IoT device security is the next MedTech gold rush

Internet-enabled medical devices (collectively the Internet of Medical Things, or IoMT) hold the keys to decreasing the cost and improving quality of healthcare. But in order for these devices to be successful in the market, they need to keep patients and their data safe from malicious hacking. The companies and products that successfully secure IoMT devices from hacking will have a tremendous impact on the future of healthcare.

A few years ago I first learned about internet-enabled door locks. What a great idea! Who wouldn’t want to be able to see if their home front door is locked from the office, or program the door to automatically unlock when you pull in the driveway. But independent security researcher Anthony Rose found most of these devices could be hacked remotely, according to his 2016 DefCon conference presentation, which is pretty bad considering the device’s sole purpose is to secure your house.

These kinds of IoT devices have a sordid history of security flaws, sometimes resulting in baby monitors be accessible by anyone, credit card systems being compromised, or even the entire internet being shut down. But what happens when medical devices, like pacemakers and glucose pumps, start becoming victims of similar attacks? The recent recall of 465,000 pacemakers from medical device company Abbott due to security concerns is likely just the tip of the iceberg.   

In the last five years, the focus in healthcare has turned toward decreasing costs. National healthcare expenditure accounts for 17.8% of GDP. There isn’t much room for that number to increase, even as our population is growing and living longer. One way to decrease healthcare costs is to move treatment from hospitals, which are expensive, to outpatient facilities and even patients’ homes. This means that medical devices and IT systems need to be internet-enabled in order for clinicians to access data.

It’s estimated the U.S. spends 86% of the nation’s $2.7 trillion annual health care expenditures on treating chronic and mental health conditions. These diseases can be better managed with constant streams of data, allowing clinicians to prevent costly complications before they begin. This means heart rate monitors, glucose monitors, and the dozens of other ambulatory medical devices will be connected to the internet shortly (if they’re not already).

The fact is, computers can be hacked, especially when connected to the internet. Another fact: most internet-enabled medical devices weren’t designed with security as a top priority. This is due to many factors, such as being rushed to market, because customers haven’t demanded security transparency, or because regulatory agencies didn’t historically address data security. The costs of ignoring security risks in medical devices, though, are huge, placing patients’ data and lives in harm’s way. 

In 2016, researchers identified security vulnerabilities in a St Jude Medical pacemaker and proactively partnered with a hedge fund to short the stock before disclosing the product vulnerabilities to the press. Once revealed, St. Jude lost over one billion dollars in market capitalization overnight. Its stock price later recovered, and the acquisition by Abbott was completed. But, as noted before, Abbott ended up recalling over a half million of these pacemakers in 2017 in an effort to address these vulnerabilities. It’s hard to argue against implementing security features into devices when doing so would have been cheaper than fixing vulnerabilities post-FDA recall.

I regularly hear the question, “How likely is it someone would actually hack a medical device?”. While I’m confident it will happen soon, if it hasn’t already, we don’t need a device to be targeted in order for patient safety to suffer. Consider the WannaCry ransomware attack which brought down the NHS hospital network earlier this year. Many of the computer systems affected were in fact medical devices running Windows XP or Windows 7. The ransomware didn’t recognize the device it was infecting was a medical device, only that it ran Windows. 

IT experts know nothing is unhackable. If you put $20 million into securing a device, a government agency can put $40 million into breaking it. We shouldn’t expect medical devices to be perfect. But we should expect them to have basic cyber hygiene, such as encrypting data at rest and in transit, cryptographically signing data and commands, and being patched regularly. 

Basic cyber hygiene is not easy for medical device vendors to grasp. They’re experts in clinical technologies, not cryptography. Just as cloud computing spawned an ecosystem of companies that help get products and organizations into the cloud (Heroku, New Relic, Okta, etc.), we need an ecosystem of companies to help healthcare technology companies connect devices to the internet securely. There are companies working in this space (MedCrypt, Thingworx, Ayla, etc.), but we have a long way to go before it’s easy for device vendors to connect a pacemaker, for example, to the internet securely.

Historically, medical device vendors assumed that devices operated in a safe network environment. This placed the burden of securing patients and their data on hospital IT systems. But the FDA and others have acknowledged this is not a safe assumption any longer; device vendors can’t rely on hospital networks being secure.

Imagine if Apple told you your iPhone was secure as long as your home network was secure. How many people would trust their phone with personal and financial data? Instead, Apple has made security an almost silent selling feature, adding security features that make it difficult for even the FBI to access users’ information. If only our medical devices were so hard to break.

Recently, influential hospital systems have started using security assessments in their procurement procedures. In order for device vendors to start prioritizing product security too, they need to start hearing demand from customers. Concurrently, in order for hospital administrators to start demanding secure devices, they need to hear from their IT staff that they can’t promise the devices on their network are secure. 

Healthcare is moving out of the hospital into the home and that means we'll have many, many more connected devices in the future than we have today. It’s clear there is lots of work to be done securing these devices from hackers, and that work will be have to be done by healthcare providers, device vendors, and innovative companies working in the space. Preferably (to the patient) sooner rather than later. 

Mike Kijewski,CEO and Co-Founder of MedCrypt

Image Credit: Everything Possible / Shutterstock