The Internet of Things (IoT) of digital, networked technology is quickly moving to the forefront of society, the global economy, and the human experience.
The IoT sometimes refers to colossal, impersonal concepts like connecting electricity grids to the Internet for economic or environmental considerations. But the IoT can be intensely personal as well. In the world of healthcare, software engineers are weaving networked medical devices into the fabric of the IoT. These devices, which can be worn or even implanted inside the body, are used to medicate, treat diseases, and maintain general health and wellness.
This report, a collaboration between Intel Security and Atlantic Council’s Cyber Statecraft Initiative at the Brent Scowcroft Center on International Security, explores security risks and opportunities that networked medical devices offer to society. It also provides recommendations for industry, regulators, and medical professionals to maximize value to patients while minimizing security risks arising from software, firmware, and communication technology across these devices.
Individuals wear networked devices to learn more about themselves, their diet, their exercise regimen, and their vital signs. Doctors can adjust and optimize implanted medical devices, such as pacemakers, quickly and accurately— and often with no need for intrusive medical procedures. In hospitals, new devices network to provide more effective and less expensive monitoring and treatments. According to one estimate, these technologies could save $63 billion in healthcare costs over the next fifteen years, with a 15-30 percent reduction in hospital equipment costs.
The analysis in this report draws attention to the delicate balance between the promise of a new age of technology and society’s ability to secure the technological and communications foundations of these innovative devices. The rewards of networked healthcare come with four main overlapping areas of concern, including accidental failures that erode trust. Should any high-profile failures take place, societies could easily turn their backs on networked medical devices, delaying their deployment for years or decades. Protecting patient privacy and sensitive health data is a second immediate concern, as malicious online hackers consider healthcare information especially valuable. A case in point: the number of information security breaches reported by healthcare providers soared 60 percent from 2013 to 2014—almost double the increase seen in other industries—according to PricewaterhouseCooper’s (PwC) Global State of Information Security Survey 2015.
Intentional disruption is also a concern because networked medical devices face the same technological vulnerabilities as any other networked technology. Hacktivists, thieves, spies, and even terrorists seek to exploit vulnerabilities in information technologies (IT) to commit crimes and cause havoc. However, when a networked device is literally plugged into a person, the consequences of cybercrime committed via that device might be particularly personal and threatening.
Even more dangerous than the potential for targeted killings, though also far less likely, is the threat of widespread disruption. Theoretically, a piece of targeted malware could spread across the Internet, affecting everyone with a vulnerable device. Such a scenario has materialized in business IT and industrial control systems; the sophisticated Stuxnet attack against Iran’s nuclear program is one example of this.
The current focus in medical device development and production is on manufacturers’ preferences and patients’ needs. Industry and government should also focus on implementing an overarching set of security standards or best practices for networked devices to address underlying risks.
Several recommendations will help foster innovation while minimizing security risks. This report makes the case that industry must build security into devices from the outset, rather than as an afterthought. As McAfee’s then-CTO Stuart McClure testified before the US House Committee on Homeland Security in 2012, “Cybersecurity has to be baked into the equipment, systems and networks at the very start of the design process.”
The report recommends continued improvements to private-private and publicprivate collaboration. More coordination, not more regulation, is warranted. Regulators do not always keep pace with technological progress. They should have feedback from a full set of stakeholders through transparent collaborative forums that assure the regulator’s independent functioning without creating concerns of collusion with industry. Likewise, industry officials should continue to improve communication among themselves.
The ultimate aim of enhanced cooperation is to change the current approach to the security elements of these devices. Security considerations, along with the devices’ ability to improve patients’ lives, must become an integral part of the process of conceiving and manufacturing these devices.
The report also recommends an evolutionary change to the regulatory approval paradigm for medical devices in order to encourage innovation while meeting regulatory policy goals and protecting the public interest. Some medical device makers continue to push old technologies and resist innovation because they know regulators will approve the old technology. A more streamlined regulatory approval process could remedy this problem. An improved process should encourage security by design, as well as the ability to patch systems after they are deployed.
Lastly, this report recommends an independent voice for the public, especially patients and their families, to strike a better balance between effectiveness, usability, and security when devices are implemented and operated.