IoT in Healthcare: Tutorial & Best Practices
In March 2020, nearly three weeks before COVID-19 was officially announced in the United States, one company saw it spreading nationwide, according to an article published by Euronews in March of 2021. Kinsa, a company producing smart connected thermometers, had been tracking temperatures throughout the United States for over a decade. According to the Euronews interview with its CEO, what the company saw in March 2020 was “an unusual outbreak everywhere, a complete black swan event.” The next time an epidemic is about to start, could the world be informed more quickly thanks to the real-time data sent by IoT devices?
IoT in healthcare, like most other forms of IoT, is a relatively recent phenomenon, with the earliest devices, smart pacemakers, developed in the 2000s. However, its growth and adoption have been rapid, thanks to the comprehensive benefits it offers to patients, physicians, and hospitals. For patients, the benefits include personalization, goal-tracking, and alerting. For physicians, the benefits include tracking patients’ progress and adherence to treatment plans and recognizing the need for immediate attention. IoT enables better resource allocation, improved hygiene maintenance, and more accurate inventory control for hospitals. For all of these stakeholders, the increased efficiency introduced by IoT promises lower costs and faster treatment.
With IoT growth continuing, this article explores the types of healthcare IoT devices, their lifecycle management, security considerations, and operational best practices.
Summary of key aspects of IoT in healthcare
| Concept | Description |
|---|---|
| Types of healthcare IoT devices | IoT devices can be broadly classified into three categories: devices that monitor (mostly wearables), therapeutic devices (handheld and implantable), and devices that support safe and secure hospital operations. IP security cameras and badge-scanning devices used in hospitals generally fall under this last category. |
| Need for managing healthcare IoT devices | The risk to patient safety from a malfunctioning smart device makes managing IoT devices in healthcare more critical than in other domains. Regulatory compliance, device interoperability, and operational efficiency are further reasons that make device management vital. |
| Importance of security in healthcare IoT | IoT devices add to the attack surface: attackers can exploit vulnerabilities to make a device malfunction, steal data, or cause system downtime. Past security incidents have cost hospitals millions of dollars and compromised the healthcare records of millions of patients. |
| Best practices | Patients, physicians, and hospitals can follow some basic guidelines to drastically reduce the possibility of harm from healthcare IoT devices. Hospitals, in particular, can benefit from physical security management software for managing and securing their IoT devices. |
Types of healthcare IoT devices
Although the healthcare IoT device field is very broad and diverse, the general categories are described below.
Health and mood-monitoring devices
Smartwatches and fitness bands that track your steps, heart rate, and oxygen levels are the most popular devices in the health monitoring category. However, this category also includes more specialized devices, like glucose monitoring devices for diabetics and the connected thermometers referenced above. Most of the devices in this category are handheld and battery-powered, so their primary mode of communication is Bluetooth Low Energy (BLE). Because BLE has no direct path to the internet, the devices need an intermediary like a phone app or a gateway to relay their data to the cloud.
A sister health monitoring field is mood monitoring, where similar vital information—such as heart rate and blood pressure—is used to determine patients’ mental state. Advanced mood monitoring devices even monitor patients’ eye movements.
Smart therapeutic devices
While monitoring devices measure, therapeutic devices act while being monitored and controlled remotely. Some examples are IoT inhalers, smart insulin pens, and smart physiotherapy devices. They can regulate dosage and frequency of use and track adherence to prescribed treatment.
Some therapeutic devices can also be implantable. Examples are smart pacemakers that regulate heart rhythms to treat arrhythmias or neurostimulators that manage chronic pain, epilepsy, or Parkinson’s disease.
Devices in this category are also typically battery-operated and rely on technologies like BLE for data transmission.
Smart hospital equipment
Smart beds, intelligent ventilators, and automated IV pump systems are examples of generic IoT-enabled hospital equipment. Of course, there are also several types of specialized equipment. Robotic surgery, an example of advanced healthcare IoT implementation, is gaining traction and promises ultra-high precision. Smart imaging systems—IoT-integrated MRI, CT, and X-ray machines—can upload images directly to the cloud and facilitate remote consultations.
Smart environment monitoring systems like air quality, temperature, and humidity sensors can also enhance hospital environments and help reduce the chances of infection. Several administrative and operations functions can also benefit from IoT. Example implementations include smart asset tracking systems, IoT-connected nurse call systems, and bedside patient engagement systems.
One often neglected aspect of smart hospital equipment is physical security. As hospital equipment becomes smarter, security infrastructure should also evolve in tandem. IP cameras, access control systems, smart visitor management systems, alarm systems, and edge analytics to detect suspicious activity are all part of the physical security necessary to upgrade to a smart hospital.
Need for managing healthcare IoT devices
Like IoT devices in other domains, healthcare devices also need regular management. The criticality is often higher in the case of healthcare IoT devices because the patient’s health is at stake. Some of the key reasons why effective management is essential are described below.
Patient safety
A smart insulin pump delivering incorrect dosages or a smart pacemaker failing to regulate heartbeat properly are nightmarish scenarios that must be avoided at all costs. Suppose a particular device’s firmware behaves erratically in certain corner cases, and an update is available to fix the behavior. If so, it should be applied immediately, even if the likelihood of encountering the corner case is negligible.
Similarly, data misreporting can lead to incorrect decisions on the part of patients and physicians. Regular calibration and correct device configuration are, therefore, essential.
Device interoperability
As more devices in an ecosystem become smart, it becomes beneficial that they work together. For example, a smart bed in a hospital that is compatible with the smart infusion system in the room can better serve the patient. Management efforts—including firmware updates, replacing outdated devices, and checking interoperability when making purchase decisions—can help deliver superior experiences to patients and physicians.
Compliance
Regulatory frameworks like HIPAA and GDPR mandate strict data handling and security measures, and they are updated periodically. Device management is essential to ensure adherence to the necessary regulations.
Operational efficiency and cost control
Regular management extends device lifespan and helps you keep track of devices nearing their end of life. If the devices work with consumables like batteries, proper management helps maintain an adequate inventory of the consumables and prevents downtime.
Managed devices’ utilization can be determined, which helps hospitals allocate resources better and correctly plan capacity for future readiness.
Importance of security in healthcare IoT
Any security flaw in healthcare IoT devices can be exploited in a variety of ways.
Device malfunction
Attackers can exploit device vulnerabilities to make the device work in unintended ways, risking patient safety and leading to an increase in mortality. According to Cynerio’s “The State of Healthcare IoT Device Security 2022” report, almost three-quarters of IV pumps have vulnerabilities that could threaten patient safety if exposed.
Obviously, even a simple denial-of-service attack against pacemakers can result in mortality. In October 2018, the FDA issued a Safety Communication informing patients and healthcare providers about cybersecurity vulnerabilities in Medtronic’s implantable cardiac device programmers. While the issue was fixed with a software update, it wasn’t the first vulnerability that made its way to FDA Safety Communication status: four communications associated with popular implantable devices have been issued since 2017.
Luckily, there is no documented example of a hacker harming a patient by exploiting a medical IoT device. However, the related vulnerabilities cannot be overlooked, as even an accidental exploit can be life-threatening.
Data breach
Attackers can access confidential health records of many patients at once and sell them online. Per a Censys report, more than 14,000 IP addresses belonging to healthcare devices are exposing data to the public internet, with nearly 50% of the exposed hosts located in the United States. More than a third of the exposures involve Digital Imaging and Communications in Medicine (DICOM) ports and DICOM-enabled web interfaces. DICOM is a legacy protocol used to exchange and view medical images. Nearly another third of the exposures are related to EHR systems.
A staggering 124 million health records were breached in 2023, with chains like HCA Healthcare in the USA and MediSecure in Australia alone reporting breaches of more than 10 million records each.
Downtime
Attackers can bring devices to a standstill, typically to extract a ransom (ransomware attacks). This can lead to longer stays in hospitals for patients, an increase in medical complications, and an increase in mortality.
In July 2024, a ransomware attack on OneBlood, a major non-profit blood donation service, affected critical software systems and forced a shift to manual operations. As a result, over 250 hospitals activated critical blood shortage protocols. Similarly, in February 2024, the BlackCat ransomware attack on Change Healthcare disrupted payment processes across US healthcare providers. Change Healthcare paid the attackers $22 million in Bitcoin to regain access to its systems.
Best practices
Having established why managing and securing medical IoT devices is very important, let’s look at some best practices for all key stakeholders.
For patients
- If using any smart healthcare device proactively—for example, smart wearables—ensure its firmware is up to date.
- Change the default password of all smart healthcare devices, and set strong passwords that are not easy to guess.
- Beware of phishing attacks by bad actors trying to gain access to your healthcare devices. Check the validity of each source before clicking on any link.
- If recommended, ensure that your smart devices are regularly calibrated and serviced.
- Make sure that the battery levels of battery-operated devices are regularly monitored, the batteries are replaced/recharged in time, and spare batteries are always available.
- Consult your hospital/physician before allowing anyone to view the data generated by your smart device.
For physicians
- Ensure that the IoT devices you recommend to patients comply with the applicable regulations like HIPAA and GDPR.
- View the data shared by patients’ IoT devices on a secure connection, preferably on systems designated for data viewing.
- Use strong passwords to access EHR data and rotate them regularly.
For hospitals and healthcare organizations
- Maintain the asset inventory for all smart devices and ensure that it is revised from time to time.
- Deploy an enterprise-level management solution to cover traceability, firmware upgrades, patch application, compliance checks and adherence, threat intelligence, automated password rotation, and monitoring for IoT devices. If possible, the solution should auto-discover new devices added to the network.
- Segregate networks, preferably keeping an isolated network for the IoT devices that is accessible only to trusted internal members.
- Enforce strict physical security measures, including visitor management, video surveillance, access control (following the principle of least privilege), and an incident response plan.
- Include physical security devices such as security cameras and badged access control devices in your overall IoT device security program. These devices are IP-connected, so attackers can exploit them to gain network access.
- Alert physicians and patients if any vulnerability is detected in an in-use IoT device and guide them with appropriate remedial measures.
- Adopt modern physical security management software to centralize device discovery, password rotation, firmware upgrade, and compliance reporting. The diagram below visually summarizes the features of the SecuriThings physical security management solution. Visit this page to learn more about its application in the healthcare industry and hospital environments.
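The hospital checklist above (asset inventory, firmware and patch currency, password rotation, an isolated IoT network segment, end-of-life tracking from the lifecycle-management section) is easiest to enforce when the inventory is machine-checked rather than reviewed by hand. The following Python script is an added example, not code from the original article or from SecuriThings: it runs a set of policy checks over a constructed inventory and reports, per device, which practices it violates. The device models, firmware baselines, the `10.50.0.0/16` IoT segment, the 90-day rotation window, and the inventory entries are all assumptions made up for the example.

```python
"""Policy checks over a healthcare IoT asset inventory (constructed example).

Each device is checked against the hospital best practices discussed above:
approved firmware baseline, default credentials, credential rotation window,
placement in the isolated IoT segment, and end-of-life status.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import ipaddress

# Assumed policy values (hypothetical; adjust to the organisation's own policy).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # isolated IoT VLAN
PASSWORD_MAX_AGE_DAYS = 90                           # rotation window

# Minimum approved firmware per model. Model names are hypothetical.
MIN_FIRMWARE = {
    "infusion-pump-x1": "2.4.0",
    "ip-camera-c7": "1.12.3",
    "smart-bed-b3": "3.0.0",
}


@dataclass
class Device:
    asset_id: str
    model: str
    ip: str
    firmware: str
    last_password_rotation: date
    end_of_life: Optional[date] = None
    default_credentials: bool = False


def parse_version(version: str) -> tuple:
    """'1.12.3' -> (1, 12, 3). Tuple comparison orders 1.9.0 below 1.12.3,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in version.split("."))


def check_device(dev: Device, today: date) -> List[str]:
    """Return the list of policy findings for one device (empty means compliant)."""
    findings = []
    minimum = MIN_FIRMWARE.get(dev.model)
    if minimum is None:
        findings.append("UNKNOWN_MODEL")  # not in the approved catalogue: review it
    elif parse_version(dev.firmware) < parse_version(minimum):
        findings.append("FIRMWARE_OUTDATED")
    if dev.default_credentials:
        findings.append("DEFAULT_CREDENTIALS")
    if (today - dev.last_password_rotation).days > PASSWORD_MAX_AGE_DAYS:
        findings.append("PASSWORD_ROTATION_OVERDUE")
    if ipaddress.ip_address(dev.ip) not in IOT_SEGMENT:
        findings.append("OUTSIDE_IOT_SEGMENT")
    if dev.end_of_life is not None and dev.end_of_life <= today:
        findings.append("END_OF_LIFE")
    return findings


def audit(inventory: List[Device], today: date) -> Dict[str, List[str]]:
    """Run check_device over the whole inventory, keyed by asset id."""
    return {dev.asset_id: check_device(dev, today) for dev in inventory}


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many devices carry each finding, for a compliance summary."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for finding in findings:
            counts[finding] = counts.get(finding, 0) + 1
    return counts


# Constructed sample inventory; none of these devices or addresses is real.
SAMPLE_INVENTORY = [
    Device("PUMP-001", "infusion-pump-x1", "10.50.1.20", "2.4.1",
           date(2024, 6, 1), end_of_life=date(2027, 1, 1)),
    Device("CAM-017", "ip-camera-c7", "10.50.3.4", "1.9.0",
           date(2024, 1, 10), default_credentials=True),
    Device("BED-042", "smart-bed-b3", "10.20.7.8", "3.1.0",
           date(2024, 5, 30), end_of_life=date(2024, 3, 31)),
    Device("THERM-005", "legacy-thermo-t2", "10.50.9.9", "1.0.0",
           date(2024, 7, 1)),
]
AUDIT_DATE = date(2024, 7, 15)  # constructed audit date

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, AUDIT_DATE)
    for asset_id, findings in report.items():
        print(asset_id, "OK" if not findings else ", ".join(findings))
    print(summarize(report))
```

In practice the inventory would be exported from the management solution or discovery tool rather than typed in, and the findings would feed a ticketing or alerting workflow; the point of the example is that each best practice on the list maps to a concrete, testable rule, and that the physical security devices (the camera here) are checked with the same rules as the clinical equipment.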
[Diagram: SecuriThings physical security management solution]
Conclusion
Healthcare IoT is a young but rapidly growing field with numerous branches and exciting applications. While its advantages are numerous—ranging from faster recovery and more transparent treatment to precision surgery and better resource allocation—care must be taken to secure and manage healthcare IoT devices comprehensively. For organizations like hospitals, engaging an enterprise management solution makes a lot of sense for managing devices and taking care of cybersecurity and physical security concerns. This is especially true given that the healthcare sector is among the top targets for hackers, and IoT devices only increase the attack surface.