Research Report


Jason Healey
Neal Pollard
Beau Woods
Copyright Date: Mar. 1, 2015
Published by: Atlantic Council
Pages: 18

Table of Contents

  1. (pp. 7-8)

    The medical industry is evolving rapidly. Not only do more kinds of devices exist today, but they are increasingly interconnected. Almost half (48 percent) of healthcare providers polled in a PricewaterhouseCoopers survey said they have integrated consumer technologies such as wearable health-monitoring devices or operational technologies like automated pharmacy-dispensing systems with their IT ecosystems.¹

    Though the underlying technology in many of these devices overlaps, as graphic 1 shows, the devices generally fall into four main groups: consumer products for health monitoring; wearable external medical devices; internally embedded medical devices; and stationary, but networked, medical devices.

    These technologies hold the key...

  2. (pp. 8-11)

    Society’s ability and desire to exploit networked technologies has always outpaced its ability to secure the underlying technology. Networked medical devices are no different, with exposed security gaps in the integration of operational technology (e.g., medical devices), consumer technology (e.g., smartphones), and networked information technology (e.g., hospital networks).

    Malicious actors could soon have the same hold here as they do elsewhere, so that we could soon see a booming market in medical zero-day exploits, security holes known to the attackers and for which there is no defense. This is what the future will look like if security officials and...

  3. (pp. 11-12)

    The software and firmware underlying networked medical devices have evolved in much the same way as other technologies: as an uneven and inconsistent mix of different versions, standards, and approaches to implementation. The developments were driven by manufacturers’ preferences and patients’ needs, as opposed to an overarching set of security standards or best practices.¹²

    No one standard operating environment, architecture, communications method, or networking backend exists as a widely accepted standard for any class of networked medical devices. Where mobile phones or tablets operate on a relatively small set of standard technologies (Android or Apple, WiFi only or WiFi and...

  4. (pp. 12-17)

    As with security challenges accompanying other new technologies, open collaboration and communication are key to managing and reducing risk. This includes collaboration and communication among regulators, as well as between regulators, industry, and medical and healthcare practitioners. Several recommendations will help foster innovation while minimizing exposure to security risks:

    Stress security at the outset, rather than as an afterthought

    Improve private-private and public-private collaboration

    Move toward evolutionary change of the regulatory approval paradigm for medical devices

    Introduce an independent voice for the public

    Medical device manufacturers must adopt a “secure-by-design” approach to research and development.

    In the past, security has...

  5. (pp. 17-17)

    Networked medical devices have bridged the human-machine interface, delivering the most personal of benefits. They literally embed the Internet into people’s lives, improving medical outcomes, offering better quality of life, and lowering healthcare costs. They also potentially introduce security flaws along with those benefits. However, these flaws can be managed and even reduced with a handful of steps: a focus on security by design; better collaboration among industry, manufacturers, regulators, and medical practitioners; a change in the regulatory approval paradigm; and encouraging feedback from patients and families who directly benefit from these devices.

    The medical profession stands to benefit from...