Medical devices are vital, but vulnerable

Enveloping legacy and newer medical devices with end-to-end protection assures they’re being used properly and for their intended purposes.

In current hospital systems, many devices are old, hard to see, and unprotected from vulnerabilities and hacking. Legacy medical devices were never designed to be connected—let alone secured—on today’s digital networks. Yet they hold sensitive, personal, and often times life sustaining information. Supporting medical needs ranging from a seemingly benign saline drip, to radiation targeting systems, continuous sedation during surgery, and recovery diets to eat at home after discharge, medical devices are closest to patients, second only to their primary care physicians.

Medical devices pose a unique cybersecurity risk in that attacks or hacks can directly endanger patient privacy and safety. What makes medical device security such a pressing issue are the network effects associated with connected platforms. Compromising the safety and wellness of one individual is problematic enough, but these vulnerabilities expose entire segments of patients and consumers using specific devices, applications, and services.

Emerging technologies, however, can identify medical devices, understand their vulnerabilities, and provide non-intrusive security on the network.

Smart technologies and streaming data are remaking  both provider-to-patient clinical devices and  business-to-health consumer wearables.

Connected consumers, disconnected devices

A subset of the Internet of Things (IoT), the Internet of Healthcare Things (IoHT) is the convergence and integration of sensor data collected by medical devices and mobile technologies, as applied to healthcare.  Devices linked to cloud platforms on which captured data is stored and analyzed has come to be known as the Internet of Medical Things (IoMT).

The healthcare consumer movement to participate in wellness rather than treatment—or value-based health—is one factor driving the adoption of new medical technology, a shift that started when personal activity trackers and wireless-enabled wearable technology devices became wildly popular.  But devices connected to cloud apps run the risk of exposing health networks to malware and other attacks.

Adding to the broader challenge of connected devices, manufacturers have little incentive to secure devices for the full lifecycle and instead outsource device support and maintenance. Ensuring integrity across the device lifecycle starts with manufacturers. Security is about integrating the supply chain from design to end of life of the device. Data management, product and service maintenance and support should be considered essential features of any device.

Consider the scale

There are 10-to-15 million medical devices in US hospitals, and an average of 10-to-15 connected devices per patient bed.  Multiplied by the hundreds of thousands of hospital beds nationwide,  the magnitude becomes clear. The number of global connected medical devices is set to exceed 50 billion in the next decade.  And that’s not just inside hospitals, as doctors treat patients via virtual medicine and consumer wearables send data to clinicians.

Especially jarring is that 82 percent of healthcare organizations have experienced an IoT-focused cyber attack in the last year, but only 6 percent say they have the resources to tackle cybersecurity challenges.

Cybersecurity for healthcare should be borderless,  extending to the safety of patients admitted and  those at home.

Bookmark this page  

Meet the authors

Beth Musumeci

Connect with author:

, Global Partner, IBM Security Services, Healthcare and Life Sciences

Ralph Ramsey

Connect with author:

, Global Associate Partner, IBM Security Services, Healthcare and Life Sciences

Stephen Brennan

Connect with author:

, Global Associate Partner, IBM Security Services, Healthcare and Life Sciences

Heather Fraser, Global Lead for Healthcare and Life Sciences, IBM Institute for Business Value

Originally published 27 February 2020