Nurturing Cyber Security and Privacy in Connected Care

Academic year: 2021


Nurturing Cyber Security and Privacy in Connected Care:

To what extent do public-private governance models between third

party medical IoT vendors and hospitals influence the development of

cyber security and privacy standards?

Author: Gioia Sofiasole Stefanie Marzano

Student Number: s1649663

Email: g.s.s.marzano@leidenuniv.umail.nl

Word Count: 23 831 words

Supervisor: Prof. Dr. Jaap Reijling

Second Reader: Asst. Prof. Dr. Niculescu

Deloitte Supervisor: Gideon Teerenstra MSc.


Acknowledgements

I would like to thank Professor Dr. Jaap Reijling for his dedication to the process, and his constructive and helpful feedback.

Gideon Teerenstra MSc. for his shared passion for this topic and his insight into the field. The Deloitte Cyber and Privacy team for supporting me through the thesis trajectory. All the respondents who agreed to contribute to this project for their willingness to improve the security in the healthcare sector and the contributions they make to the field.


Abstract

Medical IoT is increasingly being implemented in the Dutch healthcare sector as a means of growing the remote care capabilities of hospitals, as well as relieving pressure on increasingly strained healthcare professionals. However, medical IoT has been recognized as a possible vulnerability regarding cyber security and privacy within the medical supply chain. This thesis seeks to understand how responsibilities and accountability are divided between IoT vendors and hospitals, and how this influences the maturity and development of cyber security and privacy standards regarding medical IoT devices. This thesis thus investigates the following research question: to what extent do public-private security governance models between third party medical IoT vendors and hospitals influence the development of cyber security and privacy standards within the Dutch Healthcare sector? It provides exploratory, foundational research, wherein 9 key stakeholders of the medical IoT supply chain were interviewed on their perspectives on the division of accountability and responsibilities, as well as on the maturity of standards. The findings of this thesis suggest that whilst responsibilities are largely divided in a clear and comprehensive manner, it is still largely unclear who is ultimately accountable for incidents or compliance. This latter factor depends largely on contracts, which the respondents note are not as all-encompassing as may be needed. Furthermore, it was found that the hierarchy observed in practice diverges from the hierarchy recommended in policy and in the studied models, which negatively impacts the maturity of standards. Whilst the observed maturity of standards was found to be relatively high, some flaws were uncovered that could impact accountability in case of incidents.

This research thus suggests that hospitals maintain the hierarchy in outsourcing their non-core tasks regarding compliance to their vendors, so as to reduce pressure on their internal governance and employees, as well as to increase incentives to ensure that compliance is kept at the forefront of business decisions, at the same level as healthcare provision, efficiency, and costs. Furthermore, both the field itself and the government should provide more incentives for vendors and hospitals to pursue compliance. Further research is needed, with emphasis on specific case studies and possible working models for best practices of cooperation within this field.

Contents

Acknowledgements ... 3

Abstract ... 4

List of Abbreviations ... 7

List of Tables, Models, Graphs, Figures ... 8

List of Appendices ... 9

1. Introduction ... 10

1.1 Internet of Things and Healthcare ... 10

1.2 Relevance ... 11

2. Theoretical Framework ... 14

2.1 Governance ... 15

2.2 Security ... 16

2.3 Security Governance ... 17

2.3.1 Security Governance and Privatization of Security ... 17

2.4 Models of Security Governance in the Privatization ... 18

2.4.1 Junior-Partner Model ... 18

2.4.2 Responsibilized Model ... 19

2.4.3 Economized Model ... 20

2.4.4 Accountability as a Control Mechanism ... 21

2.5 Linking Public-Private Security Governance Models with Healthcare ... 23

2.6 Hypotheses and Sub-Questions ... 23

2.6.1 What can be included under the definition of Medical IoT? ... 24

2.6.2 What are the primary opportunities and risks surrounding medical IoT integration in the Healthcare sector? ... 24

2.6.3 How are responsibilities to maintain cyber security and data security shared between the various stakeholders? ... 25

2.6.4 What perception of accountability does each stakeholder have in times of crisis? ... 25

2.6.5 What governance model can be observed between IoT vendors and hospitals with regards to cyber and data security? ... 25

3. Methodology ... 26

3.1 Research Approach ... 26

3.2 Operationalization of Key Concepts ... 26

3.2.1 Cyber and Data Security Standards ... 26

3.2.2 Healthcare Security Supply Chain ... 31

3.2.3 Security Governance Models ... 32

3.3 Data Collection ... 32

3.4 Data Analysis ... 33

Tools Used ... 35

3.5 Limitations to Method and Research ... 35

4. Analysis ... 36


4.1 What is Medical IoT? ... 36

4.1.1 Medical IoT definitions ... 36

4.2 Opportunities and Risks ... 38

4.2.1 Opportunities of IoT ... 38

4.2.2 Risks of IoT ... 40

4.3 Hierarchy Model ... 46

4.3.1 What hierarchy models can be distinguished? ... 46

4.3.2 What are these models based on? ... 48

4.4 Division of Responsibilities ... 51

4.4.1 How are the responsibilities most often divided? ... 51

4.4.2 Basis of the Division ... 56

4.4.3 Who monitors responsibilities? ... 59

4.5 Accountability ... 61

4.5.1 How is accountability divided? ... 61

4.5.2 Why are they divided like that? ... 63

4.5.3 Accountable to whom? ... 66

4.6 Status Quo related to PPP models ... 67

4.6.1 What PPP Model can be identified ... 67

4.8.2 Model ... 69

Section 2: Maturity Levels related to Models ... 70

4.7 Maturity Levels ... 70

4.7.1 Are standards implemented? ... 70

4.7.2 Are standards and compliance deemed important? ... 70

4.7.3 Impact Standards ... 72

4.7.4 Maturity Model Level ... 74

4.8 Conclusion ... 77

4.8.1 Maturity Level and Model? ... 77

4.8.2 Public-Private Partnership Governance Models influence on Maturity ... 78

4.8.3 Why do we see this correlation? ... 79

5. Discussion ... 80

5.1 Discussion and Reflection ... 81

5.2 Reflection on Conceptual Model and Methodology ... 83

5.3 Recommendations for Policy ... 84

5.4 Recommendations for Future Research ... 85

Bibliography ... 87


List of Abbreviations

IoT Internet of Things

NHS British National Health Service

ENISA European Union Agency for Cyber Security

PMC Private Military Company

PSC Private Security Company

EHR Electronic Health Record

DPA Data Protection Authorities

DPIA Data Protection Impact Assessment

PPP Public-Private Partnerships

CMT Covenant Medical Technologies


List of Tables, Models, Graphs, Figures

Type Page number

Model 1: Theoretical Framework 15

Model 2: CIA Triad 27

Model 3: Capabilities Maturity Model 30

Model 4: Deloitte Compliance Maturity 30

Model 5: CIA Triad and Division of Responsibilities 51

Table 1: Junior-Partner Model Core Aspects 19

Table 2: Responsibilized Model Core Aspects 20

Table 3: Economized Model Core Aspects 21

Table 4: Accountability PPP Model 22

Table 5: Population 33

Table 6: PPP Core Characteristics 34

Table 7: PPP Models and Status Quo 67

Table 8: Capabilities Maturity Model and Case 75

Table 9: Deloitte Compliance Maturity and Case 75

Figure 1: Medical IoT Systems Environment 31


List of Appendices

Table Page number

Table 1: Hospital Responsible 90

Table 2: IoT Vendor Responsible 94

Table 3: Hospital and IoT Vendor Responsible 98

Table 4: Responsibility Influence – Standards 100

Table 5: Responsibility Influence – Contracts 102

Table 6: Responsibility Influence – Agreements 106

Table 7: Responsibility Influence – International Relations 108

Table 8: Responsibility Influence – Type of Responsibility 109

Table 9: Hospital Accountable 111

Table 10: Vendor Accountable 113

Table 11: Hospital and IoT Vendor Accountable 116

Table 12: Accountability – Quality 118

Table 13: Accountability – Standards 119

Table 14: Accountability – Contract 121

Table 15: Accountability – Incident 124

Table 16: Accountable to Third Party 126

Table 17: Accountable to Hospitals 127

Table 18: Accountable to IoT Vendor 128

Table 19: Accountable to Patients 129

Table 20: IoT Compliance is Important 131

Table 21: IoT Compliance is Not Important 135

Table 22: IoT Compliance in General 137

Table 23: IoT Coproduced 142

Table 24: IoT Bought in 145

Table 25: Interview Questions 147


1. Introduction

In 2017 the British National Health Service (NHS) fell victim to the WannaCry ransomware (Slabodkin, 2017). The British Broadcasting Corporation (BBC) reported that hospitals and GPs were “unable to access patient data, after their computers were locked by a ransomware program demanding a payment worth £230” (BBC, 2017). This disrupted the “services of one-third of the UK's hospital trusts, and approximately 8% of GP clinics. It's believed that around 19,000 hospital appointments were cancelled as a result”; the resulting delays could have serious impacts on human lives, as they could cause a “delayed ambulance or incorrect treatment” (Walker, 2018). The impacts of this attack were also felt financially, causing around 92 million pounds in damages (Field, 2018).

The 2017 WannaCry breach uncovered vulnerabilities within the global healthcare sector which could pose a significant threat to patient safety (Walker, 2018). Healthcare is increasingly relying on new technologies such as Internet of Things (hereinafter IoT) devices to increase remote patient monitoring and care, aid independent living for the elderly, and provide relief for an increasingly strained workforce of healthcare professionals. Despite these benefits, medical IoT devices may also pose great threats, since:

“[IoT] devices, including networked medical devices, are highly interconnected and some devices even have the ability to automatically connect to other devices. Consequently, security decisions made locally for a specific device can have global impacts” (ENISA, 2016, p18).

As interconnectivity increases and more devices are connected to the internet, “web-enabled IT systems […] become increasingly vulnerable. This vulnerability is not just from malicious hackers, but from other threats such as malware and the computer virus” (Chachko & Hayajneh, 2018, p3).

1.1 Internet of Things and Healthcare

According to the scholar Chris Showell, IoT is “an infrastructure of interconnected objects, people, systems and information resources together with intelligent services to allow them to process information of the physical and virtual world and react” (Hofdijk, 2016). For the healthcare sector this is an especially alluring new technological development, as it “represents an emerging sociotechnical environment which will change the way in which information and communication technology (ICT) is used, and is likely to provide a range of functions, including diagnosis, monitoring, treatment, and ambient assisted living” (Hofdijk, 2016). As a result, smart hospitals are emerging around the world; these are defined by the European Union Agency for Cybersecurity (hereinafter ENISA) as hospitals which rely on “optimized and automated processes built on an ICT environment of interconnected assets, particularly based on [IoT], to improve existing patient care procedures and introduce new capabilities” (ENISA, 2016, p9).

However, despite the vast opportunities within the healthcare sector, more and more organizations are recognizing IoT as a critical vulnerability within the healthcare cyber security supply chain (ENISA, 2016). Since the focus of the healthcare sector remains on ensuring the health of patients, tasks such as the maintenance and securing of new and old devices are often overlooked (ENISA, 2016). IoT devices with inadequate security offer an attack vector through which threats can enter the healthcare supply chain, enabling access to other dimensions of the healthcare sector (ENISA, 2016). With an increasing number of crucial devices being connected to the internet - devices such as pacemakers, smart continuous blood glucose meters, insulin pens, sensors, as well as mobile applications - there is a greater risk of attacks potentially causing casualties (ENISA, 2016). Furthermore, IoT devices can provide attackers with an entry point into the health sector’s cyber security supply chain, from which other networks and devices can be reached through their relationship with the compromised IoT device. Securing these devices is therefore of high importance.

1.2 Relevance

Whilst medical IoT has been recognized as a potential vulnerability, academia has largely ignored the vulnerabilities within the healthcare sector related to IoT integration. Most studies on this topic have looked into securing healthcare’s cyber security from a technical point of view. The human and governance factor within this equation has been largely overlooked. As such, the role that IoT vendors play in securing the cyber security supply chain of the healthcare sector is still unknown. Investigating how these stakeholders are involved can help lay the foundations for future research on this topic. This relation can be described as a public-private partnership, since many IoT vendors are commercial start-ups or larger conglomerates such as GlaxoSmithKline or Philips Healthcare, distributing either to healthcare providers such as hospitals or to insurance companies. Within the study of security, we can identify three main models of public-private security governance: the Junior-Partner model, the Economized model, and the Responsibilized model (Matthys, 2010).

Acknowledging both the rapid adoption of IoT devices within the healthcare sector, as well as the need to conceptually understand the governance structures that dictate the cyber security and privacy standards within the healthcare sector, this research examines how accountabilities and responsibilities are divided between third party IoT vendors and distributors such as hospitals and how this influences the development and maturity of cyber and data security, and privacy standards (hereinafter cyber security and privacy standards). The research question therefore reads:

To what extent do public-private security governance models between third party medical IoT vendors and hospitals influence the development of cyber security and privacy standards within the Dutch Healthcare sector?

Gaining insight into this topic will help lay the foundations for future research into governance within this field, and hopefully contribute to further securing the healthcare sector. The aim of this study is to explore the usefulness of applying public-private governance models to the case of the healthcare sector to explain behavior and divisions of responsibilities and accountabilities. We further seek to explore the motivations, barriers, and enablers of cyber and data security within the healthcare sector from the perspective of stakeholders. The remainder of this thesis is organized as follows: chapter 2 will lay the theoretical foundations and outline the current debates on cyber security, as well as elaborate on the current public-private security governance models. This chapter will thus build the conceptual model that acts as the basis for the study. Chapter 3 will elaborate on the methodology used in this research, the reasoning behind it, and the limitations of using this methodology. This research relies on qualitative research methods in the form of semi-structured elite interviews with various key stakeholders within the healthcare sector, combined with a document study of the relevant regulations and standards. Chapter 4 will discuss the findings of these interviews, structured in sub-sections. Its conclusions will be tied together in chapter 5, where the hypotheses will be explored, the validity and relevance of the findings will be discussed, and recommendations for methodology, policy, and future research will be given.


2. Theoretical Framework

This chapter will elaborate on the theoretical foundations upon which this thesis relies, which largely depend on the conceptual understanding of security governance. This chapter will first look at “governance” as a concept before drawing correlations with the academic definition of “security governance”. Secondly, the importance of the privatization of security will be discussed, and the three main Public-Private Security Governance models will be elaborated on. These three models are identified as the Junior-Partner model, the Economized model, and the Responsibilized model. Lastly, these concepts will be related back to the main topic of this thesis, healthcare, to see how the two are connected and can be related. Model 1 below outlines the relations between the different theoretical conceptions, as well as how they will be used. The model starts with the concepts of security and governance, forking down to security governance and cyber security, and elaborates on the common concepts understood under the privatization of security and accountability. The blue circle represents the main concepts that this thesis will be exploring, namely the three characteristics of accountability as understood by Bovens, and the three main models of Public-Private Security Governance. The orange square represents the aspect of maturity of standards: the left column lists the two main standard types this thesis focuses on, namely cyber security and privacy related standards, while the right column lists the main characteristics by which the maturity of the standards will be tested.

Model 1: Theoretical Framework (image by author)

2.1 Governance

As scholars Klijn and Kloppenjan pinpointed: “[i]deas do not suddenly emerge, but rather tend to build on long traditions” (Klijn and Kloppenjan, 2012, p2). The idea of governance too has been developed over many years of research. “Its theoretical roots are various: institutional economics, international relations, organizational studies, development studies, political science, public administration and Foucauldian inspired theorists” (Stoker, 1998, p18). Gerry Stoker defines governance as being “about getting things done” (Webber, 2014, p19). He further notes that “[g]overnance is ultimately concerned with creating the conditions for ordered rule and collective action” (Stoker, 1998, p17). Mark Webber furthermore elaborates that governance is “task specific, problem-solving in orientation, and geared toward the setting of goals and the production of a desirable outcome” (Webber, 2014, p19). Webber then refers to Rosenau’s addition to Stoker’s understanding of governance as also being “deliberate [;] the outcome of governance, strictly speaking, is neither spontaneous nor fortuitous but rather intended” (Webber, 2014, p19). Academia is firm in pointing out that “governance” does not equal “government”, despite overlap in definition and understanding (Webber, 2014, p20). If there are multiple actors cooperating in governance, their cooperation cannot only be explained through a primarily statal lens, but can also be explained as requiring “a minimum institutional framework” (Webber, 2014, p20). Webber is quick to point out that governance can be considered by investigating two parameters: consent and legitimacy. Consent is necessary as governance implies “a diminution of hierarchy and thus of coercion – it is ‘the capacity to get things done without the legal competence to command that they be done’” (Webber, 2014, p21). Consent is therefore an impediment to this. Whilst governance does not need consent to function, Webber argues that consent is necessary for governance to work well. The second - legitimacy - is based on the idea that governance can only occur between actors that are seen as legitimate in the sense of being “desirable, proper, or appropriate” (Webber, 2014, p21). One way in which good governance can be judged is by reference to its effectiveness and to its “delivery of results” (Webber, 2014, p21).

2.2 Security

Security is often related to the elements of “risk” as well as “insecurity”. In the traditional realist understanding of security, security relates to national and primarily military issues (Palaver, 2017, p102). From a constructivist approach, security - or more specifically “threats” - can be broadened to anything that is perceived as a threat after being vocalized as a threat; this is also known as the ‘securitization’ of threats (Floyd, 2019). As Rita Floyd explains: “[a]ll securitization scholars accept, [...] that security threats are socially and politically constructed, or in other words that: ‘Security issues are made security issues by acts of securitization’” (Floyd, 2019, p10). Security is sometimes also approached from the debate of whether it is a collective good, or rather a commodity (Krahmann, 2008). Here Krahmann distinguishes that “[n]on-excludable goods are those, such as fresh air, that are free for the taking: no one can easily exclude others from using them. Conversely, excludable goods can be restricted to a limited number of users or beneficiaries” (Krahmann, 2008, p383). Viewing security as a tradeable commodity allows for competition over security, as well as exclusion from security. The collective good is usually connected to the provision of security by the public sector. The security we are studying in this paper - cyber security - is related to an emergent threat, brought about by technological advancements (Sperling et al, 2014). Cyber security has a relatively short, but sturdy history. At first the term ‘cyber security’ was used “by computer scientists in the early 1990s to underline a series of insecurities related to networked computers, but it moved beyond a mere technical conception of computer security when proponents urged that threats arising from digital technologies could have devastating societal effects” (Hansen et al, 2009, p1155). Cyber security, within the collective good/commodity debate, can be seen as both a common good and a commodity, as individuals can be excluded from cyber security.

2.3 Security Governance

In line with Stoker’s understanding of governance, “Security governance, which has grown out of these debates, relates to a particular understanding of how myriad security problems (and resultant insecurities) are tackled” (Webber, 2014, p17). Webber points out that security governance can be seen as a concept, and thus as “pre-theoretical” rather than a fully-fledged theory (Webber, 2014, p36). Cyber security governance is a rising concept. As Louise Marie Hurel and Luisa Cruz Lobato explain: “[c]oncerns over practices in cyberspace are becoming central to the consolidation of an international agenda for cybersecurity. Responses come in different shapes and sizes, and are proposed by different actors. Whether it concerns intellectual property rights, the theft of trade secrets, collection of personal data, critical infrastructure protection, Domain Name System security, or geopolitical issues, the rise of cybersecurity as a multifaceted global issue has led to the proliferation of governance mechanisms aimed at responding thereto” (Hurel et al, 2018, p61).

2.3.1 Security Governance and Privatization of Security

Typically when speaking of security governance, academia has referred to Private Military Companies (PMCs) as well as Private Security Companies (PSCs). Krahmann points out that “[m]any Western democracies no longer hold the monopoly on the legitimate use of violence to protect their citizens. Instead, an increasing number of profit-oriented companies, such as risk consultancy firms, security firms and military contractors, have taken on the role of alternative suppliers of security to both citizens and states” (Krahmann, 2008, p380). Deborah Avant argues that “Although it was once assumed to be solely the province of the state, the private sector is increasingly involved in the use of force” (Avant, 2005, p121). However, when a broadening of security occurs, what other actors can be considered Private Security Companies? According to Hurel and Lobato “Private actors consist of different groups of actors that are not statist in nature, such as non-governmental organisations, for-profit organisations, academic institutions, research centres, groups of experts, and others” (Hurel, 2018, p82). They furthermore point out that “failure to recognise the role of private governance in public policymaking ‘is to risk losing some of its contributions to providing high-level expertise needed for intelligent policymaking today, responsiveness to technological change, networks to reduce the global governance gap, and alternatives” (Hurel, 2018, p69). When relating this concept back to cyber security they underline that “the potential outcome of recognizing private governance in public policymaking is to frame private companies as a source of expertise, rather than actual stakeholders that are able to take part in the process of developing cyber norms” (Hurel, 2018, p69).

2.4 Models of Security Governance in the Privatization

Public-private partnerships have been used for elucidating financial cooperation and governance between public and private actors. Public-private partnerships (hereinafter PPP) can be defined as “more or less sustainable cooperation between public and private actors wherein communal products and/or services are developed and wherein risks, costs, and revenue are shared” (van Montfoort et al, 2012, p6, translation by author). Recently a new trend has emerged wherein this line of thinking is used to shape our understanding of security cooperation and governance between public and private actors. Until recently this thinking has been limited to policing and surveillance. According to van Montfoort et al, PPP in the security sector has been powered by the ambition to find the most effective partnership model, wherein innovation, knowledge sharing, service, and quality of policy implementation are more important than cost reduction (van Montfoort et al, 2012, p7). Furthermore, increasing crime rates made public actors realize that they could not provide security alone (van Montfoort et al, 2012, p7). However, according to Madeline Carr “[c]yber security is emerging as one of the most challenging aspects of the information age for policy-makers” (Carr, 2016). Public-private partnerships have been adopted in many cases, beyond cyber security, to tackle non-traditional (security) issues (Carr, 2016). There are three main public-private governance models that we can identify in the literature today: i) the Junior-Partner model, ii) the Responsibilized model, iii) the Economized model (Matthys, 2010; van Montfoort et al, 2012). These three models are general models within the theory of governance, which have been adapted by their authors to fit the security governance standards.

2.4.1 Junior-Partner Model

The Junior-Partner model describes the outsourcing of peripheral tasks, also referred to as non-core tasks, so that the main actor can focus on the crucial tasks (Kakalik and Wildhorn, 1971). Though the Junior-Partner model is the most studied form of PPP, it is not seen as often in the security industry as it is in other industries like infrastructure (van Montfoort et al, 2012, p12). So far, the Junior-Partner model has mainly been applied in relation to policing. Private aid was seen as an “extension” of the police force, in order to relieve some pressure from the police force when it comes to non-core tasks like administration (Kakalik and Wildhorn, 1971). Within the case as looked at by Kakalik and Wildhorn, the police remained the central security provider. Its contractual agreement maintained “rulership” in order to seek efficiency. Any violation would be seen as a violation of regulation, thus making private actors accountable for their actions. The Junior-Partner model is defined by van Montfoort et al as the “contract” or “concession” model. They identify this model as relying heavily on the control and management of the leading agent, which in this model can always be defined as the public actor (van Montfoort et al, 2012, p18). This is a centralized model where non-core tasks are outsourced. This model can only be successful if the scope, methods, and responsibilities are clearly defined prior to the start of the project (van Montfoort et al, 2012, p18). Weaknesses may include the tendency to rely heavily on contracts as the basis of decision-making, thus keeping a rigid regime rather than exploring innovative ways of dealing with incidents and tasks (van Montfoort et al, 2012). Furthermore, outsourcing non-core tasks may put the public partner at risk of losing control and overview of these non-core tasks.

Table 1: Junior-Partner Model core aspects (table by author)

Actor     Hierarchy                  Division of Responsibilities   Actor accountable
Public    In power                   Core                           Not accountable
Private   Responds to public actor   Non-Core                       Accountable

2.4.2 Responsibilized Model

Contrary to the Junior-Partner model, the Responsibilized model is decentralized; it is described as an “optimal power sharing” agreement wherein the private actor is given enough agency by the public actor to have a say over the security provision. Both actors sit at an equal level within the hierarchy, and set goals and aims together. Goals and methods are thus not defined through the guidance and control of one party, “though such networked partnerships does necessitate coordination” (van Montfoort et al, 2012, p16). Furthermore, the choice to work together can be seen as a moral choice, as it stems from an inherent desire to nurture social responsibility (Matthys, 2010). The Responsibilized model is also known as the “alliance” model (van Montfoort et al, 2012, p16). This model is described by van Montfoort et al as the most active form of PPP in the security industry, as it is a more diverse type of agreement and partnership (van Montfoort et al, 2012, p16). The Responsibilized model relies on the notion of smart cooperation, not smart tendering. It furthermore thrives on the establishment of mutual trust between the various actors involved. Whilst the Responsibilized model encourages corporate social responsibility, it also reinforces unclear boundaries of what is whose responsibility. A high level of trust is thus necessary to properly establish a successful version of this model.

Table 2: Responsibilized model aspects (table by author)

Actor     Hierarchy   Division of Responsibilities   Actor accountable
Public    Equal       Core & Non-Core                Accountable
Private   Equal       Core & Non-Core                Accountable

2.4.3 Economized Model

Within the Economized model, public and private actors are seen as competitors. Herein private actors are included not only to outsource tasks, but also because the public actor lacks the necessary expertise to provide the right amount of security. Within this model, security can be seen as a tradable commodity, and public and private actors are thus seen as competitors. Cooperation between these actors would happen at the margin. Similar to the Junior-Partner model, efficiency is key to this model; on top of that, the public sector will outsource core and non-core activities, which will be done from a consumerist contract state point of view (Hood, 1997, p127). Public and private actors will both provide similar services, the competition between which will increase performance and innovation. Furthermore, tasks are often outsourced when the public sector does not have the right expertise. The contract is the most important part of regulation within this model; accountability for an incident would therefore be dictated by the contractual agreement. Because of the reliance on trust, as well as its horizontal relationship, this model thrives when accountability is judged by an external actor. This model demands a new definition of security; there might not be enough communication between the public and private actor, and the market regulates whether actors adhere to the contract or not.

Table 3: Economized model aspects (table by author)

Actor   | Hierarchy | Division of Responsibilities | Actor accountable
Public  | Competing | Core                         | May be accountable (contract)
Private | Competing | Core                         | May be accountable (contract)

2.4.4 Accountability as a Control Mechanism

Accountability has been widely accepted as an integral concept influencing security governance (Stenning, 2009). Despite this acceptance, its definition still varies between scholars (Bovens, 2010, p946). It has largely “come to stand as a general term for any mechanism that makes powerful institutions responsive to their particular publics” (Bovens, 2010, p947). Accountability is largely defined in two ways: firstly as a virtue, and secondly as a mechanism. This thesis relies on Bovens’ definition of accountability as a mechanism, but subscribes to the idea that accountability as a concept is a virtue that parties strive towards.

‘Accountability’ as a term carries positive connotations, inducing thoughts of fair and equitable governance, making it a characteristic sought after by organizations to uphold or construct their image and reputation and gain trust (Bovens, 2010, p948). As a mechanism, accountability is defined by Bovens as a “relationship between an actor and a forum, in which the actor has an obligation to explain and to justify his or her conduct, the forum can pose questions and pass judgement, and the actor may face consequences” (Bovens, 2010, p951). Actors can thus be held to account “by a forum, ex post facto, for their conduct” (Bovens, 2010, p951). Integral to accountability are two actors: the actor itself – who can be an individual or an organization, and the forum – who can be an individual or an organization such as a court, or an audit office (Bovens, 2010, p951). To recognize an accountability relationship, three elements have to be in place: 1) the actor feels “obliged to inform the forum about his or her conduct”, particularly with regards to incidents, 2) the forum should be able to “interrogate the actor and to question the adequacy of the information or the legitimacy of the conduct”, and 3) the forum may “pass judgement on the conduct of the actor” (Bovens, 2010, p952). Thus, to utilize accountability as a mechanism the following three questions have to be asked with regards to an accountability relationship:

1) To whom is the account rendered?

2) Who should render the account?

3) Why is the actor compelled to render account? (Bovens, 2010, p953).

Both hierarchy and division of responsibilities are intrinsically connected to Bovens’ understanding of accountability, as these aspects may influence the three core elements determining accountability. Therefore, hierarchy and responsibilities are part of the core qualifications regarding the PPP models. Hierarchy between actors, or partnering organizations, may influence to whom the account is rendered, who should render the account, and why an actor is compelled to render an account. Hierarchy is largely based on who has the power to make decisions and implement their policies. Two hierarchy schemes are taken into account in this thesis: centralized and decentralized. In the former, decisions are largely made by one main overarching party, which is either the hospital, the IoT vendor, or a third party; in the latter, both or all stakeholders are equally involved in these decisions. Within the centralized model, the decision-making actor may be compelled to render account precisely because it is the actor making the decisions, whereas within the decentralized model actors may, for the same reason, feel less compelled to render account.

With regards to division of responsibilities, the question who is to be held accountable may influence who should render the account. If an incident occurred that was not intrinsically part of the main tasks set out by one actor, it can influence who will or will not be held accountable for these incidents. With regards to these three main elements, we can link the three main PPP models and Bovens’ accountability mechanism together in the following table:

Table 4: Accountability PPP model, table by author based on Bovens, 2010.

PPP Model       | To Whom?           | What Actor?   | Why?
Responsibilized | Public or Watchdog | Both Actors   | Cooperation
Economized      | Public Actor       | Both Actors   | Contractual agreements
Junior-Partner  | Public Actor       | Private Actor | Contract and Vertical Hierarchy

2.5 Linking Public-Private Security Governance Models with Healthcare

Arguably the majority of the healthcare sector relies on public-private partnerships. However, academia has largely overlooked the element of security within this debate. Healthcare, as well as its procurers, is not generally seen as a typical security provider. However, considering the variety of information that the sector deals with, the health sector can be argued to be a security provider. From a non-traditional lens, the integrity of vulnerable data such as health data can be seen as an important security factor (Neville, 2019). Furthermore, as was seen in the NHS case, the availability of health devices is integral to the assurance of health provision (National Audit Office, 2017). It is estimated that “55 million patient records held by the NHS today may have an indicative market value of several billion pounds to a commercial organization” (BBH, 2019).

So far, the concept of security governance has been limited to studies on policing, and private military firms. However, as Almeida et al point out: “[w]hile technological aspects of the IoT have been extensively published in the technical literature, few studies have addressed the IoT’s social and political impacts” (Almeida et al, 2015). This paper will seek to investigate both the social and security impacts of IoT adoption in the healthcare sector. To respond to the research question at hand this research will rely on qualitative research methods. It will study how the independent variable security governance models (accountability, hierarchy, division of responsibilities) impacts the dependent variable maturity of cyber and data security standards.

2.6 Hypotheses and Sub-Questions

On the basis of the discussion in this chapter, the following hypotheses were formulated:

Hypothesis A: Security governance models significantly impact the maturity of cyber security and privacy standards within the healthcare supply chain.

Hypothesis B: Centralized security governance will lead to a lower maturity of cyber and data security standards

Hypothesis A was based on the question of whether PPP models – influencing factors such as division of responsibilities, hierarchy, and accountability in such a way that may alter the incentives to implement and comply with standards – will influence the maturity of the investigated cyber security and privacy standards. Hypothesis B stems from the assumption that centralized governance, as seen in the Junior-Partner model, will negatively influence the maturity and development of such standards, as the Junior-Partner model relies heavily on contractual agreements and leaves little room for development and novel situations such as incidents.

To research this topic I propose the following sub-questions, which will help structure the answer to the primary research question in the analysis:

• What can be included under the definition of medical IoT?

• What are the most significant opportunities and risks surrounding medical IoT integration in the Healthcare sector?

• How are responsibilities to maintain cyber security and data security shared between the various stakeholders?

• What perception of accountability does each stakeholder have in times of crisis?

• What governance model can be observed between IoT vendors and hospitals with regards to cyber and data security?

2.6.1 What can be included under the definition of Medical IoT?

This first question aims to gather a more comprehensive understanding of what the respondents consider to fall under the definition of IoT in healthcare. The response to this question can affect further results and conclusions, as it changes the scope that the respondents set for themselves and thus for this thesis.

2.6.2 What are the primary opportunities and risks surrounding medical IoT integration in the Healthcare sector?

The second question ties in with the first, in that it aims both to lay the foundations of this topic and to understand why IoT is being integrated in the first place. It also helps us understand why it is important to think about this topic, as it could have widespread impact. Furthermore, the responses to this question can give insight into what the stakeholders see as the most important risks, and thus can guide future research towards a more comprehensive and specific focus.

(25)

25

2.6.3 How are responsibilities to maintain cyber security and data security shared between the various stakeholders?

This third sub-question strives to uncover what governance model can be observed between the various stakeholders by understanding the first part of the equation: how responsibilities are shared between the different actors in the healthcare supply chain. These responsibilities can touch on whose responsibility it is to keep up with the various certifications and standards, who is responsible for responding in times of incidents and crises, and who is responsible for providing updates.

2.6.4 What perception of accountability does each stakeholder have in times of crisis?

The fourth question strives to shed light on the second part of the equation, and thus to understand with which pillar in the healthcare supply chain accountability lies if something goes wrong with the systems, given the sharing or division of responsibilities.

2.6.5 What governance model can be observed between IoT vendors and hospitals with regards to cyber and data security?

Finally, to reach a conclusion to the primary research question it is important to understand how this division of responsibilities and these accountabilities come together in a governance model, based on the reasoning proposed by Bovens (Bovens, 2010). This can shed light on how action should then be taken.

(26)

26

3. Methodology

3.1 Research Approach

The research question at hand seeks to explore how factors such as accountability and responsibilities are divided between third party IoT vendors and distributors such as hospitals, and how this division impacts the maturity of cyber security and privacy standards. This thesis thus seeks to cross-reference the PPP models listed above with the current status quo in the Dutch healthcare sector, as well as to recognize how mature the current ecosystem is with regards to compliance. By comparing these, the findings will provide the insights needed to recognize vulnerabilities and opportunities for improvement. To respond to the research question and working hypotheses I will rely on a small-n study, based on semi-structured elite interviews with key representatives from the IoT and healthcare industries, in combination with a document study of relevant standards and regulations. This method of interviewing was chosen for the flexibility and exploration it offers in relation to the research question. In this thesis 9 key stakeholders were interviewed, who hold positions in the public, private, and professional services fields. This methodology will aid in shining light on the current status quo of IoT in healthcare, whilst concurrently allowing for valuable insights to provide recommendations for the future deeper adoption of connected healthcare.

3.2 Operationalization of Key Concepts

3.2.1 Cyber and Data Security Standards

For the purpose of this paper it is important to conceptualize cyber and data security, as it is a crucial element of the dependent variable. The “CIA” triad model is used to outline the main tasks needed to maintain cyber security. CIA stands for “confidentiality”, “integrity”, and “availability”. Model 2 below outlines the definitions of these principles. The CIA triad is a widely accepted framework of concepts, where confidentiality refers to safeguarding sensitive data from people without the right authority to access it, integrity to the consistency and accuracy of the data, and availability to continued, uninterrupted access to the data and the systems.

Model 2: The CIA Triad (image by author).

There are various international and national standards that translate these three concepts into practical actions, and various cyber and data security standards are being utilized in practice today. Well known are the standards set by the International Organization for Standardization (ISO), such as the ISO 27001 series. Within the Dutch healthcare sector the two most utilized standards for cyber and data security are the NEN 7510 and the “MedMij Afsprakenstelsel”. Furthermore, the European-wide General Data Protection Regulation (hereinafter GDPR) largely regulates how data should be processed and collected.

3.2.1.1 Security Standards

ISO 27001

The ISO 27001 standard focuses on information security management. It strives to help organizations maintain information security by setting requirements for “information security management systems” (ISO 27001).

NEN 7510

The NEN 7510 was developed by the Dutch Royal Normalization Institute in 2017. It outlines the cyber security standards that Dutch health institutions are expected to uphold (NEN 7510, 2017). The NEN 7510 further relies on the ISO 27001, but adapts the ISO notions to a more local scale. The NEN 7510 defines the types of data that are included under its mandate as being:

• Personal health data;

• Pseudonymized health data;

• Statistical and research data;

• Clinical/medical knowledge;

• Data on health professionals, staff, volunteers;

• Information related to public health surveillance;

• Audit trail data;

• System security data for health information systems (NEN 7510, 2017).

Covenant Medical Technologies

The Covenant Medical Technologies (CMT) is a covenant drawn up by the Dutch Ministry of Public Health and Wellbeing, commissioned by the Dutch Organization of Hospitals, and the Dutch Federation of University Hospitals to aid with the effective and safe implementation of a Safety Management System (SMS), with regards to risk management, and safe application of Medical Technologies in direct patient healthcare (CMT, 2011, p2). The Covenant was published in 2011 following a fire in an operating room in a Dutch Hospital [Respondent 6]. It outlines best practices and advice from the ministry to standardize and help secure the medical sector with regards to new Medical Technologies. The CMT solely applies to Dutch Hospitals and the Dutch healthcare sector.

3.2.1.2 Data Security Standards

MedMij

On the other hand, the MedMij Afsprakenstelsel was drafted to help ensure that “personal, sensitive and confidential health data can be exchanged between personal health environments and healthcare providers in a safe and user-friendly manner. The exchange takes place in two directions; people can collect and share data” (MedMij, 2019). MedMij strives to achieve interoperability between stakeholders in the healthcare sector; its framework consists of legal, organizational, financial, communicative, semantic, and technical agreements to assure safe data exchange between healthcare providers (MedMij, 2019). The MedMij regulations also incorporate the General Data Protection Regulation (GDPR) standards on the processing of personal and special data (MedMij, “Toelichting AVG Normen”).

General Data Protection Regulation

The GDPR came into force in the European Union on the 28th of March, 2018, and dictates appropriate processing of personal data throughout the European Union (GDPR). The GDPR is also having significant effects on non-European privacy regulations, such as the American Health Insurance Portability and Accountability Act (HIPAA). Other countries have also been inspired by the GDPR and have adopted its principles in their own national regulations, take for example the Singaporean PDPA. Furthermore, the GDPR requires any organization processing and collecting personal data in the European Union to be GDPR compliant, thus also obliging international companies to comply with the regulation.

Within this thesis, these standards will be utilized in the following way: the NEN 7510, ISO 27001, GDPR, and the MedMij standards are used as the cyber and data security standards set on a European level on IoT security and healthcare security. Through interviews with stakeholders we seek to understand both how accountabilities are shared, as well as how responsibilities to uphold these standards are divided.

3.2.1.3 Maturity of Standards

To test the maturity of these standards this thesis relies on three assumptions: whether standards are a) implemented, b) deemed important or not by the respondents, and c) whether these standards aided in determining how accountabilities and responsibilities are shared. Furthermore, the answers from the respondents will be cross-referenced with two maturity models to aid in responding to the research question at hand. The first maturity model was developed by Le Ngoc and Hoang in their article “Capability Maturity Model and Metrics Framework for Cyber Cloud Security” (Le Ngoc & Hoang, 2017, p280), based on the Capability Maturity Model developed by Watts Humphrey, and will be used to provide more structure to the conclusions drawn from the data. Though this model was originally used to understand the maturity of cloud security, it is applicable to our medical IoT case study as it has previously been used to gauge the maturity level within other supply chains. For the purpose of this thesis the model will be further subdivided into low, medium, and high maturity, whereby the first two steps are considered “low” maturity, the defined stage medium maturity, and the final two steps high maturity. This model was chosen because it is one of the most widely used and proliferated maturity models.

Model 3: Capabilities Maturity Model Processes Levels (figure by author, based on Le Ngoc & Hoang, 2017).

The second maturity model that will be used to test the maturity of compliance, is the compliance maturity model, developed by Deloitte Enterprise Compliance and Life Sciences Compliance Advisory in 2015. This model strives to make it more accessible for businesses and organizations to check the maturity of their compliance in a more comprehensible fashion. The same division counts with this maturity model as with the first one, where the first two levels encompass “low” maturity, the middle tier “medium” maturity, and the top two constitute “high” maturity.

Model 4: Compliance Maturity Models (Deloitte Enterprise Compliance and Life Sciences Compliance Advisory, 2015).

Process levels shown in Model 3:

• Initial: ad hoc, inconsistent.

• Repeatable: basic and consistent processes are established; processes are repeated.

• Defined: processes are well-defined, documented, standardised, and fully integrated into the entire organisation.

• Managed: strategic analysis through collected data; processes are clearly quantified.

• Optimising: proactive process improvement, implemented through feedback; new ideas and technologies are developed with the aid of this insight.

3.2.2 Healthcare Security Supply Chain

“Information technologies are widely utilized in supply chain management to facilitate information exchange, to reduce cost and to improve productivity” (Zhou, 2017, p141). Within this thesis, healthcare security supply chain refers to the information exchange between IoT vendors and healthcare providers such as hospitals. For the purpose of this paper it is important to narrow down what is meant by IoT devices. These are any devices connected to the internet which share information ranging from system information and environmental information to healthcare data. “IoT has largely been articulated as an approach that allows objects in the physical world to interact in a manner similar to the coordination between humans and information within the traditional Internet” (Blake, 2015). It is estimated that by 2025 there will be around 100 billion connected devices (Almeida et al, 2015). Analytics India describes the vulnerabilities of IoT devices as follows: “IoT devices interact with the web in ways conventional IT devices usually do not. The effectiveness of cybersecurity and privacy features are often different for IoT devices than conventional IT devices as they may run on different (or no) operating systems. IoT security is one of those features that is still thought to be a costly add-on or idea in retrospect in the development of both chips and frameworks associated with systems. The IoT’s security difficulties are especially overwhelming in light of the fact that they require shielding devices outside of conventional enterprise boundaries. Additionally, these endpoints are intended for lightweight information transmissions - not enterprise-grade security norms” (Chawla, 2019). In this paper the healthcare security supply chain refers to the relationship between the vendors and distributors (IoT vendors and hospitals respectively). This provides the baseline for which relationship is being studied.

3.2.3 Security Governance Models

In the Theoretical Framework of this paper we have elaborated upon the various security governance models that exist within the study of security governance. These three models will be referred to in order to identify the type of governance models that exist between different partners within the healthcare security supply chain. The PPP models as defined by Bovens aid in identifying the main distributions and divisions of accountability and responsibilities with regards to cyber security and privacy compliance, the outcomes of the conducted interviews can thus be cross-referenced and compared to these divisions in order to come to a better understanding of which PPP model is most prevalent in the Dutch Healthcare sector.

3.3 Data Collection

This thesis will investigate the research question through qualitative research methods, by conducting semi-structured elite interviews with experts in the field. This method was chosen as very little is yet known about the relation between IoT vendors and other stakeholders. Interviews aid in exploring the views, experiences and beliefs of individuals and groups, and help the researcher explore a topic rather than confirm (Gillham, 2005). The combination of semi-structured elite interviews over Skype and in person was chosen as elite interviews are described as the method of “talking to people who are especially knowledgeable about a particular area of research or about the context within which you are researching” (Gillham, 2005, p54). The semi-structured interview, on the other hand, “is the most important way of conducting a research interview because of its flexibility balanced by structure, and the quality of the data so obtained” (Gillham, 2005, p70). With semi-structured interviews all questions are asked of the interviewees, but probes can be used to dive more in depth into certain topics (Gillham, 2005, p70). The population consists of 9 key representatives from the IoT and healthcare industries respectively. Their roles range from hospital CISOs, project managers and consultants to IoT CISOs. This population was chosen as these are experts on the subject of security within this field, who are able to explain the relations that exist between the various actors within the healthcare cyber security supply chain.

Table 5: Population (table made by the author)

Area of Expertise               | Public/Private | Number
Hospitals                       | Public         | 2
Large IoT vendors               | Private        | 2
Small IoT vendors               | Private        | 2
Professional-Services Companies | Private        | 3
Total                           |                | 9

Furthermore, the results from the interviews are supported by policy documents and the legal documents of the relevant standards studied in this research, such as the ISO, the NEN 7510, as well as the MedMij and the GDPR. These will be investigated through a brief document study of the relevant policy documents and standards to triangulate the data collected from the respondents.

3.4 Data Analysis

In order to analyze the data collected in the interviews I will firstly transcribe them to text. Bill Gillham points out that transcribing interviews is not as simple as “producing a valid written record of an interview” (Gillham, 2005, p121), but rather that it is an act of translation as well. He also points out that “the first few interviews throw up most of the categories you derive, and that subsequent interviews add content but little in the way of new categories”; as such, Gillham opts for selective transcription after the first few interviews (Gillham, 2005, p121). A thematic analysis of the findings will be conducted. “[Y]ou can [...] break up a total narrative into particular themes” (Gillham, 2005, p130). Themes here are defined as “a kind of horizontal category – something that exists as a ‘sub-plot’ within the main narrative, perhaps dealt with (in a research report) as a section or chapter. Abstracting these subsidiary narratives focuses attention on the structure of the overall narrative” (Gillham, 2005, p130). A thematic analysis of interview findings means codifying the data, so as to properly analyze it afterwards. Coding data “allows researchers to engage in data reduction and simplification. It also allows for data expansion (making new connections between concepts), transformation (converting data into meaningful units), and reconceptualization (rethinking theoretical associations) [...] Further, through coding, researchers make connections between ideas and concepts” (Decuir-Gunby, 2011, p138). Codes are defined as “tags or labels for assigning units of meaning to the descriptive or inferential information compiled during a study” (Decuir-Gunby, 2011, p137). Codes are assigned to data “usually phrases, sentences, or paragraphs that are connected to a specific context or setting” (Decuir-Gunby, 2011, p137). This thesis will rely on theory-driven as well as data-driven code definition, meaning the codes will both rely on a priori set theory and emerge from the collected data. Decuir-Gunby et al outline the main steps for developing both theory-driven and data-driven coding: “[d]eveloping theory-driven codes involve three steps: (1) generate the code; (2) review and revise the code in context of the data; and (3) determine the reliability of coders and the code”, whilst “[d]ata-driven codes [...] involve five steps to inductively create codes for a codebook: (1) reduce raw information; (2) identify subsample themes; (3) compare themes across subsamples; (4) create codes; and (5) determine reliability of codes” (Decuir-Gunby, 2011, p141). Furthermore, triangulation will be used in order to validate the information gathered through interviews. “Even if we accept that an interview, at least in terms of feelings, attitudes, understandings and perceptions, provides access to a person’s subjective world – a self-construction – the question remains as to why they ‘construct’ themselves as they do” (Gillham, 2005, p165).

Table 6: PPP characteristics (table by author, based on Bovens, 2010)

PPP Model       | Accountability | Responsibilities | Based on (based on “why” from Bovens, 2010)
Responsibilized | Both Parties   | Both Parties     | Cooperation
Economized      | Both Parties   | Public Actor     | Competition
Junior-Partner  | Private Actor  | Private Actor    | Contracts

Tools Used

For data collection I will rely on recordings of the interviews. These interviews will first be roughly transcribed using the AI transcription software “Otter.AI”, after which the contents will undergo a further review by the author to ensure that the transcription is accurate. This data will then be analyzed and coded using the DeDoose software. The codebook referred to throughout the methodology can be found in appendix table 26.

3.5 Limitations to Method and Research

A limitation of this method and research is that very little is known about this topic. This forces us to resort to explorative research methods to investigate what knowledge practitioners hold about security governance models within the healthcare sector. Whilst this method can elucidate many factors that influence governance and accountability, the methodological undertone of interviews is that they uncover subjective views and opinions, and not necessarily objective truths. Furthermore, semi-structured interviews are costly in time, as developing the questions and preparing for the interviews is time consuming. Elite interviews also have downsides, as access to the interview subjects may be more difficult, and their answers may have political motives and may not be completely transparent.


4. Analysis

This chapter will elaborate on the findings of this research. It is divided in two overarching sections; the first section seeks to identify the common characteristics observed in the Dutch Healthcare sector with regards to the PPP models. The second section is dedicated to the maturity of the studied standards, as well as how the PPP models help make sense of this maturity. Section 2 will therefore also provide an answer to the research question at hand. Each section will be composed of the findings from the interviews, as well as findings from the standards and regulations.

Section 1: Current Status Quo

4.1 What is Medical IoT?

It is important to first respond to the sub-question “what can be included under the definition of medical IoT?”, as this uncovers what the interviewed stakeholders and the standards view as medical IoT. The provided answers will streamline the scope of this thesis, as well as the response to the research question. Though some wider definitions were observed, the findings support that IoT is presumed to be the devices and sensors connected to each other or to a database through the internet or an intranet.

4.1.1 Medical IoT definitions

Standards

The studied standards do not explicitly define Internet of Things devices in their definitions sections. According to the Covenant Medical Technology (hereinafter CMT), Medical Technologies include IoT devices, which are defined as the “application of organized knowledge and skills in the form of devices, […] procedures and systems, who were developed to solve healthcare-related issues to improve the quality of life” (CMT, Art. 1.1, translation by author). The Medical Device Regulation (hereinafter MDR) defines Medical Devices – including IoT devices as “any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following specific medical purposes” (MDR, 2020, p15).


During the interviews various definitions of IoT were proposed, the primary characteristic being that IoT devices have to be connected to the internet. Such devices include, for example, sensors. One of the interviewees pointed out that the term “IoT” is largely an umbrella term for various concepts [Respondent 1 – Professional Services]. As such, not only sensors and devices connected to the internet were mentioned, but also concepts such as Artificial Intelligence, Electronic Health Records (EHR), platforms, and applications. However, some also pointed out what IoT is not; for example, platforms or mobile phone applications only become part of the IoT ecosystem once they are connected to a device, or become a health-monitoring device.

“[…] in my opinion, IoT is not a medical app on a cell phone. IoT is not a platform. IoT is […] the moment that an app is connected with a device with a monitoring device, heart rate device… […] IoT [is] more than just connected telephone application.”

[Respondent 1, Professional Services]

Examples given include Fitbit, heart-monitoring devices, and sensors that monitor vital signs in an operating room. One stakeholder argued that “sensors are also sort of IoT I think. And they are not connected to a person, but to an object… [or] devices and apps that patients or wear an implantable or that collect information from the patient and send them to the hospital.” [Respondent 2, Professional Services]. Another interviewee argued that “it doesn't really matter what means IoT in healthcare” [Respondent 1, Professional Services], because the concept and its definition are so broad.


4.2 Opportunities and Risks

To understand the conditions surrounding IoT integration in the healthcare sector, it is important to identify the primary opportunities and risks of that integration. All stakeholders recognised opportunities in implementing IoT in healthcare, particularly with respect to the broader obstacles the sector faces. At the same time, multiple risks were named, such as the loss of data and the unavailability of systems.

4.2.1 Opportunities of IoT

IoT integration offers opportunities with respect to some persistent, overarching problems in healthcare: staff shortages, a lack of funding, and an ageing population. Staff shortages limit the ability to give sufficient care to all patients. A lack of funding aggravates this, and makes long-term patient stays in hospitals expensive and less desirable. An ageing population further strains traditional care providers such as hospitals and retirement homes. In this debate IoT can play an important role: as one respondent pointed out, IoT can be “a solution that directly have an impact on the process, so it can show directly a benefit in the process” [Respondent 1, Professional Services].

IoT can further be particularly helpful in developing and scaling “healthy living prevention, diagnosis treatment, homecare” [Respondent 3, Large IoT vendor]. With regard to costs and resources in healthcare, one respondent from professional services argued that:

“[…] costs and resources in healthcare are scarce so […] the demands become much more coming years, and the employees are scarce to find. So they have to find new solutions to deliver at the minimum the same level of care, so they decide to do the same work or more work with less employees.”

[Respondent 2, Professional Services]

This respondent further argues that “lots of hospitals […] have the strategy to move their patients to their own homes. So they don’t have to use expensive beds in the hospital.” [Respondent 2, Professional Services]. This is a particularly promising area for IoT implementation, since IoT devices support the remote monitoring and care of patients. IoT not only
