Medical Internet of Things (IoT) device security is vital for patient safety and the integrity of the health care system. A single cyberattack can have devastating consequences, such as:
- Compromising patient data
- Disrupting health care delivery
- Endangering lives
Security breaches can undermine trust in connected medical technology, leading patients to hesitate or abandon their use. Proactively designing and deploying secure connected devices reduces the risk of cyberattacks.
Patient Data Is a Target
Patient data, including electronic health records, is one of the top global targets for attacks on health care IoT.
Patient health data is now shared electronically with:
- Health care providers
- Insurance companies
- Pharmacies
- Medical laboratories and imaging centers
- Public health agencies
- Third-party health apps
- Occupational health and wellness programs
COVID-19 highlighted the importance of cybersecurity in the health care sector. During the pandemic, cyberattacks surged globally. Health care and banking were the sectors most at risk. Cybercriminals used a wide range of attacks, including:
- Ransomware
- Phishing
- Distributed denial of service (DDoS)
- Malware
In 2024, ransomware group ALPHV Black Cat targeted data processing firm Change Healthcare, owned by UnitedHealth Group. Change Healthcare was the largest health care clearinghouse when it suffered the second-largest health data breach of that year.
Change Healthcare contracts with a broad range of health insurers and providers to facilitate:
- Payment processing
- Prior authorizations
- Insurance verification
- E-prescribing
The attack severely disrupted the U.S. operations of hundreds of thousands of:
- Physician practices
- Hospitals
- Pharmacies
Ascension Health was hit with a cyberattack three months after the attack on Change Healthcare. Cybercriminals stole data from over five and a half million patient records, and Ascension's electronic medical record system was offline for a month.
These attacks demonstrate the “blast radius” effect, where harm spreads far beyond the initial target. The consequences can be severe and often continue for weeks.
Emergency rooms may be forced to turn away trauma patients. Critical care systems might shut down. Medical devices and scanners could stop operating.
Patient data and the IoT medical devices used for monitoring and treatment must be secured. The risk of cyberattacks increases as more medical devices connect to the internet and to health care systems.
Security Vulnerabilities for IoT Medical Devices
Major security organizations have highlighted increasing cyberthreats. At the 2024 ISC2 Security Congress, experts emphasized the growing threat of nation-state-sponsored cyberattacks. The HIPAA Journal’s H1 2024 report revealed 387 health care data breaches in the first half of 2024, each involving 500 or more records, an 8.4% increase from 2023.
Rapid adoption of connected medical devices has outpaced cybersecurity protections. Hospitals are vulnerable to:
- Ransomware
- Data theft
- Device manipulation
Medical device hardware and software have long life cycles. Over time the software becomes outdated and loses vendor support for security updates, and a device that is not updated gives bad actors weaknesses to exploit.
Many medical devices prioritize functionality and patient care, not cybersecurity. They may lack strong protections against hacking or unauthorized access, increasing their attack surface.
As medical devices become more software-driven and interconnected, they become more vulnerable. While manufacturers work to enhance cybersecurity strategies, hackers continue to develop sophisticated tactics to target these devices.
Eliminating threats is not possible, but they can be managed. That requires legal regulations for medical device manufacturers and the other organizations in the supply chain.
Emerging Medical Device Standards and Regulations
Medical device regulations and certifications vary across countries, determined by factors like:
- Classification
- Data flow
- Data residency requirements
Devices that manage patient data or operate across borders often face stricter compliance standards. As more data-centric medical devices connect to the internet, authorities adopt new cybersecurity standards and regulations.
Cybersecurity Medical Devices Act in the U.S.
On December 29, 2022, the U.S. government enacted the Consolidated Appropriations Act, 2023. The legislation included Section 3305, “Ensuring Cybersecurity of Medical Devices.” This new section granted the FDA the authority to enforce cybersecurity standards for certain connected medical devices as of March 29, 2023.
Since the passage of the act, the FDA has made significant progress in implementing the regulations.
Key developments include:
- Issuing detailed guidance to help manufacturers comply with the new cybersecurity requirements
- Collaborating with the cybersecurity organization MITRE to address legacy device security risks
- Partnering with the Cybersecurity and Infrastructure Security Agency (CISA) to enhance vulnerability monitoring
- Mandating cybersecurity plans for premarket submissions of internet-connected medical devices
- Requiring manufacturers to monitor, identify and address cybersecurity vulnerabilities throughout the device life cycle
The law also mandates the inclusion of a software bill of materials (SBOM) with new devices. The SBOM ensures transparency and accountability in software security and supply chain risk management, because every component and version shipped in the device is on record. The law also suggests regular device updates to address security weaknesses.
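As an added illustration (not code from this article or from Telit Cinterion), the script below shows what an SBOM makes possible: a device owner or manufacturer can check every listed component against an advisory feed and find the ones that have fallen below a supported version and need an update. The CycloneDX-style SBOM, the device it describes and the advisory entries are constructed sample data, not real device or advisory records.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical infusion-pump firmware image.
# Sample data only; it does not describe any real device.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2u"},
    {"type": "library", "name": "zlib",    "version": "1.3.1"},
    {"type": "library", "name": "mbedtls", "version": "2.16.0"}
  ]
}
"""

# Constructed advisory feed: for each component, the lowest version still receiving
# security fixes. Placeholder identifiers, not real advisory numbers.
ADVISORIES = {
    "openssl": {"supported_from": "1.1.1",  "advisory": "PLACEHOLDER-ADV-OPENSSL"},
    "mbedtls": {"supported_from": "2.28.0", "advisory": "PLACEHOLDER-ADV-MBEDTLS"},
}

def version_tuple(version):
    """Turn '1.0.2u' into a comparable tuple; a letter suffix sorts after the bare number."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits or 0), piece[len(digits):]))
    return tuple(parts)

def components_needing_update(sbom_text, advisories):
    """Return the SBOM components whose version is below the supported threshold."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        rule = advisories.get(comp["name"])
        if rule is None:
            continue  # no advisory for this component; nothing to flag
        if version_tuple(comp["version"]) < version_tuple(rule["supported_from"]):
            findings.append({"name": comp["name"], "shipped": comp["version"],
                             "required": rule["supported_from"], "advisory": rule["advisory"]})
    return findings

if __name__ == "__main__":
    for f in components_needing_update(SBOM_JSON, ADVISORIES):
        print(f"{f['name']} {f['shipped']} -> update to >= {f['required']} ({f['advisory']})")
```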
Network and Information Security System (NIS 2) Directive in Europe
In 2021, the European Union (EU) released NIS 2 and the Medical Device Regulation (MDR) for stronger cybersecurity measures. The directive now considers health care providers “essential entities,” a category that also includes manufacturers of critical medical devices. These entities must take specific measures to manage network and information security risks.
These rules aim to improve the safety of medical device design and manufacturing. Protecting patient care and data is crucial to maintaining trust in the system.
While the EU MDR doesn’t explicitly mandate SBOMs, it does require robust cybersecurity measures. To align with best practices, manufacturers of globally deployed medical devices often follow the International Medical Device Regulators Forum (IMDRF) guidelines.
Zero Trust and Security by Design
As patient health data becomes increasingly connected, the importance of zero trust and security by design grows. Together they form an end-to-end approach to securing medical IoT devices, patient data and network infrastructure from internal and external threats.
Zero Trust
Zero trust is the concept that no device or user — whether inside or outside the network — should be automatically trusted. Ongoing verification and identity management grant the minimum access level required to perform tasks.
Security by Design
With security by design, security must be built into each stage of the connected medical device’s development and manufacturing process to manage and mitigate risks.
Encryption begins at the device level, encompassing both hardware and software. This protects the data at rest and in transit.
Security then extends to network connectivity and data transmission. Communication between devices, apps and cloud systems must be safeguarded.
Comprehensive data visibility across the organization enables efficient monitoring: how the data flows and who has accessed it is tracked.
Meeting Medical Device Regulatory Requirements: Challenges and Solutions
Medical device manufacturers face several hurdles to meet evolving cybersecurity regulations. Obstacles include:
- Resource limitations
- Unclear or changing federal guidance
- Integrating security practices into existing development
Organizations can opt to collaborate with a partner for assistance with compliance requirements, such as:
- Guidance on regulations
- Support with technical documentation
- Recommendations for security integration
The right partner efficiently handles requirements while ensuring smooth product development.
Telit Cinterion and End-to-End IoT Security
Build devices with security by design with Telit Cinterion’s:
- Modules
- Connectivity plans
- Platforms
- Custom solutions
Our end-to-end strategy minimizes risks and ensures reliable communication.
Telit Cinterion prepares health care device companies for new connected medical device laws worldwide. Our white hat hacking and penetration testing identify potential vulnerabilities and analyze security gaps. We pioneer technologies to improve medical device security and patient care.
Our blockchain implementation powers secure patient data communication through smart modules and advanced power management. We deploy edge artificial intelligence (AI) for real-time patient monitoring and emergency response through our partnership with Alif Semiconductor. Our 5G health slicing technology — developed with the 6G Health Institute — creates secure