
Step Up Cyber Hygiene: Secure Access to Medical Devices

April 7, 2020
In times of crisis, cyber attackers will continue efforts to exploit digital vulnerabilities. Businesses should secure vulnerable touchpoints and, above all, protect human health.

Connected medical devices are ubiquitous in healthcare settings where providers digitally monitor patients’ compliance and treatment. But, in today’s unprecedented context, the need to shift workloads to the cloud and protect all endpoints has never been greater.

There is a healthy fear that hackers can exploit vulnerabilities, thereby endangering patients and compromising data assets. In March 2020, the U.S. Health and Human Services Department suffered a distributed denial-of-service (DDoS) attack on its computer system. The attack, carried out by automated users, or bots, involved overloading servers in order to slow the system down or paralyze it.

Concerns over cybersecurity are warranted, considering that 25 billion connected things will be in use by 2021, according to a Gartner forecast. The potential risk can be devastating as the heightened dependency on digital infrastructure raises the cost of failure.  

As the COVID-19 pandemic triggers a rapid retooling in industries to support the call for medical IoT—diagnostics systems and device support—the rush amplifies existing security challenges the industry has been working to solve.  

Ellen Boehm, senior director of IoT product management at Keyfactor, a provider of secure digital identity management solutions, sees the reality behind the statistics every day.

“Any new connected device expands IoT attack vectors; cyber-attackers are exploiting the global crisis, and hardening device security is critical,” says Boehm. “In the case of connected medical devices, security risks can be life-impacting. Devices that relay regulated signals, like pacemakers or insulin pumps, can be intercepted. Attackers can change the data or alter the device’s firmware and software. For example, if an attacker accesses an insulin pump, they can alter the data that a doctor receives, potentially changing dosage requirements and impacting patient safety. Manufacturers need to plan and properly secure devices that are fast becoming more complex machines with complex functions.”

In a virtual conversation with Machine Design, Boehm discusses the importance of being vigilant in uncertain times by touching on ways to maintain compliance through IoT-powered technologies, nudging industries to take stock of their security protocols and freeing up IT teams so they can make progress on pressing issues.

Machine Design: Please tell us about the security risks. What are the motivations behind and intent of these threats? What are the latest tactics and techniques they’re using? 

Ellen Boehm: Each year, more and more devices are becoming connected to the internet, as companies see opportunities to deliver improved outcomes, including device optimization, data analytics or customized functionality from their IoT products. When more devices are connected, it creates a larger target for hackers to exploit, spreading the impact of their malware or interruption of servers to a broader landscape. Tactics involve exploiting the weakest link in the software or firmware in the IoT system, whether that’s at the device, application or cloud layers.

Oftentimes device manufacturers who aren’t as established with connected products find themselves with issues around authentication, lack of sufficient code signing or weak encryption, making it easy for others to take advantage. These types of threats are old news for web applications and the enterprise space, but are resurging in the launch of new IoT devices for those with lack of experience in the cybersecurity space.

MD: What does this mean in relation to medical connected devices?

EB: When it comes to medical device security, the U.S. Food and Drug Administration (FDA) guidance around cybersecurity has been very informative and helped medical device manufacturers think about how to incorporate the right level of cybersecurity into their products. Additionally, the recent California IoT security regulation bill (SB-327 Information privacy: connected devices) requires unique credentials for each device. It all starts with establishing trust in every device that’s manufactured, using a different digital certificate for each one.

MD: What can manufacturers and a multi-disciplined design ecosystem do to protect their firmware/software? What proactive steps should they take?

EB: When it comes to protecting IoT device communications, unique digital identities utilizing asymmetric certificates and a method for generating IoT device credentials based on a designated root of trust is a recommended method to implement trust within IoT devices and endpoints they communicate with.

MD: Can you explain how it is possible for a hacker to compromise patient safety?

EB: We must think beyond only the physical device and how it functions, because that is only one angle. We obviously don’t want hackers to change settings on a device that’s connected to a person and impact their health, but we also don’t want that same exploiter to get into medical records—access health history or other personal information that might be tied to that individual through the system. That is why it’s so important for all communications between endpoints in an IoT system to use encrypted methods to transfer critical data or commands. 

MD: You’ve stated that the pandemic will alter the way industry operates in future. How is it affecting industry now, and what should manufacturers do to pivot in future? What will they need to alter going forward? 

EB: I think this pandemic has been an eye-opening experience for many of us and has made us think differently about how we work and how healthcare is provided during a time of emergency. With so many “stay at home” orders, patients have a greater need for telemedicine to connect with their provider since a physical visit is often infeasible or risky due to infection. This is perhaps truer for elective procedures or non-essential consultations that are being postponed. If these consults could be held remotely, then health and wellbeing visits can be maintained as planned and not backlogged until a later date.

With regard to COVID-19, patients with a higher risk of complications from the virus can remain safely in their homes and yet take advantage of remote healthcare options. Additionally, connected devices can be leveraged to provide doctors and clinicians with patient vitals and information through a secure platform, all without the patient needing to leave their home. It’s essential that all patient data and information are being securely protected throughout each of these connected experiences.

MD: Any tips you can provide on what to be wary of? Are there any tipoffs?

EB: As the opportunities for telemedicine will likely be increasing in the future, the need for strong encryption of any communications around patient health and safety is only going to grow. Consider what we’re hearing in the news recently about Zoom—the video conferencing company that is under scrutiny for their lack of security around end-to-end encryption. While there are many benefits to remote consultations, when it comes to the healthcare industry and people’s life and well-being, there is little room for error.

About the Author

Rehana Begg | Editor-in-Chief, Machine Design

As Machine Design’s content lead, Rehana Begg is tasked with elevating the voice of the design and multi-disciplinary engineer in the face of digital transformation and engineering innovation. Begg has more than 24 years of editorial experience and has spent the past decade in the trenches of industrial manufacturing, focusing on new technologies, manufacturing innovation and business. Her B2B career has taken her from corporate boardrooms to plant floors and underground mining stopes, covering everything from automation & IIoT, robotics, mechanical design and additive manufacturing to plant operations, maintenance, reliability and continuous improvement. Begg holds an MBA, a Master of Journalism degree, and a BA (Hons.) in Political Science. She is committed to lifelong learning and feeds her passion for innovation in publishing, transparent science and clear communication by attending relevant conferences and seminars/workshops. 
