It’s easy to make fun of the Internet of Things as a pointless field in which Internet connectivity is added to devices for no other reason than that it can be. For example, the $99 Griffin Technology Bluetooth Connected Toaster, debuted at CES this year, allows the user to control toasting levels via a special smartphone app that does the same job as a simple rotary dial — in case you need to toast bread while you are far away from the toaster, for some reason.
But in the healthcare field, smart devices are more than just a gimmick. The latest generation of connected medical devices gives healthcare providers real-time information on the conditions of their patients. Smart sensors can track heart rate, blood sugar levels, blood pressure, and other vital information in real time, allowing medical professionals to respond to problems faster than ever before and averting crises before they happen.
It’s little wonder that according to Transparency Market Research, the smart medical device market will reach $66 billion by 2024.
The Biopharma Research Council will host a webinar on the Internet of Medical Things on Thursday, July 27, from 1 to 3:30 p.m. For more information, visit www.biopharmaresearchcouncil.org.
One of the presenters at the seminar will be Mitchell Parker, executive director of information security and compliance at IU Health in Indianapolis, Indiana. In this role as an IT executive of a major healthcare system, Parker deals directly with both the opportunities and challenges created by Internet-connected medical devices.
In a recent article for Health Tech Magazine, Parker discussed how to deploy smart medical devices while keeping them secure.
Security is one of the major risks that come along with the Internet of Medical Things. Because IOT devices are typically simpler and easier to hack than full-fledged computers, they are common targets for hackers who like to take them over en masse to build “botnets” that can be used to launch denial of service attacks.
Hospitals are also vulnerable to “ransomware” attacks in which hackers take over a medical system’s computers, encrypt the data, and demand payment to undo the damage. In May a wave of ransomware attacks hit corporations and hospitals all around the world, disrupting medical services in Europe and Asia.
Parker noted that past cyberattacks show the vulnerability of hospital systems to hackers:
“The Mirai botnet, which primarily affected security cameras and other internet-connected devices running the Linux operating system, was devastatingly effective, as it showed how large numbers of compromised machines could be used to disrupt traffic across the internet, including a 1-terabit-per-second distributed denial of service attack against a French web host. Many of those devices had just been installed and did not receive security patches for many Linux kernel or application vulnerabilities,” he wrote.
Parker also said Android-based botnets surfaced last year, which used smartphones and tablets to launch malware and distributed denial of service attacks. Androids are easier targets because they do not receive security updates as frequently as desktop computers.
The heavy spike in healthcare-related cyberattacks has made healthcare leaders think twice before deploying Internet-connected medical devices, Parker wrote. He offered eight steps to consider when balancing the risks and benefits of deploying IOT medical devices.
Have a comprehensive vendor review or contract management program in place. Any effort should address the vendors’ risk management program, vendor vulnerability management and disclosure, and support of any underlying operating systems or applications. That allows organizations to make a decision up front whether to use these connected devices to handle information. If a device does not receive security updates or a vendor is not responsive to disclosed vulnerabilities, it’s better to know this before proceeding.
Reduce the amount of data on any connected device to the absolute minimum necessary. Make sure to keep only what is absolutely necessary on the device. A corollary to this: Keep the services and connectivity of the device to an absolute minimum, and use firewalls and other network-based protection as needed on end-user devices.
Create a separate and secure technology infrastructure for data integration. What’s more, constantly update the infrastructure, monitor for vulnerabilities, and review for any anomalies in data or system activity. Put all incoming data through a well-tested supporting infrastructure first to reduce risk to your electronic medical record system.
Build an educational plan around the devices for your organization and customers. Ensure that anyone who deploys the devices can understand them, answer potential questions, and work with consumers to update and monitor usage. Also, confirm contact information in case of an issue to reduce triage time.
Develop a comprehensive activity review process. Review your users’ device activity on a regular basis, ensuring periodic updates to such tools and resolutions to known vulnerabilities for customers. Such a process must extend to administrators, super-users, and anyone else who has access to system data, as insider threats cause many data breaches.
Make sure there’s a budget set aside. Build in enough budget to ensure the availability of staff to answer customer questions, review devices and infrastructure, and continually assess risk from inside and outside threat vectors.
Develop a staffing plan. Adequately staff for device deployment, customer service, and activity review on the secured infrastructure and devices, and update both regularly. Many vendors claim that their tools require less maintenance or tout the ability to maintain thousands of devices without dedicating full-time staff; that simply is not true for devices containing protected health information (PHI), as the HIPAA Security Rule requires regular review of user activity on systems containing PHI.
Ensure your security and risk management plan addresses potential issues. The plan must start with an initially secure configuration of the devices and infrastructure at the device, application, network, and infrastructure layers. It then should address how the devices will be kept in a secure state through effective management, review, testing and change management. It must address communication and deployment plans for security vulnerabilities on the device, and how any issues will be mitigated.
The plan should take into account the potential that there will be a breach or similar event that will cause the device to not function correctly, and must include annual risk assessments of the entire infrastructure, not just the devices themselves. Pay close attention to account supporting processes, staffing, training and technology.