There was a time when healthcare was all about manual recordings and heavily reliant on the doctor’s opinion. Come 2021, and instead, the tables have turned. There hasn’t been another time in history where doctors and other healthcare practitioners are more reliant on technology to improve the lives of their patients. The Internet of Medical Things (IoMT) industry has connected healthcare with technology in one of the most ingenious manner. As per the Frost and Sullivan IoMT forecast to 2021 report, it’s expected that almost 40 to 50 billion IoMT devices will be part of the network by the end of the year. Right now, 48% of IoMT devices use mobility to connect to the cloud, and that number is expected to rise to 68%, with most of them using artificial intelligence and machine learning to spear ahead.
Given that the industry will only see a considerable boom year after year, many concerns are surrounding the IoMT technology in itself. With device security incidents involving data breaches and device misuse increasing with time, it’s high time we understand the risks associated with IoMT devices and what we can do to mitigate them.
Simply put, IoMT devices are those that improve the entire healthcare network and infrastructure. It’s very common to see that when these devices are spoken of, only those that help the patient are accounted for. But that’s far from reality. IoMT devices include both—those that help patients and those that help healthcare providers. Examples include health monitors, lab devices, nurse calling monitors, sensors, controllers, and the like. The current forecast of the market for 2022 is $52.2 billion and is expected to rise as the years pass by. With its increasing impact on people’s lives, it won’t be surprising if it surpasses its forecasted valuation as well.
Under IoMT again, there are multiple classes—Class I, Class II, and Class III. Class I includes non-invasive devices that post low to moderate risk to the patient, such as manual stethoscopes, enema devices, etc. Under Class II, we can include those that are invasive in nature and do post a moderate to high risk to the patient. Examples of those include air purifiers, infusion pumps, etc. Class III, better known as ‘active devices,’ literally helps the patient live. These could be your heart monitors, pacemakers, pulse generators, etc. With our increasing reliance on such devices, the concern of device security seems more real with time.
The main concern with IoMT devices is that a huge amount of personal data is being generated daily. With such intimate data being recorded and saved in cloud servers, device security is expected to be top-notch. Yet, that isn’t always the case. For example, the Wannacry ransomware attack in 2019 was deployed in over 150 countries affecting 300,000+ devices. Even a year after the cyberattack took place, Microsoft’s serves still continue to find vulnerabilities in such systems.
If that isn’t horrifying enough, another attack, Bluekeep took place in 2020 in the US, where a vulnerability in the Microsoft Remote Desktop Protocol service was exploited to steal medical records. Since these are deployed as worms that take over the system in the sneakiest of manners, it’s very hard to identify and fight them. The most concerning part is that patient medical records are valued at millions to the right stakeholder, and it’s just being sold like hotcakes. In most cases, hospitals have had to turn away patients because of such cybersecurity attacks.
Here, we have nobody else to blame apart from ourselves. Most of these device security issues can be mitigated by employing simple defences. In 56% of most healthcare security breaches, it has been found that simple things such as using different passwords could’ve mitigated the whole issue altogether. That being said, deniability is the main source of these issues. Most organizations tend to be lax in their attitude towards IoMT device security, which is evident from the fact that only 51% of device manufacturers in the U.S. use Food and Drug Administration (FDA) regulations to protect their gadgets. The sheer lack of ignorance and accountability is costing people their lives.
Given all the risks and concerns that were put forward above, it’s reasonable to wonder whether or not we can completely protect ourselves from such cybersecurity attacks. It is a possibility with the right defence, such as those listed below:
i. Comprehensive IoMT management: It’s very easy to forget about the basics because it seems so obvious. But most organizations are unaware of the complex network that they make use of. The first thing they must do is create a live inventory for all their assets. It can include information about what devices are present, where they are present, what security gaps exist, etc.
ii. High-end encryption: It goes without saying that encryption is key. Any data that is created, stored or even passed through the network must be encrypted. It reduces the likelihood of breaches, although that is highly dependent on how strong the encryption is, so make sure that it’s fool-proof.
iii. Network segmentation: Segmentation is the simple process of dividing the IoMT network with encryption at each level of the network. This ensures that even though vulnerabilities might be present in one part of the network, the others aren’t affected. Only authorized users can access these networks and even their authorization levels can vary between different parts of the network.
iv. Regular software updates: No network can be protected forever, no matter how much you encrypt and segment them. Eventually, the vulnerabilities will show, and they will need to fix. This is why it’s important to carry out regular penetration testing to see how vulnerable the current system is and fix any bugs or introduce new security features. Data integrity is key and an integral part of secure IoMT devices.
v. Accountability: It’s always best to just admit it if there are any bugs or gaps in the network and fix them as soon as possible. No system is completely fool-proof but it can be managed well. For example, there are many vulnerabilities present in the Microsoft systems, but they continually identify and fix any gaps that they discover in their accountability testing.
In short, it’s a yes and no. IoMT is the future of healthcare, and companies all across the world are jumping on the bandwagon. This also means that every single day, tons of data is being generated but not necessarily protected. Most cyberattacks also use existing vulnerabilities in such devices, making it virtually impossible to keep up with them. With more people becoming aware of the device’s security concerns, the general public could soon become risk-averse, drastically reducing its valuation over time. Securing IoMT devices can be a simple process yet, many organizations fail to implement the necessary precautions. It could be because they either don’t consider it an issue, don’t have the budget for it, or don’t have a strategy in place. It’s high time that they implement IoMT device security as a prime strategy in their development process because a life-saving device is only as good as its ability to save a life.