IoMT: Exposing Vulnerabilities & Cybersecurity Challenges

Published On: February 15th, 2022 | 4 min read

Recent advancements around the Internet of Medical Things (IoMT), medical devices, smart sensors, device manufacturing, and big data technologies have enabled the design and manufacturing of devices for a wide array of disease-specific applications in health care. 

These devices can be used to remotely monitor, diagnose, and eventually predict various diseases and aid in the rehabilitation of patients. They can often offer an unobtrusive and affordable alternative to costly and time-consuming healthcare efforts, such as hospitalisation and late diagnosis. 

There is no doubt that the future of healthcare is digital, and that IoMT devices are a game changer, driving down costs and helping improve patient care. But their widespread use will make them a huge target for cybercriminals, exposing vulnerabilities and posing various security challenges.


Because of their complex component architectures, manufacturers of these devices face a number of challenges during development, and speed-to-market is typically the overarching business imperative when bringing these modern devices to maturity.

As well as ensuring devices have connectivity capabilities, manufacturers have to consider minimum sensor configuration, data security (including data loss), security breaches, battery life, appropriate user interfaces, user acceptance, accurate diagnoses, and much more. 

The Challenges Ahead

As IoMT devices are capable of managing and monitoring masses of personal health data, it is just as important to protect that data. However, limited computational power means many of these devices lack the encryption needed to do so. Physiological data and sensitive user information are usually transmitted wirelessly, leaving that data prone to interception and alteration and posing major challenges in securing transfer and storage for both consumers and manufacturers.

Currently, the computational power of IoMT devices limits the ability of manufacturers to embed complicated security mechanisms on the device, meaning that authentication (PIN, password, or biometric security) is overlooked, leaving them susceptible to unauthorised access.

Furthermore, these devices tend to connect to smartphones or tablets wirelessly via Bluetooth, ZigBee, NFC, or Wi-Fi. The need for regular communication and data synchronisation creates another entry point into the device, making it further prone to information leakage. 

Finally, many IoMT devices run their own operating system and need to be patched and updated to avoid falling prey to the latest security vulnerabilities. This ability and frequency needs to be factored into manufacturers’ roadmaps when developing these devices. 

To effectively solve these problems, manufacturers must engineer devices with data security baked into their fabric. This can be accomplished by developing devices that include custom security settings, Bluetooth encryption and remote erase features, and by encrypting data elements such as passwords, user IDs, user information, and PINs.

Implementing security best practices

DMI has been working with medical device manufacturers to scope, define, and apply best practice data security frameworks before devices are released to the market. Some of the recommendations contained within the framework include a methodical risk management and design process that can appropriately capture and communicate design, implementation, and risk management decisions and rationale, as well as ensuring data authenticity and integrity.

We apply this framework across our IoMT connected health projects and ensure devices implement each of the recommendations listed: 

  • Device pairing and user authentication: Implement access controls that determine who, or which mobile device, can access the IoMT device, and how privileges are granted.
  • Physical Access: Implement controls that prevent access to the device by an unauthorised person.
  • Data in transit: Consider how the IoMT device will interface with other devices and networks that support less secure communication. Factor in prevention of unauthorised access and modification when it comes to data transfer to and from the device.
  • Online and offline modes: Consider how the IoMT device will interact and send information when the mobile application is in background mode.
  • Data Protection: Consider whether a level of protection or encryption is required for data stored on or transferred by the IoMT device, and whether the device needs risk control measures.
  • Firmware updates: When implementing regular updates, consider how the software on the device will be updated and controlled so that it stays secure against emerging vulnerabilities.
  • Device integrity: Consider risks that affect the integrity of the device, evaluate the system-level architecture to look for necessary design features, and consider anti-malware controls.
  • Reliability and Availability: Consider design features that allow the device to detect, resist, respond to, and recover from cybersecurity attacks.
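The firmware-update and device-integrity items above, together with the earlier point that IoMT devices must be patched to avoid falling prey to new vulnerabilities, come down to one mechanism on the device: it must only install an update whose manifest it can authenticate, whose image matches that manifest, and whose version is newer than what is already installed (so an attacker cannot push a known-vulnerable older build back onto it). The following is an added example, not DMI's code and not any manufacturer's update client. It assumes a hypothetical per-device update key `K_UPDATE` provisioned at manufacture, a JSON manifest carrying `version` and `sha256`, and a persisted monotonic version counter; it uses HMAC-SHA256 so that it runs with the Python standard library alone. A production design on a constrained device would normally use an asymmetric signature (for example Ed25519) so that the device stores only a public key and cannot itself forge an update.

```python
"""Authenticated firmware update with anti-rollback for a constrained IoMT device.

Added example, not the original page's or any vendor's code. Assumptions (labelled):
- K_UPDATE is a hypothetical per-device key provisioned at manufacture; HMAC-SHA256
  stands in for an asymmetric signature so the example needs only the stdlib.
- The update package is (manifest JSON, tag over the manifest, firmware image).
- The device persists installed_version in non-volatile storage as a monotonic counter.
"""
import hashlib
import hmac
import json

# Constructed placeholder key for the example only; a real device key is provisioned securely.
K_UPDATE = b"constructed-demo-update-key-not-for-production"


class UpdateRejected(Exception):
    """Raised when an update package fails any verification step."""


def build_manifest(version: int, image: bytes) -> bytes:
    """Vendor side: canonical manifest binding a version number to the image's SHA-256."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    # sort_keys + compact separators give a deterministic byte string to authenticate.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: bytes, key: bytes) -> bytes:
    """Vendor side: authentication tag over the exact manifest bytes."""
    return hmac.new(key, manifest, hashlib.sha256).digest()


class Device:
    """Minimal model of the device-side update client."""

    def __init__(self, key: bytes, installed_version: int):
        self.key = key
        self.installed_version = installed_version  # persisted monotonic counter
        self.image = None  # currently installed firmware image (None = not modelled)

    def apply_update(self, manifest: bytes, tag: bytes, image: bytes) -> int:
        """Verify and install an update; returns the new installed version.

        Order matters: authenticate before parsing, so untrusted bytes are never
        interpreted; then enforce anti-rollback; then check image integrity.
        """
        # 1. Authenticate the manifest (constant-time compare avoids timing leaks).
        expected = hmac.new(self.key, manifest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise UpdateRejected("manifest authentication failed")

        meta = json.loads(manifest)

        # 2. Anti-rollback: only strictly newer versions may be installed, which
        #    blocks replay of a genuine but superseded (possibly vulnerable) build.
        version = meta.get("version")
        if not isinstance(version, int) or version <= self.installed_version:
            raise UpdateRejected("version is not newer than the installed version")

        # 3. Image integrity: the delivered image must match the authenticated hash.
        digest = meta.get("sha256")
        if not isinstance(digest, str) or not hmac.compare_digest(
            hashlib.sha256(image).hexdigest(), digest
        ):
            raise UpdateRejected("image hash does not match manifest")

        # 4. Commit only after every check passed (in real firmware: write to the
        #    inactive slot, then advance the counter atomically before switching).
        self.image = image
        self.installed_version = version
        return self.installed_version


def demo() -> dict:
    """Run the happy path and three failure cases; returns the outcome of each."""
    image_v2 = b"constructed firmware image, version 2"
    manifest = build_manifest(2, image_v2)
    tag = sign_manifest(manifest, K_UPDATE)
    outcomes = {}

    outcomes["genuine_update"] = Device(K_UPDATE, 1).apply_update(manifest, tag, image_v2)

    for name, device, args in [
        ("rollback_replay", Device(K_UPDATE, 2), (manifest, tag, image_v2)),
        ("tampered_image", Device(K_UPDATE, 1), (manifest, tag, b"constructed tampered image")),
        ("forged_tag", Device(K_UPDATE, 1), (manifest, bytes(32), image_v2)),
    ]:
        try:
            device.apply_update(*args)
            outcomes[name] = "installed"
        except UpdateRejected as exc:
            outcomes[name] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `demo()` function installs a genuine version-2 image on a version-1 device, then shows the same package being refused on a device already at version 2 (replay/rollback), a tampered image being refused under a genuine manifest, and a forged tag being refused before the manifest is even parsed.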

As an ISO27001 accredited organisation operating in the healthcare space, we understand the growing complexity and security risks of the IoMT and connected medical devices.

Whether you need help:

  • Taking your device through the FDA approval process for Software as a Medical Device (SaMD) or Software in a Medical Device (SiMD) classification
  • Carrying out feasibility studies 
  • Designing and building a robust security framework and roadmap for future device production
  • Integrating smart devices with mobile applications

Our subject matter experts can help you overcome barriers to successfully digitising your IoMT products and services. We have significant experience with a variety of communication protocols, including Bluetooth, WiFi, and Zigbee, and have the resources and expertise needed to help organisations achieve true interoperability.

Learn how DMI can help you improve patient outcomes and generate additional revenue streams. Contact us today or click here to learn about our IoMT expertise.
