For the past twenty years, medical testing has been mostly centralised in laboratories. Whether private or hospital-based, these labs could process dozens of different tests on thousands of samples every day. Automation and robotics provided rapid and reliable testing. It was cost-effective, and data security was tight. Medical device security was not an issue.

But the world of healthcare is rapidly changing. The latest medical technology is growing ever more portable and interconnected. Testing devices may be hand-held or strapped to the patient like an armband. A visiting doctor or nurse could be taking readings – such as glucose and blood pressure – and immediately transmit them to a hospital or surgery. Or a patient may be sitting at home and being monitored remotely. The Internet of Medical Things (IoMT) is driving a hand-held boom as technology gets smaller, smarter and closer to the patient.


The scope of connected medical devices

At a recent international trade show, more than forty companies promoted ‘wearable technologies’. There were wristbands and armbands for blood pressure and fertility monitoring. An earpiece could monitor five variables, including heart rate and blood pressure. A finger ring could detect atrial fibrillation. Many of these high-tech tools use Bluetooth and Wi-Fi to upload data and allow remote monitoring. Telemedicine and telehealth are driving similar connectivity, enabling doctors to see more patients more efficiently over internet links.

Primarily driven by advances in wireless communications, mobile devices, and cloud computing, IoMT has the potential to transform the healthcare industry. Near-to-the-patient testing and monitoring can deliver more targeted and personalised medicine and reduce costs.

It is relatively simple for a laboratory to ensure the security of its high-throughput testing systems. They can run on a stand-alone network. Results can be delivered as a paper printout. Ensuring the cybersecurity of a connected network of healthcare devices is a far greater challenge. They may be used in the home, in the doctor’s surgery, or in a clinic. And they may be connected to domestic, office or clinic networks.


Security risks

Healthcare systems collect and process sensitive information to make critical decisions. Cybercriminals targeting weak points can obtain unauthorised access to personal healthcare data.

Each device is a point of vulnerability in itself. Device security has to be ensured for every component on the network. But these smaller tools are aiming to push down costs. So their software and hardware are often built from a mix of free or open-source components. Such software is often adapted rather than properly patched, and not well maintained.

Medical devices connected in the home may lack basic security features and virus protection. And they run on a home Wi-Fi network without the security features that would be typical in a major hospital or laboratory. Hacking, ransomware and simple sabotage are some of the threats that unsecured devices and networks face.

Whilst we all know that our smartphone apps come with regular upgrades and patches, medical devices are not smartphones. You will want to depreciate that capital expenditure over ten or twenty years. And so their vulnerabilities will multiply as they age. Medical device security must begin at the design stage and continue through to the end of the device’s working life.

IoT security challenges start when medical technology companies manufacture the product. Manufacturers need to create devices that are patched and equipped with adequate security capabilities. But in many cases, securing these devices is an afterthought for manufacturers. Purchasers must double-check that they will stand up to the challenges of today’s complex healthcare environments. Because once unsecured IoMT software and devices are placed into hospitals, the responsibility shifts to hospital IT staff.


Protecting devices and patients

An important step is to follow the standard protocols for risk management. The international standard IEC 80001-1 (application of risk management to IT networks of medical products) provides a guide to follow. It presents a unified approach to the safety of medical devices connected to networks. You can use it as a guide for medics, technicians, and IT specialists to work together on reducing risk.

The ongoing development of security analytics can provide an extra level of support for IT staff. Security analytics means analysing data to detect anomalies, unusual user behaviour and other threats. A network may include hundreds or even thousands of connected devices providing real-time data – too much data for individuals to process.

Analytics tools can watch and monitor network activity, looking for anything out of the ordinary. The incorporation of machine learning means that such security tools can build a baseline of what normal behaviour looks like. Such security support can highlight where devices are located on the network and how they are behaving. IT departments can investigate possible security threats before they get out of hand.
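The baselining idea above, as an added illustration that is not part of the original article: a small Python detector learns each device’s normal destinations, active hours and flow sizes from a constructed training window, then flags live flows that fall outside that baseline. Device names, hosts and byte counts are all hypothetical sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window: (device, hour_of_day, destination, bytes_sent).
# Device names and the telemetry host are hypothetical.
TRAINING = [
    ("glucose-monitor-01", 8, "telemetry.hospital.example", 1200),
    ("glucose-monitor-01", 12, "telemetry.hospital.example", 1180),
    ("glucose-monitor-01", 16, "telemetry.hospital.example", 1210),
    ("glucose-monitor-01", 8, "telemetry.hospital.example", 1210),
    ("bp-cuff-02", 9, "telemetry.hospital.example", 800),
    ("bp-cuff-02", 9, "telemetry.hospital.example", 820),
    ("bp-cuff-02", 17, "telemetry.hospital.example", 810),
]

# Constructed live window scored against the learned baseline.
LIVE = [
    ("glucose-monitor-01", 8, "telemetry.hospital.example", 1205),  # normal
    ("glucose-monitor-01", 3, "unlisted-host.example", 50000),      # off-hours, new host, size spike
    ("unknown-device-77", 10, "telemetry.hospital.example", 500),   # not in inventory
]

def build_baseline(flows):
    """Learn per-device normal behaviour: destinations, active hours and flow sizes."""
    base = defaultdict(lambda: {"dests": set(), "hours": set(), "sizes": []})
    for dev, hour, dest, nbytes in flows:
        base[dev]["dests"].add(dest)
        base[dev]["hours"].add(hour)
        base[dev]["sizes"].append(nbytes)
    return base

def score_flows(baseline, flows, z_threshold=3.0):
    """Return (device, reason) alerts for flows that deviate from the baseline."""
    alerts = []
    for dev, hour, dest, nbytes in flows:
        if dev not in baseline:
            alerts.append((dev, "device not in inventory"))
            continue
        known = baseline[dev]
        if dest not in known["dests"]:
            alerts.append((dev, f"new destination {dest}"))
        if hour not in known["hours"]:
            alerts.append((dev, f"activity at unusual hour {hour:02d}:00"))
        mu, sigma = mean(known["sizes"]), pstdev(known["sizes"])
        # A flat baseline (sigma == 0) means any change in flow size is unusual.
        if (sigma == 0 and nbytes != mu) or (sigma > 0 and abs(nbytes - mu) / sigma > z_threshold):
            alerts.append((dev, f"flow of {nbytes} bytes vs baseline mean {mu:.0f}"))
    return alerts

def run_demo():
    """Score the constructed live window; returns the list of alerts."""
    return score_flows(build_baseline(TRAINING), LIVE)
```

Calling `run_demo()` yields four alerts: three for the off-hours, unlisted-host, oversized flow and one for the device absent from the inventory, while the normal glucose-monitor and bp-cuff traffic stays quiet.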

Ransomware, data breaches, and distributed denial of service (DDoS) attacks are just some of the threats facing hospitals and healthcare facilities. A recent survey found that more than half of the healthcare organisations contacted had experienced a cybersecurity threat in the previous year. The increasing use of connected devices within and beyond the hospital makes hospital networks and data even more exposed. But there are ways in which you can increase your security. It pays to protect the integrity of your systems before an attacker finds the weaknesses for you.