As connected devices proliferate within health care enterprises and across the health care ecosystem, cybersecurity risks abound.
During the first year of the COVID-19 pandemic, the health care sector was profoundly affected by cyber-attacks on connected devices, we learn in the report, Rise of the Machines 2021: State of Connected Devices – IT, IoT, IoMT and OT from Ordr.
For this annual report, Ordr analyzed security risks across over 500 deployments in healthcare, life sciences, retail, and manufacturing sectors for the 12 months June 2020 through June 2021.
In health care, outdated operating systems present some of the greatest risks: 15% of medical devices and 32% of medical imaging tools run on outdated operating systems. “This is because many medical devices remain in operation for a number of years and cannot be easily replaced for cost reasons,” Ordr explains in the report.
In medical facilities, one-half of the cyber-attacks were on medical devices, the circle graph illustrates. The next most-likely connected devices to be attacked in health care were IP Phones (22%), followed by network devices (11%).
During the pandemic, health care providers needed to deal with the security of devices rapidly procured and deployed within institutions and also outside the walls of providers, such as in field hospitals meeting the surge of coronavirus patients.
“During the chaos and confusion, threat actors launched cyberattacks,” Ordr observed in the wake of the public health crisis.
In this Rise of the Medical Machines, the major risks for health care organizations were that,
- 68% of health care deployments had more than 10 FDA recalls
- 32% of medical imaging devices were running on unsupported operating systems, and
- 15% of medical devices were running on unsupported operating systems.
Among the top medical devices most threatened were infusion pumps (48%), patient monitoring (15%), and glucose monitors (just under 5%).
Ordr’s CEO Greg Murphy warns: “As the number of connected devices climbs, the number and sophistication of attacks targeting them will grow.”
Health Populi’s Hot Points: Beyond the Internet of Things, RAND has been thinking about the Internet of Bodies, how wearable (external) and digestible or implantable (internal) sensors can help people track wellness and illness with the promise of benefiting overall health.
These can cover us head-to-toe, inside and outside as the drawing from RAND’s report on IoB illustrates. The IoB ecosystem includes the technologies that are part of the health care Internet of Things, as well as EHRs, robotic surgery systems, and smart ventilators which also generate data about peoples’ health and wellness.
These technologies are emerging from both the medical-tech developers as well as consumer-grade and -facing companies: think HIMSS and RSNA vis-a-vis CES/the Consumer Technology Association. I noted the Yin-and-Yang-and the Blur of this health data ecosystem in 2013 when I attended CES, HIMSS and South-by-Southwest in a matter of weeks, kicking tires on digital health developments at all three events.
Back to the Ordr report, noting the rise of also the Internet of Stranger Things, abounding. In addition to a proliferation of Alexa devices, which we know are also part of consumers’ and providers’ health care voice-enabling devices, Ordr points to connected cars, connected fitness, and connected games.
Take Peloton, which grew like topsy during the pandemic: the connected fitness category, which Peloton exemplifies, is fast-expanding based on the Consumer Technology Association’s latest forecast on consumer electronics, 2017-2022: connected exercise equipment was scarcely quantifiable in 2017 (selling 284,000 units with revenue of $142 million). By 2022, CTA projects that connected exercise equipment will reach sales of 2.5 million units with revenues of $4.5 billion.
That $4.5 bn is akin to four and a half blockbuster drugs in the pharma world.
We can expect connected fitness, gaming, voice, and autos will all connect to our health care in the growing Internet of Healthy Things. The supply and demand side for this is clear to forecast in my scenario planning these days.
What’s unclear is how public policy and regulation can/will meet this moment. There are ethical and privacy/security issues abounding as the Internet of Healthy Things abounds. How to protect vulnerable groups of people? How to ensure that devices are meant for well-being and not exploitation? How to protect peoples’ privacy, using perhaps the GDPR or CCPA (California’s privacy protection) as models for a national approach to American health citizens’ privacy? How to ensure insurers, employers, and others use IoHT and IoB data in the context of health and wellness with the opt-in of health citizens?
Let’s ensure the inevitable Rise of the Machines bake in trust and privacy-by-design to benefit all health citizens.