Jun 27, 2021

How IoMT can protect healthcare from cyber attacks

Steeve Huin
Steeve Huin, CMO at Irdeto, explains how the IoMT industry can protect against cyberattacks in a post-COVID world

The adoption of technology in the healthcare industry increased at a rapid rate in 2020 and, as a result, the number of connected medical devices - an integral part of the Internet of Medical Things (IoMT) - is booming. The COVID-19 pandemic has reshaped how medical devices are deployed, with more and more devices being used by patients in their own homes.

A recent report by Mordor Intelligence predicts the connected medical devices market will balloon from $28 billion in 2020 to $94 billion by 2026. This rapid growth provides significant opportunities for medical device manufacturers, digital health companies, healthcare providers, and patients as the industry moves toward a more consumer-oriented, personalized and technology-enabled care model. However, the growing use of connected medical devices to improve patient care is clouded by the fact that IoMT devices are increasingly vulnerable to cyberattacks, as the past year has proven.

Cyberattacks on IoT devices increased three-fold in 2019 alone, accounting for more than 2.9 billion events. Frost & Sullivan estimated that 20 to 30 billion connected IoT and medical devices would be a part of the healthcare ecosystem before the end of 2020, and it’s estimated that at least 50 billion medical devices will be connected to clinical systems within the next 10 years. The proliferation of connected devices and an increasingly large attack surface make the IoMT industry an opportune target for hackers.

Stealing health records is very lucrative for hackers. In fact, health records are currently the most valuable personally identifiable information (PII) asset being traded by cyber criminals. Medical records often include social security numbers, financials and other information, provide the most comprehensive picture of a person’s background and identity available today, and can be sold on the dark web to forgers, human traffickers, terror organizations, hostile countries, drug cartels, and other criminal elements for upwards of $1,200 per record. In fact, medical records are up to 50 times more valuable than a credit card number.

When cyberattacks are successful, patients and healthcare providers are at risk of care disruption, identity theft, financial fraud, and other types of criminal activity. They are also incredibly costly for healthcare organizations, both from a financial and a reputational perspective. A healthcare data breach in the U.S. cost an average of $7.13 million in 2020, including increasingly steep federal regulatory fines, a 10% increase from 2019 and higher than in any other industry.

With the rising use of connected medical devices, cybersecurity must be made a priority. Unfortunately, the rapid transition to connected healthcare is severely challenging medtech professionals globally.

IoMT executives not prepared for cyberattacks

While a cyberattack can have severe consequences, the IoMT industry has yet to become more proactive about cybersecurity. According to a recent survey by Irdeto, in partnership with Censuswide and Guidepoint Global, only 13% of IoMT leaders said they believe their business is very prepared to mitigate future cybersecurity risks, while 70% believe they are only somewhat prepared at best. Shockingly, about one fifth (17%) said that their firm was not prepared at all.

The data also showed that 80% of survey participants reported having suffered at least one cyberattack in the past five years, and it is all but certain that they face dozens of additional threats on a daily basis. Organizations have also fallen victim to several attack techniques, including ransomware, malware, phishing, spoofing and DDoS, with customer databases, employee information and even R&D platforms being exploited.

Additionally, only four in 10 respondents rated themselves very aware/knowledgeable about forthcoming EU and US regulations, and 28% reported not knowing anything at all about forthcoming regulations. This is concerning, considering the fast-changing regulation across both regions.

How the IoMT industry can safeguard against cybersecurity threats

With the breadth and magnitude of threats facing connected medical devices, professionals working in the IoMT industry must practice effective cybersecurity management. This begins with creating a holistic cybersecurity strategy including three key elements:

  • Implement security in the design phase

It’s critical to protect software running on medical devices, as software applications are becoming a significant part of the attack surface, and unprotected applications can leave a trail that can be reverse engineered to disrupt a virtual care platform. These protections should be built into devices during the design process whenever possible; bolting on cybersecurity once a product is already on the market is much more difficult and typically not sufficient. This includes conducting a performance risk analysis, identifying any assets or functionalities that threat actors could potentially exploit, and shoring them up during the development phase. It’s helpful to maintain a list of security requirements that should be implemented in products to make this process simple and efficient.

  • Keep pace with the market

Connected medical devices need to continue to be managed once they are out in the market. This includes ensuring devices are up to date with the latest software versions and remain relevant to how the market is evolving. Currently the most important technologies for a post-COVID world are those that protect sensitive data, can’t be reverse engineered or exploited, and ensure that software remains a black box to attackers.

  • Implement an incident response plan

Finally, an incident response mechanism is a critical element of a cybersecurity plan. If there is an issue, it’s important to be able to address it quickly. An incident response plan should outline how to reach customers through previously established channels and install updates if necessary.

There is no such thing as “one and done” with cybersecurity. Even with protections in place, companies in the healthcare industry must continually monitor for threats, keep pace with industry developments, and evaluate their cybersecurity systems to ensure they are up to date. In this environment, IoMT stakeholders cannot successfully innovate without effective cybersecurity to protect the most sensitive data and devices from bad actors who want to access and corrupt it for personal gain. Ensuring the security of connected medical devices is critical, and it will take a concerted ongoing effort by the entire industry.


Jul 25, 2021

Getting ready for cloud data-driven healthcare

Joe Gaska
Joe Gaska, CEO of GRAX, tells us how healthcare providers can become cloud-based and data-driven organisations

As healthcare continues to recognise the value of data and digital transformation, many organisations are relying on the cloud to make their future-forward and data-centric thinking a reality. In fact, the global healthcare cloud computing market was valued at approximately $18 billion and is expected to generate around $61 billion by 2025.

At the forefront of these changes is the rapid adoption of cloud-based, or software-as-a-service (SaaS), applications. These apps can be used to handle patient interactions, track prescriptions, care, billing and more, and the insights derived from this important data can vastly improve operations, procurement and courses of treatment. However, before healthcare organisations can begin to dream about a true data-driven future, they have to deal with a data-driven dilemma: compliance.

Meeting regulation requirements

It’s no secret that healthcare is a highly regulated industry when it comes to data and privacy – and rightfully so. Patient records contain extremely sensitive data that, if changed or erased, could cost someone their life. This is why healthcare systems rely on legacy technologies, like Cerner and Epic EHRs, to manage patient information – the industry knows the vendors put an emphasis on making them as secure as possible.

Yet when SaaS applications are introduced and data starts being moved into them, compliance gets complicated. For example, every time a new application is introduced into an organisation, that organisation must have the vendor complete a BAA (Business Associate Agreement). This agreement essentially puts the responsibility for the safety of patients’ information — maintaining appropriate safeguards and complying with regulations — on the vendor.

However, even with these agreements in place, healthcare systems are still at risk of failing to meet compliance requirements. To comply with HIPAA, U.S. Food and Drug Administration 21 CFR Part 11 and other regulations that stipulate the need to exercise best practices to keep electronic patient data safe, healthcare organisations must maintain comprehensive audit trails – something that gets increasingly difficult when data sits in an application that resides in the vendor’s infrastructure.

Additionally, data often does not stay in the applications – instead healthcare users download, save and copy it into other business intelligence tools, creating data sprawl across the organisation and exposing patient privacy to greater risk.

With so many of these tools that are meant to spur growth and more effective care creating compliance challenges, the question arises: how can healthcare organisations take advantage of the data they have without risking non-compliance?

Data ownership

Yes, healthcare organisations can adhere to regulations while also getting valuable insights from the wealth of data they have available. However, to help do this, organisations must own their data. This means data must be backed up and stored in an environment that they have control over, rather than in the SaaS vendors’ applications.

Backing up historical SaaS application data directly from an app into an organisation’s own secure cloud infrastructure, such as AWS or Microsoft Azure, makes it easier, and less costly, to maintain a digital chain of custody – a trail of the different touchpoints of the data. This not only increases the visibility and auditability of that data, but also lets organisations set appropriate controls around who can access it.

Likewise, having data from these apps located in one central, easily accessible location can decrease the number of copies floating around an organisation, reducing the surface area of exposure while also making it easier for organisations to securely pull data into business intelligence tools.

When healthcare providers have unfettered access to all their historical data, the possibilities for growth and insights are endless. For example, having ownership and ready access to authorised data can help organisations further implement and support outcome-based care. Insights enabled by this data will help inform diagnoses, prescriptions, treatment plans and more, which benefits not only the patient, but the healthcare ecosystem as a whole.

To keep optimising and improving care, healthcare systems must take advantage of new tools like SaaS applications. By backing up and owning their historical SaaS application data, they can do so while minimising the risk to patient privacy and compliance. Having this ownership and access can propel healthcare organisations to be more data-driven – creating better outcomes for everyone.
