A medical device can be anything from a tongue depressor to an implantable neurostimulator. But what cybersecurity and health care attorneys are concerned about are the Bluetooth-ready devices that speak to other devices or systems. While connected devices present more efficient patient care and sharing of data, each device presents another possible opportunity for a security breach that could compromise that data — or worse.
Connected medtech is already everywhere. Medical technology companies estimated that by 2021, more than two-thirds of their devices will be connected through the Internet of Things, according to a Deloitte survey released last summer. The IoT medical tech market was $15 billion in 2017, but could triple by 2022 to $52 billion, the study predicted.
“You walk into a hospital, and so much of the equipment in those facilities has the ability to connect to something else,” said Jodi Scott, a partner at Hogan Lovells’ Denver office whose practice focuses on life sciences and medical devices. An example of a connected device would be an electrocardiogram monitor that sends the heart signal data directly to medical records. But hospitals now have a “huge population” of devices that have been used for decades but are now connected, Scott said.
For years, health care organizations have been dealing with data breaches involving HIPAA-protected personal health information. Medical device breaches represent a new worst-case scenario.