Today’s connected-health solutions have dramatically improved patient care. Ensuring that they simultaneously protect patients from hackers requires a closer look at their security, especially as they move to command-and-control models using commercial smartphones.
Vinay Gokhale, Thirdwayv
(Image from Thirdwayv)
No one doubts that connecting medical devices in the Internet of Things (IoT) has delivered many benefits that have dramatically improved patient care. These devices, from insulin pumps to heart-rate monitors, have become critical elements in the continuum of care. But their benefits risk becoming liabilities if the security of these connected medical devices is in doubt, an afterthought, considered prohibitively expensive or, worse, assumed to exist when it does not.
These issues become especially critical as the industry moves to the convenience of using commercial smartphones for command and control. The key to protecting any connected-health system, and especially those used with commercial phones featuring Bluetooth connections, is to fully understand threats and mitigate them through end-to-end, multi-layered security.
Understanding the threat
Many of today’s heart defibrillators, insulin pumps, glucose meters and other devices can be wirelessly hijacked and reprogrammed. The FDA issued a safety warning about this issue in May 2019 when a type 1 diabetes patient landed in the hospital after exploiting a safety flaw in a commercially available, FDA-authorized pump. He used this flaw to re-program his pump for use with an unauthorized device so he could customize his treatment. The FDA warned that this type of customization could pose significant risks if not implemented correctly. Even more worrisome, this same type of safety flaw is an open door to hackers.
Consider the consequences if hackers were to gain access to a pacemaker and disrupt a patient’s heart rhythms. Or, if they intercepted the device’s telemetry data during transmission to acquire sensitive information about a patient’s condition. These and other threats are well within the realm of possibility unless the proper security procedures are followed when deploying a connected-health solution. The latest solutions address this challenge by providing the building blocks for implementing multi-layered, end-to-end security.
Three key security layers
A solid security strategy starts with the communications channel between the smartphone app, the medical device and the cloud. This application layer augments existing security mechanisms that are already built into operating systems such as Android and iOS and overcomes the security vulnerabilities of Bluetooth, NFC, LTE, Ethernet and other protocols. While these protocols do mitigate some breaches, other threats are far less contained. A secure channel gives connected-health solutions greater resistance to a variety of malware and wireless channel cybersecurity attacks.
The second security layer ensures that only authorized and trusted sources are sending information and issuing commands. This layer facilitates authentication of the smartphone app, cloud and any associated devices that are connected to the solution’s communication system. A unique digital cryptographic identity is given to all system elements, and each element can validate the authority and privileges of the other elements, also known as attestation. This creates a “root of trust” within and between all components in the system, protecting it against the risk of attack through connectivity to its cloud services, smartphone apps and other IoT devices. The platform validates the phone and app integrity while ensuring hackers cannot gain “root access” to privileges that enable them to modify the device’s software code or install other software.
The authentication layer is most effective when a hardware security module (HSM) is provisioned at the factory to each medical device for storing and managing cryptographic keys and digital certificates. The trusted cloud infrastructure uses the HSM to verify the integrity and authenticity of all smartphone apps and medical devices, issues digital certificates over the air that identify them as trusted and handles all associated identity lifecycle management.
The third layer of security ensures the high level of “always on” data availability and device control that is required for safety-critical applications. A combination of gateways is used, including traditional fixed gateways as well as having the smartphone itself serve as a soft gateway. This ensures that the system can always receive the most recent data that it needs to immediately change device operation based on patient requirements.
Simplifying security
Rather than being prohibitively expensive or complex, critical security measures can add just a few pennies to the cost of a patient’s insulin pump or other connected-health solution when deployed using today’s third-party IoT cybersecurity offerings as opposed to creating a solution from scratch. These capabilities are implemented in a building-block fashion that minimizes cost while simplifying the process of embedding connected-health solution security.
While it is always better to build security into a connected-health system from the ground up, today’s building-block solutions are flexible and simple enough for robust measures to be effectively retrofitted into legacy designs and infrastructures. The solutions also facilitate continuous improvement, which is a cornerstone of good security practices. As an example, if manufacturers are not using an HSM to protect keys now, they can incorporate the use of an HSM later.
Today’s IoT security solutions make it much easier to protect connected healthcare products and systems from increasingly dangerous cybersecurity threats. These solutions also create the opportunity for providers to meaningfully differentiate their connected-health products based on the strongest possible safety levels, at low incremental cost. Making this investment also enables healthcare providers to minimize the substantial expense of breach remediation and, most importantly, the likelihood of a breach-related injury or death.
Vinay Gokhale has more than 30 years’ experience in the wireless industry. Prior to Thirdwayv, he was vice president of global IC sales for Impinj, a provider of RFID solutions that connect billions of items from apparel to medical supplies in applications such as inventory management, asset tracking and item authentication.
The opinions expressed in this blog post are the author’s only and do not necessarily reflect those of Medical Design and Outsourcing or its employees.
