The Internet of Medical Devices – a Security Challenge for Healthcare?

Last week, I published a post on LinkedIn for the first time on the topic of the Internet of Things (IoT). The essence of that inaugural post was, to quote myself, “The question [of IoT] is whether the slight increase in convenience is worth the increased security risk, the potential loss of privacy, and the possibly greater loss in control?”

Many comments on the post dealt with Internet-connected medical devices. (Curiously, the comments came in via InMail rather than on the post itself?).

Regardless, with respect to medical devices, all of these factors are certainly at play.

Internet-connected Medical Devices

When dealing with human life, a steep price for even slight increases in convenience (the ability to monitor a patient’s condition) or capability (the speed of a lifesaving response) can certainly be justified.

And by the same token, the security and privacy concerns are only magnified as well.

If an Internet-connected medical device is hacked and taken offline or its data stream corrupted to the point where it reports erroneous values – the consequences for the patient can be severe. Further, compromises to a lifesaving device, such as a pacemaker or other implantable cardiac device, may lead to significant health complications, including death.

Security Countermeasures

The industry is aware of the risks. The FDA has released cybersecurity recommendations for medical device manufacturers, and an industry group, I Am The Cavalry, has even released a Hippocratic Oath related to medical device security.

In addition to improving the hardware and software security of medical devices, the need to provide Internet-connectivity to medical devices in the first place needs to be more carefully considered. Perhaps the devices can be designed to work on a closed network? Or be restricted to point-to-point one-way communications. This would ease the authentication issues involved as well.

Perhaps the use of higher grade encryption is something to consider. One potential complication of encryption is that chips that encrypt/decrypt tend to run hotter because of the high number of calculations required (encryption is complex math, after all). And hotter devices may be uncomfortable if they have to come into contact with the human body.

All is not Lost, There’s Still Time

Luckily, medical devices makers & the security experts they partner with have time. Large scale compromise of medical devices has not yet happened – or at least it hasn’t become publicly known. So now is the time for the industry to get ahead of the problem. Otherwise, patients may start refusing potentially lifesaving devices both putting themselves and their health further at risk as well as complicating physician’s efforts to treat them.