The potential of the IoT in the healthcare sector is vast. From wearable devices which can measure individuals’ vital health statistics and enable remote monitoring of their conditions, to major hospital equipment which can transmit and receive information, sharing health data dynamically across and between healthcare organisations, myriad applications are being developed.
However, these applications are not without their challenges. Any device involved in delivering care needs to be reliable and performant, because a fault or flaw can be a matter of life or death. More insidiously, the data collection and transmission that sits at the heart of every IoT ecosystem means that the information generated and processed by medical IoT systems is particularly exposed.
There are two main reasons for this. First, healthcare data is particularly sensitive. Healthcare organisations are subject to stricter regulatory compliance frameworks than most other industries precisely because of this, and they have moral, ethical, legal and compliance obligations to process individuals' medical data carefully.
Second, healthcare data is a particularly attractive target for cybercriminals, both because of its sensitivity and because the IT systems and infrastructure underpinning healthcare organisations are mission-critical and therefore cannot be left offline. Several healthcare organisations have paid tens of thousands of dollars to cybercriminals to restore access to key systems after a ransomware attack, including Hancock Health in January 2018. Unfortunately, each such payment underlines to malicious actors how lucrative targeting the healthcare sector can be. The IoT, of course, dramatically increases the number of endpoints that a cybercriminal can potentially target within the industry.
As such, the designers and manufacturers of IoT medical devices need to think carefully about how to build robust security into their products from the ground up, and make their devices as resilient as possible in the face of attack. There is no single 'silver bullet', and designers cannot simply hope that their customers will never become targets. In the healthcare sector, planning for 'when', rather than 'if', a cyberattack occurs is the more sensible approach.
What are the key principles to follow? First, IoT medical devices should be secure by default: they should not require specialised configuration on the part of the user before their security measures take effect. Shared or default passwords, once commonplace, should be eliminated entirely. The device should refuse to operate until the user has set their own credential, and it should reject any credential that matches a known default.
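The following is an added example, not code from the original article or from any particular device vendor, showing what a secure-by-default first-boot credential policy can look like in practice. It models a hypothetical device that ships with no usable password at all: every management operation is refused until the operator sets one, and candidate passwords are rejected if they are short, appear on a constructed list of known default credentials, or contain the device serial number (a common lazy choice). The accepted password is stored only as a salted PBKDF2 hash and checked with a constant-time comparison. All names (MedicalDevice, KNOWN_DEFAULTS and so on) are illustrative assumptions.

```python
"""Secure-by-default credential enforcement for an IoT medical device.

Added illustrative example; not code from the article or any real product.
The device starts unprovisioned and refuses all management calls until a
policy-compliant password has been set by the operator.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed list of vendor/default credentials the device must never accept.
KNOWN_DEFAULTS = {"admin", "password", "123456", "1234", "medtech", "default"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 210_000  # assumed policy value; raise on faster hardware


class DeviceLocked(Exception):
    """Management call attempted before the device was provisioned."""


class WeakCredential(ValueError):
    """Proposed password fails the device credential policy."""


class MedicalDevice:
    def __init__(self, serial: str) -> None:
        self.serial = serial
        self._salt: Optional[bytes] = None
        self._hash: Optional[bytes] = None  # no credential exists until set

    @property
    def provisioned(self) -> bool:
        return self._hash is not None

    def validate_password(self, password: str) -> None:
        """Reject short passwords, known defaults and serial-derived values."""
        lowered = password.lower()
        if len(password) < MIN_LENGTH:
            raise WeakCredential("shorter than policy minimum")
        if lowered in KNOWN_DEFAULTS:
            raise WeakCredential("matches a known default credential")
        if self.serial.lower() in lowered:
            raise WeakCredential("contains the device serial number")

    def set_initial_password(self, password: str) -> None:
        """First-boot step: allowed exactly once, before any other operation."""
        if self.provisioned:
            raise PermissionError("credential already set; use an authenticated change")
        self.validate_password(password)
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self._salt, PBKDF2_ITERATIONS
        )

    def authenticate(self, password: str) -> bool:
        """Constant-time check against the stored salted hash."""
        if not self.provisioned:
            raise DeviceLocked("device not provisioned; set a password first")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self._salt, PBKDF2_ITERATIONS
        )
        return hmac.compare_digest(candidate, self._hash)

    def read_telemetry(self, password: str) -> dict:
        """Example management call: refused until provisioned and authenticated."""
        if not self.authenticate(password):
            raise PermissionError("authentication failed")
        # Constructed sample reading; a real device would return live data.
        return {"serial": self.serial, "heart_rate_bpm": 72}


def first_boot_walkthrough() -> list:
    """Drive a fresh device through the policy and record each outcome."""
    device = MedicalDevice("SN-0001")
    outcomes = []
    try:
        device.read_telemetry("anything")
    except DeviceLocked:
        outcomes.append("locked before provisioning")
    for weak in ("admin", "Correct-Horse-SN-0001"):
        try:
            device.set_initial_password(weak)
        except WeakCredential as exc:
            outcomes.append(f"rejected {weak!r}: {exc}")
    device.set_initial_password("rhythm-monitor-2024!")
    outcomes.append("accepted policy-compliant password")
    outcomes.append(f"auth ok: {device.authenticate('rhythm-monitor-2024!')}")
    outcomes.append(f"wrong password accepted: {device.authenticate('guess-guess-guess')}")
    return outcomes


if __name__ == "__main__":
    for line in first_boot_walkthrough():
        print(line)
```

The important design point is that there is no code path that returns telemetry while `_hash` is `None`: security is the starting state, not something the user switches on later. Whether the policy check lives in firmware or in a companion app, the device itself must be the component that enforces it, since an app can be bypassed.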
Second, developers and manufacturers need to think about data protection, and this protection needs to follow the entire data chain from the point of generation, through transit, to storage. Data should be encrypted throughout: in transit between the device and the backend, and at rest on the device and in backend storage. A practical caveat is that encryption is only as strong as its key management; keys that are shared across an entire fleet of devices, or stored where a device's firmware can be read out, offer little real protection.
Third, it is important to consider the complex partnerships of hardware and software developers who sit behind the typical IoT ecosystem. In practice, this means that multiple stakeholders are collectively responsible for the security posture of each individual IoT medical device, and so a collaborative approach is essential: each party needs to know which components it is responsible for patching, so that no single organisation becomes the weak link in the overall security chain.