1. 1
© PA Knowledge Limited | PA Confidential – Internal use only
Bringing Ingenuity to Life
paconsulting.com
THE INTERNET OF MEDICAL THINGS
(IoMT)
Securing medical devices in an increasingly connected world
Andy Bridden
21st January 2020
2. 2
A global commitment to innovation
We’re an innovation firm. It’s core to everything we do. And it’s something we’ve been at for over 75 years. In that time, we’ve shown what it takes to be truly innovative. For us, it’s the human mindset of ingenuity that enables us to identify opportunities that take our clients further, faster.
Whether it’s working shoulder-to-shoulder on-site with clients, or in our innovation labs, our diverse teams of experts apply that ingenuity to our end-to-end innovation offering, helping organisations go from idea to delivery, at pace. It’s something no other firm can match.
One example of where innovation comes alive is at our Global Innovation and Technology Centre (GITC) in the UK. It’s home to more than 300 strategists, scientists, designers, technologists and engineers. They work across 11,000 square metres of design studios, laboratories and engineering workshops, to accelerate revenue streams for clients – from user need and business strategy, to prototyping and development, through to manufacturing and launch to market.
3. 3
The world of IoT is proliferating, with an estimated 35 billion connected devices by 2021 [1]
Numbers of IoT devices are increasing rapidly:
• 71% of global businesses are now gathering IoT data in
some form or other, and 90% expect to increase spending
over the next 12 months.
• A 2018 Gartner survey found that nearly 20 percent of organizations observed at least one IoT-based attack in the past three years [2]
• The IoT healthcare market is forecast to be worth $136 billion by 2021 [3]
IoT technologies have been adopted across industries:
• Health Care & Life Sciences
• Consumer & Home
• Building Management
• Energy & Utilities
• Industrial Manufacturing
• Transportation and Logistics
• Retail
[1] https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iot-devices-now-7b/
[2] https://www.gartner.com/newsroom/id/3869181
[3] Allied Market Research: World Internet of Things in Healthcare market 2014-2021, https://www.alliedmarketresearch.com/iot-healthcare-market
4. 4
Digital Health is transforming healthcare
Technological progression is opening opportunities to change the way healthcare operates. This transformation will deliver more personalised, efficient and cost-effective care services. Most of all, it is pushing care services out of hospitals. The global digital health market is expected to attain a size of $223.7 billion by 2023 [1]
[1] https://www.businesswire.com/news/home/20181017005582/en/223-Billion-Digital-Health-Market---Global
• Digital Health promises to:
  • Improve patient experience
  • Increase quality of care
  • Improve access to care
  • Reduce inefficiencies and costs
• Digital health includes:
  • Telemedicine and remote monitoring via IoT
  • Healthcare analytics
  • Mobile Health
  • Electronic Health Records
5. 5
Traditional medical devices and consumer devices are converging into the
Internet of Medical Things (IoMT)
Traditional medical equipment manufacturers and consumer
devices with increasingly sophisticated features aiming to
disrupt traditional approaches are converging towards a
common digital health ecosystem.
The competing movements within the IoMT market are:
• Current drug delivery, monitoring and diagnostic equipment
is increasingly enriched with features which demand
network and cloud connectivity.
• Mass market medical devices with some form of diagnostic
capability for personal use are now a reality. Increasingly
these are acquiring more sophisticated capabilities.
• Between them, disruptive start-ups are promising to bring
both consumer and medical grade devices at a mass
market scale.
• Crowdsourced and open source initiatives are challenging the traditional approaches, e.g. the artificial pancreas.
Big-data analysis based on machine learning, AI and cloud infrastructures offers the backbone for this convergence.
Diagram: the four converging movements are Traditional medical devices with connectivity; Personal health care devices; Innovative / disruptive solutions; Open source initiatives.
6. 6
MRI and CT Scanners
Scanners are capital intensive (typically £0.5M to £2M) and working lifetimes are 10-15 years.
• Scanners are typically network connected to allow imaging to be shared
• Over the lifetime of the scanner the OS used will typically go out of long-term support
• Scanners are problematic to patch to protect against vulnerabilities, as there is a need to maintain medical compliance / approvals
• The current approach in healthcare environments is to segregate the network to protect the scanners
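The last bullet describes segregating the scanner network rather than patching the scanners. As an added example (not from the slide deck or from PA Consulting), the following Go program models that segregation as a default-deny allow-list and audits a constructed set of flow records against it, the check a defender would run over firewall or NetFlow exports to confirm the segment is as tight as intended. All IP ranges, the PACS host and the flow records are constructed placeholders; TCP port 104 is the well-known DICOM port.

```go
package main

import (
	"fmt"
	"net"
)

// Flow is one observed or proposed connection from the scanner segment.
type Flow struct {
	Src   string // source IP (constructed placeholder values below)
	Dst   string // destination IP
	Port  int    // destination port
	Proto string // "tcp" or "udp"
}

// Rule is one allow-list entry: SrcNet may reach DstNet on Proto/Port.
type Rule struct {
	Name   string
	SrcNet *net.IPNet
	DstNet *net.IPNet
	Proto  string
	Port   int
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// ScannerPolicy is a constructed example policy (placeholder addresses, not a real site):
// the imaging VLAN 10.20.0.0/24 may only send DICOM (TCP 104) to the PACS host 10.30.0.10,
// and radiology workstations 10.40.0.0/24 may do the same. Everything else is denied.
var ScannerPolicy = []Rule{
	{"scanner-to-pacs-dicom", mustCIDR("10.20.0.0/24"), mustCIDR("10.30.0.10/32"), "tcp", 104},
	{"workstation-to-pacs-dicom", mustCIDR("10.40.0.0/24"), mustCIDR("10.30.0.10/32"), "tcp", 104},
}

// Evaluate applies default deny: a flow is allowed only if some rule matches it exactly.
// The matching rule's name is returned so an audit log can say why a flow was permitted.
func Evaluate(policy []Rule, f Flow) (string, bool) {
	src, dst := net.ParseIP(f.Src), net.ParseIP(f.Dst)
	if src == nil || dst == nil {
		return "", false // unparseable addresses never match a rule
	}
	for _, r := range policy {
		if r.Proto == f.Proto && r.Port == f.Port && r.SrcNet.Contains(src) && r.DstNet.Contains(dst) {
			return r.Name, true
		}
	}
	return "", false
}

// Violations returns the flows the policy does not allow. Run over flow records exported
// from the segment's firewall or NetFlow collector, any non-empty result means the
// segregation is looser than intended (or the policy is missing a legitimate flow).
func Violations(policy []Rule, flows []Flow) []Flow {
	var out []Flow
	for _, f := range flows {
		if _, ok := Evaluate(policy, f); !ok {
			out = append(out, f)
		}
	}
	return out
}

// SampleFlows are constructed records, not captured traffic.
var SampleFlows = []Flow{
	{"10.20.0.5", "10.30.0.10", 104, "tcp"},  // scanner pushing a study to PACS: expected
	{"10.20.0.5", "203.0.113.7", 443, "tcp"}, // scanner reaching the internet: violation
	{"10.20.0.5", "10.30.0.10", 445, "tcp"},  // SMB from scanner to the PACS host: violation
	{"10.40.0.12", "10.30.0.10", 104, "tcp"}, // workstation querying PACS: expected
}

func main() {
	for _, f := range Violations(ScannerPolicy, SampleFlows) {
		fmt.Printf("VIOLATION %s -> %s:%d/%s\n", f.Src, f.Dst, f.Port, f.Proto)
	}
}
```

The policy is deliberately an allow-list with no deny rules: an unsupported scanner OS gets no protection from a block-list that has to anticipate every bad destination, whereas a default-deny list only has to enumerate the handful of clinical flows (DICOM to PACS, and whatever the site's RIS/CIS needs) that the scanner must make.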
7. 7
Connected medical devices empower new service models
The Internet of Medical Things enables the creation of new service models for each phase of the care lifecycle: awareness, prevention, diagnosis, treatment and management.
Awareness
• Exercise and activity trackers
• Educational mobile apps
Prevention
• Behaviour Analysis
• Preventive Care
Diagnosis
• AI-driven Diagnosis
• Virtual GP
• Medical Imaging
Treatment
• Chronic Disease Management
• Home-based Care
• Patient compliance
Management
• Chronic disease monitoring
• Post-treatment monitoring
• Surveillance monitoring
8. 8
IoMT innovation drives the rise of new innovative players with current
market leaders racing to connect their devices.
RAPIDSOS
Emergency tech company providing a rich
data link from any connected device or IoT
to 911 and first responders.
DEPUY SYNTHES
DePuy Synthes SENTIO MMG enables
motor nerve monitoring for a variety of
spine procedures, including non-fusion
procedures such as discectomy and both
minimally invasive (MIS) and open spinal
fusion surgery.
MEDTRONIC
The Insight Link telehealth solution brings
American Well telemedicine technology
into the Medtronic Care Management
Services remote patient monitoring
program.
AIRA
Aira develops transformative remote
assistive technology that connects the blind
with a network of certified agents via
wearable smart glasses and an augmented
reality dashboard that allows agents to see
what the blind person sees in real time.
GraftWorx
GraftWorx is bridging the communications
gap between patients and clinicians.
Graftworx’s first product allows for the
automated, wireless remote monitoring of
dialysis patients with fistulas via a wearable
device.
RESMED
ResMed produce cloud-connected medical
devices that transform care for people with
sleep apnoea, COPD and other chronic
diseases.
9. 9
New EU Medical Device Regulations demand cyber security expertise
The new EU Medical Device Regulations (MDR and IVDR) have a number of new requirements to cover information security, data breach, data security, electronic programmable systems and software development.
10. 10
Medical devices in the US market
The FDA works closely with other federal government agencies to increase the security of medical
devices and critical infrastructure. However, medical device manufacturers and HDOs (Healthcare
Delivery Organizations) are responsible for cyber security.
Cybersecurity for connected medical devices is at an early stage of
maturity with more guidance than regulation being applied:
• Medical device manufacturers need to comply with federal regulations including QSR (Quality System Regulations) which address general risks. Cybersecurity guidance from the FDA is available for pre- and post-market devices.
• Pre-market testing of the medical devices is the responsibility of the manufacturer.
• Pre-market guidance splits devices into two broad categories:
  • Tier 1 (Higher cybersecurity risk): connected devices where a cyber security incident could directly result in harm to multiple patients
  • Tier 2 (Standard cybersecurity risk): devices where the Tier 1 criteria are not met
• The use of commercial off-the-shelf software (COTS), which may contain cyber security vulnerabilities, is the full responsibility of the device manufacturer.
• As recently as October 2019, the FDA flagged an example of the use of third-party software under the “URGENT/11” vulnerabilities found in IPnet. Device manufacturers are required to assess the risk and take remedial action.
11. 11
There isn’t the same degree of maturity when addressing safety and
security for medical devices
Safety-critical processes and regulations for traditional products are mature and well understood.
Cybersecurity risk however requires a new set of assessment methodologies and mitigation best
practices, that are not yet defined and acknowledged at industry level.
Medical devices have safety-critical requirements that depend on their mission
and usage and are enforced at regulatory level.
The producers have developed a robust appreciation for safety risk and
mitigation. There are well established standards, best practices and regulatory
and legislative requirements in place.
Cybersecurity for connected medical devices is at an early stage of maturity
introducing a range of risks. Manufacturers working with IoMT need expertise
which is outside of their traditional capability e.g.:
• Hardware and software security including encryption and key management
• Cloud security and authentication
• Connected medical product development
• Privacy protection across a complex ecosystem
• Secure networking and device updates
12. 12
Security incidents are expected to grow as the IoMT market accelerates
Additional connectivity capabilities and software features open the route to an increasing number of vulnerabilities.
2014: Anaesthesia delivery system bugs
The anaesthesia delivery system is used in hospitals to deliver oxygen, anaesthetic vapor and nitrous oxide during surgical procedures. Software bugs were found so serious that they could cause severe injury or death, even just by plugging a phone into the USB port.
2016: Insulin pumps remotely exploitable
Rapid7 and Johnson & Johnson disclosed three vulnerabilities in an insulin pump system that could be remotely exploited.
2018: Poor security on PACS systems
PACS (picture archiving and communication systems) are used to archive and communicate medical images. Security researchers found several vulnerabilities in both commercial and open-source PACS.
2019: Implanted defibrillators telemetry protocol flaw
Some implanted defibrillators were found to contain vulnerabilities that would allow them to be exploited by attackers who had the right knowledge of the devices and were in close proximity to an individual possessing one.
13. 13
The need to maintain trust and establish an end-to-end security architecture for IoMT
Device designers, manufacturers and service providers need to offer a service that ensures the security and privacy of their customers' data in order to meet legal and regulatory requirements. It is also important to have a secure method to update devices to prolong their life and defend against them being compromised by attackers.
Reference architecture (layers from device to user: Devices, Secure Communications, Edge, Collect, Analyse/Visualise, Act/Automate):
Devices
• Hospital: CT scanner, MRI scanner, Connected IVD
• Home: Insulin pump, Implanted defibrillator, Diabetes monitor
Secure Communications
• Cellular: 2G/4G/5G, NB IoT, LTE Cat M1
• Wireless: Wi-Fi, Bluetooth, LoRaWAN
• Encryption and key management
• VPNs
Edge
• Premises hub / device gateway
Collect
• Cloud / internal
• Third parties / supply chain
Analyse/Visualise
• Analytics
• Machine learning
Act/Automate
• Integrate with healthcare systems & processes
• Healthcare practitioners, patients & end users
Applications
• User Interface
• APIs
• Messaging & Alerts
• Storage
Platforms
• PACS
• RIS/CIS
Security
• PKI
• SW updates
• Security monitoring
• Access control / Authentication
End-to-end security principles: Risk based assessment; Security and device updates; Secure architecture; Security tested; Privacy by design; Business continuity
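The Security layer lists PKI and SW updates, and the text calls for a secure method to update devices. As an added example (not from the deck and not any vendor's update mechanism), the following Go program shows one way a device can verify an update before installing it: an Ed25519 signature over the release version and the image hash, checked against a public key pinned in the device, followed by a hash check on the image and a rollback check on the version. The manifest layout, the function names and the sample image are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is the metadata shipped alongside a firmware image.
// The layout is an assumption for this example, not any vendor's real format.
type UpdateManifest struct {
	Version   uint32   // monotonically increasing release number
	ImageHash [32]byte // SHA-256 of the image bytes
	Signature []byte   // Ed25519 signature over Version || ImageHash
}

// signedPayload is the exact byte string covered by the signature. The version is
// signed together with the hash so an old signed image cannot be re-labelled as newer.
func signedPayload(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// SignUpdate is the manufacturer side. The private key lives in the release pipeline
// (ideally in an HSM) and is never present on a device.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdateManifest {
	h := sha256.Sum256(image)
	return UpdateManifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, signedPayload(version, h)),
	}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned key")
	ErrHashMismatch = errors.New("image hash does not match the signed manifest")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// VerifyUpdate is the device side. Order matters: the signature is checked first so that
// nothing in the manifest is trusted before its origin is established; only then is the
// image hashed and compared; finally the version is checked to block rollback to a
// correctly signed but older (and possibly vulnerable) release.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m UpdateManifest, image []byte) error {
	if !ed25519.Verify(pub, signedPayload(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed key pair and image for demonstration only (nil reader = crypto/rand).
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v7")
	m := SignUpdate(priv, 7, image)
	fmt.Println("genuine update:", VerifyUpdate(pub, 6, m, image))
	fmt.Println("tampered image:", VerifyUpdate(pub, 6, m, append(image, 0x00)))
	fmt.Println("rollback attempt:", VerifyUpdate(pub, 7, m, image))
}
```

Two points this makes that a plain hash check does not: the pinned public key is the PKI anchor the slide refers to, so the device's trust in an update reduces to protecting that one key; and because the version is inside the signed payload, the rollback check cannot be bypassed by editing the manifest, the edited manifest simply fails the signature check.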
14. 14
The way ahead?
Step 1: Ecosystem engagement (regulators, device manufacturers, cyber security experts, IoT experts, clinicians, COTS software providers)
Step 2: Review existing standards and guidance
Step 3: Current and future state / gap analysis
Step 4: IoMD best practice guidance
Step 5: IoMD secure reference architectures
Step 6: IoMD further artefacts
15. Corporate Headquarters
10 Bressenden Place, London, SW1E 5DN
+44 20 7730 9000
paconsulting.com
This report has been prepared by PA Consulting Group on
the basis of information supplied by the client, third parties
(if appropriate) and that which is available in the public
domain. No representation or warranty is given as to the
achievability or reasonableness of future projections or the
assumptions underlying them, targets, valuations, opinions,
prospects or returns, if any, which have not been
independently verified. Except where otherwise indicated,
the report speaks as at the date indicated within the report.
All rights reserved
© PA Knowledge Limited 2018
This report is confidential to the organisation named herein
and may not be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, electronic,
mechanical or otherwise, without the prior written
permission of PA Consulting Group. In the event that you
receive this document in error, you should return it to PA
Consulting Group, 10 Bressenden Place, London, SW1E
5DN. PA Consulting Group accepts no liability whatsoever
should an unauthorised recipient of this report act on its
contents.
About PA.
We believe in the power of ingenuity to build a positive human future
in a technology-driven world.
As strategies, technologies and innovation collide, we create opportunity from complexity.
Our diverse teams of experts combine innovative thinking and breakthrough technologies
to progress further, faster. Our clients adapt and transform, and together we achieve
enduring results.
An innovation and transformation consultancy, we are over 2,800 specialists in consumer,
defence and security, energy and utilities, financial services, government, healthcare, life
sciences, manufacturing, and transport, travel and logistics.
We operate globally from offices across the Americas, Europe, the Nordics and the Gulf.
PA. Bringing Ingenuity to Life.
Editor's Notes
HITECH Act and increasing use of EHRs are driving device connectivity
Photo by Simone van der Koelen on Unsplash
Photo by Jair Lázaro on Unsplash
DePuy - https://www.irishtimes.com/business/technology/cork-hip-joint-factory-among-world-s-best-due-to-internet-of-things-1.3618490
https://www.depuysynthes.com/about/news-press/qs/depuy-synthes-expands-spine-portfolio-with-nerve-assessment-platform--designed-to-identify--avoid-nerves-during-spine-surgery-
Photo by Arif Riyanto on Unsplash
The ARKON anaesthesia delivery system
PACS Picture Archive and Communication System.
RIS Radiology Information System
CIS Clinical Information System
DICOM Digital Imaging and Communications in Medicine