Health policy and technology | 2021

Cybersecurity in the Internet of Medical Things

 
 

Abstract


Background: The Internet of Things has spawned a new fleet of medical devices replete with improved sensing and actuating capabilities. Preemptive mitigation of the cyber risks that arise in this hyperconnected space is needed to ensure continued patient safety.

Objective: The aim of this paper is to analyse the robustness of existing policy measures in securing Internet of Medical Things technologies. The regulatory ecosystem in the US is primarily discussed herein and includes regulatory frameworks for industry, public-private partnerships, and transparency initiatives.

Methods: A qualitative review of the medical cybersecurity literature was performed with collation of federal and international legal documents, policy reports, industry frameworks, cyberbreach analyses, and scientific journal articles.

Results: Regulatory guidance documents introduced to date that address cybersecurity in the Internet of Medical Things place a key emphasis on device identification, legacy device management, enhanced physical security, and breach detection. Recent oversight trends aim to bolster federal authority around the enforcement of baseline security safeguards.

Conclusions: Additional regulatory guidance is needed to mitigate risks in Internet of Medical Things devices conferred by retrofitted IT infrastructures, edge-to-cloud interfaces, and off-the-shelf device components. Recent advancements in the cyber realm also raise the possibility of novel attack vectors, autonomous cyber-physical systems, and quantum computing threats. Interventions to promote awareness and security hygiene around Internet of Medical Things devices can empower end users and facilitate smooth incident response.

Lay summary: The rise of “Smart” technologies such as voice assistants and adaptable at-home appliances moves us closer to a more personalized world that can enhance our daily lives. The field of medicine will be changed by these next generation “Internet of Things” technologies that possess the ability to interact with their users and their surrounding environment. These technologies are important because the precision with which medical devices interact with patients, healthcare workers, and other technology can have a huge impact on patient care. For all of their promise, the increased interconnectivity that these devices possess also confers additional cybersecurity risks. Policy regulation and public health preparedness are critical for ensuring the benefits of these emerging technologies do not come at the expense of patient safety and privacy. In this Review, we discuss cybersecurity regulation in the Internet of Medical Things and highlight novel threats that still need to be addressed at the policy and public-health levels.

Volume 10
Pages 100549
DOI 10.1016/J.HLPT.2021.100549
Language English
Journal Health policy and technology
