The global internet of things (IoT) healthcare market size is expected to reach nearly $270 billion by 2023, according to a report published by P&S Market Research. This growing market is driven by trends such as the need for remote patient monitoring services, a demand for advanced healthcare information systems, and the demand for mHealth technologies. As IoT continues to grow in the healthcare industry, Patty Nichols, Medical Technology Practice Lead for Travelers, and Kirstin Simonson, Global Technology Cyber Lead for Travelers, delve into a host of unintended consequences and risks that few are talking about.
For instance, although equipment maintenance software can help prevent MRI machine outages, it also exposes the machines to increased vulnerability to hackers. Smart wearables and screens may track patient information in real time, but outages and errors can lead to incorrect patient treatment. RFID-equipped cabinets track supplies and optimize inventory, but tampering or human error can lead to a shortage of critical medical products. All of these occurrences leave healthcare companies and patients vulnerable to different consequences and risks.
“Hospitals are vulnerable because they have so much on their network beyond their IT infrastructure, from tablets to MRI machines,” says Nichols. “In addition, medical devices are typically more expensive and specialized compared with other industries. There can be fewer providers to choose from and equipment can be more difficult to replace. All of these factors can ultimately affect an organization’s security profile.”
Another challenge for healthcare organizations is that their legacy systems may rely on outdated devices and operating systems, which can expose vulnerabilities that can be exploited.
“Criminals can take advantage of any holes in the integration between physical security and clinical devices,” says Simonson. “There are numerous touch points that need to be considered and managed appropriately. However, budget and resource issues can sometimes impact an organization’s ability to identify these kinds of vulnerabilities.”
These vulnerabilities can be hard to budget for, since the primary mission of healthcare facilities is to save lives; as a result, the priority given to cyber security varies for each organization.
As organizations continue to realize the binding need for security standards, they must also look at what is currently working and what is falling short when it comes to companies protecting their data and equipment as IoT grows.
“We’re seeing healthcare companies being more proactive in building out robust infrastructures for managing risks across their digital and equipment assets,” says Simonson. “They’re developing business continuity plans, testing protocols and identifying who is responsible for testing, monitoring and implementing these technologies. What they may not be doing is testing equipment assets before they put them into production.”
Equipment testing becomes a larger point of debate between healthcare delivery organizations and medical device manufacturers when it comes to determining who is responsible.
“Most rely on the healthcare organization’s IT team but they’re pushing back, saying medical device companies need to take more responsibility,” says Nichols. “As a result, we are seeing some healthcare organizations include security questions in the procurement process for medical devices.”
Simonson believes that all equipment assets should be treated this way in terms of security, not only medical devices. But even if security protocols are put in place by the manufacturer, the equipment still needs to be maintained and looked after appropriately.
“When you flip that switch, what are you going to do if it shuts down your ER? Healthcare organizations need to own that responsibility for any device that they connect to the network,” says Simonson. “If an organization is working under the assumption that the liability falls under the third-party device manufacturer, but they themselves don’t have the network set up properly, there can be security gaps.”
Ultimately, the big picture that companies should be thinking about when it comes to the consequences and risks of healthcare technology is compliance and regulations. If companies are not doing what they need to do, they risk being non-compliant. Additionally, there are financial and reputational impacts that companies can endure if shortcuts are taken with security.
“Consider an event, like ransomware knocking down your operating room,” says Simonson. “It’s not just that you can’t operate, you also can’t accept patients, and you will immediately start losing revenue and credibility. Organizations really need to discuss these worst-case scenarios that could happen, consider how they would impact their financials and reputation, and identify what needs to be done to not only prevent the situation from happening, but also how to get back up and running as soon as possible if it does.”
As the healthcare industry continues to discuss the “what if” questions, it must also prepare for the “what now.” With IoT peaking as a trend in medical technology, the healthcare industry must revamp its security strategies to mitigate the oncoming consequences.