While the proliferation of intelligent medical devices, wellness platforms, and cloud computing is certainly advancing health IoT, they lag when it comes to cybersecurity protocols. As the field evolves, promising technologies may unknowingly contain cybersecurity vulnerabilities that can range anywhere from creating legal concerns to even injury and fatalities. It is vital to realize how vulnerabilities manifest, identify modes of attack, and act on fixing these vulnerabilities without delay.
Understanding the root cause of cybersecurity risks in health
As developers design innovative digital health platforms, security often tends to be an afterthought, thereby overlooking vulnerabilities that pose critical risks later. As the platform continues to mature, it can become increasingly hard to correct these flaws. The fundamental reason for this is the basic design process:
- Designers create tools solely from a healthcare perspective. Healthcare professionals and engineers are not experts in the security field and therefore are unable to properly protect their technologies against cyberattacks. In addition, they can also carry a false belief that there are fewer malevolent players in the healthcare field. For example, who would think about hacking a Bluetooth pacemaker?
- Cybersecurity is not top of mind for medical device startups. Developing a medical device is a costly endeavor, and factoring in regulation can reach the range of $31 million to $94 million. For startups, it isn't economically possible to keep up with the latest security protocols, especially after the first stages of development, where most of the design specifications are being solidified. Therefore, until an investor or partner asks about how they are securing data, it is not a priority.
- The transition from wellness to health is blurring product lines. As healthcare continues to become more decentralized, players are moving from traditional wellness platforms to healthcare offerings. Fitbit used to just count your steps, but now it is marketing itself as a healthcare solution. This shift is causing a regulatory gray area, affecting privacy and product validity.
The proliferation of IoT healthcare and cybersecurity considerations
Fig. 1. The growing interconnectedness of healthcare. Centralized care consisted of treating patients on-site. Current platforms are interfacing informational devices through data sharing, which is enabling users to track health indicators. Connection most commonly happens through wireless mediums and accessing storage. Because individual devices are not isolated, data is able to freely propagate and exit. These health platforms are progressing toward integrating clinical devices capable of treatment, achieving decentralized care.
Healthcare is increasingly becoming more decentralized, which is directly reflected in medical device and platform design, as visualized in Fig. 1. In the past, medical devices were isolated systems and usually only had their physical design as a potential point of failure. Digital transformation is enabling much more information to be leveraged when looking at an individuals' health. Currently, wellness platforms are being developed to monitor user health outside geographic medical centers. While beneficial overall, such platforms compound cybersecurity flaws and add points of failure.
Two main areas where vulnerabilities manifest themselves in relation to medical devices are connection junctures and information storage:
- Wireless transmission mediums like Wi-Fi, RF, Bluetooth, and NFC are widely used to connect devices but are frequently targeted because of security flaws. By manipulating how signals are being transmitted, the control of the device can be altered. For example, the FDA recalled Abbott's RF-enabled cardiac pacemakers in 2017 due to the possibility of remote unauthorized use, requiring an update to be administered by a healthcare professional.
- Once the data is stored, it can be accessed and transferred to different servers easily, and who/what has access to it is also targeted frequently. By leveraging flaws in back-end security, sensitive data can be accessed and manipulated. DICOM, a common file format for medical images used by the healthcare industry, can theoretically "hide" malware and spread it through the network.
Additionally, a platform may say it is robust because data is secured through one pathway, but data can easily move translationally as well as vertically. For example, the biometrics collected by your Apple Watch may be secured by the default health app on your phone, and can be uploaded to your iCloud; however, other applications can also gain access to the stored data, and they can then move it up to their own servers. Zimperium, an app security company, found that 14% of apps using public cloud services had been exposing user information, including passwords, and health data.
Common modes of cybersecurity attacks for medical platforms
There are many ways that malevolent players target the healthcare industry, with threats encompassing the entire informational range of platform design. Below are some of the most common modes of attack and what threats they pose:
At the device level, integration mediums pose a significant risk. For some time now, medical devices have been transitioning toward becoming "smart" and "connected" via use of Wi-Fi, Bluetooth, and NFC technologies. These wireless transmission methods can easily connect devices and share information. However, they can carry significant security vulnerabilities. For example, the "SweynTooth" vulnerability, which took advantage of Bluetooth Low Energy communications, enabled unauthorized users to access medical device functions.
At the server level, data access and storage flaws enable breaches. One of the most vital components of smart and connected health platforms is storing and analyzing large data sets. However, the management of patient data is getting increasingly difficult. Legacy systems and lack of software updates enable unauthorized access and ransomware in hospitals. Universal Health Services, one of the U.S.'s largest hospital groups, reported $67 million in losses due to a cyberattack on their computer systems in 2020. In addition, as smart devices make their way into the digital health space, looking at how data is accessed and shared is essential.
Cloud-level models are not inherently secure and can be manipulated as well. As AI and machine learning progress, companies are looking at the potential of digital biomarkers to extract insights about health. These continuous data collection methods are powerful tools, but they are not infallible. By marking or modifying certain aspects of incoming signals, malicious players can intentionally cause AI systems to malfunction. Adversarial attacks have a significant impact on health platforms, especially as they are increasingly being used to diagnose diseases and conditions.
What should INNOVATORS do?
It is becoming increasingly difficult to keep track of security vulnerabilities, and there is no complete solution in place. There is also a significant lag time between regulation and technology advancements, and in this cybersecurity landscape, it is better to be proactive than reactionary. There are a few ways for companies to mitigate risk:
- Partner with established medical security companies – Companies like MedCrypt and Armis specifically offer cybersecurity platforms and solutions for medical devices. Working with these companies from the beginning, as those interested develop digital health solutions, allows a security-by-design approach. Additionally, these solutions can be integrated to match the most up-to-date security protocols, ensuring that the devices stay secure against the latest and most imminent threats.
- Use regulatory compliance as the minimum for cloud security – A monumental amount of data is being stored on the cloud, and that can pose significant security risks in the long run. Following regulatory requirements like HIPAA in addition to servers that provide their own security can protect both the company and user data in the event of a breach. Offerings like AWS and Microsoft Azure would be worth looking into.
- Containerization/partitioning as a strategy to mitigate risk – Taking advantage of new technologies can enable staying ahead of the curve in security. Partitioning device storage or using containers for running servers, for example, could dissuade potential security breaches.