The internet of things holds many promises.
Per the OECD, IoT has the potential to impact “almost all major economic sectors: health, education, agriculture, transportation, manufacturing, [and] electric grids” through a combination of network connectivity, widespread sensor placement, big data analysis, and machine learning.
In its broadest sense IoT describes every device connected to the internet, but more specifically refers to those that can talk to one another. Security cameras, thermostats, fridges, and light bulbs have all come online in the last few years, but the industry perhaps most ripe for an IoT revolution is, fittingly, first in the list above: healthcare.
This potential transformation comes not a moment too soon, with an aging and increasingly unhealthy population straining our current system to breaking point, and debates about staffing levels insufficient to combat these macro trends.
Changes in healthcare delivery, however, necessarily bring serious cybersecurity and privacy concerns that lawmakers, NHS Trusts, hospitals, and device makers will need to grapple with in order to realise this promise at any meaningful scale.
Ask your doctor if the internet of things is right for you
Imagine an ambulance that can analyse a patient’s condition on the way to the hospital. A smartwatch app that monitors for depression. Pills that transmit data to your smartphone, and remind you when you forget to take them. Scales that measure your cardiovascular health.
If you haven’t paid attention to the healthcare tech space in the past few years, you could be forgiven for assuming we were still in the realm of science fiction, but though Takeda Pharmaceuticals’ Apple Watch app is still being trialled, everything else is available right now.
And we’re barely scratching the surface.
IoT, and the artificial intelligence and machine learning behind it, has the potential to radically reduce doctor and nurse time spent on routine reviews or collecting basic data from patients. Free from this lower-skilled drudgery, doctors will be able to spend more time on the treatment areas where they can make the most difference, and on patient interaction.
Wearable and ingestible sensors will allow doctors to track patients’ adherence to treatment plans; to send reminders and personalise treatments; to monitor chronically-ill patients remotely and in real time, reducing the need for costly, time-intensive appointments.
Needless to say, the cost angle will be critical. Though the UK spent ‘only’ 9.9% of its gross domestic product (GDP) on healthcare in 2015, according to BMJ, this still amounts to north of £125 billion. IoT can play an important role in keeping this figure under control in the face of increasing demand.
But as much as IoT can improve care once we get to the hospital, equal promise lies in helping us avoid the doctor in the first place. Giving people the underlying data of their own health has the potential to be transformative, and to usher in a new era of personalised, holistic care.
Putting the patient in control helps them understand the impact of their lifestyle on their health – eat that chocolate bar and watch your insulin spike – and to adjust their behaviour accordingly before medical intervention becomes necessary. At the other end of the spectrum, an IoT device could alert you when you definitely do need to call the doctor, or even place the call itself in a pinch.
Another intriguing possibility lies in gamification: turning health and wellbeing into a video game-style challenge. As Pokémon Go took sofa-bound gamers on 10km walks to hatch eggs, and Uber keeps drivers on the road with in-app trophies, so too could connected medical devices help keep us active, eating well, and stress-free with the promise of virtual rewards; perhaps even turn keeping healthy into something approaching fun.
For all its potential benefits, it remains crucially important that cybersecurity concerns are addressed before IoT can, or should, become mainstream in healthcare
The OECD’s report highlights a 2015 incident in which “a security firm investigated a hospital information system where attackers exploited a vulnerability in a networked blood gas analyser to ultimately infect the entire hospital IT department’s workstations”. In short, IoT does not exist in isolation: every device connected to the internet is an additional point of vulnerability in the entire system. The recent WannaCry ransomware attack that crippled hospitals across the UK is another stark reminder of the importance of getting IoT cybersecurity right.
A 2016 report from Forrester Research gives four major threats to healthcare IoT: denial-of-service (DoS), patient data theft, therapy manipulation and asset destruction. Three of those are at least recognisable, though they carry far nastier consequences when the systems being shut down control life-support machines or insulin pumps. Therapy manipulation, however, is perhaps the most viscerally frightening of all, and while the idea of cyber attackers being able to alter drug dosages to cause harm seems straight out of science fiction, it’s now a genuine concern. It seems inevitable that, at some point, we’ll get our first murder-by-medical-hacking, and our collective response remains an open question.
Connected medical devices are often hopelessly unsecured. As Charles McLellan notes for ZDNet, many healthcare devices run ageing or embedded operating systems that don’t get patched or updated, especially when that involves taking vital equipment such as MRI machines offline for some period of time. When equipment keeps functioning despite a lack of updates, combined with a genuine desire to help patients, it’s easy to see how complacency sets in.
In the wake of the WannaCry attacks, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, penned an op-ed in the New York Times in which she notes “in the current regulatory environment, the people who write the insecure software and the companies who sold the ‘things’ bear no liability”. In other words, in the rush to market, the companies that profit handsomely from selling us IoT devices don’t bother, and aren’t forced, to focus on the security of their products. It’s fine for Facebook to “move fast and break things” when all we’re talking about is an Instagram filter, much less so when a bricked or hackable device has life-and-death consequences.
The more devices we connect, the greater and more personal the data we share, the more enticing the target. Just last week, the BBC reported that “[m]ore than 25,000 private photographs have been posted online following a data breach at a plastic surgery clinic in Lithuania in March”. Patients from Denmark, Germany, Norway and the UK received ransom demands of up to 2000 euros to keep the photos offline, in what was surely a traumatic experience for those involved. But what happens when far-more-sensitive, actionable data is within hackers’ reach? How much would you pay to keep your hacked medical records away from the eyes of insurers, employers, or neighbours? What about your genomic data?
The internet of things could be the sci-fi future we’ve been promised for decades… if we get it right
It’s certainly alluring, this shiny future in which billions of intelligent, connected devices dramatically improve the way we deliver healthcare, move us into a more patient-centric future, and keep spiralling costs under control.
But current hacks that take down Xbox Live for a few hours, render an app inaccessible, or even leak online passwords – while troubling, and in need of addressing – are small game compared to the potential impact of similar attacks on IoT pacemakers or morphine drips.
For IoT to take off in healthcare, we need to start with a regulatory framework that pushes device makers to build in robust security from the ground up, rather than bolting it on as an afterthought; devices that must include a mechanism for pushing out updates and patches; companies that support devices – which are often expected to last decades – for their entire lifetime.
Cybersecurity is, by its nature, unsexy, never-ending, and rarely appreciated by the end user, but that doesn’t make it any less crucial. Protecting new and existing devices will also be a gradual process, with a steep learning curve for everyone connected to the healthcare industry.
The potential for IoT, in healthcare as elsewhere, to meaningfully impact our lives is both real and fraught. In reaching for this potential future, we therefore have to make sure incentives are properly aligned and that we aren’t putting our connected cart before the cybersecurity horse.