Connected medical device makers need to step up security

The internet of things (IoT) shows huge promise in the healthcare sector, but there are serious security implications. Device manufacturers need to do more to secure devices and hospital CIOs need to demand better security.

The healthcare industry is adopting internet of things (IoT) devices at a rapid rate. But while the value of connected devices in the medical sphere is becoming increasingly clear, device makers and hospitals need to step up their game in a big way when it comes to security.

Management consulting firm McKinsey & Company estimates that by 2025, just the remote monitoring enabled by IoT medical devices could create as much as $1.1 trillion a year in value by improving the health of chronic-disease patients.

Connected glucometers, blood pressure cuffs and similar devices can collect all sorts of vital sign data on patients automatically, allowing nurses and doctors in the hospital setting to respond early and quickly to patient needs. Devices like connected infusion pumps that deliver precise dosages of drugs can respond to changing conditions as needed. In-home medical devices can allow hospitals to discharge patients sooner, while still monitoring their conditions.

But healthcare IoT isn't limited to medical device integration. It will play a role in inventory management — particularly in areas like pharmacy. It will also have a dramatic effect on workflow optimization. For instance, RFID tags in wrist bands and ID badges could help a hospital better understand the flow of people through its facilities.

"When you're using connected devices, it makes it a lot easier for doctors and nurses to enter patient information into patient health records," says Vlad Gostomelsky, a network security professional and managing consultant with Spirent Communications, a specialist in network, device and services testing.

That's important, because as of October of last year, the U.S. Department of Health and Human Services has mandated that U.S. healthcare providers use ICD-10-CM, a new and much more detailed version of the International Statistical Classification of Diseases and Related Health Problems (ICD), which is a medical classification list by the World Health Organization (WHO). The new codes can tell healthcare professionals whether a patient was bitten by a squirrel (W53.21XA), struck by lightning once (T75.01XA) or even struck by lightning a second time (T75.01XD).

The idea is to create much more granular data that allow researchers to better understand trends and outbreaks. It could be scientists seeking to understand the pattern of an infectious disease or researchers looking for patterns of injury with regard to particular products.

The thieves are watching

The uses of such data are myriad. But the data is also extremely sensitive and valuable to thieves. In the case of devices like infusion pumps or pacemakers and implantable defibrillators, the consequence of a security vulnerability could be deadly. Other data can be used for identity theft or even blackmail.

"The vendors are trying to aggregate as much information as they can electronically," Gostomelsky says. "Obviously, security is not their first concern. They're trying to be the first to market."

To make matters worse, the hospital has some unique challenges when it comes to locking things down.

"A hospital network is filled with HIPAA information and data," Gostomelsky says. "But in a hospital, you have a large number of workstations that can't be locked [when someone isn't using them]. They're connected to things like crash carts that allow doctors or nurses to type in a password or scan a thumbprint and grab whatever drugs they need for a patient in an emergency."

It's not up to only the hospitals

Hospitals can do more to secure their environments, he says. They can do a better job isolating their networks using VLANs and they can deploy intrusion detection. But fundamentally, he says, the onus will rest on device manufacturers to get their houses in order.

"Hospitals don't necessarily have a huge IT budget," Gostomelsky says. "Their focus is on buying medical equipment, paying doctors and delivering the best patient experience. Hospitals alone cannot solve the problem. Anything they're trying to fix is an afterthought. Device manufacturers who actually create the medical devices need to have comprehensive testing. They need to build more secure devices."

Getting there, he believes, is going to take the development of industry standards.

"It's only a matter of time," he says. "If the industry doesn't create standards, the FDA will step in. If we don't do it ourselves, the government will set standards and we may not like the results."

What hospitals can do, though, is put pressure on medical device makers to create standards and certify their adherence to those standards.

"Hospitals need to require certified devices," he says. "I think that will drive the industry. People have reported vulnerabilities to medical devices before, sometimes over several years, and they have not been fixed. They simply don't have the pressure on them to secure the device."

As an example, he points to a penetration test he performed several months ago in which he discovered that a medical device used by a Philadelphia hospital was operating on a radio frequency outside the ISM band reserved for industrial, scientific or medical purposes other than telecommunications.

"The frequency they chose was way too close to the frequency used by the Philadelphia Fire Department," Gostomelsky says. "Every time the fire department used that frequency, it jammed the device and reset it. It violated laws and went against best practices."

"Good decision-making starts right at purchasing," he adds. "Hospital CIOs need to demand to know whether the device passed security testing — independent security testing by a reputable organization."

He also notes that hospital CIOs need to use the 'stick' approach when it comes to contracts. They need to ask questions about how the manufacturer deals with security vulnerabilities and the update policy for patches. CIOs need to ensure that the contract specifies that the manufacturer is responsible for delivering timely patches for devices if security vulnerabilities are found.
