iT1 Resources

What You Should Know About Medical IoT

Depending on your source, there are between 12 and 60 billion IoT devices in the world today, and the number is growing. Some of the count discrepancy comes from the definition of an Internet of Things (IoT) device, so let’s just say an IoT device is anything connected to the Internet that can be accessed from a remote login, app, web UI, etc. In other words, if it is connected to the Internet in any way and does not require a directly connected console cable for configuration access, it qualifies as an IoT device.

In 2018, people were terrified to learn that their IoT baby monitors were hackable, that the security system they had just installed at home shipped with a firmware virus that could not be removed, or that their new smart speaker was recording everything they said, even before they called it by name. All those things are scary, and most of them have some level of control or remediation in 2022. Even better, many IoT device manufacturers have started taking your privacy and security seriously. This means that you can choose secure WiFi, use management account names that are not Admin or Administrator, and choose your deletion policy for many things that record your voice, though not all of them.

The benefits of IoT are clearly worth the risk to millions or billions of people, as evidenced by the continued market growth. It is understandable that people almost do not care that their voices are recorded, or even that someone might have access to their doorbell camera. However, IoT does not stop at these convenience items. IoT has worked its way into the core design of many healthcare and medical devices.

IoT medical devices might serve as wearable glucose monitors, patient health systems in hospital rooms, or even control systems for an implanted pacemaker to help patients manage their heart conditions. All of these systems collect and analyze data. Some of these systems can cause irreparable harm or death if not properly managed. And most importantly, many of these systems can be hacked.

Hacking With Ransomware

Why would someone want to hack your glucose meter or pacemaker? Ransom. Everyone has read or heard ransomware stories since COVID found its way into the world. Whether a pipeline, local township, or a commercial command and control center, ransoms have been paid to regain control of IoT systems. So consider what you might pay if someone hacked your insulin pump and threatened to disable it or, worse, to start increasing the dosage to the point of causing a coma or other horrific medical trauma. Moreover, imagine the threat of remotely causing your pacemaker to deliver shocks to your heart when they are not needed. How much ransom would you pay to stop this or to get the password to regain control and save your own life? Welcome to the world of Medical IoT.

How or why is this possible? The answers weave a story as long and complex as the billions of IoT devices on the planet today. Let’s just say some IoT medical device manufacturers may not have started design with security in mind. Moreover, upgradability, future functionality, and the possibility that one person would want to hurt another using a device designed to improve or save lives just did not enter the design story. And there is one more thing: the Food and Drug Administration (FDA).

What does the FDA have to do with IoT? The FDA approves and regulates medicine, medical equipment, and, yes, implantable medical devices. This means the medical devices have to undergo years of trials to prove a benefit that outweighs any risk for the general population. Unfortunately, once approved, a device has to go through new trials to make changes that might impact functionality, e.g. updating firmware, adding a security layer, or otherwise helping to reduce the hackability of any approved device. In other words, if your medical IoT device was approved in 2016, it has 2016 security that cannot be upgraded without new rounds of FDA approvals. Just pause to think about all of the software, firmware, operating system, and hardware updates that have occurred since 2016 with security in mind. This is a legitimate and growing threat in healthcare. The reality that someone can hold your health at ransom from a web browser nine time zones away should cause you to want to learn more about how to protect your own healthcare IoT security.

If you or someone you care about is considering a Medical IoT device, contact the manufacturer and ask for the date the device was approved by the FDA. Then ask how the manufacturer controls device security. Also, ask your medical professional if the device they are suggesting has alternatives, why they are suggesting this particular device, and why they are comfortable with the security manufactured into this specific device. With added focus on IoT security, all manufacturers, especially healthcare vendors, are ensuring all new devices are safe and secure, but remember, this device will be with or inside of you for a very long time. Asking questions now can give you peace of mind and secure your health well into the future.


If you’re looking for IT solutions, contact iT1 today to learn more about our Communications & Collaboration, infrastructure optimization, cybersecurity, and Cloud services.



Dr. Mike Lewis serves as Chief Information Officer, EVP of Informatics, Security & Technology for Trillium Health Resources, a managed-care organization serving more than 350,000 members in North Carolina. He earned his Doctor of Management degree from George Fox University and is a former MBA adjunct professor at Marylhurst University. Mike has worked in the IT field for more than 25 years with stints at IBM, Merisel, and Dell.

