Medical Device Security Top Of Mind As IoT Market Explodes

The Internet of Things market is exploding as the number of devices that connect to the Internet continues to grow. Just last year the IoT market was $235 billion. Projections are that it will swell to about $520 billion by 2021.

One of the markets expected to benefit from this explosion is medical devices. The more Internet-connected devices there are monitoring an individual’s health, the better the outcomes for patients. But there’s a lot of security risk for an industry that is still beholden to legacy systems with little to no safeguards in place. Without the help of regulation on the part of the federal government, that risk could create more problems than just a data breach.

“An increasing number of new medical devices are getting connected to the Internet,” said Sagar Patel, Cybersecurity Software Engineer at Battelle, the nonprofit applied science and technology development company in Columbus, Ohio. “A big downside of this is the numerous security risks being faced as internet-connected devices get introduced to the traditionally insecure medical devices.”

Legacy Systems Are The Industry’s Current Problem

As it stands now, the most immediate threat for medical device companies is to patient safety and privacy, through larger hacks of healthcare companies and botnets that target individual medical devices. While there haven’t been targeted attacks on a specific medical device category yet, the industry is far from safe. In August, security researchers said they had discovered flaws in Medtronic’s pacemaker that would leave the device vulnerable and place patients’ lives at risk.

“One major concern lies with existing devices in the market, originally designed for more than 5-10 years of lifecycle, which are vulnerable from a security standpoint,” said Patel. “The industry and government bodies are still grappling with the issue of how to deal with those devices, provide software patches to fix issues, and/or issue recalls without majorly impacting – from an economic standpoint – the consumer or the companies themselves.”

In a scathing report issued in early November, the Department of Health and Human Services said the FDA’s policies and procedures for handling hacks of medical devices in the market fell way short. “The FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices; and, in 2 of 19 district offices, FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cyber threats,” the Department of Health and Human Services said. HHS called on the FDA to step up its game by assessing the cybersecurity risks to medical devices, updating the plans and strategies, establishing written procedures and practices for securely sharing sensitive information about hacks and data breaches, and working with the Department of Homeland Security’s cyber emergency response team.

Protecting Medical Devices: The Role Of Government, Industry

The FDA has been taking steps to provide more oversight. As evidence, Patel pointed to the agency’s release of cybersecurity guidance for premarket and postmarket cybersecurity management of medical devices. The guidance requires companies to address security risks throughout the lifecycle of the medical device. What’s more, Patel said trade groups including the Association for the Advancement of Medical Instrumentation have released cybersecurity standards for medical devices. Industry is also playing a role.

“There is an uptick in the number of medical device manufacturers leading the way in securing their devices and demonstrating their approach at conferences,” said Patel. “Department of Homeland Security (DHS) has established NH-ISAC (National Health Information Sharing and Analysis Center) to facilitate medical device manufacturers to share vulnerabilities analysis and mitigation techniques, and alert other companies whose devices may have similar security vulnerabilities.”

Despite the efforts, Patel said the biggest problem, which has yet to be resolved, is the lack of economic incentives on the part of the device makers to add security to products. That is why the government’s role is vital. Without the proper oversight, companies tend to gravitate toward the cheapest and fastest-to-implement option.

Still, Patel is optimistic that the medical device market will respond, with an assist from federal and local governments, by creating products that are safe and secure and by ensuring that the data they collect is also protected. “It’s not all gloom and doom scenario as described by some security professionals at various conferences,” said Patel. “With the combined efforts of the regulatory bodies, the industry, and better consumer awareness we can guide the industry in the right direction.”