Connected medical devices are ubiquitous in healthcare settings where providers digitally monitor patients’ compliance and treatment. But in today’s unprecedented context, the need to shift workloads to the cloud and protect all endpoints has never been greater.
There is a healthy fear that hackers can exploit vulnerabilities, thereby endangering patients and compromising data assets. In March 2020, the U.S. Health and Human Services Department suffered a distributed denial of service (DDoS) attack on its computer system. The attack, carried out by automated users, or bots, involved overloading servers in order to slow the system down or paralyze it.
Concerns over cybersecurity are warranted, considering that 25 billion connected things will be in use by 2021, according to a Gartner forecast. The potential risk can be devastating as the heightened dependency on digital infrastructure raises the cost of failure.
As the COVID-19 pandemic triggers a rapid retooling in industries to support the call for medical IoT—diagnostics systems and device support—the rush amplifies existing security challenges the industry has been working to solve.
Ellen Boehm, senior director of IoT product management at Keyfactor, a provider of secure digital identity management solutions, sees the reality behind the statistics every day.
“Any new connected device expands IoT attack vectors; cyber-attackers are exploiting the global crisis, and hardening device security is critical,” says Boehm. “In the case of connected medical devices, security risks can be life-impacting. Devices that relay regulated signals, like pacemakers or insulin pumps, can be intercepted. Attackers can change the data or alter the device’s firmware and software. For example, if an attacker accesses an insulin pump, they can alter the data that a doctor receives, potentially changing dosage requirements and impacting patient safety. Manufacturers need to plan and properly secure devices that are fast becoming more complex machines with complex functions.”
In a virtual conversation with Machine Design, Boehm discusses the importance of being vigilant in uncertain times by touching on ways to maintain compliance through IoT-powered technologies, nudging industries to take stock of their security protocols and freeing up IT teams so they can make progress on pressing issues.
Machine Design: Please tell us about the security risks. What are the motivations behind and intent of these threats? What are the latest tactics and techniques they’re using?
Ellen Boehm: Each year, more and more devices are becoming connected to the internet, as companies see opportunities to deliver improved outcomes, including device optimization, data analytics or customized functionality from their IoT products. When more devices are connected, it creates a larger target for hackers to exploit, spreading the impact of their malware or interruption of servers to a broader landscape. Tactics involve exploiting the weakest link in the software or firmware in the IoT system, whether that’s at the device, application or cloud layers.
Oftentimes device manufacturers who aren’t as established with connected products find themselves with issues around authentication, lack of sufficient code signing or weak encryption, making it easy for others to take advantage. These types of threats are old news for web applications and the enterprise space, but are resurging in the launch of new IoT devices for those with a lack of experience in the cybersecurity space.
EB: When it comes to medical device security, the U.S. Food and Drug Administration (FDA) guidance around cybersecurity has been very informative and helped medical device manufacturers think about how to incorporate the right level of cybersecurity into their products. Additionally, the recent California IoT security regulation bill (SB-327 Information privacy: connected devices) requires unique credentials for each device. It all starts with establishing trust in every device that’s manufactured, using a different digital certificate for each one.
MD: What can manufacturers and a multi-disciplined design ecosystem do to protect their firmware/software? What proactive steps should they take?
EB: When it comes to protecting IoT device communications, unique digital identities utilizing asymmetric certificates and a method for generating IoT device credentials based on a designated root of trust is a recommended method to implement trust within IoT devices and endpoints they communicate with.
MD: Can you explain how it is possible for a hacker to compromise patient safety?
EB: We must think beyond only the physical device and how it functions, because that is only one angle. We obviously don’t want hackers to change settings on a device that’s connected to a person and impact their health, but we also don’t want that same exploiter to get into medical records—access health history or other personal information that might be tied to that individual through the system. That is why it’s so important for all communications between endpoints in an IoT system to use encrypted methods to transfer critical data or commands.
MD: You’ve stated that the pandemic will alter the way industry operates in future. How is it affecting industry now, and what should manufacturers do to pivot in future? What will they need to alter going forward?
EB: I think this pandemic has been an eye-opening experience for many of us and has made us think differently about how we work and how healthcare is provided during a time of emergency. With so many “stay at home” orders, patients have a greater need for telemedicine to connect with their provider since a physical visit is often infeasible or risky due to infection. This is perhaps truer for elective procedures or non-essential consultations that are being postponed. If these consults could be held remotely, then health and wellbeing visits can be maintained as planned and not backlogged until a later date.
With regard to COVID-19, patients with a higher risk of complications from the virus can remain safely in their homes and yet take advantage of remote healthcare options. Additionally, connected devices can be leveraged to provide doctors and clinicians with patient vitals and information through a secure platform, all without the patient needing to leave their home. It’s essential that all patient data and information are being securely protected throughout each of these connected experiences.
MD: Any tips you can provide on what to be wary of? Are there any tipoffs?
EB: As the opportunities for telemedicine will likely be increasing in the future, the need for strong encryption of any communications around patient health and safety is only going to grow. Consider what we’re hearing in the news recently about Zoom—the video conferencing company that is under scrutiny for their lack of security around end-to-end encryption. While there are many benefits to remote consultations, when it comes to the healthcare industry and people’s life and well-being, there is little room for error.