Medical devices are fraught with direct threats to the lives and well-being of people. In addition, medical data privacy is a hot-button topic among consumers. The security challenges are daunting, particularly as more health care migrates into the home environment, driven by desires to reduce the length of hospital stays and keep health care costs under control. This report explores these issues and includes survey data regarding OEM attitudes toward the safety and security of connected medical devices. Leading security solutions vendors discussed include Intel Security (McAfee), QNX, RSA, and SafeNet.
What questions are addressed?
- Where are the lines drawn between fitness devices and medical devices, and what are the implications for secure product design and development?
- Which categories of medical devices are most ripe for connectivity?
- How are regulatory requirements affecting market advancements in institutional and home care products?
- What are OEM attitudes toward designing security and privacy for medical devices?
- How will liability concerns impact the market for embedded medical devices as connectivity becomes ubiquitous?
Who should read this report?
This research program is written for those making critical decisions regarding product, market, channel, and competitive strategy and tactics. This report is intended for senior decision-makers who are developing embedded technology, including those in the following roles:
- CEOs and other C-level executives
- Corporate development and M&A teams
- Marketing executives
- Business development and sales leaders
- Product development and product strategy leaders
- Channel management and channel strategy leaders
Vendors Listed in this Report
- Icon Labs
- Intel Security (McAfee)
- Mentor Graphics
- Philips Healthcare
- QNX Software
- Sansa Security
- Trend Micro
- Ventana Medical Systems
The medical device and health care industry will be one of the fastest growing markets for embedded security solutions through the next 5 years, prompted by the evolving threat landscape and the lagging capabilities of OEMs, systems integrators, and end users. Security issues facing the medical sector span several dimensions: threat and vulnerability awareness, motivation and funding for investment, embedded technology availability and adoption, and social responsibility. There are misconceptions among manufacturers and end users that some (connected) medical device classes do not produce valuable information or data and thus do not require security - underestimating or completely ignoring the potential for their devices to act as a backdoor for malicious use. In fact, most manufacturers today do not have a program or system in place for implementing embedded security within their medical devices.
Did You Know? A single networked medical device can potentially compromise an entire hospital network or integrated systems like EHR.
Only in the past couple of years has the Food and Drug Administration (FDA) begun its attempt to support the secure development of medical devices with new guidelines and requirements for manufacturers. However, the reach of such regulatory bodies does not extend beyond the device to network security for health care data - that is where other regulatory bodies such as HIPAA and HIMSS take over with the objective of preserving data privacy and confidentiality. Health care facilities need to implement many of the same security technologies as large enterprises, including firewalls, authentication/encryption, intrusion detection/prevention systems, and security protocols, as well as a variety of others, to satisfy increasingly difficult regulatory compliance and mitigate the risks and liability associated with developing medical systems.
- The global market for embedded security software for medical devices is expected to be among the fastest growing industries with a compound annual growth rate (CAGR) of 24.5% from 2014 to 2019.
- Most medical devices today are not designed with security in mind and leverage low-cost off-the-shelf operating systems or customized software that are not sufficient for protecting against the modern threat landscape.
- The most common security vulnerabilities include obvious default and hard-coded passwords, unencrypted or unauthenticated communications, and a lack of firewalls and other network security technologies.
- Ensuring proper medical device protection will require a long-term commitment and philosophical shift in how OEMs and others view and design in security.
- Embedded engineering organizations within the medical device sector expect to use more security-oriented professional services 3 years from now to contend with growing medical design complexity and standards requirements.
About the Authors
Daniel Mandell supports a variety of syndicated market research programs and custom engagements in the IoT and Embedded Technology practices. He leads the research services for IoT gateways, embedded processors, and other computing hardware in addition to supporting programs such as embedded/real-time operating systems. Daniel also develops, programs, and manages end-user surveys to embedded engineers and uncovers useful and interesting insights regarding buyer behaviors, technology adoption, and device/application requirements. His working relationship with VDC dates back to 2005 and includes stints with Business Development as well as the AutoID practice. Daniel holds a B.S. in Information Systems Management from Bridgewater State University.
Steve Hoffenberg is a leading industry analyst and market research professional for Internet of Things technology. He has more than two decades of experience in market research and product management for technology products and services. Prior to joining VDC, he spent 10 years as Director of Consumer Imaging and Consumer Electronics Research at the firm Lyra Research, where he led industry advisory services providing extensive market research on consumer technology trends, user adoption, market sizing, marketing strategy, and competitive analysis for major consumer electronics manufacturers. Previously, he worked in product management for electronic design companies that developed and licensed embedded digital imaging and audio products. Steve holds an M.S. degree from the Rochester Institute of Technology and a B.A. degree from the University of Vermont.
Chris Rommel is responsible for syndicated research and consulting engagements focused on development and deployment solutions for intelligent systems. He has helped a wide variety of clients respond to and capitalize on the leading trends impacting next-generation device markets, such as security, the Internet of Things, and M2M connectivity, as well as the growing need for system-level lifecycle management solutions. Chris has also led a range of proprietary consulting projects, including competitive analyses, strategic marketing initiative support, ecosystem development strategies, and vertical market opportunity assessments. Chris holds a B.A. in Business Economics and a B.A. in Public and Private Sector Organization from Brown University.