Emily Newton, Editor-in-Chief, Revolutionized, 03.23.21
Smart healthcare requires nigh-impenetrable cybersecurity if it’s going to succeed.
By now, everyone knows smart home devices, such as smart speakers or security cameras, are vulnerable. There’s often no way to know where the related data streams are going or who’s listening in. It means we often sacrifice some of our security and privacy to use these convenient devices, which is concerning to many.
However, many common mistakes that occur in IoT (Internet of Things) deployments simply cannot happen with IoMT (Internet of Medical Things) devices or medtech. If sensitive medical information is leaked, or the devices fall under a nefarious actor’s control, the implications are far more severe.
Can you imagine someone’s smart pacemaker, for instance, being affected by a remote hack? Moreover, personal health information goes for a premium on the black market, exceeding thousands of dollars and making it much more lucrative to would-be hackers.
Manufacturers cannot make the same development and security mistakes with IoMT devices. Vulnerabilities in both categories are concerning, but one could result in a major loss of life, so there’s much more on the line.
Many of the high-security solutions and techniques that show potential in the IoMT industry can also be used for consumer-level IoT technologies.
1. Segmented Networks with Limited Access
Regarding cybersecurity, there’s a vast difference between an open network—even a secured one—and one that remains private with limited access. Commercial networks, medical-related especially, should be segmented to restrict the flow of traffic.
Segmentation involves dividing up a network into several parts, with the more restrictive segments locked down and hidden. Most networks broadcast their existence to the general area, but there is a way to prevent this so only those who know the network exists can find it. Moreover, advanced authentication can prevent random or nefarious users from gaining access.
In the IoMT world, for example, the servers used to collect and process smart device data would be segmented and hidden. Only authorized users, with the right tools and access protocols, can connect to that network and review or manipulate the data.
More importantly, users can be issued varying access levels, so they might be able to read or review data, for example, but not alter, download, or remove it.
2. No Encryption, No Use Cases
Encryption is mission-critical for IoMT devices and medtech platforms. Data being transmitted, stored, processed, or read must always be protected behind advanced levels of encryption.
Encrypted data that’s leaked or snooped on cannot be decrypted without the proper encryption key. It means even a massive database of personal details can essentially end up unusable without the key. It’s important to understand that encryption can be broken. Yet, the stronger the encryption, the more difficult and time-consuming it is to reverse.
All sensitive and proprietary medical or health data should be encrypted, period. Nothing is ever 100 percent secure, but encryption provides an additional and much-needed layer of security to the data.
3. Frequent Penetration Testing
One of the best ways to find weaknesses in the walls of a fortress is to attempt to breach them. Precisely the same is true for smart technologies and IoMT networks. Regular penetration testing can place a spotlight on the most concerning vulnerabilities and security issues.
Additionally, it can help medtech, IT, and security teams come up with a plan of defense if and when there is an attack. They learn how an attacker might try to gain access and what that might look like from the attacking side. It also allows them to build an incredibly accurate risk assessment that can be used to plug many of the existing or potential gaps.
4. Absolute System Integrity
On mobile platforms and connected devices, regular updates are warranted because they help patch security vulnerabilities, fix bugs, and sometimes introduce new features or device support. Unfortunately, the way many of these updates are deployed (over-the-air is the biggest offender) tends to introduce serious security problems.
Accounting for basic device and data integrity can mitigate this issue and may even eliminate intrusions. The driverless automotive sector is working hard to deploy secure OTA updates to many of its vehicles. It’s easy to understand why they wouldn’t want hackers to gain access to vehicles, especially those already on the road.
Code signing can be used to verify the integrity of update packages sent over-the-air and is just one of many authentication measures that can be used to verify data. Being able to establish and verify data integrity is key.
5. Accounting for Scale
Right now, scaling isn’t as much of a concern in the IoMT or medtech fields because adoption isn’t rapid or widespread. That will change, and it means all of the security solutions must be ready.
Security platforms that cannot keep up with the growing scale of a network and all connected devices will fail. When that starts to happen, it may also affect other systems, such as remote devices trying to sync up with a server. Smart medical devices that cannot send or receive feedback from a server could prove disastrous, even if they are designed to function locally and offline.
True Security Is Ongoing, and Medtech Is No Exception
All parties, from manufacturers to software engineers and end-users, must understand that cybersecurity is never a one-and-done event. Throughout the lifetime of a system, regular security updates must be delivered. Appropriate and advanced security methods must be used, such as secure passwords, biometrics, or single-user access. All medical data must be locked down, with access limited to only a select few parties.
Organizations that want to boost their security must establish a proper IT security team with experience and skills to match. They must also focus on developing proper authentication, integrity, and encryption protocols. Furthermore, they must prepare for the growing scale of connections and devices, with segmented networks created for the most sensitive data channels.
Anything short of these proposed strategies creates a highly vulnerable system or device, which could spell disaster.
Emily Newton is the editor-in-chief of Revolutionized. She’s always excited to learn how the latest industry trends will improve the world. She has over four years of experience covering stories in the science and tech sectors.
