
Trends in the Internet of Medical Things: Security, Privacy, and Data Ownership

Healthcare Security, Internet of Things, Data Ownership


Understanding how security, privacy, and data ownership interact with each other in the IoMT space.


The Internet of Medical Things (IoMT) is the product of three convergent trends:


  1. Microprocessors are getting smaller and cheaper

  2. Data transmission is becoming faster

  3. Powerful new AI and machine learning algorithms can now extract meaningful patterns from the resulting torrent of data


But as entrepreneurs rush into this space and forecasters breathlessly predict trillion-dollar markets, the challenges to implementing IoMT solutions are becoming more salient. Lack of expertise, difficulties with interoperability, and regulatory issues have all created barriers for IoT investment. In addition to these technical hurdles, the healthcare sector carries a set of unique dangers—users can lose control of their health data through hacking, unintentional leakage, or voluntary concession. It’s important to understand how security, privacy, and data ownership interact with each other in the IoMT space.


Security and Privacy Challenges


In a 2018 survey of IoT customers, security was ranked as the leading barrier for adoption. And among healthcare executives polled, 45% had significant or extremely significant concerns related to IoMT security. This should come as no surprise. Greater connectivity means greater vulnerability, especially when that communication is wireless. And because these devices act as a conduit between the virtual and the physical worlds, they can represent a direct threat to human health and safety. Denial-of-service (DoS) attacks, medical device hacking and manipulation, and the theft of personal health data are among the most common security violations in IoMT. Given the variety of these threats in terms of motive, means, severity, and scale, it’s critical to have a framework for identifying and addressing them before implementing any security measures.


Alsubaei et al. (2019) have built a useful tool for recommending IoMT security measures based on a well-defined ontology (Fig. 1). It allows stakeholders and security specialists to input hypothetical scenarios based on variables such as stakeholder, component or device, and architecture, and then generates security recommendations and identifies vulnerabilities. For example, if a system administrator using Lumada, an enterprise IoT platform, wanted to identify security measures and issues using this tool, they would input the following:


  • Stakeholder type = ‘System Administrator’

  • IoMT Solution Type = ‘Platform’

  • Medical Device Type = n/a

  • IoMT Architecture type = ‘Cloud-based’


The tool then outputs the attack surface (Back-end), the security issues (malware, etc.), and the security measures (intrusion prevention, secure updates, etc.).



Figure 1. Recommendation Tool based on IoMT Security Ontology. Reprinted from “Ontology-Based Security Recommendation for the Internet of Medical Things” by F. Alsubaei, A. Abuhussein, & S. Shiva, 2019, IEEE Access, 7, 48948–48960.


Each new innovation in the IoMT space can also create a new point of vulnerability for malicious actors to exploit. A useful example is the transmission of 3D medical images, which is predicted to become more prevalent with the expansion of 5G networks and IoMT. A team of developers has proposed a new digital watermarking algorithm for the images that will ensure a more secure transmission. This perpetual arms race between hackers and security experts will continue to drive demand for innovations in cybersecurity.


Device and Data Ownership


The issue of data ownership is closely related to privacy. As companies realize the value of user data, a 21st-century gold rush is underway as they jostle to stake their claim. This system of incentives has serious implications for any medical devices connected to the internet. Companies are incentivized to extract and hoard their users’ data, and there are many ways for them to do this legally. For example, they can provide ‘free’ services in return for customer data. They can also bury the requisite warnings in a 5,000-word privacy statement that the user ‘accepts’ without reading.


A 2017 Deloitte survey found that 97% of respondents aged 18-34 accept legal terms and conditions without reading them. These exploits allow IoMT vendors to legally collect user health data with minimal difficulty.

In addition to data ownership, device ownership can also be problematic with IoMT. As more devices become computerized and interconnected, the internet’s business models are applied to medical devices, blurring the line between products and services. Vendors will be responsible for continuity of software support, and subscription models for IoMT products are growing in popularity. This has the potential to transfer power from consumers to companies, and some device-makers argue that users don’t actually own the devices, but are merely buying a license to use them.


A notorious example illustrating the difficulties of data and device ownership in IoMT is the case of Hugo Campos, who was given an implanted cardioverter-defibrillator (ICD) in 2007 that could be monitored online, but was refused access to his data when he requested it. When he lost his health insurance in 2012, he tried to hack his ICD to retrieve the data using hardware purchased from eBay and a few test ICDs retrieved by an undertaker. Since then, device makers have put a stop to such at-home tampering by encrypting the data stream. Campos’ case exemplifies the fraught environment surrounding security, data ownership, and device stewardship in IoMT.


IoMT in 2021


All of the challenges above can be framed as clashes between domains. When the virtual world permeates the physical world, the distinction between goods and services can be lost, along with customers’ control of their data. And as Silicon Valley pivots towards health care, the “move fast and break things” mentality can pose a risk to health and safety. The scale and urgency of these challenges are only increasing. The IoMT market is expected to grow to $136.8 billion worldwide by 2021, and the COVID-19 pandemic is accelerating this trend. These challenges also present opportunities for entrepreneurs, innovators, and regulators to make progress in the field while safeguarding consumer rights.


 
 
 
