Toward a Safe and Secure Medical Internet of Things
1. INTRODUCTION
The landscape of modern medicine is changing dramatically with the advent of networked
medical devices. This change brings both the promise and the challenge of next-generation integrated
medical systems that interoperate efficiently, safely and securely. Such systems are expected to
significantly lower the rate of preventable medical errors, now estimated to be as high as the
third leading cause of death in the U.S. [1], and to deliver improved patient outcomes at lower
cost [2]. Such improvements include, but are not limited to, real-time clinical
decision support and automatic diagnosis, real-time checking for adverse reactions to
medications, reduced false alarms, and physiologic closed-loop control systems [5][6].
The grand vision of the Medical Internet of Things (MIoT) is to enable the deployment of patient-centric and context-aware networked medical systems in all care environments, ranging from
homes and general hospital floors to operating rooms and intensive care units. Heterogeneous
devices in each care environment would share data effectively, efficiently, safely and securely,
to minimize preventable errors that are often induced unknowingly by human operators. As
medical devices move between care environments or from patient to patient, they
would securely discover the other devices they need to interoperate with, and then verify and
execute safe, authorized and compliant operational profiles. The key to realizing this vision is
standardized architectures that balance utility, reliability and safety
requirements against those of security and privacy, made available to implementers as a roadmap.
The Integrated Clinical Environment (ICE) framework, as defined by the ASTM F2761-09 standard
[1], is a significant step toward enabling this interoperable MIoT vision. Most recently, with
support from the US Government, we have been making advances to integrate security into ICE.
Security considerations for interconnected and dynamically composable medical systems are
critical not only because laws such as the Health Insurance Portability and Accountability Act
(HIPAA) [4] mandate it, but also because security attacks can have serious safety consequences
for patients. As these medical devices will be brought together and mixed/matched in an ad hoc
fashion to serve the needs of a given patient (dynamically composed systems), additional security
mechanisms will be required. They will need to support automatic verification that the system
components are being used as intended in the clinical context, that the components are
authentic and authorized for use in that environment, that they have been approved by the
hospital’s biomedical engineering staff and that they meet regulatory safety and effectiveness
requirements.
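The admission checks listed above (authenticity, authorization for the care environment, hospital biomedical engineering approval, regulatory status and intended clinical use) can be composed into a single policy decision at the moment a device joins a dynamically composed system. The following is an added illustration, not code from the paper or from the ICE/ASTM work it describes. It assumes a hypothetical signed device manifest from the manufacturer, a hypothetical signed approval record from the hospital's biomedical engineering staff, and a clinical context supplied by the environment; the key values, field names and sample devices are all constructed for the example. HMAC with shared keys stands in for the asymmetric signatures and certificates a real deployment would use, so that the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed keys for this example only. A real deployment would verify
# manufacturer and hospital signatures against certificates in a PKI; HMAC
# keys stand in here so the check runs with the standard library alone.
MANUFACTURER_KEY = b"example-manufacturer-signing-key"
BIOMED_KEY = b"example-hospital-biomedical-engineering-key"


def canonical(obj):
    """Deterministic JSON encoding so a signature covers exactly one byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key, obj):
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


def verify(key, obj, tag):
    return hmac.compare_digest(sign(key, obj), tag)


def admit_device(manifest, manifest_tag, approval, approval_tag, context):
    """Decide whether a device may join the composed system in this clinical context.

    Returns (admitted, reasons). All checks after authenticity are evaluated so a
    refusal can be logged with the full list of unmet conditions.
    """
    reasons = []
    env = context["environment"]

    # 1. Authenticity: the manifest must carry a valid manufacturer signature.
    #    Without it nothing else in the manifest can be trusted, so stop here.
    if not verify(MANUFACTURER_KEY, manifest, manifest_tag):
        return False, ["manifest signature invalid: device not authentic"]

    # 2. Regulatory status as declared by the (now authenticated) manufacturer.
    if manifest.get("regulatory_status") != "cleared":
        reasons.append("device is not regulatory cleared")

    # 3. Hospital approval: biomedical engineering must have signed off on this
    #    exact device identity and firmware version, for this environment.
    if not verify(BIOMED_KEY, approval, approval_tag):
        reasons.append("biomedical engineering approval signature invalid")
    else:
        if approval["device_id"] != manifest["device_id"]:
            reasons.append("approval is for a different device")
        if approval["firmware"] != manifest["firmware"]:
            reasons.append("approval covers firmware %s but device runs %s"
                           % (approval["firmware"], manifest["firmware"]))
        if env not in approval["approved_environments"]:
            reasons.append("hospital has not approved this device for " + env)

    # 4. Intended use: manufacturer clearance and clinical context must agree.
    if env not in manifest["cleared_environments"]:
        reasons.append("manufacturer has not cleared this device for " + env)
    if context["intended_use"] not in manifest["intended_uses"]:
        reasons.append("device is not cleared for " + context["intended_use"])

    return not reasons, reasons


# Constructed sample records: an infusion pump cleared by its manufacturer for
# three environments, but approved by the hospital only for ICU and OR use.
PUMP_MANIFEST = {
    "device_id": "pump-0042",
    "model": "ExampleCo Infusion Pump X",
    "firmware": "3.1.4",
    "regulatory_status": "cleared",
    "cleared_environments": ["icu", "or", "general_ward"],
    "intended_uses": ["iv_infusion", "pca_infusion"],
}
PUMP_MANIFEST_TAG = sign(MANUFACTURER_KEY, PUMP_MANIFEST)

PUMP_APPROVAL = {
    "device_id": "pump-0042",
    "firmware": "3.1.4",
    "approved_environments": ["icu", "or"],
}
PUMP_APPROVAL_TAG = sign(BIOMED_KEY, PUMP_APPROVAL)


if __name__ == "__main__":
    for ctx in ({"environment": "icu", "intended_use": "iv_infusion"},
                {"environment": "general_ward", "intended_use": "iv_infusion"},
                {"environment": "home", "intended_use": "iv_infusion"}):
        ok, why = admit_device(PUMP_MANIFEST, PUMP_MANIFEST_TAG,
                               PUMP_APPROVAL, PUMP_APPROVAL_TAG, ctx)
        print(ctx["environment"], "admitted" if ok else "refused", why)
```

The order of the checks is the security-relevant design choice: the manufacturer signature is verified before any field of the manifest is read, and the hospital approval is bound to the device identity and firmware version rather than to the model alone, so a firmware change silently invalidates the approval until biomedical engineering re-signs it.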
As far as medical device communications are concerned, few of the existing or proposed standards
for dynamically composed and interoperable medical devices and information systems include
security mechanisms that are sufficiently comprehensive or flexible to meet current and future safety
needs. There are significant gaps between the required security properties and those that can be
fulfilled even by combinations of currently standardized protocols [2]. Safety considerations in
IIC Journal of Innovation