Potentials of IoT in Healthcare
The internet of things (IoT) is ever-expanding, and while this growth is bringing new capabilities and opportunities for business innovation, it also presents new challenges and security risks. And there is no greater risk than that of life or death, which is a core concern around the IoT in healthcare.
Even though the healthcare industry has been slower to adopt Internet of Things technologies than other industries, the Internet of Medical Things (IoMT) is destined to transform how we keep people safe and healthy. IoMT refers to the connected system of medical devices and applications that collect data that is then provided to healthcare IT systems through online computer networks.
IoT is at the heart of the digital healthcare ecosystem. This ecosystem includes patients and medical staff, medical devices (e.g., diagnostic and imaging), surgical robots, wearables, intelligent equipment, and countless wireless sensors, all of which share sensitive patient data.
Despite the obvious cybersecurity concerns, it appears the IoT momentum is picking up speed. According to Gartner, the IoT in healthcare is forecast to grow by 29 percent in 2020. A report by Allied Market Research predicts that the IoT healthcare market will reach $136.8 billion worldwide by 2021. Today, there are 3.7 million medical devices in use that are connected to and monitor various parts of the body to inform healthcare decisions.
The primary motivators behind this rapid growth are lowering costs and improving patient care through big data. “With all this data, they can look at how to improve their service and lower the cost to deliver that service. But moreover, it’s a question of moving from a reactive to a proactive healthcare model, which is one of the key benefits of the IoT,” says Alan Mihalic, president and founder of the IoT Security Institute. On the patient side, the internet of things can offer tremendous benefits. When healthcare providers have more data about the status of patient health, proactive care becomes possible.
IoMT Cybersecurity Challenges
Most IoMT devices were not designed with security in mind, which makes them especially vulnerable to compromise. One study suggested that there is an average of 164 cyber threats detected per 1,000 connected host devices. In 2019, cybersecurity experts found dangerous vulnerabilities in the technical design of some insulin pumps, prompting the FDA to issue a warning that hackers could compromise insulin pumps by connecting to them via WiFi and changing the pump’s settings to either under- or over-deliver insulin.
Connected medical devices – from Wi-Fi-enabled infusion pumps to smart MRI machines – increase the attack surface of devices sharing information and create security concerns including privacy risks and the potential violation of privacy regulations. The contamination and loss of data and the potential to seize control of a device should be top concerns for healthcare IT teams. An exploited vulnerability leading to the hijacking or ransoming of a device could not only result in clinical risk but even the loss of life.
The recent Vectra 2019 Spotlight Report on Healthcare indicates that the proliferation of healthcare IoT devices, along with lack of network segmentation, insufficient access controls and reliance on legacy systems, has created an increasing attack surface that can be exploited by cyber criminals determined to steal Personally Identifiable Information (PII) and Protected Health Information (PHI), in addition to disrupting healthcare delivery processes.
Cybercriminals usually focus on stealing Electronic Health Records (EHRs) due to their black-market value which could be worth hundreds or even thousands of dollars. In the first half of 2019 alone, 32 million healthcare records were compromised as a result of multiple security incidents. Criminals may also install malware or ransomware on the hospital network, encrypting and disabling the connected servers and systems and causing total disruption to the provision of healthcare. As a result, healthcare systems may remain dysfunctional for several days.
According to the IBM 2019 Cost of Data Breach Report, the average cost per breached record in healthcare is $429. Therefore, it is no wonder that a large hospital’s real cost of recovering from a ransomware attack generally runs in the millions of dollars.
As the number of connected devices increases, we need to determine how to handle the data load securely. Protecting a patient’s medical, insurance and personal information must be a top priority. Threats and vulnerabilities cannot be eliminated, therefore, reducing cybersecurity risks is especially challenging. The health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.
IoMT Devices Security By Design
Every type of connected medical device has its own set of complexities that need to be secured at the time of product design. Each device has an application programming interface (API), a user interface, a URL and often interfaces for HDMI, Bluetooth or WiFi, all of which may be exploited if not properly secured by the device manufacturer. Unfortunately, the major burden of responsibility for securing these devices ultimately falls on the healthcare provider.
In view of this situation, the U.S. Food and Drug Administration released the guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Guidance for Industry and Food and Drug Administration Staff.” The guidance recommends that manufacturers consider cybersecurity risks as part of the design and development of a medical device and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks. The guidance also recommends that manufacturers submit their plans for providing patches and updates to operating systems and medical software.
The FDA developed the document “to assist industry by identifying issues related to cybersecurity that manufacturers should consider in the design and development of their medical devices as well as in preparing premarket submissions for those devices.”
Building protection into the device itself provides a critical security layer that ensures devices are no longer depending on the corporate firewall as their sole layer of security and allows security to be customized to the needs of the device. The engineering team must be as focused on security as they are on the functionality of the device. Building security capabilities into a medical device will not only enable the device to meet the FDA security guidelines but also enhance the device’s overall security posture.
The FDA guidance is aligned with the NIST Cybersecurity Framework and recommends that medical device manufacturers consider the Identify, Protect, Detect, Respond, and Recover core functions to guide their cybersecurity activities. In line with these core functions, the FDA suggests security measures that device manufacturers should consider for the protection of medical devices that include:
- Limiting access to devices to trusted users using authentication, such as ID and password, smart card and bio-metrics, including multi-layered authentication “where appropriate;”
- Ensuring secure data transfer to and from the device, using encryption where appropriate;
- Implementing features that allow for security compromises to be detected, recognized, logged, timed and acted upon;
- Providing information to end-users concerning appropriate actions to take upon detection of a cybersecurity event.
The FDA also outlines key information that manufacturers should provide in their premarket submission for FDA product approval related to the cybersecurity of their medical device, including:
- Hazard analysis, mitigation’s and design considerations pertaining to cybersecurity risks associated with the device;
- A traceability matrix that links actual cybersecurity controls to the cybersecurity risks that were considered;
- A summary describing controls that are in place to assure that the medical device software will maintain its integrity from the point of origin to the point at which that device leaves the control of the manufacturer;
- Instructions for use of recommended cybersecurity controls appropriate for the intended use environment;
- A summary of the plan for providing validated software updates and patches as needed throughout the life-cycle of the medical device to continue to assure its safety and effectiveness.
Managing Security of IoMT Devices
Since cybersecurity risks to medical devices are continually evolving, it is not possible to completely mitigate risks through premarket controls. FDA recognizes that medical device cybersecurity is a shared responsibility among stakeholders including health care facilities, patients, providers, and manufacturers of medical devices.
Therefore, effective cybersecurity risk management should be of utmost concern. Following the release of the premarket considerations, FDA released the guidance “Postmarket Management of Cybersecurity in Medical Devices” which emphasizes on the development of cybersecurity risk management programs to mitigate vulnerabilities that may permit the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may result in patient harm.
The cybersecurity risk management program is recommended to be aligned with the NIST Cybersecurity Framework and should include the following components:
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Maintaining robust software lifecycle processes that include mechanisms for
- monitoring third party software components for new vulnerabilities throughout the device’s total product life-cycle;
- design verification and validation of software updates and patches that are used to re-mediate vulnerabilities, including those related to off-the-shelf software;
- Understanding, assessing and detecting presence and impact of a vulnerability;
- Establishing and communicating processes for vulnerability intake and handling
- Using threat modeling to clearly define how to maintain safety and essential performance of a device by developing mitigations that protect, respond and recover from the cybersecurity risk;
- Adopting a coordinated vulnerability disclosure policy and practice.
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.
To help hospitals and other healthcare organizations develop a cybersecurity preparedness and response framework, the FDA collaborated with the MITRE Corporation and developed the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. The playbook describes the types of readiness activities that will enable healthcare organizations to be better prepared for a cybersecurity incident involving their medical devices and gives product developers more opportunity to address the potential for large scale, multi-patient impacts that may raise patient safety concerns.
Cybersecurity risk management is a shared responsibility among stakeholders including the medical device manufacturers and the hospitals. When manufacturers consider cybersecurity during the design phases of the medical device lifecycle, the resulting impact is a more proactive and robust mitigation of cybersecurity risks.
Similarly, a proactive and risk-based approach to the postmarket phase for medical devices, through engaging in cybersecurity information sharing and monitoring, promoting “good cyber hygiene” through routine device cyber maintenance, assessing postmarket information, employing a risk-based approach to characterizing vulnerabilities, and timely implementation of necessary actions can further mitigate emerging cybersecurity risks and reduce the impact to patients.
ITEGRITI can help healthcare organizations develop consistent cybersecurity risk management programs to meet compliance with the FDA recommendations. To learn how contact our experts.