Connected Health: How to Secure Booming Medical Devices for Remote Patient Monitoring


The recent shift from in-hospital care to remote monitoring solutions has brought chaos to the whole healthcare sector. Cybercriminals took advantage; four out of five reported breaches in 2020 occurred in healthcare, affecting about 13.5 million patients. Medical devices remain the main target for cyberattacks. Today, healthcare IoT startups and companies must make security a top priority. Here’s how.

Why Securing a Remote Patient Monitoring Solution is Crucial Now

COVID-19 has increased the role of telehealth and remote patient monitoring (RPM) solutions. Prior to the pandemic, healthcare IoT mainly targeted seniors by helping them stay safe at home and alerting caregivers in emergency cases. These days, a variety of patients monitor their vital signs at home and communicate with doctors remotely. Multiple telehealth solutions became necessary tools for treating non-COVID patients and checking in on people with mild symptoms. These include:

  • Monitors for managing people with chronic conditions like diabetes, asthma, and heart disease
  • Post-surgery patient monitors that track the recovery process
  • Apps for physical therapy and remote consultations

On the business side, last year in the US, four times more consumers used telehealth solutions than in the previous year. This will continue to expand: the market size is predicted to hit $194 billion by 2023, according to the Business Research Company. In the meantime, the multiplying number of medical devices without proper healthcare security measures is exposed to data breaches, malware, or viruses.

What are the Main Security Threats and Vulnerabilities?

On the tech side, medical devices drastically differ from traditional endpoints. It's possible to take a laptop offline and lock it down when compromised, but you can’t do that with RPM solutions. A remote patient monitoring system consists of multiple elements that need to be protected. This includes biometric monitoring devices, mobile devices, electronic health record (EHR) systems, connection to networks and cloud-based services, and virtual servers. Vulnerabilities in any of these elements lead to cybersecurity risks for both providers and patients.

Without proper protection, unauthorized individuals may expose sensitive data or disrupt patient monitoring services. One or more intrusions may result in fraudulent use of healthcare information, delays in delivering biometric information to healthcare providers, inaccurate patient diagnosis, or even lack of medical care.

According to the Nozomi Networks OT/IoT Security Report, the most hackable IoT solutions are infusion pumps, implantable devices, and wireless vital monitors.

The National Cybersecurity Center of Excellence (NCCoE) has released a guide for companies creating remote patient monitoring devices. According to this document, the main threats to RPM ecosystems include:

  • Phishing attacks, when attackers disguise themselves as trusted parties
  • Malicious software, unauthorized code introduced into a system to disrupt its functioning
  • Ransomware, which is usually presented in the form of software demanding payment to restore normal functioning
  • Credential escalation that targets user account capabilities 
  • Data exfiltration, obtaining sensitive data from vulnerable devices with the help of malware

And for all IoT devices (including RPM solutions), the OWASP Internet of Things Project, which helps startups and large enterprises improve security when building IoT devices, names the top vulnerabilities. These involve:

  • Weak, guessable, or hard-coded passwords—publicly available, unchangeable, and easy to select by trial and error
  • Insecure network services running on the device itself and connecting to the Internet
  • Insecure ecosystem interfaces, including easy-to-compromise back-end API, lack of authentication, authorization, or encryption tools
  • Lack of a secure update mechanism like embedded and mobile software updates or absence of firmware validation
  • Insecure third-party software/hardware components or outdated software components and libraries

Where to Start: Actions to Protect Healthcare Data

To secure an RPM platform properly, it’s important to protect each element of the system. It means protecting devices, gateways, connections, cloud environments, and user access. Armored security protocols, compliance with required healthcare standards, and robust data management practices are here to help. The main approaches and tactics that can ensure this include:

Keeping technology updated. The problem is the vulnerability of old devices that the manufacturer no longer supports. It's hard to protect solutions developed without a security-first approach—with no proper protection at the hardware level and no firmware update mechanisms. For example, malware threats put IoT devices at risk when embedded and mobile software updates are absent.

Protecting the cloud environment. A poll shows that over half of organizations are falling short on cloud security. The main ways to increase healthcare data security are encryption, multi-factor authentication, and strong configuration. Also, it can be useful to consider shifting data processing towards the edge. Thanks to 5G, data can be processed locally or on the nearest server by using AI algorithms, which leads to lower latency, faster overall speed, and better security. In particular, edge computing allows for distributing data, filtering sensitive information at the source, and sending less data over a network to the cloud.

Digitalizing healthcare goes hand in hand with cloud computing. You may need to create a cloud infrastructure, build a SaaS app, or upgrade the legacy system. It can be challenging but see what you get.

Securing network connections. Wireless connectivity like Wi-Fi, Bluetooth, and cellular networks makes devices for remote patient monitoring easy to use but vulnerable. An RPM solution may be connected to the healthcare provider platform through a device interface or a mobile app to transfer information. And it’s crucial to make data exchange between patient and clinician software more reliable. For example, the first thing to do is to prevent users from creating weak, hackable passwords on the tech side and create additional security layers for broadband communications.

Implementing OTA updates. It’s clear that IoT companies want their devices to remain on the market longer so they have a chance to upgrade functionalities and fix bugs. OTA technology is here to ensure this. This mechanism brings the ability to download applications, settings, configurations, and security patches “over-the-air”—through mobile or cellular networks. With OTA, developers can keep firmware and software up-to-date and secure. OTA updates also help comply with the changing regulations.
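The firmware validation an OTA client needs before installing a download, as an added example (not Softeq's code or any vendor's implementation). The manifest fields, key, and function names are assumptions, and HMAC stands in for the asymmetric signature a production updater would verify, to keep the sketch standard-library only.

```python
import hashlib
import hmac
import json

# Assumption: an update key provisioned at manufacture. A production design
# would verify an asymmetric signature (e.g. Ed25519) against a public key
# stored on the device; HMAC is a stand-in for that check here.
UPDATE_KEY = b"constructed-demo-key-not-for-production"


def sign_manifest(manifest, key=UPDATE_KEY):
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def validate_update(manifest, tag, image, installed_version, key=UPDATE_KEY):
    """Device side: return (ok, reason). Install only when ok is True."""
    # 1. Authenticate the manifest before trusting any field in it.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    # 2. The downloaded image must match the digest the manifest commits to.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "image digest mismatch"
    # 3. Anti-rollback: refuse anything at or below the installed version, so
    #    an old, validly signed image with known flaws cannot be re-installed.
    if tuple(manifest["version"]) <= tuple(installed_version):
        return False, "rollback or replay of an old version"
    return True, "ok"


# Constructed sample data (not a real firmware image).
IMAGE = b"\x7fFW" + b"constructed firmware payload" * 4
MANIFEST = {
    "model": "rpm-demo",
    "version": [2, 1, 0],
    "sha256": hashlib.sha256(IMAGE).hexdigest(),
}
TAG = sign_manifest(MANIFEST)

if __name__ == "__main__":
    print(validate_update(MANIFEST, TAG, IMAGE, (2, 0, 3)))            # accepted
    print(validate_update(MANIFEST, TAG, IMAGE + b"\x00", (2, 0, 3)))  # corrupted image
    print(validate_update(MANIFEST, TAG, IMAGE, (2, 1, 0)))            # same version replayed
```

The order of the checks matters: the version and digest fields are read only after the manifest itself has been authenticated.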

Embracing a zero-trust approach. Traditional security practices don't suit connected devices; IoT has lower processing power and more access points for breaches because it connects to multiple networks and sends data to the cloud. A zero-trust method suggests verifying each connected medical device and offers multiple tech tactics to secure IoT. It treats all connections as malicious and requires proof of identity every time the device accesses the network. With zero trust, the identities of users, devices, virtual infrastructure, and the cloud environment are supposed to be verified. To achieve this, developers can separate access to network parts, deploy asset and cryptographic key management, add multi-factor authentication, and use artificial intelligence techniques.
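One way a gateway can demand proof of identity on every connection, as an added example that is not part of the original article: a per-device key and a fresh challenge for each session. The device IDs, keys, class name, and 30-second lifetime are assumptions; a real deployment would keep keys in a secure element or use mutual TLS with device certificates.

```python
import hashlib
import hmac
import secrets
import time


def device_response(key, device_id, nonce):
    """Device side: bind the answer to the device identity and the fresh nonce."""
    return hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()


class DeviceVerifier:
    """Gateway side: no connection is trusted until it proves key possession."""

    def __init__(self, registry, challenge_ttl=30.0):
        self.registry = registry      # device_id -> provisioned secret key
        self.ttl = challenge_ttl      # seconds a challenge stays valid
        self.pending = {}             # device_id -> (nonce, issued_at)

    def issue_challenge(self, device_id, now=None):
        # Unknown IDs still get a nonce, so the reply does not reveal which
        # devices are enrolled; nothing is stored for them.
        nonce = secrets.token_bytes(16)
        if device_id in self.registry:
            issued = time.monotonic() if now is None else now
            self.pending[device_id] = (nonce, issued)
        return nonce

    def verify(self, device_id, response, now=None):
        now = time.monotonic() if now is None else now
        # pop(): a nonce is single-use, so a captured response cannot be replayed.
        nonce, issued = self.pending.pop(device_id, (None, 0.0))
        key = self.registry.get(device_id)
        if nonce is None or key is None or now - issued > self.ttl:
            return False              # deny by default
        expected = device_response(key, device_id, nonce)
        return hmac.compare_digest(expected, response)


# Constructed registry of enrolled devices (hypothetical IDs and keys).
REGISTRY = {
    "glucose-monitor-01": b"constructed-key-01",
    "pulse-oximeter-02": b"constructed-key-02",
}

if __name__ == "__main__":
    gateway = DeviceVerifier(dict(REGISTRY))
    dev = "glucose-monitor-01"
    answer = device_response(REGISTRY[dev], dev, gateway.issue_challenge(dev))
    print(gateway.verify(dev, answer))   # True: fresh proof of identity
    print(gateway.verify(dev, answer))   # False: replayed response
```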


What Regulations Say

Today, several standards and requirements regulate the protection of health information in the US. IoMT solutions must comply with a variety of industry-specific standards and regulations to secure data. This includes HIPAA, HL7, GMP, DICOM, and FDA requirements. HIPAA regulations, in particular, establish the criteria for protecting data while it is stored and transmitted. They require the protection of various types of health information, including:

  • Names, birth dates, and death dates
  • Contact information
  • Photographs
  • Medical record numbers
  • Finger and voice prints

There are also some optional guidelines for better healthcare data security. For instance, compliance with the Continua Design Guidelines requires that a personal medical device enables secure and interoperable data exchange. The program validates the protection of data flows among sensors, gateways, and services. This initiative drives manufacturers to develop solutions based on a common communication platform.

At Softeq, we pay considerable attention to the vulnerability of remote monitoring solutions and have extensive experience delivering secure IoT solutions in line with industry standards and best practices. Get in touch with our team to develop a hack-proof medical device from scratch or schedule a consultation with one of our experts.