The Internet of Things has a great deal of potential where the healthcare industry is concerned. From new treatment methods to more efficient patient flow to better outcomes, connected medical devices can do a lot of good. At the same time, they come hand in hand with a range of cybersecurity threats, which left unchecked can cause great harm.
IoT Is the Future of Healthcare
Imagine a future in which hospital staff immediately know which beds and rooms are occupied and can move patients from arrival to treatment like a well-oiled machine. Imagine a future in which people who live in remote areas, away from hospitals and specialists, can still receive treatment through Internet-connected devices. Imagine a future in which doctors can track everything from a patient’s prescription schedule to their physical health, without needing to be physically present.
We’re fast approaching that seemingly far-off vision of the future of healthcare. According to a report by Allied Market Research, the IoT healthcare market will hit $136.8 billion worldwide by 2021. Even today, there are approximately 3.7 million medical devices used by hospitals and physicians to monitor patient wellness.
That’s not even the exciting part. All the examples we’ve provided above? They’re only the beginning.
As more and more of the healthcare industry comes online, we’ll continue to see new innovations in patient care and greater improvements in patient outcomes. Sounds incredible, right? There’s just one catch: Cybersecurity threats.
Connected Medical Devices: Opportunities and Threats
Connected medical devices represent a larger threat risk than anything the health industry has seen before. At the time of writing, no one seems quite sure what to do about it – and that’s an enormous problem.Connected medical devices represent a larger risk than anything the health industry has seen before. || #IoMT #IoT #Healthcare Click To Tweet
“IoT security is a headache, a mess, and several other flavors of annoying for any enterprise, but in healthcare, it can be literally life and death. Medical IoT poses additional security risks [over traditional IoT]. For one, connected records systems are attractive targets for identity thieves […] under certain circumstances, an attacker could exercise direct control over medical equipment, with potentially fatal consequences.”
— Jon Gold (Network World)
Hospitals and healthcare providers have long had a tenuous relationship with IT. Many IT departments in the health space are understaffed, underfunded, and overworked. Compounding this is the fact that many healthcare facilities utilize infrastructure that can best be described as slapdash—a combination of legacy systems, medical equipment, and physical documentation.
Healthcare IoT and Security: A Precarious Union
The first step to addressing the underlying security threat of IoT, then, is to digitize, homogenize, and upgrade. To effectively use connected medical devices, hospitals must first fully digitize their record systems, while also moving away from older infrastructure that may be laden with security holes. Likely as not, this will involve hiring additional IT staff—and it must involve a HIPAA compliance officer to ensure everything is done to the highest standards.
From there, hospitals that seek to incorporate connected medical devices both within their walls and without must understand that these devices are subject to HIPAA the same way a cell phone or laptop would be. That is to say, they must meet the following criteria:
- Encrypt all data, both in motion and at rest, which means they must always establish a secure connection, no matter where they are
- Remain visible and under the control of the hospital’s IT staff at all times
- Require two-factor authentication, with idle state protection and access limited exclusively to authorized parties
- Be subjected to regular security updates
- Be included in a hospital’s risk assessments
- Allow for remote data erasure
- Regularly scan for security issues such as malware, unauthorized access, etc.
As you may have guessed, manufacturers must play their part as well. Care providers and covered entities must ensure they work exclusively with vendors that develop HIPAA-compliant solutions. It also goes without saying that a vendor from which a hospital purchases IoT devices should sign the same contract as a covered entity or business associate.
IoT will change the face of healthcare, but it’s not a change that will come easily. Healthcare organizations and healthcare vendors alike need to be aware of the security risks represented by a connected future. And they need to take action to address those risks before that future fully arrives.