The rise of sensor-based post-operative care can deliver significant benefits in patient outcomes, but is also rife with potential security risks.
It’s no secret that the global population is aging and the number of people living with multiple – often chronic – long-term conditions is escalating rapidly. As a result, healthcare costs are skyrocketing and providers are looking to technology to help reduce costs as well as improve patient outcomes.
One area of focus is cardiovascular diseases (CVDs), which accounted for over 30% of the world’s deaths in 2012. Heart failure is the most common cause of hospitalisation for the over-65s, and half of patients will need multiple unplanned hospital visits after they’ve been discharged. This not only puts a huge strain on a hospital’s budget but can also lead to financial penalties for readmissions, particularly in the US. However, it’s been estimated that three quarters of repeat emergency hospital admissions could be avoided.
The main problem is that there is no way of knowing how patients are faring once they have left the hospital. Are their vital signs steady and in line with defined parameters? Are they sticking to their exercise programme and taking the right doses of the right medications at the right times?
The risks of remote health monitoring
These issues are driving demand for medical technology that will remotely measure and monitor a patient’s vital signs, and alert the healthcare provider of any potential problems before they get serious. This is clearly a very positive development, but it also creates significant risks.
While sensors that simply read data might present a low level of security risk in and of themselves, they must be connected to a secure network so that patient data is safe and cannot be tampered with. Implantable medical devices (IMDs) such as pacemakers are a different matter altogether. If such a device were hacked, the attacker would literally have the patient’s life in their hands and be able to hold the patient, their family or their healthcare provider to ransom.
There have been no known real-world cases of malicious interference with an IMD, but in January 2017 the US Food and Drug Administration (FDA) confirmed the potential cybersecurity vulnerabilities of St. Jude Medical’s Merlin@home Transmitter and associated IMD.
St. Jude Medical, which has now been acquired by Abbott Laboratories, faced months of negative publicity concerning the security of its implantable heart devices after being called out by investment firm Muddy Waters. It has since released a security patch that has been approved by the FDA. It’s not alone, nor is the problem confined to IMDs. In October 2016 Johnson & Johnson took the unprecedented step of issuing a public warning that one of its insulin pumps for diabetics could be hacked.
It’s clear that there is a need for a well-thought-out strategic response to these security issues. The risks are significant, and it could be that bad publicity rather than stricter regulation will be the main driver for deeper scrutiny and investment into the security of IMDs and other connected healthcare products.
It’s also apparent that these new security threats could lead to new security models and business opportunities specifically developed for the healthcare sector, including the potential for third parties to provide innovative new security services. For example, there is clear potential now for companies that have test tools to go a step further and test multiple threat vectors. Test equipment or security companies could also assume a degree of financial liability, effectively transforming a security offering into an insurance policy. Indeed, by showing their willingness to stand behind their product and take responsibility for breaches, third parties are likely to generate considerable interest from medical device vendors.