Assessing the risk from Chinese-manufactured IoT-connected healthcare devices

As the medicine and healthcare sector is being transformed by IoT-connected medical devices, the risk posed by Chinese-manufactured devices has drawn the attention of the Federal Communications Commission (FCC).

There can be no doubt that IoT (Internet of Things) is transforming medicine and healthcare. The remote capture of patient information is easing pressure on staff shortages and high patient demand, while enabling much greater convenience and functionality to patients and the remote tracking and monitoring of new patient data without the need for a visit.

That’s why, according to a report from SNS Insider, the IoT medical devices market is predicted to grow from around $36.6 billion in 2022 to $239.7 billion by 2030 – a CAGR of 26.5% over the period^[1].

IoT-connected medical devices: Potential security threats

However, with that opportunity comes challenge, namely the security of IoT medical devices, including monitoring devices, imaging systems, respiratory devices, implantable cardiac devices, patient monitors, infusion pumps, fetal monitoring devices, neurological devices, ventilators, and so on. Likewise, further vulnerabilities come from the multiple connectivity technologies used, including cellular, Bluetooth, Wi-Fi, and Zigbee. For example,

• In the U.S. there are an estimated 20–30 billion IoT-connected devices, but according to a report from Deloitte, the number of vulnerabilities attached to these devices grew 59% in 2023 compared to the previous year^[2]. This cost the healthcare industry nearly $21 billion in downtime in 2020 alone, and $2.1 million in ransom for patient data.

Likewise, in the UK, a recent Freedom of Information request from 154 NHS Trusts found that one-third of UK NHS Trusts had no way of tracking IoT-connected medical devices, potentially exposing patient data and creating service security risks. Put simply, breaches of medical devices not only expose patient data, but could also be a matter of life and death.

The Chinese government’s well-documented surveillance of citizens has also been a topic of interest in the IoT medical device sector, with observers believing that Beijing could leverage data from connected medical devices. China already accounts for 25% of the total market value for IoT-connected medical devices in the Asia-Pacific region and 8.3% of the global total at around $44.8 billion in 2023^[3].

China’s IoT-connected healthcare sector is growing rapidly

An aging population, more affluent middle classes, changes in lifestyle such as increased drinking and smoking, and increased deployment of such devices will drive growth in the sector in China at a CAGR of 5% over the next two years.

However, according to the same report, China still imports 80% of its IoT-connected high-end medical devices – local manufacturers tend to focus on Class 1 devices, which have lower cost and complexity. But Beijing wants to change that in the name of its far-reaching strategy to become largely technologically self-reliant.

Under the Chinese Communist Party’s (CCP) Made in China 2025 plan, Beijing is aiming to boost local production of core materials and components for high-tier medical devices by 70% (between 2020 and 2025) and by 95% by 2030. Part of this plan also involves utilizing the large volumes of patient held by the government and local health offices.

It also means, however, that alongside the US Secure and Trusted Communications Networks Act of 2019, the 2019 Supply Chain Order, and the bipartisan Secure Equipment Act of 2021, which are aimed at telecom and networking equipment, the US Congress is setting its sights on expanding similar bans to Chinese-manufactured IoT devices.

FCC sets its sights on Chinese-made IoT medical devices

In a letter dated 7 August 2023, the US House Select Committee on the Chinese Communist Party detailed the threat that cellular radio modules manufactured in China pose to IoT devices, including vehicles and medical equipment: “Tackling PRC cellular IoT modules is a natural next step for the FCC, in consultation with appropriate national security agencies. For one, Quectel and Fibocom supply companies whose equipment is already on the FCC’s Covered List. The equipment on this list poses a national security threat to the U.S. and may not receive authorization for importation or sale in the U.S. Similar scrutiny should be considered for any PRC cellular IoT modules in this equipment.”

IoT devices are essentially radio modules generally connected via 4G LTE or 5G, so there is an obvious threat that data could be communicated back to the manufacturer or country of origin.

That’s why on 22 February 2024, the FCC released a public draft that would establish a voluntary labelling program for IoT products whereby eligible products would be authorized to display a newly created US Cyber Trust Mark that would indicate conformance with baseline cybersecurity standards.

Such a landmark initiative would have a significant impact on IoT-connected medical devices. The White House wants to ensure that eligible products are displaying the mark by the end of 2024, and so the initiative is being rolled out on an accelerated basis. It would also apply to IoT devices in every other sector.

Given the importance of patient health data, it’s an important move by the FCC which means that Chinese and other state-manufactured IoT-connected medical devices are clearly marked as the healthcare digital transformation gains pace.

Pamir provides risk assessment and strategic advisory for U.S. companies looking to take advantage of the Chinese market opportunity. As well as applying unique research methodologies, Pamir has business relationships with local suppliers and manufacturers built up over decades. To find out how we can help to advise your strategic approach the IoT healthcare in China, contact us today.

^[1] https://www.snsinsider.com/reports/iot-medical-devices-market-1773?utm_source=whatech&utm_medium=refferal&utm_campaign=shorturl&utm_content=whatech-com-778778

^[2] https://www2.deloitte.com/us/en/blog/health-care-blog/2022/as-life-sciences-goes-digital-new-cyber-threats-emerge.html

^[3] https://www.globaldata.com/store/report/impact-of-china-on-medical-devices-industry-theme-analysis/?_gl=1*16m9fxs*_ga*MTQ4ODc4MzI3NS4xNzA5NTU3MTM5*_ga_8SZ1HHP33J*MTcwOTU1NzE1Ni4xLjEuMTcwOTU1NzI4NC41OS4wLjA.