Valley way,” 2016, https://www2.deloitte.com/us/en/insights/topics/innovation/tapping-into-silicon-valley-culture-of-innovation.html#endnote-4.37 37 Tom Van De Belt, Lucien Engelen, JLPG, Rafael Mayoral, Sivera AA Berben, Lisette Schoonhoven “Definition of Health 2.0 and Medicine 2.0: A Systematic Review,” 2010, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2956229/.
38 38 https://www.statnews.com/2018/11/25/medical-devices-pain-other-conditions-more-than-80000-deaths-since-2008/#:~:text=The%20media%20partners%20found%20that,FDA%20over%20the%20last%20decade.
39 39 “Medical devices for pain, other conditions have caused more than 80,000 deaths since 2008,” Associated Press, November 25, 2018, https://www.statnews.com/2018/11/25/medical-devices-pain-other-conditions-more-than-80000-deaths-since-2008/#:~:text=The%20media%20partners%20found%20that,FDA%20over%20the%20last%20decade.
40 40 Chistina Jewett, “Reports Of Patients’ Deaths Linked To Heart Devices Lurk Below the Radar,” 2019, https://khn.org/news/reports-of-patients-deaths-linked-to-heart-devices-lurk-below-radar/.
41 41 David Mikkelson, “General Motors Replies to Bill Gates: General Motors responds to Bill Gates,” https://www.snopes.com/fact-check/car-balk/.
42 42 “CVE Details The ultimate security vulnerability datasource,” accessed October 2020, https://www.cvedetails.com/vulnerability-list.php?vendor_id=26&product_id=32238&version_id=&page=23&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=1111&sha=41e451b72c2e412c0a1cb8cb1dcfee3d16d51c44.
43 43 “CloudPassage Study Finds U.S. Universities Failing in Cybersecurity Education,” Cloud Passage, April 7, 2016, https://www.globenewswire.com/news-release/2016/04/07/1312702/0/en/CloudPassage-Study-Finds-U-S-Universities-Failing-in-Cybersecurity-Education.html.
44 44 Todd Fitzgerald, CISO Compass: Navigating cybersecurity leadership challenges with insight from pioneers, CRC Press 2019, page 5.
45 45 Barry Phegan, “314 - How Fast Can a Culture Change,” https://companyculture.com/314-how-fast-can-culture-change/.
46 46 Dan Patterson, “Why Microsoft spends over $1 billion on cybersecurity each year,” 2018, https://www.techrepublic.com/article/why-microsoft-spends-over-1-billion-on-cybersecurity-each-year/.
47 47 Greg Murphy, “No Time to Waste: Why Automation Will Shape The Future of IoMT Security,” https://www.healthitoutcomes.com/doc/no-time-to-waste-why-automation-will-shape-the-future-of-iomt-security-0001.
48 48 Bethany Corbin, “When ‘Things’ Go Wrong: Redefining Liability for the Internet of Medical Things,” March 2019, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3375070.
CHAPTER 2 The Internet of Medical Things in Depth
Leaving a broken system the way it is, that's not a solution.
—Barack Obama
In order to understand the risks related to internet-connected medical devices, it is important to understand what medical devices are. That requires not only understanding the individual components that comprise internet-connected medical devices, but also how the parts fit into the larger ecosystem of devices and technology and, in some cases, ultimately services. This, in turn, has a huge impact on the security of healthcare organizations and potentially our very lives.
To accomplish this, we'll explore a bit of the evolution into internet-connected medical devices and the current challenges with the various kinds of devices and technology—including the vulnerabilities. Think of a vulnerability as a weakness in the system. Those vulnerabilities are such a pervasive part of the building blocks of internet-connected medical devices that it may seem hard to understand how to get past them from a layperson's perspective. This is such a critical chapter because it sets a central foundation that will be explored throughout this book—how we protect medical devices, our medical institutions, our data, and our lives.
What Are Medical Things?
The first device to be connected to the internet was not a medical device. Of all things, it was a toaster. This was back in 1990.1 The only capability it had was to turn on and off over the internet. For historical contrast, it would not be until 1991 when the first web page was created. These were very early days. The idea for having devices connect to the internet is quite old—the idea was around even during the 1970s. It was often referred to as the “embedded internet” of “pervasive computing.” In 1999, Kevin Ashton was giving a presentation to sell an idea he had to Proctor & Gamble.2 He knew executives thought this internet was going to kick off so he wanted them to quickly understand what he was talking about. For the presentation he coined the phrase “internet of things.” Now internet-connected devices are commonly referred to as IoT for short.
The primary consideration for an IoT device is that it is a physical object. In the consumer market we can see examples of IoT devices such as thermostats, physical security systems, and appliances. This only scratches the surface of what IoT can do. Now IoT is used in a vast array of applications. There are IoT cars, energy management systems, industrial applications, manufacturing, agriculture, environmental monitoring, military equipment, and so on. IoT is so pervasive that there are many offshoots of the technology. Medical devices are only one such offshoot. They are typically called the internet of medical things, or IoMT.
But what differentiates IoMT from IoT? Not considering the connectivity and sufficient to forward our discussion,
