Volume 2011, Issue3 Newsletter | Voler Systems
In This Issue:
IoT technology continues to transform every aspect of our daily lives. While most associate the Internet of Things with innovative home technology and other flashy tech gadgets, one of the largest sectors of this technology is healthcare.
A focus on patient-centric care and cost-control measures in hospitals resulted in an IoT healthcare market share of about 34.6 percent in 2020. There are no signs of slowing down, either. Thanks to advancing technologies like Artificial Intelligence and Machine Learning, it's only the beginning.
Despite all the good that can come from innovative medical devices, they also have inherent risks. Cyberattacks are more common than most realize. Medical systems are a prime target, with almost 600 data breaches reported in 2020 alone.
Unfortunately, security risks for medical devices became even more prevalent than ever during the pandemic.
Those high-profile cybersecurity breaches only highlight the need for robust security features in the age of healthcare IoT.
When designing a new medical device, cybersecurity should be an integral part of the product. The average hospital room contains between 15 and 20 network-connected medical devices. That's not counting wearables and implanted devices.
All of those items are a goldmine of high-stakes information. Considering just how sensitive that data is, it's not hard to see why medical devices are a target.
Many hackers seek to steal Personally Identifiable Information (PPI) and Protected Health Information (PHI). That data is then a source of blackmail or ransom. In cases of blackmail, the target is typically a public figure with a medical history that could damage their reputation.
Attackers can also hold PHI for ransom. Not only does this bring healthcare organizations to a standstill, but it prevents physicians and nurses from administering potentially life-saving care. In 2020 alone, healthcare hackers demanded nearly $4.6 million in ransom for stolen data.
Stealing medical information is reprehensible in its own right, but what about hackers with more nefarious goals? IoT technology offers the chance to monitor and control devices remotely. When access gets into the wrong hands, those medical devices can lose functionality and pose more problems than they solved.
The FDA published a statement in 2019 warning patients and providers of these vulnerabilities. According to researchers at Vanderbilt University, hacking is already responsible for an uptick in fatal heart attacks at hospitals that experienced a data breach.
It took nearly three minutes longer to receive an electrocardiogram for suspected heart attack patients in those facilities, which is valuable time that could have saved a life.
Cybersecurity threats in medical devices are not theoretical or hearsay. They're genuine issues that have real-world effects.
Security risks continue to evolve, and policies help to guide makers in the right direction. FDA, CE, and HIPPA requirements all exist to ensure that modern medical devices cover the basics. However, that doesn't mean that securing these gadgets is any easier. Due to the nature of how they work, there are many challenges to overcome.
One glaring issue is varying safety protocols across the board. To provide the best healthcare possible, providers typically share data electronically. There's nothing wrong with that as long as everything complies with HIPPA.
The problem, however, is that the level of authentication can differ from one location to the next. Just because the data is safe locally doesn't mean it will be secure when viewed by another provider elsewhere.
Medical devices are long-lived, with an average estimated useful life of seven to ten years. The issue here is that security threats continually evolve.
A medical device needs continual patches and updates to stay secure throughout its life. It's a fundamental security protocol that isn't always easy with deployed products.
Patients and providers who set up devices on their own aren't always aware of cybersecurity threats. As a result, some do not comply with recommended security measures. They may choose weak authentication methods, refuse to update security patches, and more, resulting in unnecessary risk.
Not only that, but it's challenging to monitor the state of the device after deployment. Even with data synchronization, there's no way of seeing who has accessed the device in most cases. It is also hard to confirm who is wearing or using a wearable device.
If a device is easy to hack, it can be used as a gateway to the healthcare provider’s network. If a user does not properly secure a device, it can make the entire network insecure. Hackers often gain access to a network through a weak point. Once they have access, they can attack other devices and services on the network. This is one way that ransom attacks are started. Hackers may disable critical data and hold it for ransom.
In an office or hospital setting, it's easy to control security standards of wireless protocols. But what about when a patient is at home or in public? Many devices have connectivity protocols like Bluetooth, NFC, Wi-Fi, and cellular. All of those are vulnerable to attacks without the right technology in place.
If your device synchronizes data through the cloud, it's vulnerable to a myriad of threats. Cloud computing and storage are becoming more widespread in the healthcare sector, which only increases the risks. Poorly secured cloud servers are vulnerable to DDoS attacks, account hijacking, malware, and more.
Ultimately, security should be a top priority whenever you're designing a medical device. Rather than treating it as an afterthought, security measures should work seamlessly with the device's core functionality.
Here are some IoT security features worth building into your next medical device.
PKI, or Public Key Infrastructure, is critical for securing connected medical devices. This technology has been around for a while and is likely in many devices you use daily. Essentially, it provides encryption and authentication to any connected device.
A PKI works by using both keys and certificates. The cryptographic key is responsible for scrambling and unscrambling data. Even if hackers were to get hold of the data, the key would prevent them from reading it.
The certificates act like digital passports. The PKI issues certificates to authenticate the identity of users and/or devices that are trying to communicate on a bigger unsecured network. This ensures the device/person is the rightful owner of the encryption key. Think of it as the identifying mechanism to share keys. It authenticates the identity of the user and device, resulting in much safer communications across the board. It also facilitates compliance with regulatory guidelines and standards.
To take your data scrambling even further, you can implement hardware-based encryption. It's more secure than software-based encryption, as it relies on a dedicated processor for authentication.
When a medical device operates normally, there are many windows for hacking and data theft. Typically, this occurs as the device processes and generates information.
To keep the data from prying eyes, you can implement safety measures to isolate, separate, and obfuscate it. During hardware-enforced isolation, the device's CPU and RAM are inaccessible by hosts or intruders. It's a more secure alternative software security solution, as those measures share resources with the host.
Your device's software can help to separate applications and hide the true nature of the data. Obfuscation and masking automatically disguise sensitive information as simple production data, making it useless to would-be hackers.
Integrating networking protocols is a must. Medical devices need to manage communication attempts and control who gains access. Older devices lacked even basic firewalls, limiting the security to nothing more than authentication passwords. A setup that is rudimentary is no longer possible.
All IoT medical devices should have embedded firewalls that provide rule-based filtering. They should limit access to only known and trusted sources. Current FDA security guidelines state that devices also need remote management of firewalls. That way, firewall services can block unused ports and protocols while keeping up with evolving threats.
Deploying a monitoring feature goes a long way to providing long-term security for medical devices. As mentioned earlier, security threats are complex and ever-changing. Even as technology improves to become safer for the masses, threat actors develop more ways to get around security measures.
A monitoring and intrusion detection system identifies vulnerabilities as they occur. They monitor in-network traffic, log firewall activity, and report suspicious activity to appropriate management systems.
The goal is to catch potential security threats before they become widespread problems. Intrusion detection systems are becoming more popular within the IoT environment, and medical devices are the types of devices with the most to gain.
Medical devices can continue to serve patients and providers for several years. To maintain cybersecurity integrity, they must feature remote management and update capabilities.
Managing the firmware allows you to update security provisions that follow evolving threats in the healthcare landscape. Management features also let you incorporate new features and monitor the status of devices while staying one step ahead of hackers.
When designing medical devices, you need to plan for every possible outcome. These products directly impact the well-being of vulnerable patients. IoT technology is about improving healthcare, so you must make devices as secure and safe to use as possible.
Historically, hacking attempts are a matter of when, not if.
Let Voler Systems help you implement the IoT security features you need to meet compliance and safety requirements. We offer design and development services for medical devices, wearables, and more.
With decades of experience working with sensors and wireless communications, we have the know-how to create safe and reliable products.
We provide full-service R&D consulting from concept and design to production of devices...