The report 'The Healthcare Internet of Things: Rewards and Risks' by Jason Healey, Neal Pollard and Beau Woods for the Atlantic Council and Intel Security [PDF] comments:
The Internet of Things (IoT) of digital, networked technology is quickly moving to the forefront of society, the global economy, and the human experience.
The IoT sometimes refers to colossal, impersonal concepts like connecting electricity grids to the Internet for economic or environmental considerations. But the IoT can be intensely personal as well. In the world of healthcare, software engineers are weaving networked medical devices into the fabric of the IoT. These devices, which can be worn or even implanted inside the body, are used to medicate, treat diseases, and maintain general health and wellness.
This report, a collaboration between Intel Security and Atlantic Council’s Cyber Statecraft Initiative at the Brent Scowcroft Center on International Security, explores security risks and opportunities that networked medical devices offer to society. It also provides recommendations for industry, regulators, and medical professionals to maximize value to patients while minimizing security risks arising from software, firmware, and communication technology across these devices.
Individuals wear networked devices to learn more about themselves, their diet, their exercise regimen, and their vital signs. Doctors can adjust and optimize implanted medical devices, such as pacemakers, quickly and accurately—and often with no need for intrusive medical procedures. In hospitals, new devices network to provide more effective and less expensive monitoring and treatments. According to one estimate, these technologies could save $63 billion in healthcare costs over the next fifteen years, with a 15-30 percent reduction in hospital equipment costs.
The analysis in this report draws attention to the delicate balance between the promise of a new age of technology and society’s ability to secure the technological and communications foundations of these innovative devices.
The rewards of networked healthcare come with four main overlapping areas of concern, including accidental failures that erode trust. Should any high-profile failures take place, societies could easily turn their backs on networked medical devices, delaying their deployment for years or decades. Protecting patient privacy and sensitive health data is a second immediate concern, as malicious online hackers consider healthcare information especially valuable. A case in point: the number of information security breaches reported by healthcare providers soared 60 percent from 2013 to 2014—almost double the increase seen in other industries—according to PricewaterhouseCoopers’ (PwC) Global State of Information Security Survey 2015.
Intentional disruption is also a concern because networked medical devices face the same technological vulnerabilities as any other networked technology. Hacktivists, thieves, spies, and even terrorists seek to exploit vulnerabilities in information technologies (IT) to commit crimes and cause havoc. However, when a networked device is literally plugged into a person, the consequences of cybercrime committed via that device might be particularly personal and threatening.
Even more dangerous than the potential for targeted killings, though also far less likely, is the threat of widespread disruption. Theoretically, a piece of targeted malware could spread across the Internet, affecting everyone with a vulnerable device. Such a scenario has materialized in business IT and industrial control systems; the sophisticated Stuxnet attack against Iran’s nuclear program is one example of this.
The current focus in medical device development and production is on manufacturers’ preferences and patients’ needs. Industry and government should also focus on implementing an overarching set of security standards or best practices for networked devices to address underlying risks.
Several recommendations will help foster innovation while minimizing security risks. This report makes the case that industry must build security into devices from the outset, rather than as an afterthought. As McAfee’s then-CTO Stuart McClure testified before the US House Committee on Homeland Security in 2012, “Cybersecurity has to be baked into the equipment, systems and networks at the very start of the design process.”
The report recommends continued improvements to private-private and public-private collaboration. More coordination, not more regulation, is warranted. Regulators do not always keep pace with technological progress. They should have feedback from a full set of stakeholders through transparent collaborative forums that assure the regulator’s independent functioning without creating concerns of collusion with industry. Likewise, industry officials should continue to improve communication among themselves.
The ultimate aim of enhanced cooperation is to change the current approach to the security elements of these devices. Security considerations, along with the devices’ ability to improve patients’ lives, must become an integral part of the process of conceiving and manufacturing these devices.
The report also recommends an evolutionary change to the regulatory approval paradigm for medical devices in order to encourage innovation while meeting regulatory policy goals and protecting the public interest. Some medical device makers continue to push old technologies and resist innovation because they know regulators will approve the old technology. A more streamlined regulatory approval process could remedy this problem. An improved process should encourage security by design, as well as the ability to patch systems after they are deployed.
Lastly, this report recommends an independent voice for the public, especially patients and their families, to strike a better balance between effectiveness, usability, and security when devices are implemented and operated.