Technical advances, including Internet of Things (IoT) and Internet of Medical Things (IoMT) data and devices, are revolutionizing healthcare. Many of these devices are worn or used by patients outside of medical facilities, typically in their own homes, giving rise to the term “hospital at home.” From insulin pumps to pacemakers, these devices are increasingly network-connected, and anything connected to a network can be vulnerable to cyberattacks.
Under the guidance of the IEEE Standards Association (IEEE SA) and Underwriters Laboratories (UL), technology experts recently published a new standard – IEEE 2933 – that provides a framework with TIPPSS principles (trust, identity, privacy, protection, safety, and security) for Clinical Internet of Things (IoT) data and device interoperability.
The Rise of Cyberattacks
While the advancements of home healthcare IoT devices offer unprecedented benefits, they also expose healthcare systems and patients to new cybersecurity risks. Any medical device connected to a communications network, such as Wi-Fi or the public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users. These cyberattacks can result in compromised patient safety, data breaches, loss of research integrity, and even patient injury or death.
A 2023 study by the Ponemon Institute, on behalf of cybersecurity firm Proofpoint, revealed that 66% of healthcare organizations experienced disruptions in patient care due to cyberattacks, including those involving home medical devices, and 88% of organizations had at least one cyberattack over the past 12 months. But this is not a new problem. As examples, the FDA recalled 465,000 pacemakers in 2017 and 80,000 insulin pumps in 2019, both because of cybersecurity concerns.
Some key points and recent statistics to consider:
- Increase in Healthcare Data Breaches: From 2010 to 2022, there were 385 million patient records exposed due to various breaches, with hacking incidents being the most common type, according to U.S. Department of Health and Human Services data. The number of breaches reported each year has more than tripled from nearly 200 in 2010 to more than 700 in 2022.
- IoT and IoMT Cyberattacks: According to a 2023 analysis by Statista, about 25% of surveyed healthcare institutions in the United States experienced 9 to 15 cyberattacks involving IoT and IoMT devices from 2020 to 2022. Another 24% reported experiencing 4 to 8 such cyberattacks during the same period.
- Hacking Incidents and Patient Records: A study published in JAMIA Open found that between 2013 and 2017 there were 1,512 data breaches affecting 154,415,257 patient records, with 363 hacking incidents alone affecting 130,702,378 records.
Unfortunately, but not surprisingly, numerous studies and articles agree that these cyber threats and incidents will rise as device connectivity and integration into healthcare systems continue to grow.
IEEE 2933: A New Standard Grounded by TIPPSS
The IEEE 2933 standard, titled “IEEE Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS,” establishes a comprehensive framework for ensuring the interoperability of clinical IoT devices and data. The new standard is grounded in the principles of TIPPSS: Trust, Identity, Privacy, Protection, Safety, and Security.
The scope of IEEE 2933 includes wearable clinical IoT devices, in-hospital devices, and future connected healthcare systems. The standard enables seamless integration of these devices with healthcare IT systems like Electronic Health Records (EHR) and Electronic Medical Records (EMR).
The TIPPSS principles are a set of guidelines designed to enable improved security, privacy, and interoperability of Clinical IoT devices. Here’s a detailed breakdown:
Trust:
- Definition: Enabling trusted connections for devices and systems to reliably interact with each other.
- Implementation: This involves establishing secure communication channels and verifying the authenticity of devices and data sources.
Identity:
- Definition: Providing consistent methods for device identification.
- Implementation: This includes using unique identifiers for devices and ensuring that these identifiers are securely managed and verified.
Privacy:
- Definition: Protecting personal and sensitive data from unauthorized access.
- Implementation: This involves encrypting data both at rest and in transit and allowing only authorized individuals and systems to access sensitive information.
Protection:
- Definition: Protecting devices and users from various harms, including cyber threats.
- Implementation: This includes implementing robust security measures such as firewalls, intrusion detection systems, and regular security updates.
Safety:
- Definition: Safeguarding devices, infrastructure, and people.
- Implementation: This involves rigorous testing and validation of devices so that they operate safely under all conditions, and implementing fail-safes to prevent harm in case of device or connectivity failure.
Security:
- Definition: Maintaining the security of data, devices, and users.
- Implementation: This includes comprehensive security policies, regular security audits, and adherence to best practices in cybersecurity.
Healthcare providers, device manufacturers, and regulators can all apply the TIPPSS guidelines. Healthcare providers can ensure that all devices used in patient care adhere to TIPPSS principles to protect patient data and ensure reliable operation. Manufacturers can design and produce devices that meet TIPPSS standards to enable secure, interoperable, and safe use in healthcare. Regulatory agencies can use TIPPSS as a framework to assess the compliance of clinical IoT devices with security and safety standards.
By adhering to these principles, healthcare organizations and device manufacturers can significantly enhance the security, privacy, and interoperability of Clinical IoT devices, ultimately improving patient care and safety while enabling data and insights to be leveraged to improve healthcare outcomes.
Learn More and Get Involved with IEEE SA
The Engineering in Medicine and Biology Standards Committee (EMB-SC), also known as EMB/StdsCom, is a standing committee within the EMB Society. It recommends standards of engineering practice to be followed in the field of Engineering in Medicine and Biology by the electrical, electronic, medical, and allied industries, and by healthcare providers. The Committee is responsible for the development and coordination of standards projects, including their maintenance after approval as standards by the IEEE Standards Association Standards Board (IEEE-SASB), for which EMB-SC has been identified or assigned as either the sole technical sponsor or the primary sponsor overseeing the standards Working Groups.
To learn more or get involved, please visit the EMB Standards Committee (EMB-SC) website.
Florence D. Hudson
Florence D. Hudson is a renowned technology and data science leader, currently serving as the Executive Director of the Northeast Big Data Innovation Hub at Columbia University and the Founder and CEO of FDHint, LLC. With a rich background that includes roles as Vice President and Chief Technology Officer at IBM, Senior Vice President and Chief Innovation Officer at Internet2, and aerospace engineer at NASA, Florence has made significant contributions to the fields of cybersecurity, data science, and healthcare technology. She holds a B.S.E. in Mechanical and Aerospace Engineering from Princeton University and has completed executive business education at Harvard and Columbia. Florence is also the chair of the IEEE/UL 2933 working group on Clinical IoT Data and Device Interoperability with TIPPSS, and she actively promotes diversity and inclusion in technology through her various leadership roles, speaking engagements and publications.