearable external medical devices; internally embedded medical devices; fixed networked medical devices, and health monitoring consumer products. And these technologies are making a significant difference in the lives of those who use them. One study found a 64% drop in re-admission for those who used remote care IoT devices. Additionally, patients trust tests which they personally administer through IoT devices as much or more than tests administered by medical officials. More than 70% of those patients surveyed were open to using additional IoT-MD including toilet sensors, prescription bottle sensors, or swallowed monitoring devices (Healey 2015).
Health professionals agree that there are major benefits to the development of IoT-MD including the following:
a) They allow remote and continuous monitoring of a patient’s health by promoting the quick flow and easy access of information and are especially useful for tracking lifestyle diseases such as hypertension, diabetes and asthma, which need continuous monitoring (Khanna and Misra 2014);
b) They improve home care, thus saving patients time and money (note that the average per day cost for in-patient treatment in the US is $1,700)(Harpham 2015);
c) As IoT-MD become increasingly sophisticated and responsive to individual patient needs, they can help improve patient outcome as well as achieve greater productivity, reliability and quality of service, while reducing costs, reducing waste and reducing loss (Harpham 2015);
d) They improve use experience for the patient as they allow patients and caregivers to have a richer and more intimate engagement with each other. Automation of engagement also allows better compliance to treatment regimens (Khanna and Misra 2014); and
e) They allow for the collection of a vast amount of data which ultimately promotes an evidence-based medical system (Khanna and Misra 2014). The data collected can also help automate processes and enable improved decision-making ultimately contributing to higher quality care, faster delivery times, reduced waste, shorter wait times and better patient care (TELUS 2014).
Cybersecurity threats to connected medical devices
Given the benefits for both patients and providers, the upward trajectory of IoT in healthcare is guaranteed. However, one large negative are the cybersecurity risks that using these devices bring – risks that can be fatal to patients. For example, famed hacker Barnaby Jack has reportedly developed software that can hack into existing medical devices. Jack claimed to be able to send an 830-volt electric shock through any pacemaker from as far away as 50 feet. He also claimed to be able to remotely control the amount of insulin delivered through insulin pumps. These hacks could easily result in patient death (Bosanac 2015; Healey 2015). (For additional examples of the vulnerabilities of IoT-MD, see Table 1). To date, there have not been any documented cases of hackers holding a user ransom by their medical device, but this does not diminish the fact that there are real risks to the IoT devices of today. As IoT platform developers Ayala have stated: “Because the embedded operating systems in those devices are not often designed or installed with security as a primary consideration, there are vulnerabilities present in virtually all of them” (Ayala Networks 2015).
The FDA is correct in stating that cybersecurity risks cannot ever be completely eliminated, but cybersecurity governance initiatives and proactive strategies can be adopted to assess and mitigate vulnerabilities in the healthcare sector (U.S. Food and Drug Administration 2016). There are currently over 300 medical IoT devices approved by the FDA which are at risk for cyber-attack, including insulin pumps, drug infusion pumps, ventilators, pacemakers, implantable cardioverter defibrillators, and anesthesia devices (Tolentino 2013), providing plenty of opportunity for exploitation of vulnerabilities. A recent report from tech research firm Forrester stated that the number one cybersecurity prediction for 2016 is that hackers would release ransomware for medical devices or wearables (Taylor 2015). Unlike credit card theft, which can be quickly resolved, medical identity theft can have long-term effects on individuals personally. If a medical record has been corrupted, this can lead to incorrect diagnoses, incorrect prescription drug records, and adverse patient outcomes (Taylor 2015).
Loss of privacy is another major consideration in the use of IoT-MD. In 2015, the Ponemon Institute reported that 90% of US healthcare firms had been victims of cyber-attacks, costing the healthcare system $6 billion (Pettypiece 2015). IoT devices potentially hold the most risk for privacy breach, as they collect the greatest amount of personal biological data, in addition to being connected to the healthcare network, very often providing access to users’ personal private and financial information through a backdoor. As network utility is critical to their function, healthcare providers need to ensure unencrypted data is not transmitted on open networks. With the large number of security problems plaguing most computer equipment, healthcare providers may be wary of integrating computer technology with more mundane devices that were previously unconnected, even with the lure of efficiency and cost savings.
In addition to worrying about cybercriminals, a further concern of patients relates to the collection of personal information. Manufacturers of IoT devices can profit from the data generated, as they enable creators to keep tabs on the habits and patterns of the users of these devices. The value is in recognizing the patterns – the more IoT that is used, the more data is collected and the more information about behavior is made known (Bloomberg 2014). Consumers of these products will demand more control over their private information, while manufacturers who develop the technology will be incentivized to store private information for research and commercial purposes.
Healthcare cybersecurity: The state of affairs
Cybersecurity in the healthcare sector is a vital issue. In 2013, 44% registered cybersecurity breaches were in the healthcare industry and this increased by 60% in 2014 – this is more than double the increase in other industries and resulting financial losses up 282% (Healthcare IT News 2015). Unfortunately, according to Forrester analyst Stephanie Balaouras, the healthcare industry is “woefully behind” when it comes to cybersecurity preparedness. Balaouras states that the industry has “done it begrudgingly and they’ve done it as something that they need to comply with at the lowest possible cost, as opposed to something they really embrace” (Taylor 2015). She states that HIPAA compliance represents the majority of focus, as opposed to concerns with overall privacy. Insurance companies (holding medical records), hospitals and doctors allocate an average of just 14 percent of their IT budgets to security, compared to other industries who are investing over 20 percent, despite being less lucrative criminal cyber targets (Taylor 2015).
This risk can be grave for those who rely on their IoT device to provide life-saving care. Hackers can exploit this vulnerability, and as McAfee points out, “Theoretically, a piece of targeted malware could spread across the Internet, and only take action when it confirmed it was in a medical device. Such malware could affect everyone with a vulnerable device” (Healey 2015). This is not a far-fetched scenario, as we have seen this play out in other industries such as malware in Ukrainian industrial control systems causing a power grid failure. And because many healthcare IoT device manufacturers write customized code, but are not software specialists, nor building in the ideal cybersecurity protections, there are often security holes in these devices waiting to be exploited (Healey 2015). Even with software expertise, cybersecurity is often an afterthought. Many IoT devices used in healthcare today have been identified to hold cybersecurity vulnerabilities, some of which can be life-threatening.
For example, the Hospira LifeCare Drug Infusion Pump has been reverse engineered exposing security vulnerabilities that would allow hackers to administer a deadly dosage of drugs remotely. This vulnerability exists in five models of the pump, and there are 400,000 in use throughout the US today (Zettler 2015).
Additionally, X-ray systems have been found tobe vulnerable to hacks through the centralized storage units to which their data is stored. These units often do not require any authentication for access and often do not log those who access the system (Zettler 2015). Other examples of potential vulnerabilities within the hospital are blood refrigeration systems, CT s canners, and defibrillators (Zettler 2015).
Regulation in the United States
Fines for data breaches continue to increase every year. Organizations that experience breaches have also become cognizant of the fact that patient privacy is valuable. For example, New York Presbyterian Hospital and Columbia University agreed to pay the Office for Civil Rights (OCR), part of the Department of Health and Human Services, $3.3 million and $1.5 million, respectively, for failing to protect thousands of medical records in 2014. Many more settlement agreements are in the OCR’s pipeline (Taylor 2015). The threat to patient privacy will only increase as the use of IoT-MDs increases.
In January, 2015, the Federal Trade Commission released a Staff Report on IoT. This report focused on the issues of privacy, security and on the need for legislation to regulate the IoT. Regarding privacy, the report suggested that companies practice “data minimization” which involves limiting the collection of data and the time that data is held for the period of time it needs to be used. And concerning security, the report recommended that companies should prioritize the building of security into devices and that they should train employees adequately, should ensure that contractors can maintain security, and should monitor devices and report to the consumer when security breaches are detected. The reports suggested that IoT-specific legislation would be premature at this point. Instead, it recommended that broad security and privacy legislation should be introduced to deal with these matters while remaining flexible enough to adapt to technological innovations
(Thompson and Mattalo 2015).
In January 2016 the FDA released Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and
Food and Drug Administration Staff, which identified the cybersecurity vulnerabilities for IoT postmarket medical devices (FDA 2016). The FDA noted that the healthcare community needs to be proactive in addressing the cybersecurity risks of these networked devices in order to mitigate the impacts on patients and reduce the cybersecurity risks to the healthcare field generally. As stated in the draft, the risk management for these IoT devices must be shared among all of the actors, including: “the medical device manufacturer, the user, the Information Technology (IT) system integrator, Health IT developers, and an array of IT vendors that provide products that are not regulated by the FDA” (FDA 2016). The FDA recommends collaboration among the actors, by clarifying the FDA recommendations and outlining the risks for the end users.
Effectively mitigating risks
1. Built-in security platforms: security by design
The first step to mitigate security risks in IoT devices is for the manufacturers of such devices to design the IoT platform with security in mind, incorporating granular controls and leveraging a pre-built role-based security model. Security must be a fundamental building block of the connected device and not just an afterthought. The Operational Technology (OT) network, which consists of physical security and secure access to information systems, must be implemented at the platform and device levels, in addition to having standards-based Internet security controls. At the least, AAA security should be incorporated into the design of IoT devices: this consists of authentication of users, authorization of access, and the ability to audit usage. The use of two-factor authentication is recommended as it ensures that every user access within the service is secured with two factors of authentication, and therefore, two layers of security which makes it more difficult for hackers to gain access to data (Ayala Networks 2015).
Some IoT platforms use both multi-factor authentication and encryption to secure devices that have embedded IoT modules, enabling secure Internet connectivity and data transmission. Every enabled module is authenticated before it is allowed to obtain or write data to or from the IoT service. The service generates a public/private key pair for every module, and the public key is burned into the module, ensuring only the IoT service provider can decrypt the key, which makes the device protected against network spoofing. Using these mechanisms, only devices that have been properly authenticated using the public/private key pair would be authorized to have access to the production service (Ayala Networks 2015).
Owing to the nature of many IoT-MDs being mobile, as with security measures for BYOD and other portable and mobile connected devices, they must be equipped with capabilities for managing data in the event of loss or theft, such as remote deletion of data and disabling connectivity. Further, encryption, authentication and role-based access must be employed. All data in transit (e.g. through networks, smart devices, wireless devices, Bluetooth devices, etc.) should be encrypted to secure the data and prevents it from being readable (Ayala Networks 2015).
Finally, many connected devices, such as wireless access points or printers, come with known administrator IDs and passwords and they may also provide a built-in web server to which administrators can connect, log in and manage the device remotely. This is a huge vulnerability that can make IoT devices more susceptible to outside attack. For example, in 2013, the Department of Homeland Security issued a warning for over 300 medical devices with factory-set passwords that cannot be changed by users but can be discovered by anyone online who downloads the device’s manual (O’Neil 2016). In order to combat this, connected devices should undergo a stringent commissioning process in which the initial configuration settings is rigorously tested and scanned to identify potential vulnerabilities before they are moved to the production environment (Ayala Networks 2015).
2. Role-based access
Role-based access control is essential to protecting patient or user privacy. Ideally, the IoT-MD platform should enable access to certain functions on the device using service Application Program Interfaces (APIs) to be configured specifically. Therefore, in addition to multi-factor authentication to protect the data, each user should also have a set of designated privileges for various functions, and they can only access those functions that are specific to their tasks. For example, a nurse’s access to a device will be different from that of a specialist physician or physiotherapist. Deciding how much access to allow users based on their roles is crucial for maintaining high levels of security. Finally, after the patient has completed their treatment, access to IoT devices should automatically expire and be transferred to the next user (Khanna and Misra 2014; Ayala Networks 2015).
3. Security beyond the device itself: end-to-end security
Security must extend from the device, to the cloud, and to the application, starting with encryption at the chip level to prevent spoofing, and key transmission protocols like Transport Layer Security (TLS) to get information safely to its destination. The method of transmitting the data is also important. The best approach is to use HTTPS as the standard format to ensure the server is fully authenticated using PKI certificate chain verification and each packet is encrypted using AES 128-bit encryption. All user identifiable information should be encrypted when stored and backups too should be encrypted, with the encryption keys stored securely (Ayala Networks 2015).
Ideally the IoT device manufacturers consider cybersecurity throughout the design and manufacturing process. However, as previously stated, cybersecurity risks cannot be completely eliminated, and there is an important role for the healthcare sector and users to promote good cybersecurity hygiene through “routine device cyber maintenance, assessing postmarket information, employing a risk-based approach to characterizing vulnerabilities, and timely implementation of necessary actions” (FDA 2016). The healthcare sector is advised to adopt the framework developed by the National Institute of Standards and Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity,” which calls for proactive approaches to cybersecurity. Manufacturers are also advised to consider the “reasonable worst-case estimate” in their risk management approach, which can be measured through cybersecurity vulnerability assessments that rate the foreseeable vulnerabilities (FDA 2016).
As technology is outpacing both regulation and cybersecurity frameworks, the future of risk in healthcare IoT devices is entirely dependent on the speed in which the healthcare providers and regulatory authorities react to these technological advances. While at this point there are no specific requirements, the risks to individuals and the healthcare sector writ large is becoming increasingly apparent.
Though we are not yet at a point where cyber-crime has become all invasive, the healthcare sector is at a tipping point in which the focus on IoT device usage should go hand in hand with ensuring patient safety through a focus on cybersecurity. Considering almost half of US healthcare providers surveyed use IoT devices and technologies within their IT ecosystems, and the dramatic rise in cybersecurity threats in the healthcare sector, collaboration is needed between government, industry and the healthcare sector to address this critical issue and find equitable and efficient solutions that hold patient safety and patient privacy as priorities.
While IoT devices offer cost-saving customized care that will allow medical staff to provide innovative time-saving solutions, it is only a matter of time before the blatant cybersecurity vulnerabilities will be too tempting for aggressive cyber-criminals to ignore. Device manufacturers should be encouraged to incorporate strict cybersecurity protocols in IoT-MD development, and older devices should be modified to follow the NIST framework.
Cybersecurity is an issue that touches every industry, however healthcare provides a unique challenge in which the cyber-interface can be connected directly to vital biological functions. With individual lives at stake, regulatory and cybersecurity frameworks should be created to consider rational worst-case scenarios for risk management considerations.