IoT use in healthcare grows but has some pitfalls

The future looks bright for the use of IoT in Healthcare. The global portable and remote patient monitoring market alone is expected to reach $43 billion by 2027. The Covid-19 pandemic has accelerated this scenario. According to IDC, by the end of this year, seven of the top ten wrist wearables companies will have launched algorithms capable of early detection of potential signs of infectious diseases.

Although the healthcare sector has taken longer to adopt Internet of Things technologies than other industries, the Internet of Medical Things (IoMT) is now at the heart of the digital healthcare ecosystem. This ecosystem includes patients and medical teams, medical devices (e.g., diagnostic and imaging), surgical robots, wearables, smart devices, and countless wireless sensors, all of which share confidential patient data.

When ordinary portable medical devices are connected to the Internet, they can collect essential data that can save lives. They also serve to provide extra insight into the symptoms and trends of any specific physiological or even psychological disorder.

Similarly, wearable devices are reshaping the way patients receive medical care. They help collect and transfer essential information to doctors, such as heart rate, oxygen level, blood pressure, weight, ECGs, and blood sugar levels.

From an industry perspective, all this data can help hospitals, pharmaceuticals, and life science companies make better decisions and gain a competitive advantage.

By 2023, 65% of patients will access care through a digital connection. By 2024, data proliferation will result in 60% of healthcare organizations’ IT infrastructure is built on a data platform that will use AI to improve process automation and decision-making. When coupled with AI (Artificial Intelligence) and ML (Machine Learning), IoT can help find potential cures and treatments for diseases.

But the use of IoT in healthcare has its pitfalls – in general, IoT devices cannot be centrally managed, patched, updated, or secured. They are simple and functional, making them vulnerable to exploitation by cybercriminals, as most of them were not designed with security in mind. The possibility that a zero-day exploit on a medical device could be used to harm or even kill someone undetected is real.

Therefore, data intrusion and loss and the potential to take control of a device should be top of mind for healthcare IT teams. Each type of connected medical device has its own set of complexities that need to be protected at the time of product design. Each device has an application programming interface (API), a user interface, a URL, and often interfaces for HDMI, Bluetooth, or WiFi, all of which can be exploited if not properly secured by the device manufacturer and users.

Concerned about this, the US Food and Drug Administration (FDA) released guidance in 2019 to assist the industry by identifying cybersecurity-related issues that IoMT device manufacturers should consider in designing and developing their products. The Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Guidance for Industry and Food and Drug Administration is aligned with NIST’s Cybersecurity Framework and recommends that medical device manufacturers consider detecting, identifying, recording, and recording, if possible, quickly correcting security compromises. In line with these essential functions, FDA suggests security measures that device manufacturers should consider for the protection of medical devices, which include:

• Ensure secure transfer of data to and from the device, using encryption where appropriate;
• Provide information to end-users on the appropriate actions to take upon detection of a cyber security event;
• Leverage hazard analysis, mitigation, and design considerations relating to cybersecurity risks associated with the device;
• Have a plan for validated software updates and patches as needed throughout the device lifecycle to continue to ensure its security and efficiency.

As cybersecurity risks for medical devices are constantly evolving, the FDA cannot fully mitigate the risks. Which makes effective cybersecurity risk management, protection, and monitoring of IoT devices, legacy operating systems, and health records for healthcare organizations a paramount concern. And this should be a shared responsibility among stakeholders, including medical device manufacturers and hospitals.

Everyone should invest time and resources to:

• The constant monitoring of cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risks;
• The implementation of robust software lifecycle processes that include mechanisms to monitor third-party software components for new vulnerabilities throughout the total product lifecycle;
• The design verification and validation of software updates and patches used to mediate vulnerabilities, including those related to off-the-shelf software;
• The understanding, assessment, and detection of the presence and impact of a vulnerability;
• The establishment and communication of processes to capture and address vulnerabilities;
• The use of threat modeling to clearly define how to maintain the security and core performance of a device by developing mitigations that protect, respond and recover from cybersecurity risk;
• The adoption of a coordinated vulnerability disclosure policy and practice;
• The implementation of mitigations that address cybersecurity risk at the outset and prior to its exploitation.

Network monitoring solutions with capabilities to integrate medical devices offer healthcare providers the ability to monitor vital data connections, servers, and the applications involving those devices. Not least because all medical devices require a classic IT infrastructure for communication. This infrastructure takes care of data transfer and provides the hardware for the system network. It requires cables, switches, servers, and storage systems, as well as WIFI and access points. But the hospital IT infrastructure imposes an additional challenge on IT professionals: it also takes care of the specialized healthcare systems, as often all elements and systems of a hospital, for example, coexist in the same infrastructure.

For example, Musgrove Park Hospital in the UK uses Paessler’s PRTG Network Monitor to oversee its network, following NHS Digital cybersecurity recommendations. PRTG monitors the internal and external network and is configured on 10,950 Digital Imaging and Communications in Medicine (DICOM) and Health Level Seven International (HL7) sensors.

These sensors empower IT professionals and healthcare administrators to monitor a variety of critical systems and functions, including:

• Hospital Information Systems (HIS, HIS): PRTG makes it possible to view what is happening across the integrated HIS, not only the relationship with data exchange but also the computing resources and devices involved. Notably, PRTG can be deployed on-premises or in the cloud and has specially designed sensors for many of the industry’s most widely used IT solutions, including those from Amazon Web Services, Cisco, Fujitsu, Microsoft, NetApp, VMware, and others. With PRTG, it has never been easier for hospital IT departments to fully monitor their medical, financial, and administrative systems.
• Laboratory Information Management Systems (LIMS): PRTG also facilitates oversight of all systems and devices integrated into laboratory processes, as well as the data transported between them, including information regarding sample management, testing, analysis, disposal, and compliance. Monitoring also ensures that clinicians and clinical teams have quick access to the findings they need.
• Radiology Information Systems (RIS): All radiology and imaging department systems, hardware and software, and associated workflows can be monitored through PRTG’s intuitive dashboard – empowering IT to easily determine the cause of any delays in image delivery between devices, departments, or clinicians.
• Picture Archiving and Communication System (PACS): PRTG also monitors the entire PACS, making it possible to ensure that all systems required for secure image movement, storage, and archiving are functioning as expected. This includes the workstations used to view and interpret scans.

Therefore, IoT in healthcare presents several security and confidentiality components that must be taken seriously and planned for in advance. The key to success is visibility. With so many potential points of failure, teams involved with the Internet of Medical Things (IoMT) need to be aware of any potential failures at all times and often be able to resolve issues before they occur.