The healthcare industry is undergoing a revolutionary change, in large part due to the emergence of the Internet of Medical Things (IoMT). A major impediment to obtaining the potential benefits of this technology is maintaining the privacy and security of sensitive healthcare-related data. This article will look at the unique challenges involved in keeping IoMT devices secure and maintaining regulatory compliance.
What Is the Internet of Medical Things?
IoMT encompasses the wide variety of medical devices and applications that can be connected via online networks to healthcare providers’ information technology (IT) systems. Machine-to-machine communication provides the foundation for IoMT systems, as with more general Internet of Things (IoT) implementations.
Equipping medical devices with Wi-Fi connectivity allows data to be stored, analyzed, and processed by cloud computing platforms. This connectivity is at the heart of the IoMT, where mobile devices autonomously communicate with healthcare applications and systems to monitor vital patient information and administer various types of treatment.
IoMT devices can be categorized in a variety of ways:
- On-body devices include consumer-focused as well as medical and clinical-grade wearables. Examples are activity trackers like Fitbit and smart devices that can alert healthcare professionals to a patient’s fall.
- In-home devices include personal emergency response systems (PERS), remote patient monitoring (RPM) systems, and those used to conduct telehealth virtual visits.
- Community devices include those that promote patient mobility, provide emergency-response intelligence for first responders, and facilitate the transportation and delivery of healthcare products and services.
- In-clinic devices are used for both administrative and clinical functions during physical or telehealth patient visits.
- In-hospital devices are used for asset and personnel management, inventory and patient flow management, and environmental monitoring.
As you can see, a wide range of healthcare-related devices falls under the umbrella of the IoMT.
HIPAA and IoMT Devices
Healthcare organizations in the United States are required to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect the privacy and security of sensitive patient data. HIPAA designates the privacy and security measures that need to be taken to safeguard protected health information (PHI) and electronic protected health information (ePHI).
PHI is defined as individually identifiable health information that is associated with:
- An individual’s past, present, or future physical or mental health or condition;
- The provision of healthcare to the individual;
- The past, present, or future payment made for an individual’s healthcare.
The HIPAA Privacy Rule lists 18 identifiers which make healthcare information subject to the guidelines for protecting PHI. These identifiers include names, dates, telephone numbers, email addresses, Social Security numbers, and other items that allow an individual to be identified by the information.
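The identifier list above is what a device team has to keep out of telemetry and diagnostic logs before those logs leave a clinical system. As an added example (not code from the article or from any vendor), the following scanner matches the subset of Privacy Rule identifiers that have a fixed pattern: Social Security numbers, telephone numbers, email addresses, and US-style dates such as a date of birth. Names and other free-text identifiers cannot be caught by a pattern and are out of scope. The log lines, device names, and the policy of not flagging ISO log timestamps are constructed for the example.

```python
"""Flag and redact pattern-matchable HIPAA identifiers in IoMT device log lines.

Added example, not from the article. Covers only the identifiers that have a
fixed shape (SSN, phone, email, MM/DD/YYYY dates); names and free-text
identifiers need other techniques.
"""
import re
from typing import Dict, List, Tuple

# No capturing groups, so re.findall returns the whole match for each hit.
# ISO timestamps at the start of a log line (2024-03-14T08:15:02) are deliberately
# not treated as dates: the Privacy Rule identifier is a date tied to the person
# (birth, admission, discharge), which in these constructed logs appears as dob=.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def find_identifiers(line: str) -> Dict[str, List[str]]:
    """Return {identifier_type: [matches]} for every pattern that hits in the line."""
    found: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(line)
        if hits:
            found[name] = hits
    return found


def redact(line: str) -> str:
    """Replace each identifier with a typed placeholder so the line can be shipped."""
    for name, pattern in PATTERNS.items():
        line = pattern.sub(f"[{name.upper()}]", line)
    return line


def scan_log(lines: List[str]) -> List[Tuple[int, Dict[str, List[str]]]]:
    """Return (line_index, findings) for every line that carries an identifier."""
    results = []
    for index, line in enumerate(lines):
        findings = find_identifiers(line)
        if findings:
            results.append((index, findings))
    return results


# Constructed sample log from hypothetical devices; not real patient data.
SAMPLE_LOG = [
    "2024-03-14T08:15:02 pump-07 infusion started patient_id=48213",
    "2024-03-14T08:15:09 monitor-12 alert contact=555-867-5309 email=j.doe@example.org",
    "2024-03-14T08:16:44 kiosk-03 checkin dob=07/04/1961 ssn=123-45-6789",
    "2024-03-14T08:17:01 pump-07 rate=12.5ml/h",
]

if __name__ == "__main__":
    for index, findings in scan_log(SAMPLE_LOG):
        print(f"line {index}: {findings}")
        print("  redacted:", redact(SAMPLE_LOG[index]))
```

The opaque `patient_id` on the first line is not flagged: an internal record number only becomes an identifier when it can be linked back to a person, which is a policy decision for the organization rather than something a pattern can settle. Running the scanner at the log-forwarder boundary, before lines reach a general-purpose logging platform, keeps ePHI inside the systems the Security Rule safeguards cover.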
A related rule, the HIPAA Security Rule, establishes the standards that HIPAA-covered entities and their business associates must conform to in order to protect an individual’s ePHI. It outlines the administrative, technical, and physical safeguards that must be in place when processing, storing, and transferring ePHI using computer systems and networks.
The Challenges of Securing IoMT Devices
The diversity and mobile nature of IoMT devices make them harder to secure than other types of systems that process ePHI. The following items are among the many challenges faced when attempting to establish a secure IoMT environment.
- Insufficient access control – Improper access controls enable unauthorized and potentially malicious actors to gain control of an IoMT device.
- An extremely large attack surface – Each IoMT device provides an attack surface from which hackers can gain access to ePHI and the networks and systems that process it.
- Lack of encryption – ePHI needs to be encrypted when at rest and when being transferred across the network. Failure to fully encrypt the data from IoMT devices can make it available in plain text to unauthorized personnel.
- Outdated and vulnerable software – IoMT devices rely on applications that need to be updated and evaluated for vulnerabilities that may allow hackers to extract information or take control of the equipment.
- Absence of a trusted execution environment – Connecting IoMT devices to general-purpose computer systems exposes sensitive healthcare equipment to malicious code that may have been embedded by hackers for other purposes.
- Lack of vendor conformity – Many different medical device vendors contribute products to the IoMT. The unique characteristics of these devices and the variable level of security implemented make it difficult to develop security guidelines.
- Insufficient physical security – Attackers can gain physical access to IoMT devices, destroying their components or uncovering information that enables further intrusion into connected healthcare systems.
Dangers of Compromised IoMT Devices
Data breaches are a problem for any organization that handles sensitive information and need to be addressed for IoMT devices. But the repercussions of compromised devices can be far more serious than the loss of sensitive data.
Patients’ lives can be put at risk by hacked IoMT devices. Heart monitors, infusion pumps, and ventilators that have been attacked and compromised can directly lead to the death of a patient. This level of risk makes it imperative that every available measure is taken to ensure the security of IoMT implementations.
The rise in the incidence of ransomware focused on healthcare facilities during the COVID-19 pandemic illustrates the depths to which cybercriminals will go to achieve their malicious ends. An attack targeting a healthcare organization’s IoMT systems makes it virtually impossible for the victimized company to ignore the criminals’ demands without risking the health of its patients. This fact highlights the importance of protecting IoMT devices and the information they contain and transmit.
Improving IoMT Privacy and Security
For society to gain the maximum advantages from telemedicine solutions, concerns about data privacy and security must be addressed. The following basic measures need to be implemented to improve the privacy and security of ePHI used with IoMT devices.
- Perform a complete inventory of an organization’s IoMT devices. Teams need to be aware of where devices are located as well as other details like their status and security patching levels. All devices should have the most recent security patches installed to provide the maximum level of security.
- Strengthening the passwords on all devices is an essential first step for maintaining their security. There is an alarming tendency to install the devices using the manufacturers’ default passwords. This needs to be avoided at all costs, and strong and unique passwords should be defined on all devices.
- Network segmentation limits the risk to ePHI by storing it on dedicated systems not accessible by general users. This makes it more difficult for hackers to gain access to sensitive data.
- Multifactor authentication is useful to bolster the defense of individual IoMT devices. Even if a device’s password has been compromised, multifactor authentication will prevent a hacker from gaining control.
- Strong encryption is a HIPAA requirement when processing ePHI and needs to be implemented on IoMT devices and the networks that carry their data.
- Monitoring network traffic enables organizations to determine if devices are sending or receiving abnormal amounts of data. This information may indicate that an attack is underway and allow the security team to take proactive measures to protect ePHI.
- Implement an anomaly-based intrusion detection system to monitor the network for abnormal activity. Systems with artificial intelligence and machine learning capabilities can alert organizations to new and evolving risks.
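Several of the measures above (the device inventory with its patch levels, the default-password check, network segmentation, and traffic-volume monitoring) can be turned into routine checks once the inventory and per-device traffic counts exist. The following is an added example, not code from the article or from any device vendor: it audits a constructed inventory against an assumed current-firmware table and an assumed clinical network segment, and it flags a device whose current hourly byte count sits far above its own recent history using a median-and-MAD baseline. The device ids, models, firmware versions, addresses, and byte counts are all constructed; `k` and `min_mad` are tuning parameters chosen for the example.

```python
"""Inventory audit and per-device traffic-volume baseline for IoMT devices.

Added example with constructed data, not the article's or any vendor's code.
"""
import ipaddress
import statistics
from typing import Dict, List, Tuple

# Assumed: the firmware version the organization has approved per device model.
CURRENT_FIRMWARE = {"infusion-pump-x": "3.2.1", "ecg-monitor-y": "1.8.0"}
# Assumed: the dedicated segment where clinical devices are supposed to live.
CLINICAL_SEGMENT = ipaddress.ip_network("10.40.0.0/16")

# Constructed inventory records (hypothetical devices).
INVENTORY = [
    {"id": "pump-07", "model": "infusion-pump-x", "fw": "3.2.1", "ip": "10.40.1.7", "default_creds": False},
    {"id": "pump-09", "model": "infusion-pump-x", "fw": "3.1.4", "ip": "10.40.1.9", "default_creds": True},
    {"id": "ecg-12", "model": "ecg-monitor-y", "fw": "1.8.0", "ip": "10.10.5.12", "default_creds": False},
]

# Constructed hourly byte counts: 12 hours of history plus the current hour.
TRAFFIC = {
    "pump-07": {"history": [12400, 11900, 12800, 12100, 13000, 12300,
                            12600, 12200, 12500, 12700, 12000, 12900],
                "current": 12900},
    "ecg-12": {"history": [8000] * 12, "current": 41000},
}


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.1.4' -> (3, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_inventory(inventory: List[dict], current_fw: Dict[str, str],
                    segment: ipaddress.IPv4Network) -> List[Tuple[str, str]]:
    """Return (device_id, finding) pairs for patch level, credentials and placement."""
    findings = []
    for device in inventory:
        if version_tuple(device["fw"]) < version_tuple(current_fw[device["model"]]):
            findings.append((device["id"], "outdated-firmware"))
        if device["default_creds"]:
            findings.append((device["id"], "default-credentials"))
        if ipaddress.ip_address(device["ip"]) not in segment:
            findings.append((device["id"], "outside-clinical-segment"))
    return findings


def anomalous_volume(history: List[int], current: int,
                     k: float = 6.0, min_mad: float = 256.0) -> Tuple[bool, float]:
    """Flag `current` if it exceeds median + k * MAD of the device's own history.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so a few past spikes do not inflate the baseline.
    A device with perfectly steady traffic has MAD = 0, which would flag any
    change at all, so the spread is floored at `min_mad` bytes.
    """
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    threshold = med + k * max(mad, min_mad)
    return current > threshold, threshold


def flagged_devices(traffic: Dict[str, dict]) -> List[str]:
    """Device ids whose current hourly volume is above their baseline threshold."""
    return [device_id for device_id, sample in traffic.items()
            if anomalous_volume(sample["history"], sample["current"])[0]]


if __name__ == "__main__":
    for device_id, finding in audit_inventory(INVENTORY, CURRENT_FIRMWARE, CLINICAL_SEGMENT):
        print(f"inventory: {device_id}: {finding}")
    for device_id in flagged_devices(TRAFFIC):
        print(f"traffic: {device_id}: abnormal volume this hour")
```

In the constructed data, `pump-09` is behind on firmware and still on default credentials, `ecg-12` is plugged into a general-purpose segment, and `ecg-12` is also moving about five times its usual hourly volume. The volume check is a starting point for the anomaly-based monitoring the article calls for; a production deployment would keep a longer baseline per device and per direction (bytes in versus bytes out), since a device suddenly sending far more than it receives is the pattern most worth a security team's attention.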
Protection Is Key
The benefits afforded to healthcare providers and patients by IoMT devices are too great to ignore. Organizations and their IT partners need to take the necessary steps to ensure the privacy and security of sensitive PHI to achieve the real value of the IoMT. It’s a challenge they must accept and negotiate successfully to protect themselves and their patients.
Robert Agar is a regular contributor and blogger for Atlantic.Net and specializes in various information technology topics. He brings over 30 years of IT experience to the table with a focus on backup, disaster recovery, security, compliance, and the cloud.