As ‘digital’ extends further into the realms of the healthcare industry, thanks to the rise of mobile products and the Internet of Things (IoT), it is no longer just consumer PCs, enterprise networks and government agencies that are targets for highly sophisticated cyber-attacks – it is medical devices too.
With personally identifiable information (PII) of patients being the prize, hackers are increasingly honing their skills to get their hands on this valuable data. And unfortunately, they’re getting good at it – putting patient data, and even patients themselves, at risk. Last November, for example, a virus was injected into a number of NHS Trusts’ computer systems, consequently resulting in the cancellation of appointments, operations and diagnostic procedures for two days. In the US, need we not forget the hack on health insurer Anthem in which up to 80 million patient records, containing client names, dates of birth, medical IDs and Social Security numbers, were exposed on the dark web.
When it comes to data as sensitive as private health information, the potential for an attack should always be taken seriously. Unlike some revocable forms of PII, such as a credit card number, many elements of an electronic patient record are permanent. As such, the stakes are much higher.
So as a range of IP-enabled medical devices are introduced into the healthcare industry, and as DDoS attacks, medication tempering, data breaches and network compromises become commonplace, security will be indispensable – more so than ever before.
Worryingly, today’s devices can be laden with security problems such as outdated firmware, unaddressed security bugs and vulnerabilities. What’s more, medical device vendors may employ open source software in order to accelerate products to market without looking at the security implications.
One solution to keeping hackers at bay, though, is to embed ‘digital birth certificates’ into modern medical devices. Based on strong cryptographic protocols, digital birth certificates create a unique ID for each and every device, which can prevent the introduction of unauthorized code, or unauthorized access.
Once embedded in medical devices, certificates can also be particularly useful in defending against remote attacks that may introduce malicious code or alter the purpose of a device, as the attempted update would fail the authenticity test. And with a reliable public key infrastructure in place, firmware updates can be signed by an authorized source and validated by the end device before installation is permitted.
Our recent research shows that, today, one third of healthcare organizations now use IoT devices to store patient data. Encryption, then, needs to be at front of mind to protect the high-value patient data. Encryption, with strong key management is a fundamental technology to preserve the confidentiality of data stored on, and shared by, medical devices.
As the number of medical devices continues to rise, and as more of our patient records become digitized, getting security right will be critical. Reports of devices such as the St Jude Medical cardiac implants being vulnerable to potentially life threatening cyber-attacks should act as clear warnings of what could happen if robust cyber security measures are neglected. Security needs to be enforced and improved at the manufacturer level, including introducing digital birth certificates into devices right from the start. Only then can we mitigate the potential damage medical attacks can cause in the future.