Securing IoMT for Healthcare
By Gil Vidals, , HIPAA Blog
We live in an amazing time, one in which a growing number of sophisticated, ‘Internet of Medical Things’ (IoMT) are facilitating critical treatments to improve patient health.

Consider just two: difficult-to-monitor, chronic conditions like diabetes and heart failure are benefitting from “smarter” insulin pumps and pacemakers – both aided by real-time, remote monitoring and feedback loops.

Faster data processing is key: imagine having instant access to your body’s most basic functions (your “vitals”) through an assortment of “wearables” that can monitor heart rate, breathing or respiration rate, glucose levels, and more.

This important data, combined with immediate access to your medical history provides physicians the capability to quickly respond to critical alerts, without requiring an office visit.

Unfortunately, the threats to these connected devices are also real; just like any computer, IoMT software can be hacked and viruses may crash critical systems.

But unlike the typical computer that gets bumped offline – albeit with potentially costly downtimes – in this case, the consequences may be deadly: think dangerous loads of insulin delivered to diabetics, or sabotaged pacemakers for already erratic heart conditions. (Remember former VP Dick Cheney’s very real concern about potential assassination plots via his implanted defibrillator? He knew the threat was real).

To make matters worse, the issue of security updates for IoMT is also concerning: one study showed that “more than 70% of IoMT devices run Windows operating systems that are no longer supported (e.g. Windows 7), and can’t be patched.” 

A side note: in a twist on security, some diabetics have taken it upon themselves to hack their own, older insulin pumps to achieve automated control of blood sugar levels – either because of the exorbitant cost of new tech ($7,000 or more before insurance), or an unwillingness to wait for FDA approvals. While this is understandable (parents and diabetic children may sleep better, knowing levels are maintained throughout the night), physicians and device manufacturers can’t legally stand behind non-FDA-approved devices.   

Practical Security

With millions of connected devices (and growing) currently in healthcare, the challenges involved in classifying and securing them are real. This concern is the special focus highlighted in the National Cybersecurity Awareness Month’s 3rd week, as we examine potential vulnerabilities in the healthcare industry’s internet-connected healthcare devices.

As a starting place, one recent study of IoMT in healthcare offered the following practical steps: 

  • Begin by highlighting ‘the diversity of connected devices, operating systems and device vendors in today’s complex healthcare environments.’
  • Take the time to ‘Identify common vulnerabilities associated with legacy operating systems, lack of segmentation and common services left turned on.’
  • Make the case for ‘complete device visibility across the extended enterprise, not just medical devices.’

What about patients themselves? Those with wearable IoMT can also become proactive, insisting on the latest, patched devices with strong access controls and privacy policies.

Some specific concerns to address:

  • has the default password for the device been changed (ie, made stronger)? 
  • is the device’s network secure? 
  • do you have active logging and a response team in place to respond to abnormalities (or outliers) revealed in the monitoring?
  •  is the above done in real-time?

A Bright Future – with Concerns

IoMT is a rapidly growing global market, with an estimated value of around $113.8 billion in 2019. Driven by such factors as an aging population that can benefit from medication alerts, as well as improved treatment-delivery for chronic conditions like diabetes and COPD, the future for IoMT looks promising. Faster diagnosis can mean faster care, without requiring in-office visits. This also stands to reduce healthcare costs on a broad scale. 

That said, security must keep pace with IoMT advances, and not take a back seat. Issues of safety and data privacy must occupy center stage, requiring managed security in coordination with IT, manufacturer, physician, and patient oversight as connected devices are increasingly linked to direct patient care.    

HIPAA Vault is the leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing secure infrastructure and compliance for health companies, HIPAA Vault provides a full array of HIPAA compliant cloud solutions, including secure email, HIPAA compliant WordPress, secure file sharing, and more.