Caution: Your PHI May Be at Risk Using At-Home Medical Devices (IoMT)

Over the last few years, personal medical devices used at home have made it possible to monitor patient health data and transmit it over the internet. Devices that are part of the so-called "Internet of Medical Things" (IoMT) trend include insulin pumps, heart and glucose monitors, defibrillators, pacemakers, and more.

These medical devices are meant to create efficiencies for patients and healthcare professionals alike. However, according to Help Net Security, "researchers have identified a growing number of software vulnerabilities and demonstrated the feasibility of attacks on these products," leading "to targeted attacks to both individuals and entire product classes."

With that being said, is the risk of sensitive data interception a real threat? How secure are these devices?

High-risk medical devices that connect to the network

Medical devices are connected at many key points including:

  • The Internet
  • Hospital networks and intranets
  • Other related medical devices

These connections were designed to improve health care and to expedite patient care.

What type of information can be stolen from IoMT devices?

Though the list can be far more extensive, the following are just a few sensitive pieces of information that might be compromised when hackers gain access to at-home medical devices:

  • Social Security number
  • Health insurance information
  • Contact information
  • Information about health conditions

What are the biggest IoMT vulnerabilities for PHI when using at-home medical devices?

  • Home Wi-Fi networks

    Since information will be traveling over "home Wi-Fi" as opposed to a hospital or doctor's office network, the level of security will be diminished. According to Dark Reading, risks of home Wi-Fi include "insecure passwords, default IP addresses, and lack of software updates," which "make home routers notoriously insecure and easy to hack, which puts all devices on that network at risk, including home-based medical devices." Therefore, it is important to use best practices in securing home networks.

  • Outdated software

    Like many of today's technological devices, medical devices need updating. These updates keep devices running at optimal performance and patch known security flaws. Unlike a laptop nagging users to "restart" to complete an update, these medical devices may rely on the healthcare provider to push critical updates to the device, sometimes without patient knowledge. Failing to complete these critical updates can result in the loss of highly sensitive PHI or the disruption of information flow.

  • Disreputable manufacturers

    One of the best ways for an individual to remain protected is to ensure that the healthcare provider is working with a reputable manufacturer. Be sure to insist on a product manufacturer with an excellent track record for product upkeep, especially when it comes to software updates.

What steps can a manufacturer take to protect your PHI?

A guidance document released by the Government of Canada, titled Pre-market Requirements for Medical Device Cybersecurity, lists four areas which manufacturers should consider when developing at-home medical devices:

  • Secure design: Considering cybersecurity from the point of product design
  • Risk management: Identify potential risks and develop plans to manage them
  • Verification and validation testing: Cybersecurity risk control measures should be tested using the actual device
  • Planning for continued monitoring of and response to emerging risks, vulnerabilities, and threats: Manufacturers should never rest in their defense against hackers. Cybercriminals are always looking for new ways to "break and enter" into devices and operating systems.

Consequently, the manufacturer retains some level of responsibility for monitoring, assessing, and mitigating potential cybersecurity risks throughout the lifecycle of their product.

The final word about home use medical devices and IoMT security

The protection of sensitive data that is collected, stored, and transmitted through an at-home medical device is a shared responsibility. Manufacturers, regulators, healthcare providers, and device users all share some of the responsibility when it comes to protecting sensitive PHI.

As these types of devices continue to prove their convenience and efficiency, they will also continue to grow in popularity, both amongst users and bad actors. With this in mind, device users are continually encouraged to "do their homework" on at-home medical device manufacturers and consult with their healthcare practitioners before proceeding with usage.