Article | Telemedicine, Remote Patient Monitoring, IoT, and Patient Data Security
Article by IoTSF Partner Organisation.
With the numerous advances in technology today, we now have capabilities that, just a few decades ago, would likely have been thought impossible. It is easier than ever to access the internet, video chat, call, and text from almost anywhere. Often taken for granted, these advances are nothing to scoff at. The Internet of Things (IoT), for example, now readily available to consumers, is a technology that can reshape people's daily lives. Not only has the IoT reshaped many aspects of our day-to-day, it has also changed access to healthcare. With this technology, doctors and healthcare staff are able to monitor patients remotely, a huge step forward in access to care for elderly, isolated, and low-income patients. With the ongoing Covid-19 pandemic, remote patient monitoring (RPM) means that at-risk patients can remain safe in their own homes while still receiving the care they need.
Although remote patient monitoring with the IoT is transformative in many ways, it introduces risks that need to be considered. The biggest is the continuous stream of health data that flows from these devices across networks the healthcare provider does not control. It is important to ask how well that information is protected from interception and tampering, what regulations are in place to prevent misuse or misappropriation of the data, and who is responsible should those protections fail.
IoT in the hands of consumers
The IoT has seen many changes and improvements since its inception. Smart thermostats, refrigerators, and watches are just a few of the ways the IoT has become available for consumer use. Back in 1990, John Romkey connected a toaster to the internet, introducing what is widely considered the first IoT device. The term "Internet of Things" was not used until Kevin Ashton coined it in 1999. Since then, a great deal of innovation has occurred in the IoT industry. In 2014 the number of connected devices surpassed the world's population, reaching 7.2 billion. In 2016 the Mirai botnet malware appeared, infecting consumer IoT devices that still used factory default credentials. It was not the first IoT malware, but it has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks to date, including the October 2016 attack on the DNS provider Dyn. Security threats in the IoT have been a concern for years, and with the IoT's boom in popularity we must work quickly to bring security measures up to the level of the threats.
When we think about "data" these days, a lot comes to mind. It is difficult to comprehend just how much data flows from our devices and where it all goes. Messaging, location services, bank transactions, and social media are all massive streams of our personal information. Many users may not consider, or simply do not know, where this data is sent. More alarming still, many users do not realize that these streams can be intercepted or altered in transit when they are not encrypted and authenticated, and they send personal information without any such protection.
In our world of connected technology, the channels through which this mass of personal data flows must be scrutinized constantly, kept in check, and required to uphold ethical standards. This applies not only to personal information from household devices, but to the practices and data security of IoT devices used for RPM as well.
IoT devices for RPM
All patients have different needs and require specific methods of care, and the same goes for patient monitoring. Cardiac patients may require regular checks of their blood pressure, which a connected blood pressure cuff can capture at home, while a remote stethoscope can be used to check heart sounds. For diabetic patients who need to gauge their glucose levels multiple times per day, connected glucose meters can transmit readings to their physicians directly. With telemedicine apps, individuals can receive meal recommendations from nutritionists, helping to transform their quality of life.
Regular check-ins with several specialists and meticulous planning are paramount in treating a rare disease like mesothelioma. Telemedicine and RPM can help mesothelioma patients, whose prognosis is poor, stay ahead of treatment decisions, and can be life saving. The ability to speak to numerous doctors from the comfort of home makes care more accessible. Some patients would otherwise travel more than an hour for an appointment; rather than delaying appointments because of travel restrictions, telemedicine lets them keep regular check-ins. Whatever a patient's needs, the IoT has made it more possible than ever to monitor and care for them remotely.
Some RPM programs use a hub or gateway device, similar to a home router or modem, to collect readings from several IoT monitoring devices and transmit them back to a monitoring facility or primary care office. However it arrives at the healthcare provider, the information is stored on a central server where nurses and doctors can access it. This allows doctors to monitor patients daily, and with this constant stream of patient data they are able to deal with problems before they turn into serious health issues. Every hop on that path, sensor to hub, hub to server, and server to clinician, is a point where readings can be read or altered if they are not protected.
Vulnerabilities in RPM
Seen from a distance, it is easy to admire the transformation in accessibility to care. Naturally this helps the elderly, who are generally more at risk. Seniors having better access to care while staying isolated during a global pandemic is, at surface level, certainly positive, right?
Unfortunately, these devices often lack a high level of security, especially when used from home. Many home networks are poorly protected: they share a router with other, possibly compromised, consumer devices, are exposed to malware and ransomware, and are not monitored by the healthcare provider. This can leave the largest demographic of telemedicine users, seniors, particularly vulnerable.
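The practical consequence of the untrusted home network described above, and of the sensor-to-hub-to-server path described earlier, is that a reading must carry its own proof of origin and freshness rather than relying on the network. The following is an added example, not code from the article or from any RPM vendor: each reading is authenticated with a per-device HMAC-SHA256 key and a sequence number, and the server-side verifier rejects tampered, replayed, stale, and unknown-device messages. The device identifier, the key, the message layout, and the sample readings are all constructed for illustration. HMAC gives integrity and authenticity only; confidentiality of the readings still requires TLS on the link or an authenticated cipher on the payload.

```python
"""Authenticated, replay-resistant RPM readings.

Added example (not from the article or any real product). Assumes a
per-device secret provisioned at enrolment and known to the server.
All identifiers, keys and readings below are constructed.
"""
import hashlib
import hmac
import json

# Constructed per-device secrets. In a real deployment these would live in a
# secure element on the device and an HSM/KMS on the server, never in source.
DEVICE_KEYS = {
    "glucometer-0001": b"example-key-glucometer-0001-not-for-production",
}


def canonical_bytes(body: dict) -> bytes:
    """Serialise deterministically so device and server MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id, key, seq, sent_at, metric, value, unit):
    """Device side: build the reading and attach an HMAC-SHA256 tag."""
    body = {
        "device_id": device_id,
        "seq": seq,          # strictly increasing per device; defeats replay
        "sent_at": sent_at,  # device clock, Unix seconds; bounds staleness
        "metric": metric,
        "value": value,
        "unit": unit,
    }
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class ReadingVerifier:
    """Server side: accept only fresh, authentic readings from enrolled devices."""

    def __init__(self, keys, max_skew_s=300):
        self.keys = keys
        self.max_skew_s = max_skew_s
        self.last_seq = {}  # device_id -> highest sequence number accepted

    def verify(self, message, now):
        body = message.get("body", {})
        device_id = body.get("device_id")
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, str(message.get("tag", ""))):
            return False, "bad tag"
        # Only now is the body trusted; check freshness and ordering.
        if abs(now - body.get("sent_at", 0)) > self.max_skew_s:
            return False, "stale timestamp"
        seq = body.get("seq", -1)
        if seq <= self.last_seq.get(device_id, -1):
            return False, "replay"
        self.last_seq[device_id] = seq
        return True, "accepted"


def demo():
    """Run one genuine reading and four attacks; return each outcome."""
    device = "glucometer-0001"
    key = DEVICE_KEYS[device]
    verifier = ReadingVerifier(DEVICE_KEYS)
    now = 1_700_000_000  # constructed "current time" on the server
    results = {}

    msg = sign_reading(device, key, 1, now, "glucose", 6.2, "mmol/L")
    results["genuine"] = verifier.verify(msg, now)[1]

    # An attacker on the home network rewrites the value in transit.
    tampered = json.loads(json.dumps(msg))
    tampered["body"]["value"] = 2.1
    results["tampered"] = verifier.verify(tampered, now)[1]

    # The same captured message is resent unchanged a few seconds later.
    results["replayed"] = verifier.verify(msg, now + 10)[1]

    # A correctly signed reading whose timestamp is an hour old.
    old = sign_reading(device, key, 2, now - 3600, "glucose", 5.9, "mmol/L")
    results["stale"] = verifier.verify(old, now)[1]

    # A device the server has never enrolled.
    rogue = sign_reading("rogue-9999", b"guess", 1, now, "glucose", 5.0, "mmol/L")
    results["unknown"] = verifier.verify(rogue, now)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

The tag is checked before any other field is inspected, so an unauthenticated message cannot influence the replay or freshness state; the sequence counter must survive server restarts (persist it with the device record) or an attacker could replay everything captured since the last reboot.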
One notable example is the 2016 report on St. Jude Medical's implantable cardiac devices released by the investment firm Muddy Waters and the security firm MedSec, which demonstrated the vulnerabilities in medical technology. St. Jude Medical initially denied the claims that the devices could be manipulated by attackers to drain the battery or even alter the pacing rate. In January 2017 the FDA confirmed that these security risks were real, and St. Jude issued a software update for its Merlin@home transmitter. "St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters," said Muddy Waters founder Carson Block, adding "[this] reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities." Although some repairs were announced, Block said "it doesn't address some of the major flaws revealed in the MedSec report." Security risks like this one must be remedied, as an attacker who can manipulate a patient's pacing could seriously harm or kill them.
With more than 3 million patients around the world currently using RPM devices, the system can become overwhelmed, and the global pandemic has strained it further. With limited data security protections already in place, providers now have an unprecedented number of patients to serve, which can leave even more patient data exposed. If the companies designing and deploying these technologies are not transparent about their products' vulnerabilities, the results could be devastating.
Who is responsible?
In many countries it is unclear who is legally responsible for patient data passed over the internet. In some cases technology providers hold responsibility; in some lawsuits, physicians have been held accountable. In the United States, HIPAA continues to protect patient confidentiality and medical records, and it applies to covered entities and their business associates whether care is delivered in person or remotely; what is less clear is whether a given device maker or consumer app vendor falls within its scope at all. Likewise, if an IoT device sits in a patient's home rather than on the hospital's own network, who has left that data vulnerable, the patient or the doctor? These are questions that must be answered as telemedicine and RPM continue to grow in prominence.
With so much scrutiny around consumer data collected through social media platforms or web browsing, patient data security ought to be at least as important. A good example of regulation that makes clear who is responsible for patient and consumer data and privacy is the European Union's General Data Protection Regulation (GDPR). It applies to the processing of personal data of individuals located in the European Economic Area by any enterprise, regardless of where that enterprise is located, and it treats health data as a special category that may be processed only under narrow conditions. Controllers and processors of personal and sensitive data must put in place appropriate technical and organizational measures, such as encryption and pseudonymization, to implement the data protection principles.
Looking to the future
Remote patient monitoring, telemedicine, and the IoT have forever changed the way patients receive healthcare. Access to doctors and health information is more widely available than ever before. As remote patient care continues to grow in popularity, the need for stronger patient data protections will grow too. It is incumbent on the designers and developers of RPM devices and services to adopt and implement security best practice to protect patients and their sensitive data.
Resources & Best Practices for RPM designers and developers
For designers and developers of RPM products and services there are IoT security best practice guides and standards available. The IoT Security Foundation publishes free best practice guides, including its IoT Security Compliance Framework, a comprehensive checklist that guides an organization through the IoT security assurance process, and its IoT Security Reference Architecture for the Healthcare Industry.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the IoT Security Foundation.