The security of connected health technology is often assumed to exist when it does not, or considered to be prohibitively expensive or complex, or, worst of all, relegated to an afterthought. This is dangerous thinking, especially as the industry increasingly moves to a smartphone-based command-and-control model for these safety-critical applications.
Protecting patient health and data requires an end-to-end, multi-layered “security by design” approach that brings trust to all system elements at the time of manufacturing and beyond. The latest solutions also ensure the critically important “always-on” connectivity for sending data to and from the cloud and receiving commands from it, even if the handheld device or smartphone does not have continuous control and data availability.
Three Myths
Three of the most dangerous myths about the security of today’s connected healthcare solutions are:
- The Bluetooth wireless connection provides adequate security.
- The cost of additional security introduces unacceptable cost and design complexity.
- The necessary level of security for safety-critical applications can be added after a solution has been deployed in response to a breach or increased regulatory scrutiny.
Those who believe the first myth don’t understand that the basic security mechanisms in Bluetooth, NFC, LTE, Ethernet, and other protocols do mitigate some breaches, but other threats are far less contained. There are many examples. The widely publicized Blue-Borne flaw that enables attackers to take complete control of affected devices, steal data in transit, and spread malware has reportedly impacted 5 billion PCs, phones, and IoT units since its disclosure in September 2017.
Booz Allen started off its 2019 Cyber Threat Outlook report by referencing “a wave of vulnerability disclosures and in-the-wild attacks targeting Bluetooth devices.”1 More recently, security researchers learned that hackers can exploit an Android weakness that gives accessories access to the phone’s baseband software, enabling them to obtain unique identifiers that they then use downgrade a target’s connection, intercept and forward calls to another phone, or block all calls and Internet access.2
The second myth has unnecessarily dissuaded solution providers from doing what is critically necessary to protect patients against today’s threats. Rather than being prohibitively expensive or complex, the security-by-design approach can add just a few pennies to the cost of a patient’s insulin pump or other connected-health solution when deployed using today’s third-party IoT cybersecurity offerings as opposed to creating a solution from scratch. Capabilities are implemented in a building-block fashion that minimizes cost while simplifying the process of embedding connected-health solution security.
The third myth has the greatest impact on a solution provider’s product plans, since the required levels of security for safety-critical applications can only be embedded at the beginning of solution development. Because a key element of the ideal approach is the factory provisioning of a hardware security module (HSM) to each medical device, any security capabilities that are added after deployment won’t include this foundational piece.
Moving Past the Myths
The security-by-design approach encompasses multiple layers of protection. The first is application-layer security, which is delivered through a secure communications channel between the smartphone app, the medical device, and the cloud (see Figure 1). This layer augments the built-in shared transport layer security mechanisms that already exist in Android and iOS operating systems. Authorized devices use the commercial smartphone’s Bluetooth capability to automatically connect to intermediate hardware gateways or smart-phone apps that are within communication range.
The secure communications channel ensures that the connected health solution is resistant to a variety of malware and wireless channel cybersecurity attacks. An example of this approach is an IoT security platform from Thirdwayv. It was used in the Insulet Corporation Omnipod DASH™ Insulin Management System that was cleared by the Food and Drug Association (FDA) in June 2018. The system also received both the ISO 27001 and DTSec Cybersecurity Standard for Connected Diabetes Devices certification.
The second layer of a security-by-design solution brings trust to the connected health system through reliable user and device authentication, identity management, and, most importantly, attestation of one system component to the other (see Figure 2).
To ensure that only authorized and trusted sources can originate information and commands, each element validates the authority and privileges of any other element so there is a “root of trust” within and between them.
The smartphone app, cloud, and other devices connected to the solution’s communication system are authenticated using a unique digital cryptographic identity, which is most effectively implemented when an HSM is factory-provisioned to each medical device for storing and managing cryptographic keys and digital certificates. The trusted cloud infrastructure uses the HSM to verify the integrity and authenticity of all smartphone apps and medical devices, issues digital certificates over the air that identify them as trusted, and handles all associated identity life cycle management.
To facilitate continuous operation, the third layer of this end-to-end connected-health solution ensures that systems can always receive the most recent data that they need to immediately change device operation based on patient requirements. Solutions that depend exclusively on a handheld device or smartphone to deliver continuous cloud connectivity are often vulnerable to service lapses if the handheld device or smartphone becomes unavailable for sending and receiving data and commands. The answer to this problem is a combination of traditional fixed gateways and using the smartphone as a software gateway.
Each of these layers can be implemented in a building block fashion using the latest third-party security software suites and HSM factory-provisioning services. These solutions are supported by comprehensive software development kits (SDKs) with application programming interfaces (APIs) for enabling rapid incorporation into a medical device developer’s solution. Because all device programming and final test are tightly controlled during manufacturing, connected health solution providers and their customers know these devices are pre-programmed to interact only with approved gateways in the field and can be safely onboarded into their system. They also know these devices are very difficult to reverse engineer or tamper with, and the risk of counterfeits is extremely low since contract manufacturers cannot build more units than authorized.
Today’s IoT security solutions eliminate the previously prohibitive cost and complexity of protecting connected healthcare products and systems from increasingly dangerous cybersecurity threats. These security-by-design software and service offerings also create the opportunity for healthcare solution providers to meaningfully differentiate their products based on the strongest possible safety levels, at a very small incremental cost. This investment also enables providers to minimize the substantial expense of breach remediation and, most importantly, the likelihood of a breach-related injury or death.
References
- “Top 8 Cybersecurity Trends for 2019,” Booz Allen Hamilton.
- Zack Whittaker, “Popular Android Phones Can Be Tricked into Snooping on Their Owners,” Tech Crunch, Nov. 8, 2019.
This article was written by Vinay Gokhale, Vice President of Business Development for Thirdwayv, Irvine, CA. For more information, visit here .