Medical devices are vital, but vulnerable
In current hospital systems, many devices are old, hard to see, and unprotected from vulnerabilities and hacking. Legacy medical devices were never designed to be connected, let alone secured, on today’s digital networks. Yet they hold sensitive, personal, and oftentimes life-sustaining information. Supporting medical needs ranging from a seemingly benign saline drip to radiation targeting systems, continuous sedation during surgery, and recovery diets to eat at home after discharge, medical devices are closest to patients, second only to their primary care physicians.
Medical devices pose a unique cybersecurity risk in that attacks or hacks can directly endanger patient privacy and safety. What makes medical device security such a pressing issue are the network effects associated with connected platforms. Compromising the safety and wellness of one individual is problematic enough, but these vulnerabilities expose entire segments of patients and consumers using specific devices, applications, and services.
Emerging technologies, however, can identify medical devices, understand their vulnerabilities, and provide non-intrusive security on the network.
Connected consumers, disconnected devices
A subset of the Internet of Things (IoT), the Internet of Healthcare Things (IoHT) is the convergence and integration of sensor data collected by medical devices and mobile technologies, as applied to healthcare. Devices linked to cloud platforms on which captured data is stored and analyzed have come to be known as the Internet of Medical Things (IoMT).
The healthcare consumer movement to participate in wellness rather than treatment—or value-based health—is one factor driving the adoption of new medical technology, a shift that started when personal activity trackers and wireless-enabled wearable technology devices became wildly popular. But devices connected to cloud apps run the risk of exposing health networks to malware and other attacks.
Adding to the broader challenge of connected devices, manufacturers have little incentive to secure devices for the full lifecycle and instead outsource device support and maintenance. Ensuring integrity across the device lifecycle starts with manufacturers. Security is about integrating the supply chain from design to end of life of the device. Data management, product and service maintenance and support should be considered essential features of any device.
Consider the scale
There are 10-to-15 million medical devices in US hospitals, and an average of 10-to-15 connected devices per patient bed. Multiplied by the hundreds of thousands of hospital beds nationwide, the magnitude becomes clear. The number of global connected medical devices is set to exceed 50 billion in the next decade. And that’s not just inside hospitals, as doctors treat patients via virtual medicine and consumer wearables send data to clinicians.
Especially jarring is that 82 percent of healthcare organizations have experienced an IoT-focused cyber attack in the last year, but only 6 percent say they have the resources to tackle cybersecurity challenges.
Meet the authors
Beth Musumeci, Global Partner, IBM Security Services, Healthcare and Life Sciences
Ralph Ramsey, Global Associate Partner, IBM Security Services, Healthcare and Life Sciences
Stephen Brennan, Global Associate Partner, IBM Security Services, Healthcare and Life Sciences
Heather Fraser, Global Lead for Healthcare and Life Sciences, IBM Institute for Business Value
Originally published 28 February 2020