Many of us are concerned about the way various Internet-connected devices we install in our homes listen to us, but far less worried about what information connected medical devices may be sharing with third parties. Personal medical information is currently sold for hundreds or thousands of dollars on the black market. In comparison, credit card data or identification numbers are sold for 25 cents and 10 cents, respectively. And compromising a patient's information not only puts privacy and personal data at risk, but individual safety as well. Hacking of medication infusion pumps can be used to administer lethal doses and pacemaker vulnerabilities can result in cardiac shock. Additionally, the crisis generated by the COVID-19 pandemic has severely impacted health systems and has attracted cybercriminals, generating a dramatic increase in attack vectors.
A first step to securing sensitive medical information is to provide confidentiality to Internet-connected medical devices (IoMT), such as infusion pumps, pacemakers, and other monitoring devices. Many of these devices have completely outdated software and the constant flow of new devices being connected makes their management extremely difficult. There are currently around 10 billion Internet-connected medical devices, but this number is expected to quintuple by 2028, approaching 50 billion.
Digital certificates can encrypt information and authenticate legitimate users.
Digital certificates can help secure devices through encryption of sensitive information, authentication of connections to devices before allowing access, and ensuring the integrity of data being transmitted. For example, DigiCert recently received a request from a client to help them safely and quickly distribute an analysis that detects COVID-19 antibodies and share it with healthcare providers around the world. This client had developed laboratory equipment distributed worldwide that could perform these antibody tests, but the devices needed to be updated to perform these new tests.
Due to the urgency of having this testing capability available across different healthcare providers, this device update had to be carried out remotely, rather than by sending engineers to each physical location to update the devices. DigiCert worked with this client to develop a solution that would allow for remote updating using code signing certificates, to ensure that the update arrived intact and unmodified during the transmission process. That antibody analysis was securely distributed in just a few days after contacting DigiCert and is now used in patients around the world.
This is a relatively simple example of a solution that was developed in just a few days. But as more and more devices connect, we face problems because manufacturers develop devices with different standards that don't necessarily work in a coordinated manner. Over the next 2 to 5 years we won't only worry about device connectivity from different providers, but about the entire ecosystem.
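The device-side check behind a signed remote update like the one described above, sketched in Go as an added example (it is not DigiCert's or the client's code). The certificate names, the image bytes, the helper names `issue`, `VerifyUpdate` and `Demo`, and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue builds a constructed certificate; a nil parent yields a self-signed root CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil { // root: signs certificates only, no code-signing EKU of its own
		t.IsCA, t.KeyUsage, t.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyUpdate is the device-side check: the signer must chain to the pinned root
// with the code-signing EKU, and only then is the image signature checked.
func VerifyUpdate(root, signer *x509.Certificate, image, sig []byte) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	opts.Roots.AddCert(root)
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	}
	return signer.CheckSignature(x509.PureEd25519, image, sig)
}

// Demo returns verdicts for a genuine image, a modified image, and an unchained signer.
func Demo() (genuine, tampered, untrusted error) {
	root, rootKey := issue("Constructed Vendor Root", nil, nil)
	signer, key := issue("Constructed Update Signer", root, rootKey)
	rogue, rogueKey := issue("Constructed Unknown Signer", nil, nil)
	image := []byte("constructed firmware image v2")
	sig := ed25519.Sign(key, image)
	return VerifyUpdate(root, signer, image, sig), VerifyUpdate(root, signer, append(image, 0), sig),
		VerifyUpdate(root, rogue, image, ed25519.Sign(rogueKey, image))
}
func main() { fmt.Println(Demo()) }
```

Only the first verdict is nil: a single appended byte invalidates the signature, and a correctly signed image is still refused when its signer does not chain to the root the device trusts.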
How home smart device manufacturers achieved interoperability and security at the same time.
When smart home device manufacturers faced similar problems, they came together to create an interoperability standard that also emphasized security. Consumers today demand connectivity; they want smart lights, televisions, and thermostats that connect to voice assistants, regardless of who manufactured them. When Amazon, Google, and Apple started receiving complaints from consumers because their IoT hubs (Alexa, Google Home, and HomeKit) wouldn't connect with many of their smart devices, they realized they all had the same problem and needed to do something together to solve it. They also noticed that consumers started analyzing and approaching their purchases based on device security. Therefore, they united under the Zigbee Alliance and formed the CHIP project (Connected Home over IP) aimed at developing a standard that allows any smart home device that complies with that standard to work safely without the need for any royalty payments. Since the project's inception, dozens and dozens of leading smart home device manufacturers, chip suppliers, and security experts have joined it. The group's goal is to have standard drafts and the first open-source implementations by the end of this year.
To ensure that devices are properly authenticated and communications are confidential, DigiCert has been invited to participate in the CHIP project. DigiCert is working with other project participants to ensure that the design and architecture of the Public Key Infrastructure (PKI) and the use of digital certificates are correct, and that the PKI has the appropriate root hierarchy and governance documents for that hierarchy. Once the standard is finalized and distributed, manufacturers will be able to simplify their development and consumers won't need to worry about whether their smart devices can connect with hubs, because they will be safely interoperable with any other device that complies with the standard.
What the healthcare industry can learn from home smart device manufacturers.
The demand for connectivity is also a problem for the healthcare industry. We need to look ahead and plan today for an interconnected system with standards that make future interconnection possible. And security must be fundamentally included in the design from the beginning. In this case, we can learn from what smart home device manufacturers did to solve the challenge they had in common and apply it to the healthcare industry. If a group of medical device manufacturers collaborate to jointly develop specifications that encompass the entire industry, everyone can benefit from this standardization, allowing devices to be secure, reliable, and interconnected.
The challenge of change in any sector is who takes the first step. Who is responsible for initiating the standardization process and how? There are two possible solutions: a regulatory body, market leaders, or both take a step forward.
- First, a regulatory body can take the first step and develop rules that lead manufacturers to adopt best practices in security. Or that same regulatory body, instead of developing rules, can urge industry leaders to commit to developing safe standards.
- Second, leaders in the medical device manufacturing market can follow the example of the appliance industry and convene a group similar to what has happened with the CHIP project. It only takes a few segment leaders to agree on the project and assemble the right collaboration to develop an industry standard. Once the sector sees major players sitting at the same table, many more will follow.
Both regulatory bodies and industry leaders have a role to play. Someone with the power to convene key players and direct this collaboration is necessary to move forward and lead the process. DigiCert supports the creation of an interconnected world and has the technology necessary to keep communications and transactions secure, at scale. The way to create interoperability across an industry is through the use of a Public Key Infrastructure (PKI), which, if its architecture is correct, allows a root of trust to be established within an ecosystem. DigiCert has supported the CHIP project in developing security standards and is willing to do the same to help create standards related to the security and interoperability of medical devices.
We need to take the security and privacy of our health information as seriously as we do the security and privacy within our homes. A Public Key Infrastructure (PKI) can help create secure devices and offers the technology to regulate how Internet-connected devices can communicate with each other. Medical equipment providers can follow the same example that appliance manufacturers set in creating a project that solves those challenges.
These are simply the first steps toward securing patients' personal information, but in the healthcare industry every step toward security matters because these are actions that save human lives.
The author of this article is Mike Nelson, Vice President of IoT (Internet of Things) Security at DigiCert. Before joining DigiCert, he built his career in healthcare IT, including the U.S. Federal Government's Department of Health, GE Healthcare, and Leavitt Partners. Mike's strong interest in this topic is related to his own experience as a patient, as he has type 1 diabetes and his treatment requires the use of connected technology.