Do No Harm. Matthew Webster
Mobile Devices and Applications
The use of mobile applications in medicine is becoming more common with each passing year. They cover everything from information and time management, access to records, communication and consulting, patient management and monitoring, to aids for clinical decision-making. They are helping to lead the charge for better decision-making and improved patient outcomes. With digitalization of records, healthcare professionals can access the information from anywhere. For some this is a marvelous miracle. For devices that are heavily controlled by corporations, the risks are relatively low. The challenge comes in with consumer technology. We do not necessarily have the most up-to-date versions of the software. While some people buy the latest technology, keep up to date with patching, and have antivirus installed on their devices, others do not. Downloading applications that contain malicious software adds a further large set of risks. Review 42 identified that one in 36 phones had a high-risk application on them.35 If you tie that back to phones that are not patched or protected, this is a very large volume of phones at high risk.
Let's take a look at this from another perspective. Science News ran an article on a research team from the University of Sydney, the University of Toronto, and the University of California that studied how top-rated medicine tracking mobile apps shared data. They looked at the top 24 apps on the Android platform within the United States, United Kingdom, Canada, and Australia. They were looking for potential data leaks beyond the apps themselves. They found that 19 out of 24 of the apps shared data outside of the apps. A total of 55 unique entities were receiving the data. Those unique entities were owned by 46 parent companies. The entities they analyzed could share the information with 216 fourth parties, including multinational technology companies.36 What they did not state in the article was whether those 216 parties had limitations on the data that is shared. Nonetheless, this is fairly concerning, as it shows how many companies can end up handling data that originated in a single app.
Clinical Monitors
Clinical monitors are the linchpin that helps to coordinate a wide range of IoMT devices so that medical information regarding a patient is all together in one location. They also make sure that the records are fed directly into Electronic Health Record (EHR) systems. The data can then be reviewed by specialists at a later point in time. Almost predictably at this point, vulnerabilities have been found in clinical monitors, too. In September 2020 DataBreachToday reported on several vulnerabilities in a Philips monitor.37 While the problems may be the equivalent of speaking a foreign language to some of you, the mitigation steps should give a better idea of how bad these vulnerabilities are. Paraphrasing, they recommend that the device essentially be quarantined (from a network perspective) until it is patched. They also want the device to be physically blocked off to prevent unauthorized login attempts and to allow access only on a must-have basis.38 The list is more extensive (and more technical than I am presenting here, as I am trying to spare my non-technical audience), but the mitigation steps are non-trivial in many environments. Some hospitals have the equivalent of a flat network, which means the network is essentially wide open, and blocking off the devices is time-consuming from a network standpoint as well as from a physical standpoint. If a large manufacturer like Philips is making these kinds of mistakes, it is even more difficult for the smaller companies.
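The "quarantine until patched, then allow access only on a must-have basis" recommendation paraphrased above is, in network terms, a default-deny allow-list keyed on each monitor's patch status. The following Python is an added illustration of that policy, not code from the book or from the Philips advisory: every address, port assignment, device name and flow record is constructed for the example (the HL7 MLLP port 2575 and the nftables rule syntax are real conventions; the hosts they point at are hypothetical). It shows why a flat network makes this hard: the policy has to be expressed per device, and anything not explicitly needed is dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for this illustration; none of it comes from the Philips advisory.
MONITOR_VLAN = ip_network("10.20.0.0/24")     # VLAN holding the clinical monitors
EHR_INTERFACE = ip_address("10.10.0.20")      # HL7 interface engine that feeds the EHR
PATCH_STAGING = ip_address("10.10.0.40")      # internal host serving the vendor patch
CENTRAL_STATION = ip_address("10.10.0.21")    # central viewing station

# Flows a quarantined (unpatched) monitor still needs: push observations to the EHR
# and reach the patch-staging host. Everything else is dropped. Tuples are (dst_ip, tcp_port).
QUARANTINE_ALLOW = frozenset({(EHR_INTERFACE, 2575), (PATCH_STAGING, 443)})  # 2575 = HL7 MLLP

# Once patched the monitor may also talk to the central station. Still an allow-list:
# "must-have basis" means nothing is reachable unless a clinical workflow needs it.
NORMAL_ALLOW = QUARANTINE_ALLOW | {(CENTRAL_STATION, 443)}


@dataclass(frozen=True)
class Monitor:
    name: str
    ip: str
    patched: bool


def allowed_flows(monitor: Monitor) -> frozenset:
    """Allow-list that applies to this monitor given its patch status."""
    return NORMAL_ALLOW if monitor.patched else QUARANTINE_ALLOW


def is_allowed(monitor: Monitor, dst_ip: str, dst_port: int) -> bool:
    """Default deny: True only if (dst_ip, dst_port) is on the monitor's allow-list."""
    if ip_address(monitor.ip) not in MONITOR_VLAN:
        raise ValueError(f"{monitor.name} ({monitor.ip}) is not on the monitor VLAN")
    return (ip_address(dst_ip), dst_port) in allowed_flows(monitor)


def blocked_flows(monitors, observed):
    """Return the (src, dst, port) tuples from `observed` that the policy would drop.

    A source on the monitor VLAN that is not in the inventory is treated as
    unknown and therefore blocked, which is what default deny means in practice.
    """
    by_ip = {m.ip: m for m in monitors}
    blocked = []
    for src, dst, port in observed:
        mon = by_ip.get(src)
        if mon is None or not is_allowed(mon, dst, port):
            blocked.append((src, dst, port))
    return blocked


def as_nft_rules(monitors) -> list:
    """Render the policy as nftables rule bodies for a forward chain: one accept
    per permitted flow, then a drop for anything else leaving the monitor VLAN."""
    rules = []
    for m in monitors:
        for dst, port in sorted(allowed_flows(m), key=lambda f: (str(f[0]), f[1])):
            rules.append(f"ip saddr {m.ip} ip daddr {dst} tcp dport {port} accept")
    rules.append(f"ip saddr {MONITOR_VLAN} drop")
    return rules


# Constructed inventory and a few constructed flow records (not real traffic).
SAMPLE_MONITORS = [
    Monitor("icu-bed-3", "10.20.0.5", patched=False),
    Monitor("icu-bed-4", "10.20.0.6", patched=True),
]
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.10.0.20", 2575),   # unpatched -> EHR: needed, allowed
    ("10.20.0.5", "10.10.0.21", 443),    # unpatched -> central station: quarantined, blocked
    ("10.20.0.6", "10.10.0.21", 443),    # patched -> central station: allowed
    ("10.20.0.6", "203.0.113.9", 443),   # patched -> outside host: never on the list, blocked
    ("10.20.0.77", "10.10.0.20", 2575),  # unknown device on the VLAN: blocked
]

if __name__ == "__main__":
    for flow in blocked_flows(SAMPLE_MONITORS, SAMPLE_FLOWS):
        print("would block:", flow)
    print("\n".join(as_nft_rules(SAMPLE_MONITORS)))
```

The per-device accept lines are the cost the chapter alludes to: on a flat network there is no VLAN boundary to hang the final drop rule on, so each monitor has to be isolated individually, and the inventory of what is patched has to be kept current or the quarantine silently lapses.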
Websites
Part of the connected world is a need for instant access to data—especially when it comes to hospitals. The more up-to-date the information, the more valuable that information is. There are numerous ways of collecting that information, but quite often with IoMT, that information's repository is an EHR system. That means the mobile devices, which are quite often connected via cellular technology, will need a way to access the data from the internet. Websites are a common tool to collect that information—whether it is directly through the EHR or through an independent website. Websites have all the flaws that we have previously mentioned and tend to be dependent on hardware or the cloud, an operating system, and software development.
Putting the Pieces Together
Just like a car, the more parts there are in the system, the more things can break. Similarly, in the electronic world, each piece of the system adds complexity and more room for vulnerabilities. Not only can they break, but they may have unforeseen vulnerabilities. Since one or more of the systems identified in Figure 2-1 are part of the IoT ecosystem, they all can have potential issues. When considering the security of a hospital, this is a daunting and growing challenge.
Current IoMT Challenges
A few might argue that recent legislation may have solved the problems related to vulnerabilities found within connected medical devices. While improvements have been made, there are still enormous challenges related to securing these devices. Legacy systems pose tremendous risks for organizations. With IoMT devices providing more value, especially in the time of COVID-19, the problems are only going to grow over time.
Figure 2-1: The interconnection of IoMT technologies
On January 23, 2020, the FDA released a warning on GE Healthcare's Central Stations and Telemetry Servers—essentially medical equipment that monitors patients.39 Just the day before, on January 22, 2020, GE had posted a much broader list of affected devices. They listed six vulnerabilities that can allow an attacker to:
“Make changes at the operating system level of the device with effects such as rendering the device unusable, otherwise interfere with the function of the device, and/or
Make certain changes to alarm settings on connected patient monitors, and/or
Utilize services used for remote viewing and control of multiple devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could result in missed or unnecessary alarms or silencing of some alarms.” 40
In this case, machines used to monitor blood pressure, heart rate, temperature, and patient status had flaws that could allow a person to tamper with the devices and interfere with their normal operation. Examples include, but are not limited to, creating false alarms and silencing alarms.
At the time of this writing, in 2020 alone, GE has had eight critical vulnerabilities released. These are easily explorable on their website, so I will not list each one. I can also look at a host of