Business Insider defines the Internet of Things (“IoT”) as ‘a network of internet-connected objects able to collect and exchange data using embedded sensors’. Healthcare is a key area in which the IoT is set to revolutionise the way we live. The so-called Internet of Medical Things (IoMT) has an astonishing range of applications: for example, monitoring medical imaging equipment via remote servers over the Internet can detect problems before they occur, thus reducing downtime; while the vast amounts of data that can be generated by IoMT devices embedded in wearable electronics can be used to spot never-before seen trends in chronic diseases.
One of the first major adoptions of the IoMT by healthcare providers was that of remote healthcare. Self-monitoring devices remove the need for routine check-ups and appointments, and IoMT sensors in our homes and on our bodies can track vitals and heart performance, monitor chemical concentrations (eg. glucose) in the blood, as well as monitoring activity and sleeping levels. The introduction of such capabilities is a key focus of the NHS, with several ‘test bed’ programs piloting the use of the technology for patients with diabetes and mental health problems launched in 2016. Such capabilities are likely to be essential in the future to keep patients out of NHS wards.
Given the potential of these applications to improve patient outcomes and reduce the costs of diagnostics and treatment, it is not surprising that many are touting the IoMT as the solution to a looming global healthcare crisis.
Nevertheless, there are naysayers. Many point to several recent high profile cyber-attacks, including that of the ransomeware “Wannacry” last year, and question the shrewdness of connecting potentially vulnerable medical devices, which may also act as potential entry points to larger hospital networks, to the Internet. Risks include the theft of sensitive medical records, which can be used for tax fraud or identity theft, or a devastating ransomware attack that holds vital systems hostage.
Unfortunately many medical devices are notoriously trivial to compromise; historically, there was not much concern regarding the security of medical devices, and as a result manufacturers were not compelled to build in any of the typical endpoint security features that we find in PCs. Often antivirus software is impossible to install on medical devices. In addition to this, many medical devices run legacy operating systems like Windows 2000 and Windows XP, and can no longer be patched.
One current exploit which takes advantage of these vulnerabilities is known as MedJack. In these attacks the attacker infects medical devices with malware through a variety of methods (malware laden website, infected USB stick, socially engineered access, etc.). Once inside the attacker can then establish command and control to then fan out across a network.
And these attacks are only becoming more common. The March 2018 McAfee Labs Threats Report reported that there had been a 210% increase in reported security attacks targeting healthcare.
So what is the solution? What can we do to enable ourselves to continue to harness the enormous power of the IoMT in healthcare in a safe and secure way?
Many argue that the responsibility is on both manufacturers and healthcare workers. First, manufacturers could ensure that medical devices, like PCs, have security defenses like virus scanning, built in. They could also develop an easy mechanism for downloading patches and updates. It is then down to health care organisations to ensure that patches are downloaded in a timely manner, and that best practice with regards to how the devices are used, are followed. Perhaps, governments may first have to legislate to compel manufacturers to improve defenses.
For manufacturers of medical devices, developing security defences suitable to the health sector’s specific requirements will demand active innovation. Intellectual Property Rights (IPRs) Patents will play a key role here in spurring this innovation by enticing companies to invest in R&D for device security. Manufacturers will need to protect their innovations through the patent system, whilst also being aware of competitor’s rights. Due to the exponential rise in the value of the IoT, many global players are involved. The control of data will be as important as the control of technology. Other Intellectual Property Rights, including trade marks, confidential information and database rights will all also prove to be important.