We know that IoT is transforming the landscape for MSPs. MSPs that once simply had to monitor and maintain a bare-bones network now must contend with everything from connected coffeemakers to myriad BYOD items. There is a sub-variant of IoT that’s growing so fast that it has its own letters: IoMT, the Internet of Medical Things.
IoMT turbo-charged growth
Global consulting team Frost & Sullivan recently released a study illustrating the explosive growth of IoMT in numbers:
An estimated 4.5 billion IoMT devices existed in 2015, accounting for 30.3 percent of all IoT devices globally; this number is expected to grow to 20-30 billion IoMT devices by 2020.
This growth has caused many thin-on-tech medical organizations to approach MSPs for help securing and managing the devices. Galen Healthcare is an MSP that specializes solely in health IT. They outline the role of MSPs in healthcare succinctly:
“The goal of any MSP is typically to implement process and systems to identify potential issues proactively – thereby potentially saving the client costly downtime, and in the healthcare IT space, mitigating compromising of patient safety.”
That applies to involving medical wearables in your MSP service packages. When it comes to wearables, MSPs can lower cost, improve health outcomes, and increase efficiencies. As with all new frontiers, there are pitfalls to avoid and considerations to be thoughtfully measured.
IoMT has essentially torn down the traditional walls of the hospital. Sophisticated medical transactions can now occur at home, school, the supermarket, or while on a run. IoMT devices are generally wearable, but sometimes implanted or mobile. They cover everything from blood sugar measurement to implanted pacemakers to camera capsules, and so on.
Questions for MSPs
Many MSPs already have medical clients, but the expanding sphere of related IoMT devices adds layers and questions. Should an MSP get involved in securing a patient’s pacemaker, or leave that up to the patient or healthcare organization entirely? How is data from patients safeguarded? What about connected IoMT devices that enter a workplace: are they treated as any other BYOD? MSPs that can answer these questions will find themselves trusted trailblazers in a rapidly changing IoMT world.
Smarter MSP caught up with Jason Jaskolka, Ph.D., an Assistant Professor of Systems and Computer Engineering at Carleton University in Ottawa, Ontario, to talk about the changing IoMT landscape. Jaskolka is Director of the Cyber Security Evaluation and Assurance (CyberSEA) Research Lab at Carleton University within the Department of Systems and Computer Engineering. Jaskolka specializes in cybersecurity and has researched the security vulnerabilities of IoMT devices.
The first thing that often comes to mind when talking about the security of medical wearables is ripped-from-fiction scenarios about pacemakers being held hostage by hackers. Unless your title is POTUS or some other high-value target, most people don’t have to worry about having their dialysis machine shut down by a hacker.
“For the average person, the likelihood of this event is expected to be quite low; the payoff is likely to be too small, which means such an attack is probably not worthwhile for an adversary,” details Jaskolka. He admits that these concerns can’t be ignored, especially when it comes to more safety-critical devices (e.g., pacemakers, infusion pumps, etc.) where there is the potential for an adversary to take control of the device and threaten the lives of patients.
Instead, Jaskolka’s concerns revolve more around data and privacy. The fast pace of innovation in digital health technologies, like wearables and implantables, has brought once secure medical devices into the realm of cybersecurity with complex software and increased connectivity.
“Many of these devices now provide unprecedented access to the human body to gather personal health data anywhere and anytime. With this comes the concerns about the privacy of the individual from which all of this information has been collected,” details Jaskolka.
This trove of data, combined with a lack of consumer awareness about what precisely is being collected, where the data goes, and who is looking at it, is among the pressing concerns. For instance, if insurance companies can access this data, a customer might see premiums raised.
The devices Jaskolka sees as most vulnerable to being compromised are smart devices in the home that collect health information from consumers. The data would be appealing to an adversary. Securing these devices needs to be the focus of all stakeholders involved in manufacturing and using the devices.
“A combination of safeguards needs to be put in place to have comprehensive protection for sensitive health data harvested from devices. Certainly, safeguards to protect the sensitive information such as encryption, access control, and integrity checks can help,” advises Jaskolka. He does not believe that technical solutions alone are sufficient.
“Additional safeguards in the form of managerial and operational controls such as training and awareness, incident response, and compliance (through legislation, regulation, etc.) all have a role to play,” says Jaskolka.
A role for MSPs in IoMT?
The biggest danger Jaskolka sees in MSPs inserting themselves into medical device management is consumer perceptions. On one hand, MSPs often have many more resources to focus on securing the apparatus and infrastructure. On the other hand, Jaskolka warns that just because an MSP is brought in, it does not absolve the client from any responsibility for the security of their devices.
“This seems to be the perception,” notes Jaskolka. A client may just assume that because an MSP is involved that they don’t need to take precautions on their end. An analogy might be people who use security services connected to home alarms — just because they have such a system doesn’t absolve them of the responsibility to lock their doors at night. Customers still need to do their due diligence when it comes to keeping their medical wearables secure. MSPs can’t be expected to do it all.
MSPs must really work at building trust with the client, because handling sensitive medical data requires a secure partnership.
A question of liability
One of the biggest beneficiaries and recipients of IoMT devices is the Baby Boomer generation in the USA, whose members are living longer, and often healthier, lives. Jaskolka worries that the complexities and security concerns of these devices could “leave an already vulnerable population more vulnerable.”
Seniors who might not be as tech savvy could benefit from a partnership with an MSP. Still, liability issues need to be figured out ahead of time (who is responsible for a security breach). MSPs need to work to cultivate trust and build a culture that truly puts patient interests ahead of the bottom line.
Some MSPs leave portable and wearable medical device security to the medical organization and manufacturers, but MSPs that can answer the crucial questions, build trust, and find a way to balance profit and privacy will find themselves at the forefront of an exciting and developing informational ecosystem.
Photo: sfam_photo / Shutterstock