Rise of Patient-Connected Devices Requires Commitment to Proven Cybersecurity Practices

By Brian Wells, Director of Healthcare Strategy, Merlin International

Healthcare is increasingly moving to the household: Driven primarily by testing, screening and monitoring products, the global home healthcare market is expected to surpass $364 billion by 2022, up from just over $239 billion today, according to a forecast from MarketsandMarkets.

Network-connected devices – particularly those considered part of the Internet of Things (IoT) – account for a great deal of this demand. By 2019, 87 percent of healthcare organizations will have adopted IoT technologies, as three-quarters of executives believe IoT will transform the industry, according to research from Hewlett Packard Enterprise’s Aruba Networks. Patient monitors have emerged as the most common use of IoT (currently deployed by 64 percent of organizations). As indicated, this adoption surge has extended into the home, with medical practitioners remotely monitoring just over 7 million patients worldwide – a figure that is projected to increase to 50.2 million by 2021, according to research from Berg Insight.

Unfortunately, there’s a “good news/bad news” reality in play here: While IoT significantly advances the capabilities of these devices, it also creates new vulnerabilities. Nine out of ten healthcare executives surveyed by Aruba Networks, in fact, said their organization has already suffered from an IoT-related security breach. And, by 2020, more than one-quarter of identified attacks targeting the healthcare delivery industry will involve the IoT, according to additional research from Gartner.

If the bad guys start hacking patient-connected or embedded devices, there could be life-threatening outcomes. An adversary may, for example, manipulate a machine to inject a lethal dose of drugs. Or exact a ransom from a patient or their family. What’s more, it would be extremely difficult to identify the source of such a horrible attack. Patient-connected and/or implanted devices are rather rudimentary in terms of technology sophistication. They will not contain detailed log files of everyone and everything that has somehow connected to them, and they certainly won’t store enough information about IP addresses to lead investigators from an incident to a likely culprit.

Relatively recent recalls speak to the potentially dangerous risks which inadequately secured devices bring, including those used at home: In September last year, Abbott announced a voluntary recall impacting 465,000 pacemakers due to a possible hacking threat. In October 2016, Johnson & Johnson sent an official notification to 114,000 diabetic patients that a cyber attacker could exploit one of its insulin pumps, the J&J Animas OneTouch Ping, disabling the device or altering the dosage, according to the company.

While the scary scenarios call to mind something out of a sci-fi movie, our responses to the threats require a commitment to old-school remedies: network separation and patching.

Through separation, vendors, hospitals, home healthcare providers, etc. work with patients to ensure the devices run within their own network, with their own routers and connective components. They will not, for instance, interact with other wireless networks in the home, such as a virtual personal assistant. The medical device is sealed off by firewalls and segmented setup/implementation so it only maintains connections between the patient and the healthcare provider who is monitoring the device.
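One way a provider could check that the separation described above actually holds is to audit flow records from the home router against the intended policy. The sketch below is an added example, not part of the original article or any Merlin product; the device subnet, the provider endpoint, the flow-record layout and the rule that only the device initiates connections are all assumptions made for illustration.

```python
import ipaddress

# Constructed policy for this example (private and documentation ranges only).
DEVICE_NET = ipaddress.ip_network("10.50.0.0/28")  # dedicated medical-device segment
ALLOWED = {(ipaddress.ip_address("203.0.113.10"), 443, "tcp")}  # provider endpoint
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (initiator, responder, responder_port, protocol).
SAMPLE_FLOWS = [
    ("10.50.0.2", "203.0.113.10", 443, "tcp"),   # device -> provider (expected)
    ("10.50.0.2", "192.168.1.20", 8009, "tcp"),  # device -> home assistant
    ("192.168.1.20", "10.50.0.2", 80, "tcp"),    # home LAN -> device
    ("10.50.0.2", "198.51.100.7", 443, "tcp"),   # device -> unknown internet host
    ("192.168.1.20", "192.168.1.1", 53, "udp"),  # home LAN only, out of scope
]

def classify(src, dst, port, proto):
    """Return a violation reason, or None if the flow is permitted or out of scope."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    from_dev, to_dev = s in DEVICE_NET, d in DEVICE_NET
    if from_dev == to_dev:
        return None  # flow never crosses the device-segment boundary
    if to_dev:
        # Assumed policy: only the device initiates connections.
        return "inbound connection into device segment"
    if (d, port, proto.lower()) in ALLOWED:
        return None  # device talking to the monitoring provider
    if any(d in net for net in RFC1918):
        return "device reached another local network"
    return "device reached unapproved external host"

def audit(flows):
    """Return (flow, reason) for every flow that breaks the separation policy."""
    violations = []
    for flow in flows:
        reason = classify(*flow)
        if reason:
            violations.append((flow, reason))
    return violations

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow}: {reason}")
```
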

Then, vigilant patching of the standalone network assures that the device remains current and well-defended. Because we cannot entrust patients with this role – most would not be capable of the patching, and, besides, a number of regrettable things could happen if they tried – the vendor and healthcare provider must proactively pursue this.

At Merlin International, we stay on top of the latest trends in healthcare technology and cybersecurity to offer the most timely and effective solutions and services to our customers. We understand and appreciate all of the good that medical devices can do – as well as the risks they introduce – and we plan and design our products to directly address this. If you’d like to learn more about what we do, then please contact us.