Many of us feel uneasy thinking about how our connected smart home speakers could be listening in on us, yet we worry less about what information medical devices could be sharing. Personal health information sells for hundreds to thousands of dollars on the black market, while credit cards and social security numbers go for around 25 cents and 10 cents, respectively. And breached patient data could jeopardize not only privacy and patient personal information but also individual safety. Hacked hospital infusion pumps could be used to administer fatal dosages, and pacemakers vulnerable to attacks could lead to lethal shocks. Additionally, the COVID crisis has certainly impacted the healthcare system and attracted cybercriminals, dramatically widening the attack surface.
A first step in securing sensitive health information is to secure connected Internet of Medical Things (IoMT) devices such as insulin pumps, pacemakers and other monitoring devices. Many run outdated software, and the constant flux of connected devices makes managing them extremely difficult. There are around 10 billion IoMT devices today, and that number is expected to quintuple to 50 billion by 2028.
Digital certificates can encrypt information and authenticate users
Digital certificates can help secure devices through encrypting sensitive information, authenticating connections to devices before allowing access and ensuring the integrity of communicated data. For example, DigiCert was recently asked by a customer to help rapidly and securely deploy a test that detects COVID-19 antibodies to healthcare providers around the world. This customer had laboratory equipment deployed globally that could perform these antibody tests, but these devices needed to be updated to load and enable this new antibody test. Because of the urgency to get this testing capability in the hands of healthcare providers, the update needed to be performed over the air, instead of sending field service engineers to each device to load the update. DigiCert worked with this customer to deploy a secure over-the-air update, utilizing code signing certificates to ensure the update arrived safely and wasn’t modified during transmission. The antibody test was securely deployed just days after the first contact with DigiCert and is now used on patients across the world.
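The over-the-air update above relies on the device refusing anything that is not signed by the vendor's code-signing key. The following Go program is an added illustration of that check, not DigiCert's or the customer's code: the vendor's build pipeline signs the update (version number bound to the payload), and the device verifies the signature against the vendor public key it was provisioned with at manufacture and also refuses rollbacks to an older version. Key generation inline, the `SignUpdate`/`VerifyUpdate` names and the sample payload are all constructed for the example; a real deployment would keep the private key in an HSM and carry the public key in a certificate chained to the vendor's root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a signed update as the device receives it over the air.
type Update struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// digest binds the version number to the payload so that neither can be
// swapped for another signed value independently of the other.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side step: the build pipeline signs the update
// with the code-signing private key (hypothetical name, constructed example).
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, digest(version, payload)),
	}
}

// VerifyUpdate is the device-side step, run before anything is installed:
// the signature must validate under the provisioned vendor public key, and
// the version must be newer than what is installed (no rollback to an old,
// possibly vulnerable build).
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Payload), u.Signature) {
		return errors.New("signature invalid: update rejected")
	}
	if u.Version <= installed {
		return fmt.Errorf("version %d is not newer than installed %d: rollback rejected", u.Version, installed)
	}
	return nil
}

func main() {
	// Key pair generated here only for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("assay-definition: antibody test v2 (constructed sample payload)")
	u := SignUpdate(priv, 2, payload)
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, u)) // <nil>

	u.Payload[0] ^= 0xff // simulate one byte corrupted or altered in transit
	fmt.Println("modified update:", VerifyUpdate(pub, 1, u)) // signature invalid
}
```

Because the signature covers a hash of both the version and the payload, a single flipped byte anywhere in the payload, or a re-labelled version number, fails verification; the device then simply keeps running its current software.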
This example was simple enough to deploy in only a few days. But as more and more devices connect, we run into problems because manufacturers are building devices to different standards that don’t necessarily work together. In two to five years, we won’t just be worried about connectivity with one vendor’s devices, but with the whole ecosystem.
How smart home manufacturers accomplished interoperability and security
When smart home IoT device manufacturers ran into similar problems, they came together to create a standard for interoperability that also emphasizes security. Consumers nowadays demand connectivity; they want their smart lights, TVs and thermostats to connect to voice assistant hubs regardless of who manufactured them. When Amazon, Google and Apple began getting complaints from consumers that their IoT hubs (Alexa, Google Home and HomeKit) were not connecting to many of the smart home devices, they realized that they all had the same pain point and needed to do something. They also realized consumers were beginning to expect security and make purchasing decisions based on it. So they came together under the Zigbee Alliance and formed the Connected Home over IP (CHIP) project to build a standardized approach that allows any smart home device that complies with the CHIP standard to function together royalty-free in a secure way. Since the formation of the project, dozens of leading smart home manufacturers, silicon providers and security experts have joined it. The group’s goal is to have draft standards and a preliminary open-source implementation late this year.
To ensure devices are properly authenticated and communication is handled confidentially, DigiCert was invited to participate in the CHIP project. DigiCert is working with the participants of CHIP to ensure the design and architecture of the Public Key Infrastructure (PKI) and use of digital certificates is sound and has the proper root hierarchy and governing documents. Once this standard is finalized and deployed, manufacturers will be able to simplify development and consumers won’t have to worry about matching their smart home devices with their smart home hubs because their devices will interoperate securely with any other device that complies with the standard.
What healthcare can learn from smart home device manufacturers
The demand for connectivity is also a problem in the healthcare industry. We need to look ahead and plan for a connected ecosystem now to set standards in place that will make interoperability possible in the future. And security must be fundamentally built into the design from the beginning. In this case, we can learn from what smart home manufacturers did to solve their shared challenge and apply it to healthcare. If a group of healthcare IoT device manufacturers collaborated to determine industry-wide specifications, then the entire industry would benefit from this standardization, allowing IoMT devices to be secure, reliable and interconnected.
The problem with any industry change is getting the ball rolling. Who is responsible for initiating standardization, and how? I see two possible solutions for this: either regulators or market leaders need to step forward (or both).
- First, regulators could step forward and create rules that drive medical device manufacturers to adopt security best practices. Or instead of regulation, the FDA could also convene industry leaders and encourage the development of security standards.
- Second, leading medical device manufacturers can follow the example of the smart home industry and convene a group similar to what has happened with the CHIP project. It only takes a few of the big players in the industry to agree on an approach and assemble the right collaboration to develop an industry standard. Once the industry sees the significant players at the table, many more will follow.
Both regulators and industry leaders have a part to play. Someone with the power to convene the right players and drive this collaboration needs to step up and lead.
DigiCert supports creating a connected world and possesses the technologies to keep communications and transactions secure at scale. Device interoperability across an industry is built on PKI, which, if architected correctly, establishes a root of trust for the whole ecosystem. DigiCert has supported the CHIP project in the development of the security standards and stands ready and willing to do the same thing to help create standards around medical device security and interoperability.
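The "proper root hierarchy" mentioned for the CHIP PKI earlier and the ecosystem root of trust described here come down to one mechanical check: a hub or peer accepts a device only if the device's certificate chains to the ecosystem root that every participant trusts. The Go program below is an added example of that model, not CHIP's or DigiCert's actual hierarchy: it builds a constructed ecosystem root, an intermediate CA for one manufacturer under it, a device certificate under that, and then shows the acceptance check passing for a member device and failing for a device from an unrelated root. The names (`Ecosystem`, `IssueDevice`, `Accept`), the one-day validity periods and the serial numbers are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate template; CA templates get the
// basic-constraints and certificate-signing key usage that verifiers require.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // short validity for the demo only
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.ExtKeyUsage = nil
	}
	return t
}

// issue creates a fresh key pair and a certificate for it signed by parent;
// with a nil parent the certificate is self-signed, which is how the root is made.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Ecosystem models one standard's PKI: a single root shared by all participants
// and an issuing CA for one manufacturer beneath it (constructed model).
type Ecosystem struct {
	Root            *x509.Certificate
	ManufacturerCA  *x509.Certificate
	manufacturerKey *ecdsa.PrivateKey
}

func NewEcosystem(rootName, manufacturer string) (*Ecosystem, error) {
	root, rootKey, err := issue(template(rootName, 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	ca, caKey, err := issue(template(manufacturer, 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	return &Ecosystem{Root: root, ManufacturerCA: ca, manufacturerKey: caKey}, nil
}

// IssueDevice gives a device its identity certificate, as the factory would.
func (e *Ecosystem) IssueDevice(deviceID string, serial int64) (*x509.Certificate, error) {
	cert, _, err := issue(template(deviceID, serial, false), e.ManufacturerCA, e.manufacturerKey)
	return cert, err
}

// Accept is the check a hub or peer performs when a device presents its
// certificate and any intermediates: trusted only if a chain to root exists.
func Accept(root *x509.Certificate, presented []*x509.Certificate, device *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := device.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	eco, err := NewEcosystem("Example Ecosystem Root (constructed)", "Manufacturer A Device CA")
	if err != nil {
		panic(err)
	}
	dev, _ := eco.IssueDevice("infusion-pump-0001", 100)
	fmt.Println("member device:", Accept(eco.Root, []*x509.Certificate{eco.ManufacturerCA}, dev))
	other, _ := NewEcosystem("Unrelated Root (constructed)", "Unrelated CA")
	odev, _ := other.IssueDevice("unknown-device", 200)
	fmt.Println("non-member device:", Accept(eco.Root, []*x509.Certificate{other.ManufacturerCA}, odev))
}
```

Two points worth noting from the code: only the root is pinned on the verifier, so new manufacturers can be admitted by issuing them an intermediate under that root without touching deployed devices; and a device must present its intermediate along with its own certificate, otherwise the verifier cannot build the chain and rejects it even though it is a legitimate member.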
We need to take seriously the privacy and security of our healthcare information, just as we do with the privacy and security of our own homes. PKI can help secure devices and offers the technology to regulate how IoT devices communicate with each other. Medical device manufacturers can follow a similar example to what smart home device manufacturers did in creating a project to solve these challenges. These are just the first steps toward securing patient personal information, but in the healthcare industry, every step towards security matters because it is a step to save lives.