Do No Harm. Matthew Webster
Care Act (PPACA), which President Obama signed into law in March 2010. There were a few key provisions within this bill. The first provision was to create a Patient-Centered Outcomes Research Institute (PCORI), which would compare the clinical effectiveness of medical treatments. The goal was to help the healthcare profession determine the most effective strategy for providing treatments. The second provision was a penalty that prohibited payments to states for hospital-acquired infections. Other provisions included reduced payments for hospital readmissions.17
As a result, hospitals had a stronger incentive to stay clean and to improve what they were doing—not just in cleanliness, but in how care would be administered. This required rethinking many of the processes, including how hospitals approach treatment, changing their approach to technology, and catching medical issues proactively rather than reactively. It would also involve the use of more connected technology and devices to treat and monitor patients, not just when they come to doctors' offices, but also remotely so conditions could be detected prior to the onset of a more serious illness. America needed to revolutionize its way of caring for patients. Doctors would have to rely on a new generation of medical devices for their transformation effort—devices that would be internet connected to provide real-time capabilities or more real-time capabilities than they already do.
America responded as it always does by being innovative and thoughtful about the approach to help the medical community achieve its goals. The new generation of medical devices not only met the goals needed by physicians, but it jump-started continual changes in the technology. These new devices helped to lower per-patient costs, improve efficiency, provide better response care, offer greater convenience, and provide a better overall patient experience. In short, the existing value we are getting from medical devices will fuel the desire for more medical devices. But let us look at these positives, because within the desire for positive changes lie the seeds of the challenges related to the security of internet-connected medical devices.
Types of Internet-Connected Medical Devices
If we step back in time a hundred years, there were only a small number of electronic medical machines. They were bulky, crude, and not able to store or send information. Everything had to be done by hand. By modern standards, this is painstakingly slow and inefficient. Now we have streamlined systems that can not only alert but also centralize alerts, meaning that, for example, a nurse does not have to be in physical proximity to a patient or device to be aware of a potential problem. While not everything connects together harmoniously, many devices are centralized to create alerts. In a hospital setting this is particularly important because a nurse does not have to hear an alarm from the physical machine in order to know there is an issue with a patient. A random walkthrough of the environment is not required. Nurses can be more focused on patients. Not only that, but patients who need long-term monitoring and want freedom from being at a hospital can get the care they need thanks to remote monitoring. This means the patient has a better quality of life.
Four types of medical monitoring devices are important to consider—wearable, on the skin, ingestible, and implanted. Some of these are sensory in nature, which means they can collect information or detect problems and relay them back to a centralized information source and potentially provide an alert. They are electronic in nature and can trigger a variety of follow-on actions, such as alerting emergency medical systems.
Other systems are more protective and can respond, in a limited way, to the environment. These are referred to as smart systems. A good example of this is implanted insulin-releasing needles. If the blood sugar levels are off, the smart system can release the appropriate level of insulin to best protect the patient. In some cases, this can literally transform the lives of those who are diabetic, making it possible for them to have near-normal lives.
With these kinds of transformations, you can imagine that the demand is very high from the patient. From the hospital's perspective, they can do more with less staff than ever before. The automated alerts mean that they do not necessarily need around-the-clock care watching over the patients if they are not in the hospital. This reduces cost for the hospital and the patient, so all-in-all this is a win-win situation.
COVID-19 Trending Influences
COVID-19 has only accelerated some of the existing trends in the market. For example, prior to the pandemic, telehealth utilization for Medicare patients was roughly 0.1%. By April 2020, visits were up to 43.5%. Some of the changes were due to relaxing the regulations around telemedicine—partially in response to consumer demand.18 The Center for Medicaid and Medicare Services (CMS) made some significant changes. Since then, it has added some 135 services to be permitted via telehealth.19 What is more eye-opening is that doctors can treat patients by phone or radio.20
What sometimes goes hand-in-hand with telehealth is the need for in-home testing. It helps to limit exposure from people who may have COVID-19 and in some cases lowers transportation costs for hospitals that may previously have been inclined to move the patient for testing purposes. Many healthcare organizations were offering this as a service, but the trend has been accelerated by the pandemic.21
By the Numbers
What is more staggering than the technological trends themselves is just how pervasive those trends are. More than 430 million internet-connected medical devices have already been shipped worldwide.22 Presently, internet-connected medical devices are growing at a compound annual growth rate (CAGR) of 25%, and that is expected through at least 2023.23 The data is not out yet, but COVID-19 is expected to accelerate some of those trends as hospitals and doctors' offices are experiencing pressure not only to be remote, but often to do more with less. Let's take a look at those trends. A Zingbox survey stated that there are an estimated 10 to 15 internet-connected medical devices per patient bed. By itself that is staggering and a statistic worth remembering as we dig further into the issues related to these devices.24
What many people do not realize is how often healthcare companies are the target of attacks. That trend is only increasing. The HIPAA Journal published some fantastic statistics for the United States. For example, between 2009 and 2019 for breaches larger than 500 records, there have been more than 3,000 healthcare data breaches. Figure 1-2 shows a chart they published detailing the number of healthcare data breaches that occurred in those years.
Figure 1-2: Number of healthcare data breaches of 500 or more records
While 510 cases may not seem like a lot, healthcare organizations are one of the most attacked verticals. One survey demonstrated that over a two-year period, 89% of healthcare organizations suffered a data breach. Another source that echoes that information is the Verizon Data Breach Investigations Report. It has one of the largest data sets available and covers global rather than local numbers. Verizon's 2020 Data Breach Investigations Report showed 521 breaches in 2019 versus only 304 breaches in the previous year.25 So the issue with healthcare being one of the most attacked sectors is not just a local