By John Grimm
A patient is rolled to the waiting room ahead of a routine surgery. The nurse takes their vital signs and assures them everything will be fine. Suddenly, something seems not quite right and the nurses are rushing around to read admission charts and adjust devices. The wrong dosage of medicine has been administered. This may seem like the plot of a sci-fi movie, but IoT medical device vulnerabilities are real.
It is no secret that connected healthcare technology can provide a pathway to improved care, higher patient satisfaction, and reduced clinical costs: it is the future of the healthcare industry. The desire to move quickly to begin to reap those benefits must be balanced with a pragmatic view of the associated risks, and the need to protect patient safety and private patient data. Whether it is electronic health records (EHR), remote diagnosis, or lifestyle management and monitoring apps, the Internet of Things (IoT) is undeniably catapulting medicine into the future, and transforming the landscape for hospitals, clinicians, and medical device makers alike.
Technology companies working to improve operational efficiencies and create a more personalized level of care have given rise to the ‘Connected Health’ market which is estimated to be worth $612 Billion by 2024. In this new age of technology-driven healthcare, success requires health systems to build an interoperable, encompassing digital health ecosystem. The challenges lie in connecting devices and systems from different providers that might have previously had limited or no connectivity, creating unanticipated or unpredictable blind spots. In seeking to connect systems to more easily share information and try to produce better analysis and outcomes, new risks to privacy and even patient safety can inadvertently be introduced.
EHR: Virtual Health Roadmaps
While we’ve witnessed breaches in retail for some time, the rise of cyberattacks against health systems and healthcare companies is an emerging phenomenon. Hospitals are required by law to protect personally identifiable information (PII) but, internet connected devices are fast becoming the way into the system to get around those core protections. A vulnerability in something as small as a thermometer gives hackers a window directly into the system, sometimes completely undetected. One study found that over the past year, two out of every five hospitals (39%) reported a data breach. While that may not be as high as the number of retail attacks, one must consider what information is stored in your electronic health record (EHR).
An EHR serves as the digital footprint of a patient’s medical history, everything is listed from their current medications to their social security number. Think of it as a golden chest of information for a hacker, one keystroke can unlock an immense amount of personal data that would have otherwise had to come from multiple sources. And unlike a credit card number which can simply be revoked and replaced with a new one, personal information loss can cause months or even years of headaches for the victim.
Implanted Devices at Risk
No doubt, having your identity stolen is a traumatic and irritating situation, but the compromise of certain types of medical devices can literally put lives at stake. For example, last year the FDA issued a voluntary recall of 465,000 connected pacemakers after exploitable security vulnerabilities were discovered. With the rise of connected pacemakers and other devices that directly impact the health and safety of a patient, it is imperative that security is part of their core design, and that proper security throughout the projected lifecycle of the device is accounted for.
Beyond introducing a newly connected device, and, therefore, a potential new pathway for a would-be attacker onto a hospital’s network, assuring correct operation is paramount as well. For example, it is critical that the right data from the right clinician goes to the right device to instruct it to perform the right procedure or administer the correct amount of medication to the right patient. There must be no question at any point over the data’s or device’s integrity, or the proven identity of the devices and patients involved. Patients and practitioners must be able to trust that devices and interconnected systems will do what they are supposed to do. So, what then is the solution?
Updates, Digital Certificates, and Keys
It is clear that patients and practitioners alike require a level of assurance that medical technology is being implemented in a trustworthy way, and that any and all data being transferred or processed is protected from compromise. Despite new security regulations and increased scrutiny, healthcare will need to go a step beyond. Fortunately, there are ways that companies, regardless of industry, can protect their devices:
Digital certificates (cryptographic credentials that establish a unique identity for each device) and associated private keys installed at the point of device manufacture provide a root of trust so that devices can be identified and authenticated when put into operation, and also a means to assure the integrity and authenticity of software updates and security patches that are necessary to maintain security throughout a device’s lifetime.
Encryption of data is fundamental to protect the confidentiality and privacy of data stored in and shared by medical devices. Medical data encryption, with proper encryption key management, ensures that even if data is stolen, it is useless to the attacker.
Key management, which can be the Achilles heel of an encryption solution, must ensure that keys are available only to authorized users and processes, protected from all others, and specifically accounted for at every stage of their lifetime (from generation to retirement and every step in between). Best practices for key management that include regular key rotation and proper key destruction, for example, are vital to underpin encryption solutions that protect data in motion or data at rest.
From cost reduction and increased efficiency to encouraging a healthier life and reducing the margin of error, there’s no taking away technology’s application in healthcare is improving the patient experience. At the same time, however, the number of opportunities for cyber-crime is growing, along with the risk of compromised data. While regulations can serve as a baseline for healthcare security they alone cannot mitigate all the risk. Since medical devices have the potential to impact patients’ lives as well as their wallet and identity, healthcare providers must take every possible step to understand and minimize risk, including ensuring the devices they use are secured by design and capable of being updated to protect against any discovered vulnerabilities.
John Grimm is senior director of IoT security for Thales eSecurity.