Patient Issues Author: Staff Editor Last Updated: Sep 7, 2017 - 10:06:33 PM

What Can Patients and Providers Do to Make IoT Medical Devices More Secure?

By Staff Editor
Jul 28, 2017 - 2:51:33 PM


Internet-connected devices offer great promise to improve health. Through connected devices, patients can communicate with their caregivers, and caregivers can monitor patients' health status and make changes to treatment protocols that help them stay out of the hospital. As more devices are developed that communicate over the Internet, however, the security of those devices becomes increasingly important.

The universe of objects interconnected via the Internet composes what is called the "Internet of Things" or "IoT."  It is difficult to overestimate the impact of this burgeoning digital ecosystem.  Gartner, Inc. estimates that 8.4 billion devices are connected in 2017, up 31% from 2016. By 2020, there will be 20.4 billion interconnected devices.  It is estimated that over half of all new major business processes will use these IoT devices by 2020.  This growth in scope and scale is staggering, and consumer products are the biggest driver of this phenomenon.

Each IoT device includes a small computer, which is vulnerable to a cybersecurity attack just like any other computer.  Following are some common ways that the IoT contributes to cyber insecurity and ways that patients and providers can help improve security when dealing with IoT devices.

Expansion of Attack Vectors

"Attack vectors" are the avenues or pathways used by criminals to try to attack computers and computer systems.  When IoT devices are added to a computer network, the criminals are given new avenues to attack.  Internet-connected medical devices are especially at risk.  For example, consider a situation where a diabetic patient receives a blood glucose meter (glucometer) that connects to the Internet.  This connection provides tremendous benefits by allowing caregivers to monitor the patient's glucose levels in real time.  However, a criminal could use that same connection to gain access to, and attack, other computers.  The attacked computer could be a caregiver's computer at the hospital that interacts with the patient's glucometer or it could be another IoT device.  Either way, malware is spread, and the cyber environment becomes less secure.  The same type of attack can take place against all types of IoT devices, such as a closed-circuit television or even an innovative, new smart refrigerator.

What Can You Do?

One of the most important things you can do to strengthen cybersecurity in the IoT is to change the password of each IoT device as soon as it is implemented.  Many of the IoT items you obtain will have a default password – a password that has been set at the factory.  Those passwords are readily available on the Internet, so they do not protect the IoT item from unauthorized access.  Change the password to a complex one that only you know.  A complex password uses upper and lower case letters, numbers and special characters and does not include any words that can be found in any dictionary.  If you need to, write it down – just don't keep your written reminder stuck to the device!

Expansion of the Attack Surface

The "attack surface" is the sum of all the attack vectors in a computer system.  When you have a number of connected devices, your attack surface gets much larger.  As your home and medical devices become increasingly connected, your attack surface is enlarging exponentially.  This is creating a huge cybersecurity risk on two fronts: first, the risk of being hacked; and second, the development of botnets, which can be used for distributed denial of service ("DDoS") attacks and other criminal activities.

What Can You Do?

For IoT devices that do not need to remain powered on and connected to the Internet at all times, turn them off and ensure that they are disconnected from the Internet when they are not in use.  Devices that are powered down and disconnected from the network are not available to be compromised; thus, the attack surface is smaller.

Contributing to Organized Crime

In many cases, organized crime is behind cyberattacks.  One method used is to compromise hundreds or thousands of computers to act as "slaves" or "robots" subject to the commands of a master computer controlled by the criminals.  These networks of enslaved computers, or "botnets," are then used to spread malware, send spam or perpetrate DDoS attacks.  In DDoS attacks, a botnet is used to flood a target computer system with requests, making it unable to respond to legitimate users' requests for digital services (e.g., making a purchase from a website run from the targeted computer system).  This is not a problem existing only in theory – a recent botnet composed of IoT devices was able to bring down several major web-based companies through a DDoS attack in September 2016 – and the problem is expected to only get worse.

What Can You Do?

Smart firewalls are being developed that can identify infected IoT devices, and certain programs will scan for different types of malware, such as Mirai infections.  When evaluating new IoT device purchases, determine whether the device has been developed using "security by design."  Security by design principles take cybersecurity into account when designing the product, and the Food and Drug Administration has made it clear that medical devices should be developed with cybersecurity in mind.  Good cyber hygiene is as important in health care as handwashing is.  Stay aware of recent cyberattacks, and of the means of protecting against similar future attacks, for both professional and personal devices.

Financial, Emotional and Even Physical Vulnerability

Some IoT devices have the ability to monitor your activities, either intentionally or incidentally.  Depending on what data is collected and how that data is used, this could benefit or harm you.  For example, a smart television enables you to access Internet-based entertainment and chat with distant friends and family via webcam, but it could also be used to listen in on your sensitive living room conversations.  Similarly, while your smart home devices allow you to monitor and control certain features within your house, they could also reveal when you are (or aren't) home.  This information could be exploited by criminals to commit physical, financial or emotional crimes.  Some connectedness is beneficial, but there need to be limits on how data is collected and used.

Finally, once possible only in exaggerated television crime dramas, the potential for a hacker to take control of an IoT device in order to cause physical harm to its user has become a reality.  The Food and Drug Administration released information in late 2016 about a correction to a vulnerability that would have allowed hackers to send modified commands to patients' pacemakers.  Hacks affecting glucometers and insulin pumps have also been demonstrated.  Now, a briefing at the upcoming Black Hat USA 2017 event will reportedly demonstrate a hack that causes an IoT device itself to physically attack a person.  These possibilities are downright scary.

What Can You Do?

Be an educated consumer.  If you are a health care entity, review and negotiate the agreements by which you purchase your computerized assets – all of them.  Don't assume that you don't have negotiating power – you do.  If you are a consumer, read the Terms of Use and the Privacy Policy for the devices that you are going to use: what data about you are they collecting, and how will they use it?  If you are not comfortable with the intended data collection and use, consider how important that device is to you.  Ask your caregiver if his or her practice has scrutinized whether an IoT medical device you are using has been manufactured with cybersecurity in mind.  Do your own research as well: is there an alternative device that has privacy policies and security features that are more consistent with your beliefs and safety?  Consumers vote with their wallets; exercise your power as a consumer.

This article is educational in nature and is not intended as legal advice.  Always consult your legal counsel with specific legal matters.  If you have any questions or would like additional information about this topic, please contact:

· Melissa Markey at (248) 740-7505 or [email protected];

· Stephen Grothouse at (317) 977-1457 or [email protected]; or

· Your regular Hall Render attorney.


Melissa Markey and Stephen Grothouse are attorneys with Hall, Render, Killian, Heath & Lyman, P.C., the largest health care-focused law firm in the country.  Please visit the Hall Render Blog at for more information on topics related to health care law.

