With patient health on the line, keeping connected medical devices secure is mission-critical. Security isn’t static; manufacturers need to continuously update not just the software on a device, but also the security measures used on it. Patients and providers count on manufacturers to build devices that can be trusted out of the box and through end of life.

Many internet of things (IoT) devices in healthcare lack proper authentication—the method of allowing access to only trusted apps, users, and systems. This puts devices at risk of data breaches or device hacking, which can directly harm the patients and healthcare providers that depend on the device's operation and uptime.

With no clear-cut set of IoT security standards to reference, industry experts recommend using public key infrastructure (PKI) and digital certificates as an effective way to securely authenticate devices without compromising interoperability. PKI is a battle-tested tool used in IT to manage the digital certificates and keys that protect the digital identities associated with people, applications, and devices.

Unique device identities provide mutual authentication as the device attempts to connect to gateways, update servers, or other devices—without the need for static passwords or tokens. Digital certificates provide device makers with a method to communicate securely with devices even after they’ve been deployed into the ‘wild.’
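The sketch below shows how certificate-based mutual authentication between a device and a gateway can be configured with Python's standard `ssl` module. It is an added example, not code from the article or from any vendor; the file-path parameters, device name, and enrollment set are hypothetical.

```python
import ssl

def gateway_context(ca_file=None, cert_file=None, key_file=None):
    """Gateway side: reject any peer without a certificate from the device CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Server contexts default to CERT_NONE (one-way TLS); this line makes it mutual.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # trust anchor for device certs
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)    # the gateway's own identity
    return ctx

def device_context(ca_file=None, cert_file=None, key_file=None):
    """Device side: verify the gateway and present the device certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)    # replaces a static password/token
    return ctx

def device_identity(peer_cert):
    """Common name from the dict returned by SSLSocket.getpeercert(), or None."""
    for rdn in (peer_cert or {}).get("subject", ()):
        for field, value in rdn:
            if field == "commonName":
                return value
    return None

def authorize(peer_cert, enrolled):
    """A valid chain proves identity only; also check the device is enrolled."""
    identity = device_identity(peer_cert)
    return identity is not None and identity in enrolled

# Constructed sample in getpeercert() format; names are hypothetical.
SAMPLE_PEER_CERT = {
    "subject": ((("organizationName", "Example Device Maker"),),
                (("commonName", "infusion-pump-0001"),)),
}
ENROLLED = {"infusion-pump-0001"}
```

The gateway would call `authorize(conn.getpeercert(), ENROLLED)` after the handshake, so a device whose certificate chains to the CA but is not enrolled is still refused.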

Security Starts at Design

Pre-pandemic, device makers and industry regulators worked to implement measures that would ensure security is built into the device at design and sustained through its lifecycle. Building crypto-agility in at device design is becoming a foundational best practice. Historically, if a healthcare device failed, the entire fleet would be recalled for update or repair – a time-consuming and inefficient process. In the case of a full fleet recall, making sure all products were properly updated was difficult.

Today, building with crypto-agility means that cryptography on a device can be changed out or updated remotely and securely if it becomes deprecated over time. In combination with PKI, device tracking and cybersecurity incident management become simpler, giving manufacturers the ability to respond to and address issues and long-term threats immediately.

In many cases, IoT devices are not constantly connected to the internet and have only an intermittent connection. Whether the device is online or offline, a trusted connection and/or intermediary is needed for field maintenance or interval repairs.

No device is hack-proof, but adoption of cybersecurity best practices in design and development gives device makers the ability to drive innovation while mitigating the risk of emerging threats, especially as connected medical device usage rates climb in a post-COVID world.
