Author: Rebecca Banagala, ANU
If you’re reading this, you’re on the internet. As such, you’re a user of the Internet of Things (IoT), the network of physical devices connected to the internet.
While the internet brings joy and efficiency to our daily lives, it also introduces a significant number of vulnerabilities and concerns. From data and privacy issues to ethical and legal complexities, we face many risks on the IoT.
These risks increase significantly when you merge the IoT with the human body. The Internet of Bodies (IoB) is an archetype of IoT, connecting the internet to the human body. IoB is the technology that we voluntarily allow into our bodies by ingesting, implanting or wearing it. In doing this, we transform our bodies into the newest data discovery platform.
IoBs can be split into three generations: body external, body internal and body embedded. Body external consists of wearable devices such as insulin pumps, Apple Watches or Fitbits. Body internal includes devices that are inserted into the human body to monitor or control various health aspects, including pacemakers, smart contact lenses or cochlear implants. Finally, body embedded describes technologies that merge the human body and technology together and connect them to a remote machine. An example is embedded RFID microchips, such as those that a bioengineering company introduced, which enable employees to gain access to their work building without a swipe card or key.
These devices no doubt have a positive impact on human health and lifestyle. But they also raise significant concerns.
Increasingly in the news are stories of ransomware attacks on critical infrastructure or major industries, including the Colonial Pipeline, JBS Foods and, more recently, IT company Accenture. We’ve seen the impact that cybercriminals can have on the security technology of multibillion-dollar companies and assets. But it’s not only multinational companies at risk. Vulnerabilities can similarly affect individuals with IoB devices.
In 2013, former United States Vice President Dick Cheney replaced his Wi-Fi-connected defibrillator with one without Wi-Fi capacity. He did this due to fears that a rogue cybercriminal would hack into the device and assassinate him by electric shock. It’s likely that this put his fears to bed, but there are other ways that cybercriminals can exploit devices without Wi-Fi. Cybercriminals can steal data through memory operations and Wi-Fi receivers, or jump the air gap.
This is exactly what happened in the 2010 Stuxnet attack, in which USB-delivered malware was able to compromise nearly a fifth of Iran’s nuclear centrifuges. Alternative methods include, but are not limited to, radio waves, electromagnetic waves, the Global System for Mobile Communications (GSM) network, and even heat sensors.
Despite this, University of Texas Professor Dean Sittig says that there aren’t many incentives for cybercriminals to attack a single medical device, unless it’s connected to a celebrity, or someone of a notable or prestigious background. But being complacent when it comes to information security can also present privacy concerns. Access to an IoB can enable a cybercriminal to monitor, extract or exploit patient data or health records. Once a cybercriminal is in, they can steal private health records, release malware into the system, disrupt operations at a hospital, or even launch a ransomware attack. That access could also be used to modify existing patient records, leading to incorrect prescriptions and dosages, and possibly the provision of deadly treatments using an inaccurate electronic health record system.
IoBs also present significant ethical considerations. Researchers El-Khoury and Arikan seek to answer the big questions around the balance between an increasingly appealing technological capability and the need for vital human safety and autonomy. Matwyshyn also shines a light on the imminent legal uncertainties and impacts surrounding IoB, and the many inconsistent legal decisions made already in IoB litigation.
With all these concerns, it’s clear that more needs to be done. Stakeholders involved include manufacturers, cloud service providers, health care organisations, civil society, governing bodies, insurers, end-users and more. These actors all need to be on the same page to ensure that the cyber mitigations in place can keep pace with rapidly emerging technologies and tackle the corresponding threats. On top of that, basic cyber security training and education for health practitioners and medical students is vital. This will boost the awareness of health professionals and help them provide more accurate guidance to patients deciding whether to introduce an IoB into their lives.
Cybersecurity risks or not, it’s clear that IoB is here to stay. We will continue to see impacts on the health, cyber, legal, ethical, and political domains. Policymakers should act now, as Australia’s health security relies upon it.
Rebecca Banagala is an ANU Masters of Strategic Studies student and works in policy and strategy for a Federal Government Department.