Internet of Medical Things - how to prepare your product for cybersecurity evaluation

The Internet of Medical Things (IoMT) has transformed the healthcare sector worldwide by allowing continuous remote patient monitoring, real-time data collecting, and improved treatment results. According to a recent analysis by Grand View Research, Inc., the global IoMT market is predicted to reach USD 861.3 billion by 2030 and to increase at a 16.8% CAGR from 2023 to 2030.

However, the growing expansion of Internet of Medical Things devices has increased cybersecurity concerns and threats as well. According to the result of Cynerio’s latest research survey with the Ponemon Institute on IoMT threat and defense trends, 43% of hospitals have suffered a data breach in the past two years. Even more concerning is that 76% of ransomware-attacked hospitals were attacked three or more times. 

As a great amount of the data collected by IoMT devices are stored on hospitals’ or healthcare institutes’ data storage, this is why developers and manufacturers have a bigger responsibility than ever to assure IoMT device security. This article provides a complete guide to Internet of Medical Things devices security, from product design through a vulnerability assessment.

Besides it introduces CCLab, our agile and experienced cybersecurity lab that provides comprehensive services to support manufacturers and developers in preparing and evaluating their Internet of Medical Things devices for the related cybersecurity standards. 

What is the Internet of Medical Things?

Before delving into IoMT cybersecurity, it is important to clarify what the Internet of Medical Things actually is. Internet of Medical Things is a network of interconnected devices and applications that utilize internet-enabled connectivity to collect, transmit, and analyze patient health data. 

IoMT is a subcategory of the consumer Internet of Things (IoT) in the healthcare sector that utilizes sensors to remotely monitor and communicate with patients, effectively storing and analyzing their data. Its real-time patient information monitoring improves data accuracy, providing numerous benefits to patients. Additionally, it reduces healthcare costs while enhancing operational efficiency.

‍

‍

Internet of Medical Things devices includes:

• Wearable devices such as smartwatches, wristbands, smart shoes, and smart shorts are frequently used to measure physical activity and fitness objectives. 
• Remote patient monitoring technologies enable healthcare practitioners to constantly monitor their patient's health indicators, allowing for quick action in the event of any problems.
• Smart pills with sensors are a game changer in healthcare since they can monitor medicine administration and send real-time data to healthcare professionals. 
• Point-of-care devices and kiosks have also grown in popularity, allowing patients to track their health and obtain medical advice in their comfort.
• Other popular Internet of Medical Things devices include smart inhalers, linked glucometers, and smart thermometers. They assist patients with respiratory ailments, diabetics, and caregivers in tracking body temperature and detecting fever spikes.

Overall, the adaptability and convenience of Internet of Medical Things devices are transforming healthcare delivery, making it more accessible, patient-centered, and efficient.

‍

Internet of Medical Things vs. Medical Devices: what's the difference?

Medical devices and IoMT devices share the use of technology to enhance healthcare. There are, however, significant differences between the two. Medical devices are mainly utilized in hospitals or other clinical settings and must be operated by a healthcare expert. Infusion pumps, ECG machines, and blood glucose monitors are examples of smart medical devices.

Another important difference is that medical device manufacturers must comply with stricter regulations in order to receive the CE mark on their products, which is one of the conditions for placing them on the market in the EU. One of these is that the given medical device has to comply with MDR/IVDR Cybersecurity Regulations.

The MDR/IVDR cybersecurity regulations aim to protect the reliability and security of professional medical devices by addressing possible cybersecurity risks. These regulations compel medical device manufacturers to establish necessary steps to secure their devices against cyber attacks, as well as to offer continuing upgrades and maintenance. Compliance with these standards is essential in the healthcare business to avoid security breaches, ensure patient security, and maintain regulatory compliance.

At CCLab we provide conformity assessments for multiple standards related to medical devices’ cybersecurity resilience.

‍

Major Internet of Medical Things security concerns

The fast expansion of Internet of Medical Things devices has raised cybersecurity concerns and various security vulnerabilities that must be addressed. 

Security flaws

Numerous IoMT devices lack adequate security upgrades, authentication procedures, and suitable encryption measures making them vulnerable to cyber-attacks. This is particularly worrying since the Internet of Medical devices collects massive amounts of highly-sensitive data including personal health information, biometric data, and location data, which cybercriminals potentially can use for identity theft or targeted attacks.

Integrated systems

The interconnected nature of the Internet of Medical Things devices also creates a risk of cascading failures, where a single compromised device can lead to the malicious attack of an entire network of devices. IoMT devices are frequently integrated into healthcare facility systems operated by multiple suppliers, making it difficult to coordinate security measures across different platforms. This fragmented approach to cybersecurity may result in security flaws increasing the risk of data loss or cyber attack.

Human factor

Another possible risk is the human factor. Doctors, nurses, patients, and other end users may raise security risks and vulnerabilities by failing to follow correct security policies or using weak passwords.

Lack of a comprehensive set of cybersecurity standards for IoMT

While there are some cybersecurity standards and guidelines for Internet of Medical Things devices, there is no single comprehensive set of standards that all manufacturers are required to follow. Regardless of that, IoMT manufacturers are still responsible for complying with the available standards and guidelines and implementing measures to ensure their devices are secure. 

‍

Learn more from our previous article about why Internet of Medical Things cybersecurity is more important than ever.

‍

‍

‍

Manufacturers have a crucial responsibility in securing the Internet of Medical Things. This involves complying with related cybersecurity standards, improving authentication protocols, user education, and implementing security updates and patches to prevent cyber attacks. Complying with internationally recognized standardized cybersecurity measures, such as ETSI EN 303 645, also plays an essential role in ensuring the security of Internet of Medical Things devices.

ETSI EN 303 645 is the first internationally applicable cybersecurity standard for consumer IoT devices, including the Internet of Medical Things. It offers manufacturers a framework for improving device security and mitigating cybersecurity threats. The standard not only provides instructions for device security but also includes suggestions for managing security threats. This includes identifying and analyzing risks, adopting controls to minimize those risks, and regularly monitoring the risks to assure continued protection. 

By adhering to the requirements outlined in ETSI EN 303 645, manufacturers can take a proactive approach to secure their devices and defend against possible attacks, eventually lowering the risk of data breaches and other security issues.

Doctors

What are the main advantages of ETSI compliance for manufacturers?

Compliance with the ETSI EN 303 645 standard is beneficial for IoMT manufacturers for various reasons. To begin, the ETSI evaluation process supports manufacturers in identifying and mitigating security flaws in their products before they are distributed to the market. This helps to limit potential data breaches and security risks, which could be costly both financially and in terms of reputational harm post-release.

Besides that having ETSI-compiled devices can help the Internet of Medical Things manufacturers to build trust in end-users in their products as people are increasingly concerned about the security of the devices they use, especially the ones that store and transmit highly sensitive data.

Furthermore, establishing standardized cybersecurity measures when designing the IoMT devices can decrease development and testing costs by easing the process of introducing security features into products. 

‍

How to prepare for Internet of Medical Things cybersecurity evaluation? 

In order to get your IoMT device ETSI EN 303 645 certified you need to complete multiple steps. 

Meet ETSI 303 645 requirements

First of all, you must implement the requirements defined by the ETSI 303 645 standard in your device or devices that you are planning to certify. The standard includes 33 cybersecurity requirements and 35 recommendations grouped over 13 categories:

1. No universal default passwords
2. Implement a means to manage reports of vulnerabilities 
3. Keep software updated
4. Securely store sensitive security parameters 
5. Communicate securely 
6. Minimize exposed attack surfaces 
7. Ensure software integrity
8. Ensure that personal data is protected
9. Make systems resistant to outages
10. Examine system telemetry data 
11. Make it easy for consumers to delete personal data
12. Make installation and maintenance of devices easy
13. Validate input data

Documentation

There is multiple documentation that has to be prepared and provided for your IoMT device assessment. 

• Device Under Test (DUT) Identification document
• Implementation Conformance Statement (ICS): In this document, you have to state which capabilities are implemented or supported in your product based on the provisions from ETSI EN 303 645.
• Implementation eXtra Information for Testing proforma (IXIT): IXIT contains the additional required information to assess your product. It especially provides design details for the testing laboratory and it is the basis for the grey-box testing procedure which is used during the ETSI evaluation process.

‍

‍

Assessment 

After completing the above steps, the assessment can begin. In this step, an accredited cyber security laboratory evaluates your Internet of Medical Things product against the requirements defined in the ETSI EN 303 645 standards and then issues an evaluation report on the results.

Get your IoMT product certified

If, based on the result of the evaluation, your product complies with the standard, the laboratory issues a statement of conformity for your Internet of Medical Things device which is a good base for further ETSI certification.

How can CCLab help?

If you are looking for a professional and experienced laboratory for your IoMT device cybersecurity project, then CCLab could be the right partner for you. With our agile methods and comprehensive knowledge, we provide you with a broad solution for the entire ETSI EN 303 645 conformity process.

Training and Consultancy 

We provide professional workshops, training, and consultancy to guide you through and get your product ready for the evaluation process. CCLab can support your ETSI EN 303 645 documentation needs by providing you the templates of the DUT Identification, ICS, and IXIT, with guidelines on how to fill them out.

Gap Analysis

Our assessment involves a thorough examination of the products to identify any variances between the existing security implementation and the requirement outlined in ETSI EN 303 645.

Product Evaluation

We conduct a comprehensive assessment of your IoMT product to determine its compliance with the relevant provisions of ETSI EN 303 645. Subsequently, we provide you with a detailed conformance evaluation report, which includes any identified security gaps.

Statement of Conformity

We provide a Statement of Conformity for your evaluated product when it's in compliance with the standards and requirements set forth in ETSI EN 303 645.

If you have any additional inquiries or concerns regarding cybersecurity and assessment of the Internet of Medical Things, please do not hesitate to reach out to us. Our team is readily available to assist you.

Cue

The healthcare industry is going through considerable technology developments, notably the Internet of Medical Things, which has allowed real-time remote patient monitoring and care. Improved patient care and comfort are supported by IoMT, however, it has heightened concerns about cybersecurity risks and potential data breaches. Manufacturers and developers of Internet of Medical Things devices have a significant responsibility for ensuring the security of their devices in order to avoid potential cyberattacks and secure patients' sensitive health data.

Compliance with related cybersecurity standards is critical for the security of IoMT devices and the patient data they store. ETSI EN 303 645 is one of the standards that manufacturers and developers should consider to comply their IoMT devices with. Going through the evaluation process allows manufacturers to be proactive in protecting their devices and lowering the possibility of data breaches and other security concerns.

It is not only the responsibility of manufacturers and developers to ensure the security of IoMT devices, but it also helps them by increasing trust in their products, which raises their market value. 

‍