The Internet of Health Things (IoHT)
According to a survey by Accenture Consulting, the Internet of Health Things (IoHT) is the integration of the physical and digital worlds through objects with network connectivity in the healthcare industry. IoHT transforms raw data into simple, actionable information and communicates with other objects, machines or people. If you think you have never encountered IoHT, just think of your Fitbit or wireless blood pressure monitor, and there you are.
Moreover, the number of health sensors, trackers, and wearables on the market is multiplying. Around a hundred million wearable units to measure health parameters were sold in 2015. It is predicted that 245 million wearable devices will be marketed in 2019. But it’s not only wearables. The Accenture 2017 Internet of Health Survey emphasized that almost three-quarters of healthcare executives say IoHT will be disruptive within the next three years, above all in three areas: remote patient monitoring, wellness/prevention – where the health sensors and wearables come into play – and healthcare operations, such as managing inventories of medical supplies. In sum, Accenture expects it to reach a $163 billion market in 2020! That’s a number you cannot ignore.
The possibility of hacking medical devices should alarm healthcare providers
As the Internet of Health Things expands, the points of vulnerability keep multiplying through a swarm of endpoints, networks, and channels. Some analysts say medical devices in particular have been identified as highly vulnerable, and that hacked medical devices may now be the single biggest threat to healthcare IT. Serious security threats are prevalent in the case of X-ray systems, blood refrigeration units, CT scanning equipment, implantable cardioverter defibrillators (ICD) and implantable neurological devices.
In 2011, a researcher from the McAfee tech company demonstrated at a conference in Miami how insulin pumps might be hacked to deliver fatal doses to diabetes patients. Software and a special antenna he designed allowed him to locate and seize control of any such device within 300 feet.
In an interview with the TechTarget Network, Scott Erven, associate director at Protiviti, a California-based consulting firm, told what is for me the most alarming story so far. Two individuals in a hospital in Austria were hooked up to an infusion pump and felt their pain management wasn’t under control; so they went online, found the service documentation, got the hard-coded service credentials for their infusion pumps, logged in and upped their doses. Their attempt backfired badly, as the overdoses caused respiratory problems, but the single fact that these patients were able to figure out how to log into the devices is alarming enough.
It signals both that it is not difficult to work out how an infusion pump operates and that the device is not appropriately protected. Both are scary, to say the least. But this is only the tip of the iceberg.
The labyrinth of connections, networks, passwords
While ever more sophisticated wireless and digital devices reach healthcare, health IT is not keeping up with the developments. According to Forbes, the problem is that medical professionals are either not aware of security risks or (naturally) do not have the IT skills to ask the “sensitive” questions. Moreover, IT security is not supported adequately in hospitals and other medical facilities, as such teams are both understaffed and underfinanced. I seriously hope that the recent NHS ransomware attack will open the eyes of healthcare providers in many countries and that massive investments in cybersecurity will follow. I cannot emphasize enough how badly we all need that.
If the vulnerable nature of individual medical devices were not enough, imagine how many points of vulnerability are created through the army of new endpoints, networks, passwords, data synchronization and more. One problem is devices entering hospitals through a variety of channels, some of which are unknown, Karl West, chief information security officer at Intermountain Healthcare in Salt Lake City, told TechTarget. He mentioned that more often than not, devices do not go through “common controls”, meaning passwords, encryption, and the latest hardware or software updates. There are also connectivity issues: some data migrates automatically to some devices but not to others. It sounds like total chaos, which might be the best playground for hackers.
How to prevent data breaches and the hacking of medical devices?
An American Action Forum report indicates that breaches of electronic medical records (EMR) have more than doubled since 2014, with more than 94 million EMRs compromised. These breaches have cost the American healthcare system an estimated $50 billion. And the non-financial consequences might be even more serious. I believe that if we do not pay more attention to the IT security of interconnected and data-driven medical devices, we might easily find ourselves in situations such as the one in the US television series Homeland, where the US Vice President was killed through manipulation of his pacemaker.
So what steps should stakeholders in healthcare – patients, medical professionals, healthcare providers, medical device manufacturers, and regulators – take in order to prepare for and potentially prevent the next hacking attempt?
1) Patients and medical professionals
I believe that data privacy and IT security should start with our very own devices. If you are not paying attention to your own data security as a private person, you will most probably not care about it as a patient or as a medical professional at your workplace either. It is simple: if you want change, start with yourself!
Do you share cute cat videos on Instagram without hesitation? Or do you check in on Facebook countless times a day? Perhaps you like to fill out quizzes and reach new levels in Candy Crush? Most of us are careless when using social media channels and when downloading smartphone apps that ask for permissions. If you want to manage your permissions consciously, go to mypermissions.com. It shows which apps you have given access to your private information through Facebook, Linkedin, Google and more. It goes without saying that you should never post personal information like your address, phone or credit card number on a social network in any form.
Also, unless you have lived under a rock for the past decade, you have heard about the importance of safe passwords. Istvan Lam, founder and CEO of Tresorit, a Hungarian data privacy company, recommends making sure you never reuse the same password for multiple services, and always using strong passwords. You can easily do this with a trusted password manager, such as LastPass, 1Password or KeePass, which generate random passwords and help you keep track of them.
2) Healthcare providers
It goes without saying that IT departments and cyber security teams in hospitals and other medical facilities should have the appropriate budget and professional expertise in order to effectively control all networks and devices under their auspices. As I mentioned in the first part of the article series, since human error can occur at any organization and data loss is always a possibility, it is important that healthcare organizations prepare, test, and perform backup and recovery operations.
But it is equally important to change and update passwords. Myles Bray, EMEA VP at ForeScout Technologies Inc., commented to Security Newsdesk that MRI machines, operating room equipment, security cameras, patient monitors and wireless printers often come with a default password and, unless they are regularly updated with the latest security software, offer a vulnerable back door into an organization’s wider systems. In order to protect against this threat, it is necessary to understand and control these devices across the whole network. However, as many devices lack this level of security themselves, healthcare providers have to take care of such issues on their own.
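One way a hospital IT team could apply the “common controls” mentioned above (a changed default password, encryption, current updates) to its device inventory is a simple audit that flags every device failing any of them. This is an added example, not code from the article or from any vendor; the `Device` records, the 90-day update window and the sample inventory are constructed assumptions.

```python
"""Audit a medical-device inventory against the 'common controls' named in
the article: non-default password, encryption enabled, current updates.
The inventory records and the 90-day update window are constructed
assumptions for illustration only."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumed policy: a device is considered out of date after this many days.
MAX_UPDATE_AGE_DAYS = 90


@dataclass
class Device:
    name: str
    network_zone: str               # e.g. "clinical", "admin" (constructed)
    default_password_changed: bool  # False = vendor default still in use
    encryption_enabled: bool
    last_update: date               # date of last firmware/software update


def audit_device(dev: Device, today: date) -> List[str]:
    """Return the list of control failures for one device (empty = compliant)."""
    findings = []
    if not dev.default_password_changed:
        findings.append("default password still in use")
    if not dev.encryption_enabled:
        findings.append("encryption disabled")
    age = (today - dev.last_update).days
    if age > MAX_UPDATE_AGE_DAYS:
        findings.append(f"no update for {age} days")
    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map device name -> findings, listing only devices that fail a control."""
    return {d.name: f for d in devices if (f := audit_device(d, today))}


# Constructed sample inventory; none of these are real devices.
SAMPLE_INVENTORY = [
    Device("mri-suite-1", "clinical", True, True, date(2017, 5, 1)),
    Device("infusion-pump-12", "clinical", False, False, date(2016, 11, 3)),
    Device("wireless-printer-3", "admin", False, True, date(2017, 4, 20)),
]


def run_sample_audit() -> Dict[str, List[str]]:
    """Audit the constructed inventory as of a fixed (assumed) audit date."""
    return audit_inventory(SAMPLE_INVENTORY, date(2017, 6, 1))


if __name__ == "__main__":
    for name, findings in run_sample_audit().items():
        print(f"{name}: {'; '.join(findings)}")
```

Feeding the audit from a real asset inventory (and treating an unknown device as a finding in itself) is what turns the “common controls” from a slogan into something the IT team can actually track.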
3) Medical device manufacturers and health tech companies
The CEO of Tresorit told me that even though there are improvements, developers in general do not pay enough attention to security. He believes that one reason is that, most of the time, IT security is the responsibility of separate people or teams within a technology company. Developers who are not dedicated security engineers usually lack the skills needed to write secure code, whereas to create a secure system, every module must be properly secured. It is important to raise awareness of IT security in all teams responsible for product development, he explained.
I agree with Lam about how important it is for manufacturers to pay more attention to IT security. They should prepare better for data breaches, map out possible vulnerabilities and in general design their products and services in line with the “privacy by design” principle. The CEO of Tresorit recommends end-to-end encryption as well. The technology, which already protects messages and emails from mass data breaches by hackers and from snooping governments, can similarly secure medical records in health databases or in digital health apps such as diabetes or fertility trackers, Lam said. He added that they recently launched ZeroKit to help all developers, including health app developers, add secure user authentication and encryption to their tools.
4) Health regulators and governments
In general, the strategic management of health IT structures has to be taken to a higher level, where for example the above-mentioned “common controls” could become the general rule. I believe that regulators in countries aiming to incorporate digital health on a systemic level should come up with a long-term health IT strategy as well as standards for health IT systems, in order to enable easier management of data and networks.
Regarding the devices themselves and their developers, the CEO of Tresorit believes that security audits by trusted companies are crucial for all hardware and software that handle sensitive data such as medical data. Lam said hefty fines in case of a data breach could also be an effective way to motivate companies to pay more attention to data protection. For example, with the coming General Data Protection Regulation (GDPR) in Europe, companies that fail to protect personal data will face more severe regulatory fines. Public bug bounty programs could also help improve the security of these tools.
Beyond building a high-level data security system, securing the Internet of Health Things must become the number one priority of every connected healthcare network. We should do everything we can to efficiently secure patient data in the age of the digital tsunami, as the accumulation of data will only accelerate in the years to come.