The total number of internet-connected devices jumped to 22 billion last year, according to the consulting firm Strategy Analytics, which predicts that the number of devices will rise to nearly 39 billion by 2025 and 50 billion by 2030.
Many of these devices are medical in nature. Internet-connected cochlear implants, IV pumps and pacemakers are vulnerable to cyber attacks that could directly harm patients.
The exponential growth in the internet of things and connected devices—many of which are not properly secured against hackers—is cybersecurity expert Marc Goodman’s top digital security concern today.
“Think about how many devices are now in the average home that are connected to the internet,” he says. “People used to just have a computer. Now we have smartphones, smart thermostats, smart TVs, and so on. You might have a connected sprinkler system and home security system.”
Goodman, the New York Times bestselling author of Future Crimes, will speak to DOs at OMED 2019 on Oct. 26 in Baltimore. In this edited Q&A, he shares the top things we can all do to protect ourselves against digital security threats and what physicians should know about implantable medical devices.
Why is the growth of connected devices so concerning?
We’re adding so many new devices to the internet insecurely. It’s not just in houses. This is also happening in hospitals. IV pumps, MRI machines, CAT scan machines, Da Vinci surgical robots—all these things are connected to the internet, which is posing a real challenge for hospitals and physicians in small- and medium-sized practices.
And the internet of things is coming to the human body. Defibrillators, cochlear implants, insulin pumps, pacemakers, and so on. We’re getting into scenarios where the human body is at risk of being attacked.
What are the top steps we all need to be taking to ensure our digital safety?
Many people think there’s nothing they can do to protect against hackers, but we know now that small steps can actually make a huge difference. Update your software, use a password manager, use two-factor authentication, turn off your computer when you’re not using it, don’t click on stupid links and be aware of what you’re downloading. Basically, use your brain when you’re using the internet.
The overwhelming majority of scripted attacks come from members of organized crime groups and amateur criminals, and these basic cybersecurity steps can thwart many of their attempts to get our data or get into our systems.
On my website, I share eight basic steps people can take to reduce their cybersecurity risks.
Future Crimes was published in 2015. How has digital security changed since then? Are we becoming more or less safe?
Unfortunately, we’re less safe today. In the book, I predicted the exponential growth of connected devices. And things have changed even more quickly than I imagined.
All of the tools we have developed are mostly ineffective against cyberattacks. We need to start focusing on educating people about these risks and how to protect themselves. That’s where the next frontier is in terms of making us safer.
Do you think HIPAA does enough to protect patient privacy? Are there more steps the health care field needs to take to keep patient information secure?
HIPAA is a good starting point, but we really need to be going much further to protect hospitals, devices and patients. Technology is evolving much more quickly than HIPAA is. Despite the creation of HIPAA in 1996, we’ve had millions of medical records leak. So from that standpoint, it has been painfully ineffective.
The goal should be security of medical devices, hospitals, patient information and provider information. And achieving this goal is going to take a vast reimagining of how we use technology in the practice of medicine and how we protect the privacy and security and health of patients.
We need to be thinking about cybersecurity holistically. Osteopathic physicians take a holistic approach to treating patients. They are the experts in this regard. We need to take the same approach to digital security.
You’ve written a lot about the vulnerability of implantable medical devices to hacking. What should physicians who have patients who need these devices be thinking about?
It’s helpful to try to understand how these devices work at a deeper level. If you put in a diabetic pump or a cochlear implant, how do you update the software? Does the manufacturer update the firmware? If the firmware can’t be updated, then any security vulnerabilities are locked inside the patient’s body and the only way to fix them is to remove the device and implant another one. Think about the upgradability of these devices.
Physicians should be ready to ask questions about the cybersecurity of implantable medical devices before they insert them in patients’ bodies. Equally important is to think about how to have conversations about potential cybersecurity risks with your patients in a non-alarming way.
Think about when the risks might outweigh the rewards, and when the rewards outweigh the risks. We have lots of data to share with patients about the risks of different surgeries and medical procedures. We don’t really have that yet for implantable medical devices, and that’s something that I’d like to see more medical researchers studying. We need to think ethically about what we are putting into people’s bodies.