Thales Blog

Prescription for securing internet-connected devices in healthcare

October 22, 2020

Ashvin Kamaraju | Vice President of Engineering, Strategy & Innovation

As we continue to address the importance of good cybersecurity practices during National Cybersecurity Awareness Month (NCSAM), and this year’s theme “Do Your Part. #BeCyberSmart”, we now turn our attention to this week’s focus on Securing Internet-Connected Devices in Healthcare.

The COVID-19 pandemic, a defining event of our times, has been a stark reminder of the fragility of humans. It has also been a showcase of our resilience. It has rallied, and unified people from across the globe determined to regain control of their lives and a future post-pandemic world. It has also proven to be a novel opportunity for hackers to launch new cyber threats.

The FBI has issued several warnings indicating how hackers are utilizing current conditions for their gain, all while we pivot to working remotely, juggling the duties of parenting/caregiving, cooking, cleaning, supporting our communities and even teaching. As the exponential spread of the virus increases the demands on our healthcare infrastructure, technology has played a crucial role in scaling critical services, including internet-connected healthcare devices, or Medical Internet of Things (MIoT). This market is expected to grow to over $500 billion by 2025.

IoT healthcare devices such as wrist bands and mobile devices are proving to be crucial for containment. Businesses can operate without compromising safety by using devices to automatically screen employees for symptoms. Family members can check in on and care for loved ones remotely through cameras and mobile apps. Fitness trackers and connected health devices have become indispensable in our “lockdown” lives.

6 tips for securing MIoT devices

These interconnected and internet-enabled devices in healthcare will continue to play a prominent role in the future, but only if they can be secured. What can healthcare practices teach us about securing MIoT devices? Below are some key observations:

1. Genetically built to thrive: Our bodies have the inherent ability to defend against and heal from viruses and infections. Similarly, security for MIoT devices should be there by design. Security-by-design principles should be applied so that security is “built in” rather than “bolted on”. This lays the foundation for how resilient the devices will be in a continually evolving threat landscape.

2. No two are the same: Each of us has a unique identity, which allows us to consume healthcare services tailored specifically for us, for example drug dosages, physical therapy regimens and lab tests. Similarly, MIoT devices cannot be effectively secured if they cannot be uniquely identified with a high level of confidence. This requires each IoT healthcare device to have a digital identity, with the necessary level of assurance from a root of trust. The digital fingerprint of the device must be based on both hardware and software, with authentication and authorization following zero-trust principles to the maximum extent.

3. Practice good hygiene: Hygiene practices keep us all healthy and dramatically reduce risk to our health. Similarly, for securing MIoT devices, keeping their software up to date, continuous monitoring and anomalous-behavior detection will significantly reduce the risk they pose. It should be noted that hygiene cannot overcome genetic makeup; just ask a bald man who practiced hair care religiously. Hygiene therefore cannot compensate for security that was never built into the device.

4. Prevention is better than a cure: Exercise, eating a balanced diet, getting enough sleep, drinking plenty of water and so on can radically reduce the risk of chronic disease. Similarly, encryption of data in all of its states (in motion, at rest, in use), along with proper key management, can prevent misuse in the event of a data breach. Network segregation and zero-trust principles (i.e., ensuring that authorization of devices and systems is short-lived, context-based and granted with minimal privileges) are likewise foundational prevention techniques.

5. Believe the experts: Healthcare is heavily regulated, and for good reason. Similarly, cybersecurity is built on foundational principles, and many cybersecurity frameworks can be leveraged. A great starting place is the NIST Cybersecurity Framework, which outlines five critical activities: Identify, Protect, Detect, Respond, Recover. The Center for Internet Security (CIS) has published a guide specific to IoT that outlines concrete activities that can be followed. The FDA has issued its guidelines, and they are expected to be enforced soon. Regulations continue to be ratified and passed around the globe, including in the European Union, California and the UK.

6. Universal need: Everyone needs healthcare services to thrive. Such is also the case with MIoT, where security affects all devices, no matter the function, vendor or deployment model. Any device that captures health-related information should have supporting security practices proportional to its potential of causing harm.
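Tips 2 and 4 above come down to two mechanics: an identity bound to both the hardware and the firmware it runs, proven by challenge/response against a root of trust, and authorization that is short-lived, scoped and re-checked against current enrollment rather than granted once. The following is an added example written for this post, not code from Thales or from any MIoT product. It uses only the Python standard library, simulates the secure element with a per-device secret (in a real device that secret would never leave the hardware, and the back-end copy would sit in an HSM), and all serial numbers, firmware hashes and scope names are constructed for the illustration.

```python
"""Device identity and short-lived, scoped authorization for an MIoT fleet.

Added illustration: the secure element is simulated with a per-device HMAC key,
device serials and firmware hashes are constructed, and scope names are assumed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


def device_fingerprint(hardware_serial: str, firmware_sha256: str) -> str:
    """Identity bound to hardware AND software (tip 2): a different firmware
    image yields a different fingerprint, so the device must be re-enrolled."""
    return hashlib.sha256(f"{hardware_serial}|{firmware_sha256}".encode()).hexdigest()


@dataclass(frozen=True)
class Device:
    """Device side. identity_key stands in for a key provisioned into a secure element."""
    hardware_serial: str
    firmware_sha256: str
    identity_key: bytes

    def fingerprint(self) -> str:
        return device_fingerprint(self.hardware_serial, self.firmware_sha256)

    def answer(self, challenge: bytes) -> bytes:
        # Proves possession of the key without ever transmitting it; binding the
        # fingerprint into the MAC stops a response being reused for another identity.
        return hmac.new(self.identity_key, self.fingerprint().encode() + challenge,
                        hashlib.sha256).digest()


class DeviceRegistry:
    """Back-end side: enrollment records, challenge/response, scoped tokens (tip 4)."""

    def __init__(self) -> None:
        self._records: dict[str, bytes] = {}      # fingerprint -> enrolled key (HSM-held in practice)
        self._token_key = secrets.token_bytes(32)  # signs authorization tokens

    def enroll(self, fingerprint: str, identity_key: bytes) -> None:
        self._records[fingerprint] = identity_key

    def revoke(self, fingerprint: str) -> None:
        # Revocation takes effect immediately: tokens are checked against enrollment on use.
        self._records.pop(fingerprint, None)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)  # fresh nonce per attempt, so old answers cannot be replayed

    def verify_response(self, fingerprint: str, challenge: bytes, response: bytes) -> bool:
        key = self._records.get(fingerprint)
        if key is None:
            return False  # unknown hardware/firmware combination: not enrolled
        expected = hmac.new(key, fingerprint.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def issue_token(self, fingerprint: str, scope: str, ttl_seconds: int, now=None) -> str:
        """Minimal-privilege token: one scope, short expiry. `now` is injectable for tests."""
        now = time.time() if now is None else now
        claims = {"sub": fingerprint, "scope": scope, "iat": now, "exp": now + ttl_seconds}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self._token_key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + tag

    def authorize(self, token: str, required_scope: str, now=None) -> tuple[bool, str]:
        """Every request re-checks signature, enrollment, expiry and scope."""
        now = time.time() if now is None else now
        try:
            body_b64, tag = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self._token_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        claims = json.loads(body)
        if claims["sub"] not in self._records:
            return False, "device no longer enrolled"
        if now >= claims["exp"]:
            return False, "expired"
        if claims["scope"] != required_scope:
            return False, "scope mismatch"
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: enroll one monitor, authenticate it, issue a 5-minute token.
    registry = DeviceRegistry()
    monitor = Device("SN-0001", "ab" * 32, b"k" * 32)
    registry.enroll(monitor.fingerprint(), monitor.identity_key)
    challenge = registry.new_challenge()
    print("authenticated:", registry.verify_response(monitor.fingerprint(), challenge,
                                                     monitor.answer(challenge)))
    token = registry.issue_token(monitor.fingerprint(), "vitals:write", 300)
    print("vitals:write ->", registry.authorize(token, "vitals:write"))
    print("config:write ->", registry.authorize(token, "config:write"))
```

Two design points are worth noting. The fingerprint covers the firmware hash, so an update or a tampered image produces an identity the registry has never seen, which forces re-attestation instead of letting the old enrollment carry over. The token check consults current enrollment on every use, so revoking a device (a lost wearable, a recalled pump) takes effect immediately instead of waiting for a long-lived credential to expire.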

The three pillars of cybersecurity are technology, process and people. So along with the above recommendations, there need to be supporting processes that work within the healthcare environment, along with adequate security awareness education.

MIoT will play a significant role in the future in allowing us to thrive and prosper. The data gathered by IoT healthcare devices will enable healthcare services to create bespoke, dynamic treatment plans tailored to each individual, which will ultimately unlock further innovation. Securing these devices will be vital to achieving this to its fullest potential.

For other insights on NCSAM, please read my colleague Tina Stewart’s blog post “In a Year Like No Other, National Cybersecurity Awareness Month is the Time to Consider the Future of Data Security”.

More in-depth analysis of the world of IoT can be found in the on-demand webinar “Evolving Security for an IoT World” and its follow-up Q&A session, as well as in this smart metering example, “Protecting smart grids with a dedicated cyber security solution”.