Do No Harm. Matthew Webster


       Leaving a broken system the way it is, that's not a solution.

      —Barack Obama

      In order to understand the risks related to internet-connected medical devices, it is important to understand what medical devices are. That requires not only understanding the individual components that comprise internet-connected medical devices, but also how the parts fit into the larger ecosystem of devices and technology and, in some cases, ultimately services. This, in turn, has a huge impact on the security of healthcare organizations and potentially our very lives.

      To accomplish this, we'll explore a bit of the evolution into internet-connected medical devices and the current challenges with the various kinds of devices and technology—including the vulnerabilities. Think of a vulnerability as a weakness in the system. Those vulnerabilities are such a pervasive part of the building blocks of internet-connected medical devices that it may seem hard to understand how to get past them from a layperson's perspective. This is such a critical chapter because it sets a central foundation that will be explored throughout this book—how we protect medical devices, our medical institutions, our data, and our lives.

      The primary consideration for an IoT device is that it is a physical object. In the consumer market we can see examples of IoT devices such as thermostats, physical security systems, and appliances. This only scratches the surface of what IoT can do. Now IoT is used in a vast array of applications. There are IoT cars, energy management systems, industrial applications, manufacturing, agriculture, environmental monitoring, military equipment, and so on. IoT is so pervasive that there are many offshoots of the technology. Medical devices are only one such offshoot. They are typically called the internet of medical things, or IoMT.

      But what differentiates IoMT from IoT? Setting connectivity aside, and in terms sufficient to move our discussion forward, the FDA defines a medical device as

       “An instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:

      1 recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,

      2 intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or

      3 intended to affect the structure or any function of the body of man or other animals, and

      But we have not touched on the connected medical devices. Many medical devices are connected, but not necessarily directly connected to the internet. In many cases the connection is through Bluetooth, a short-range wireless network that can be accessed over a few feet. In other cases, Near-Field Communication (NFC) is used, and one must be as close as 10 centimeters (roughly 2.5 inches) in order to connect.

      From an internet-connected medical device perspective, there are two primary types of devices: telemedicine and data analytics. It is important to explore them as they are fundamental to future discussions.

      Telemedicine

      One of the most profound revolutions in Medicine 2.0 is telemedicine. It involves a range of technologies that has revolutionized how we diagnose, monitor, and treat patients today. We have only seen the beginnings of where this technology will eventually go. Right now it is limited by the types of technology we have for monitoring and communicating. Imagine one day when we have powerful nanotechnology capable of detecting, diagnosing, and treating

