The adoption of technology in the healthcare industry increased at a rapid rate in 2020 and, as a result, the number of connected medical devices – an integral part of the Internet of Medical Things (IoMT) – is booming. The COVID-19 pandemic has reshaped how medical devices are deployed, with more and more devices being used by patients in their own homes.
A recent report by Mordor Intelligence predicts the connected medical devices market will balloon from $28 billion in 2020 to $94 billion by 2026. This rapid growth provides significant opportunities for medical device manufacturers, digital health companies, healthcare providers, and patients as the industry moves toward a more consumer-oriented, personalized and technology-enabled care model. However, the growing use of connected medical devices to improve patient care is clouded by the fact that IoMT devices are increasingly vulnerable to cyberattacks, as the past year has proven.
Cyberattacks on IoT devices increased three-fold in 2019 alone, accounting for more than 2.9 billion events. Frost & Sullivan estimated that 20 to 30 billion connected IoT and medical devices would be a part of the healthcare ecosystem before the end of 2020, and it’s estimated that at least 50 billion medical devices will be connected to clinical systems within the next 10 years. The proliferation of connected devices and an increasingly large attack surface make the IoMT industry an opportune target for hackers.
Stealing health records is very lucrative for hackers. In fact, health records are currently the most valuable personally identifiable information (PII) asset being traded by cyber criminals. Medical records often include social security numbers, financials and other information, and provide the most comprehensive picture of a person’s background and identity available today. They can be sold on the dark web to forgers, human traffickers, terror organizations, hostile countries, drug cartels, and other criminal elements for upwards of $1,200 per record. Medical records are up to 50 times more valuable than a credit card number.
When cyberattacks are successful, patients and healthcare providers are at risk of care disruption, identity theft, financial fraud, and other types of criminal activity. Successful attacks are also incredibly costly for healthcare organizations, both financially and reputationally. A healthcare data breach in the U.S. cost an average of $7.13 million in 2020, including increasingly steep federal regulatory fines – a 10% increase from 2019 and higher than in any other industry.
With the rising use of connected medical devices, cybersecurity must be made a priority. Unfortunately, the rapid transition to connected healthcare is severely challenging medtech professionals globally.
IoMT executives not prepared for cyberattacks
While a cyberattack can have severe consequences, the IoMT industry has yet to become more proactive about cybersecurity. According to a recent survey by Irdeto, in partnership with Censuswide and Guidepoint Global, only 13% of IoMT leaders said they believe their business is very prepared to mitigate future cybersecurity risks, while 70% believe they are only somewhat prepared at best. Shockingly, about one fifth (17%) said that their firm was not prepared at all.
The data also showed that 80% of survey participants reported having suffered at least one cyberattack in the past five years, and it is all but certain that they face at least dozens of additional threats on a daily basis. Organizations have also fallen victim to several attack techniques, including ransomware, malware, phishing, spoofing and DDoS, with customer databases, employee information and even R&D platforms being exploited.
Additionally, only four in 10 respondents rated themselves very aware/knowledgeable about forthcoming EU and US regulations, and 28% reported not knowing anything at all about forthcoming regulations. This is concerning, considering how fast regulation is changing across both regions.
How the IoMT industry can safeguard against cybersecurity threats
With the breadth and magnitude of threats facing connected medical devices, professionals working in the IoMT industry must practice effective cybersecurity management. This begins with creating a holistic cybersecurity strategy including three key elements:
- Implement security in the design phase
It’s critical to protect software running on medical devices, as software applications are becoming a significant part of the attack surface and unprotected applications can leave a trail that can be reverse engineered to disrupt a virtual care platform. These protections should be built into devices during the design process whenever possible. Bolting on cybersecurity once a product is already on the market is much more difficult and typically not sufficient. Building security in at this stage includes conducting a performance risk analysis, identifying any assets or functionalities that threat actors could potentially exploit, and shoring them up during the development phase. It’s helpful to maintain a list of security requirements that should be implemented in products to make this process simple and efficient.
- Keep pace with the market
Connected medical devices need to continue to be managed once they are out in the market. This includes ensuring devices are up to date with the latest software versions and remain relevant as the market evolves. Currently, the most important technologies for a post-COVID world are those that protect sensitive data, can’t be reverse engineered or exploited, and ensure that software remains a black box to attackers.
- Implement an incident response plan
Finally, an incident response mechanism is a critical element of a cybersecurity plan. If there is an issue, it’s important to be able to address it quickly. An incident response plan should outline how to reach customers through previously established channels and install updates if necessary.
There is no such thing as “one and done” with cybersecurity. Even with protections in place, companies in the healthcare industry must continually monitor for threats, keep pace with industry developments, and evaluate their cybersecurity systems to ensure they are up to date. In this environment, IoMT stakeholders cannot successfully innovate without effective cybersecurity to protect the most sensitive data and devices from bad actors who want to access and corrupt them for personal gain. Ensuring the security of connected medical devices is critical, and it will take a concerted, ongoing effort by the entire industry.