
Medical Device IoT Security: Guarding Your Health

November 15, 2023


Medical Internet of Things (IoT) device security is critical to the health care system and patient care. One cyberthreat can have far-reaching consequences. It can be life-threatening and even disrupt the entire ecosystem.

Cyberattacks can erode patient trust in health care security and safety. They could also cause a patient to hesitate or stop using certain medical devices.

Planning and building a secure connected medical device can mitigate risks from cyberthreats and attacks.


Patient Data Is a Target


One of the biggest global targets and threats for health care IoT is patient data, including electronic health records.  

In 2021, San Diego’s Scripps Mercy Hospital experienced a major ransomware attack described as the “blast radius” effect. This type of attack spreads far beyond the target.

The target was the data of 3.5 million patients. The attack also shut down critical care systems, which caused medical devices and scanners to stop working.

Patients’ well-being and safety were at risk. Emergency rooms had to turn away trauma patients. The number of strokes doubled. These effects continued for weeks after the attack.

The COVID-19 pandemic exposed the urgency of cybersecurity in the health sector. Patient data and medical devices used for monitoring and treatments must be protected. The potential cyberattack risk increases as more medical IoT devices connect to the internet and health care systems.


Security Vulnerabilities for IoT Medical Devices

In 2022, the FBI released a report called “Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities.” They discovered that 53% of connected medical and IoT devices, such as insulin pumps and mobile cardiac telemetry, have known critical vulnerabilities.

Most of these vulnerabilities were traced to device hardware design and software management gaps. Some challenges resulted from the devices’ lack of embedded security features and the inability to upgrade them.

Medical device hardware and software can have long life cycles. There is potential for software going out of date and a lack of security update support. Not updating the device creates opportunities for bad actors to exploit vulnerabilities.

Moreover, many medical devices were not designed with security in mind, which increases their attack surface. As medical devices become more software-driven and interconnected, they become even more vulnerable. While manufacturers work to enhance cybersecurity strategies, hackers continue to develop sophisticated tactics to target these devices.

The European Union Agency for Cybersecurity (ENISA) studied the health care threat landscape. It found that 80% of health care organizations reported that most threats were due to software or hardware vulnerabilities. Only 27% of health care organizations have a dedicated ransomware program. At the same time, 95% of organizations face risk assessment challenges.

Threats can’t be eliminated. However, they can be managed, starting with legal regulations for medical device manufacturers and other organizations in the supply chain.

Emerging Medical Device Standards and Regulations

Different countries have regulations and certifications for medical devices. They can vary based on the device classification, the data flow and where that data resides.

New cybersecurity standards and regulations are emerging for medical IoT devices. These are two of the most recent changes.

Cybersecurity Medical Devices Act in the U.S.

On March 29, 2023, the U.S. government passed a law granting the FDA the authority to issue “refuse to accept” decisions for non-compliant new devices. Vendors must comply with the new regulations by October 2023.

The law also mandates the inclusion of a software bill of materials (SBOM) in new devices. The SBOM will ensure transparency and accountability in software security and supply chain risk management. It suggests regular device updates to address security vulnerabilities.

Network and Information Security System (NIS 2) Directive in Europe

In 2021, the European Union (EU) released NIS 2 and the Medical Device Regulation (MDR) for stronger cybersecurity measures. It now considers health care providers “essential entities.” These entities include manufacturers of critical medical devices. They must take certain measures to manage the risks of network and information security.

These new rules aim to improve the safety of medical device design and manufacturing. Protecting patient care and data is crucial to maintaining trust in the system.

Telit Cinterion and IoT End-to-End Security


IoT medical device security must be built into the connected device during development and manufacturing to manage and mitigate risks. In other words, security by design.

The encryption starts at the device level, from hardware to software. Then it leads to secure connectivity and data transit. Another vital stage is securing comprehensive data visibility across the organization. It takes an end-to-end approach to protect medical IoT devices, patient data and network infrastructure from internal and external threats.

With Telit Cinterion’s modules, connectivity plans, platforms and custom solutions, you can have devices built with security by design. We can create an end-to-end strategy to minimize risks and ensure reliable communications.

The world’s largest medical equipment manufacturers use cloud-connected medical devices as patient gateways and to treat health conditions. Telit Cinterion certifies millions of 4G cellular modules globally for devices commonly used to address respiratory conditions like sleep apnea and COPD.

These devices provide evidence to care providers and insurers regarding adherence to device usage and patient outcomes. Moreover, the modules are used in patient gateways for continuous cardiac rhythm monitoring in cardiac implants. Caregivers can remotely observe irregularities or potential emergencies.

Telit Cinterion also helps medical device companies prepare for new connected medical device laws worldwide. We offer white hat hacking and penetration testing to identify potential vulnerabilities and analyze security gaps.

Speak with our experts about your IoT health care device and evaluate your medical device security strategy.