U.S. Department of Health and Human Services


Opportunities and Cybersecurity Risks for the Healthcare and Public Health Sector

Author: Bob Bastani, CISSP, CISM, CRISC, Senior Cyber Security Advisor Healthcare and Public Health Sector, Critical Infrastructure Protection, HHS Office of the Assistant Secretary for Preparedness and Response
Published Date: 11/1/2019 9:40:00 AM
Category: Cyber Security

Next-Generation Medical Technologies and Emerging Health Security Threats

Cutting-edge innovations in medical technology help medical professionals improve patient health outcomes during disasters and every day. While these new, evolving technologies bring great promise for patient care, they also introduce an element of risk into your hospitals and healthcare systems.

The Internet of Medical Things (IoMT), artificial intelligence (AI), and machine learning (ML) are all transforming the way healthcare is provided, but is your hospital or healthcare facility ready to face the new cyber security and privacy challenges associated with the use of these revolutionary technologies?  

The IoMT consists of interconnected medical devices and applications that collect data, which is then provided to healthcare IT systems through online computer networks. For example, smart beds, wearable medical devices, infusion pumps, and embedded devices are all new technologies in the IoMT. These devices present major benefits to providers and patients, such as improved drug management, process automation, enhanced data analytics across multiple domains, improved patient outcomes, and remote patient monitoring. IoMT devices connect to a variety of healthcare systems, networks, and other tools within a healthcare delivery organization.

However, the increased connectivity provided by the IoMT also creates cybersecurity risks, such as the potential for unauthorized access to patient health information, changes to prescribed drug doses, and interference with a device’s function. Cyber security and privacy professionals must address IoMT risks not only for the “device” but also holistically, across the entire network of systems and applications, which includes physical security, mobile interfaces, authentication, and authorization.

An additional challenge for the IoMT is patching and updating the embedded operating systems and applications of the devices, as some provide critical patient care and require special handling. If your hospital or healthcare facility uses IoMT devices, check out the Health Industry Cybersecurity Practices document on Managing Threats and Protecting Patients or the National Institute of Standards and Technology (NIST) project on Securing Telehealth Remote Patient Monitoring Ecosystem for references to help you better protect patient health while leveraging these new technologies. Check back periodically for progress because this project will result in a Cybersecurity Practice Guide with practical steps to address IoMT challenges.

Recent developments in AI and ML have led to smarter autonomous systems that can learn for themselves and keep up with the velocity and volume of data that networked systems produce. The introduction of AI and ML in health care has led to the development of new applications and tools that are starting to have a significant positive impact on chronic disease management, cancer diagnostics, radiology, and interventional medicine.

There are, however, very distinct and new vulnerabilities associated with AI and ML tools and applications. For example, data poisoning, logic corruption, and data manipulation can introduce data that causes an ML-based system to make mistakes, or introduce specific data patterns that are designed to be misclassified by learning systems. The most common defensive techniques for these attacks include “data sanitization” and “anomaly detection”, which themselves are in the process of maturing. To learn more about the evolution of recommendations on AI and ML, see Artificial Intelligence at NIST.
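As an added illustration (not part of the original post and not HHS or NIST guidance), the sketch below shows one simple form of data sanitization: flagging training records whose label disagrees with most of their nearest neighbours before a model is trained. The function names, labels, and all sample values are constructed for this example.

```python
import math

# Constructed training set: (feature vector, label). Values are illustrative only.
CLEAN = [((0.8, 1.0), "normal"), ((1.0, 1.2), "normal"), ((1.2, 0.9), "normal"),
         ((0.9, 0.8), "normal"), ((1.1, 1.1), "normal"), ((1.0, 0.9), "normal"),
         ((4.8, 5.0), "abnormal"), ((5.0, 5.2), "abnormal"), ((5.2, 4.9), "abnormal"),
         ((4.9, 4.8), "abnormal"), ((5.1, 5.1), "abnormal"), ((5.0, 4.9), "abnormal")]
# Constructed poisoned records: they sit in the "abnormal" cluster but carry the wrong label.
POISON = [((5.0, 5.0), "normal"), ((4.95, 5.05), "normal")]
TRAINING = CLEAN + POISON


def knn_label_sanitize(samples, k=5, min_agreement=0.5):
    """Return (kept, flagged). A sample is flagged when fewer than
    min_agreement of its k nearest neighbours carry the same label."""
    kept, flagged = [], []
    for i, (x, label) in enumerate(samples):
        neighbours = sorted(
            (math.dist(x, other_x), other_label)
            for j, (other_x, other_label) in enumerate(samples) if j != i
        )[:k]
        agreeing = sum(1 for _, other_label in neighbours if other_label == label)
        target = kept if agreeing / k >= min_agreement else flagged
        target.append((x, label))
    return kept, flagged


def predict_1nn(train, x):
    """Classify x with the label of its single nearest training sample."""
    return min(train, key=lambda sample: math.dist(sample[0], x))[1]


if __name__ == "__main__":
    kept, flagged = knn_label_sanitize(TRAINING)
    probe = (4.98, 5.02)  # constructed reading that belongs to the "abnormal" cluster
    print("flagged for review:", flagged)
    print("trained on raw data:      ", predict_1nn(TRAINING, probe))
    print("trained on sanitized data:", predict_1nn(kept, probe))
```

Flagged records are best routed to human review rather than silently dropped, since a genuine but rare clinical reading can also disagree with its neighbours.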

While attention to fundamental cyber security and privacy principles such as defense in depth, non-repudiation, and encryption continues to be critical, it is equally important to become familiar with the innovative technologies in the Healthcare and Public Health (HPH) sector and the new cybersecurity threats that come with these technologies.

