Do No Harm. Matthew Webster
long before they become bad enough for us to be aware of them. The potential for cost savings in the future, I believe, lies with telemedicine.
But what is telemedicine? For some, it means doctors talking to patients over a computer or an app on a cell phone. It can also include, in specific situations, diagnosis over radios. This is definitely a strong part of what telemedicine is about—and is not to be understated. With COVID-19 many people do not want to leave their homes and potentially be infected. The safest way to not be infected is to not be around COVID-19, and telemedicine allows doctors to assess and treat patients remotely.
Telemedicine comes in two primary varieties: real time and store and forward. Real time refers to information that is sent to devices with very little delay. An example of this could be Zoom, where people are talking to one another in near real time. Store and forward refers to devices that provide their information when the patient is in proximity to a device that will submit it when possible. For example, some internet-connected medical devices are paired over Bluetooth and only send information when the Bluetooth device is paired. It isn't always live information. For some devices, this makes much more sense.
If we kept this definition as the only definition of telemedicine, we would be missing key parts of why it is so important. Telemedicine also includes many types of monitoring tools, such as wearable devices, implanted devices, and, yes, ingestible devices. They allow doctors to detect medical problems as they come up and, more importantly, before they become emergencies. They can even be used to determine if patients are taking their medicine.
The wearable device market is all about monitoring a patient's vitals. This includes, but is not limited to, heartbeat, stress levels, respiration, blood pressure, and temperature. Typically, wearables are worn on the wrist, but variations can be included on clothing or placed on the skin. What is great about wearables is that they do not require a significant amount of interaction other than wearing the devices. Many of these devices use wireless technologies.
Implanted medical devices are devices that are stored within us, such as cardiac pacemakers, cardiac defibrillators, insulin pumps, and gastric stimulators. As with the wearables, many of these devices utilize wireless technology. They also cross over into medication management because they can help release medicine based on what they are sensing.
Ingestible IoT is critical for diagnosing and treating certain kinds of problems. It involves swallowing a pill with a camera or sensors. Even tiny X-rays can be used with ingestible devices. The information is then relayed wirelessly to nearby devices for analysis.
Data Analytics
Technically, data analytics are not IoMT devices themselves, but they are tied into many IoMT systems. There are two types of technology that data analytics can rely on: machine learning and artificial intelligence. Think of machine learning as a stepping stone to artificial intelligence. Quite often machine learning can be used to sense trends more quickly than a human and, more often than not, reasonably accurately. With some exceptions, machine learning is what is used in most cases.
What is important about data analytics is how it is rapidly changing the playing field in medicine. The stream of data from IoMT devices is helping the medical community to identify not only problems but solutions at a faster pace than ever before. From a scientific perspective, it allows the medical community to use more fact-based cases to study, which will only improve the overall process.
Data analytics is also valuable from a population perspective. If a medication is causing problems in a population or for a particular pharmacy, data analytics is probably the best place to make that discovery. Another example is a medicine that may not be as effective for a particular case of a specific disease. This makes diverse populations like NYC especially attractive because we have a range of ethnic diversities, which may provide more insights related to diseases than focusing on a single demographic.
For many patients, especially the elderly, medication management is extremely important. It helps patients take the right amount of medication at the right time. And yes, there can be a connected component to this. Other devices, such as ingestibles, can actually monitor if the patient is really taking the medication or not.
The term stationary medical devices refers to the range of medical equipment that stays in the hospital setting. This can include everything from MRI systems to X-ray machines. Even beds are connected to provide additional information related to the status of a patient.
Asset management refers to the tracking and monitoring of high-value devices within hospitals. While this can be related to IoMT devices, it can also be related to tracking other valuable equipment such as wheelchairs.
Obviously, a tremendous number of IoMT devices have proliferated over the last few years. All of them bring value to hospitals and other organizations or they would not be there. In general, the IoMT is greatly reducing the costs of medical care today and allowing people to live better, more fulfilling lives. What is not always recognized are the risks that these modern technologies bring. For that, it is helpful to look at the history of IoMT and put IoMT technologies in context.
Historical IoMT Challenges
We have all heard the phrase that history repeats itself. Unfortunately, that is true for the security of IoT/IoMT as well. While it is not true for all companies, and there has been a great deal of recent innovation related to IoT/IoMT security, historically this has not been the case. Historically speaking, companies do not want to invest more into the product than they have to. It is an additional cost and hurts the overall bottom line. Since cost is a factor when making business decisions, going the extra mile is not always a wise business decision. Combine that with the slow approval rates by the FDA, and it is no wonder that security is not as high as it could be.
Those in the software development space or the security space may be familiar with something called the Open Source Web Application Security Project (OWASP). It helps developers and security practitioners with secure programming practices. In 2018 OWASP released the Top 10 internet of things (IoT) vulnerability list.4 It is one of the best aggregated lists of problems with IoT (and thus IoMT) devices. As we will explore, the IoT vulnerability list is an egregious list of challenges. From a security practitioner's perspective, it is appalling to design a system this way. The problems cited here are so severe, it is worth exploring all of them because they all apply to the historical challenges of IoMT. They also hint at the cultural challenges surrounding the IoT market, which, from a security standpoint, is very different from other IT markets such as Microsoft, which takes security very seriously.
Number one on the list is “Weak, Guessable, or Hardcoded Passwords.”5 Security practitioners have known for more than 20 years the importance of good password hygiene. Leaving the default password in place means that almost anyone with access to the network can own the device. Weak or easily guessable passwords are also just as unforgivable. Every year the top passwords used are published and they do not vary a great deal. Unsurprisingly, weak passwords tend to be the most hacked. This means a hacker can gain control of that data in many instances.
Second on the list is “Insecure Network Services.”6 This refers to vulnerabilities that could be exploited over a network that allow the system to be compromised. Not surprisingly, in some cases this refers to components that are not required for functionality of the device.
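As an added example (not from the book), the first two items on the list can be checked across a fleet: the Python below audits a constructed device inventory for default, common, short or shared passwords and for listening services a device class does not need. The inventory records, the password list, the `REQUIRED_SERVICES` map and the 12-character minimum are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data for illustration; none of it comes from the book.
COMMON_PASSWORDS = {"123456", "password", "admin", "12345678", "qwerty"}
MIN_LENGTH = 12  # assumed local password policy

# Assumption: the services each device class needs in order to function.
REQUIRED_SERVICES = {
    "infusion_pump": {"https"},
    "patient_monitor": {"https", "hl7"},
}

# Assumed provisioning export: one record per device, credentials as configured.
INVENTORY = [
    {"id": "pump-01", "type": "infusion_pump", "password": "admin",
     "vendor_default": "admin", "services": {"https", "telnet"}},
    {"id": "pump-02", "type": "infusion_pump", "password": "Ward7-pump!-Kx4",
     "vendor_default": "admin", "services": {"https"}},
    {"id": "mon-01", "type": "patient_monitor", "password": "S3rvice#2018",
     "vendor_default": "monitor", "services": {"https", "hl7", "ftp"}},
    {"id": "mon-02", "type": "patient_monitor", "password": "S3rvice#2018",
     "vendor_default": "monitor", "services": {"https", "hl7"}},
]


def audit(inventory):
    """Return {device_id: [finding, ...]} for every device with a finding."""
    reuse = Counter(dev["password"] for dev in inventory)
    report = {}
    for dev in inventory:
        pw, findings = dev["password"], []
        if pw == dev["vendor_default"]:
            findings.append("default password still set")
        if pw.lower() in COMMON_PASSWORDS:
            findings.append("password on common-password list")
        if len(pw) < MIN_LENGTH:
            findings.append("password shorter than policy minimum")
        if reuse[pw] > 1:  # same secret on several devices suggests hardcoding
            findings.append("password shared across devices")
        extra = dev["services"] - REQUIRED_SERVICES[dev["type"]]
        findings += [f"service not required: {s}" for s in sorted(extra)]
        if findings:
            report[dev["id"]] = findings
    return report


if __name__ == "__main__":
    for dev_id, findings in audit(INVENTORY).items():
        print(f"{dev_id}: {'; '.join(findings)}")
```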
Third on the list is “Insecure Ecosystem Interfaces.”7 The ecosystem refers to all of the interconnections that a device may have to other devices that could allow the device to be compromised. This includes various wireless communications, cloud connections, no authentication (no username/password), no encryption in the communication, and lack of input and/or output filtering. Lack of authentication means