When the first pacemaker was implanted in 1958, it set off a wave of medical engineering innovation that has saved lives and reduced disability for millions of people. But today’s cardiac defibrillators and insulin pumps, working quietly inside people’s bodies, are being cast aside for the next generation of medical technology: connected, implanted medical devices that combine medical science with 24/7 connectivity through wireless networks.
The Internet of Medical Things promises better, less invasive control of chronic conditions by delivering real-time data on a person’s insulin levels, heart rate, blood pressure, treatment compliance and other factors. However, unless things change as quickly as this technology is coming online, these devices threaten the health and security we’re trying so hard to protect.
As BlackBerry Chief Evangelist Mark Wilson wrote, unsecured medical devices are common in today’s hospitals, even though the technology is fairly young. But the field is set to explode; Forbes reported last year that it’s expected to become a $117 billion market within four years. Unsecured connected medical devices threaten not only our health, but our very lives. For example, consider what might happen if an IoT-enabled insulin pump were hacked to suddenly dump an entire vial of insulin into a diabetic patient’s bloodstream, or a terrorist organization hacked into a major political leader’s connected cardiac defibrillator, altered the rhythm and killed him or her.
Medical device security is a topic we’re deeply concerned with at BlackBerry, and Chief Security Officer David Kleidermacher (pictured below) has taken a leading international role to address the issue.
He is co-chair of MEDSec, the first international conference covering security and privacy for the Internet of Medical Things. He has been collaborating with an international consortium of leaders in the medical and IT communities – as he says, “the widest range of healthcare stakeholders ever assembled to tackle this problem,” including government regulators and agencies, healthcare providers, academic researchers, patient organizations, ethical hackers, medical device manufacturers, and technology and cybersecurity experts.
Next week, at MEDSec, Kleidermacher will present the first fruits of the consortium’s work: DTSec, the first consensus cybersecurity standard for a medical device with security and assurance requirements.
As Kleidermacher wrote this week in Medical Device and Diagnostic Industry (MDDI) Online, unless Internet of Medical Things makers embed strong security in their devices, physicians demand it and regulators enforce it, all of the initiatives around connected medical devices “are doomed to failure because we lack the fundamental ability to evaluate whether a technology, process or policy can protect our digital systems against modern sophisticated attackers.”
Kleidermacher wrote in MDDI Online, “DTSec is different from other failed security standards [because] it includes a methodology for specifying – via risk-based multi-stakeholder collaboration – product-dependent security requirements, as well as a program for efficient evaluation of those requirements against actual products, to gain the high levels of assurance we need at reasonable cost and at the speed of digital innovation.”
MEDSec will be held May 23-24 in San Jose, Calif., providing an opportunity to network with the world’s greatest minds working on the security of connected medical devices and hear firsthand about DTSec and related initiatives. For more about MEDSec, including registration details, please visit the MEDSec 2016 website. And stay tuned to BlackBerry’s blogs for more about securing the Internet of Medical Things.