As we have seen, the Internet of Things will disrupt and change every industry and how actors within it do business. Along with new paradigms in services and products that one can offer due to the proliferation of IoT, come business risks as well as heightened security concerns – both physical and cyber. In our prior column, we spoke about this topic in the context of the Smart Electric Grid. Today we’re taking a look at how IoT is disrupting the health care market and how we can take steps to secure it.
IoT projects in health care
Let’s first look at how IoT is being used within the health care industry – after all, IoT is simply a technological concept, not an end product or process. According to a recent Gartner report (“Market Insight: Healthcare IoT in 2018 — Sell to CEOs and Set Realistic User Expectations”) most IoT deployments in healthcare are what is called internal implementations – for use within a health care facility and organization, versus external use such as for purposes related to management of outside vendors, communications with third parties, etc. Workforce and patient tracking for productivity and efficiency enhancement are the primary use-case. A great example is tracking bracelets given to doctors, nurses and patients, along with readers that capture the position of these within a medical building, or at a given medical station. This helps capture data on say, the amount of time a patient spent in a waiting room, or the time a doctor spent in front of a terminal. This can then be used to improve patient workflows or reduce wait time – and can lead to a direct cost reduction per patient.
There has been a lot of focus recently on improving in-house medical care, especially in the field of elder care or geriatrics. There are various newer products that use a combination of trackers – proximity, weight, sound and vibration – to capture a person’s general movement within a house. Over time the data is used to create a model of one’s expected behavior and movement within a home, throughout the day. This can then be actively monitored. If an anomaly is detected – for instance a fall, or someone is unable to get up from their bed at the right time, medical staff can be alerted. The appeal of these connected sensors is that they are non-intrusive. No cameras are placed within the home and patients aren’t required to wear a bracelet, arm band or other body tracking device.
Finally, one great example I’d like to mention that is directly related to medical health is a product called the EVA bra. This bra has several biosensors that detect skin temperature and then send it to a smartphone app. This data is then analyzed to see if the recorded temperature is above the norm, which happens due to increased blood flow – a sign indicating the possibility of a tumor. Still undergoing clinical trials, this is a great novel application of a connected device helping to combat disease.
The need for cybersecurity
Connected medical devices are increasingly being deployed within healthcare facilities. Apart from the aforementioned examples, there are several devices that are used for patient monitoring. Most of these are for bedside monitoring and actively capture, transmit and record patient medical data. This brings up the first issue which is around data privacy and security. Data, whether in transit, in rest or under processing needs to be protected – not just as a best practice but now also required under federal law. The FDA guidance “Management of Cybersecurity in Medical Devices – 2016” requires that data be protected. Encryption is the first step by which we can make sure that data and communications between medical devices cannot be easily intercepted and eavesdropped upon.
Apart from passively capturing information, some medical devices also actively administer drugs or physical care to a patient, thus more directly, and sometimes autonomously, affecting patient health. A connected infusion pump is one such device. This leads to more complex security issues. We need to now ensure that we are able to identify a given pump, ensure that we are talking to the right one, that any command to update dosage is sent to the correct one, and only the care provider with the authority to do so, is allowed access. There have been several well publicized attacks on insulin pumps.
How PKI can help
The first thing we need to do is add on a layer of identity to connected medical devices. Next, we want to ensure that any data coming from these devices is encrypted. Then, we want to be able to prove that the device that is sending data is actually who it claims to be – essentially to authenticate it. Finally, we want to ensure that only authorized users are able to send commands to a device.
These four security tenets – identification, encryption, authentication and authorization – are the cornerstones of public key infrastructure delivered via digital certificates. It starts of by giving a meaningful digital certificate to each connected device as well as the monitoring and control software that is managing it. Then we configure these systems to only accept incoming connections from devices that are able to produce this certificate, enabling authentication (we have to of course protect the device’s private keys, and ensure that the certificate provisioning step was done in a secure manner). A TLS tunnel now gets established between the server and medical device, giving us a blanket of privacy. Finally, we can add metadata to digital certificates that specify policy on who is allowed to provide commands to which device. In this way, we can enforce authorization.
Conclusion
The smart medical devices market is expected to reach $25 billion by 2025. This not only brings business opportunity, but leads to a new paradigm of services and administration of healthcare. The ultimate goal is improved health and increased patient satisfaction. However, cybersecurity should not be an afterthought and bolted on after these devices have been designed. As we have shown, integrating PKI into your device design is an easy, affordable and key first step in ensuring compliance and security for your medical devices.
This article is published as part of the IDG Contributor Network. Want to Join?
