Medical device company Medtronic issued an urgent recall of the remote controller insulin pumps because they are vulnerable to hacks. It is easy for anyone to copy the signals sent via controllers to the pumps. This could be dangerous since these false signals can block or deliver a dose of insulin. This could be fatal for diabetic patients using the pumps.
As more and more medical devices are connected to the internet and healthcare becomes a bigger target for ransomware attacks, worries about insulin pumps, pacemakers, and other products have only grown.
Cybercrime will cost the world $10.5 trillion annually by 2025. According to cybercrime magazine, “healthcare has lagged behind other industries, and the tantalizing target on its back is attributable to outdated IT systems, fewer cybersecurity protocols and IT staff, precious data, and the pressing need for medical practices and hospitals to pay ransoms quickly to regain data. The healthcare industry will respond by spending $125 billion cumulatively from 2020 to 2025 to beef up its cyber defenses.”
Recently, a cyberattack that targeted the Newfoundland-Labrador healthcare system in Canada might be the worst of its kind in Canadian history. The attack was first discovered on October 30, 2021. However, by the time it was confirmed, it had already caused widespread disruption of healthcare services.
How can healthcare organizations keep patient data safe, eliminate breaches and outages and adhere to compliance standards?
Security professionals in healthcare can protect patient records against breaches and attain regulatory compliance with proper data encryption and authentication of people and machines. Keys and digital certificates make encryption and authentication possible, and if managed correctly, it can enable organizations to remain breach-proof and compliant.
With an increase in the number of digital certificates, organizations need to set up their internal public key infrastructure (PKI) so that private certificate authorities (CA)s can be created internally.
Adherence to compliance standards
Healthcare companies need to comply with regulatory standards such as The Health Insurance Portability and Accountability Act (HIPAA) of 1996, The Health Information Technology for Economic and Clinical Health Act (HITECH). Organizations face severe challenges in implementing safe practices due to large record volumes, widespread use of telemetry, and third-party healthcare services like pathology labs, scan centers, and healthcare insurance providers requiring access to patient records. Furthermore, healthcare organizations are among the biggest consumers of IoT devices, making them vulnerable to attacks.
The Importance of PKI in Healthcare
While PKI has traditionally been used in hospitals to secure sensitive patient records, cryptography is finding new applications in wearable/remote IoT-enabled medical devices. With such devices capturing user information and relaying it back to healthcare professionals by the minute, it is essential to ensure that the line of communication is not intercepted. It is also crucial to keep the device up-to-date via regular updates to be at optimum security. By providing a device identity and a layer of protection to medical devices, PKI makes this possible.
What organizations need today is a robust PKI and certificate management system to keep unauthorized users at bay. If you are still wondering how to get started, here are some quick tips.
The first and foremost step is to identify the starting point based on the goals or objectives you would want to accomplish.
Scenario 1: Lack of a well-defined PKI
If you have a small-scale, ad-hoc PKI model consisting of a random assortment of multi-CA certificates and self-signed ones, your first step should be to get in touch with a PKI vendor to obtain secured certificates for all your endpoints.
Scenario 2: Lack of a defined management process for the PKI
The big issue with unmanaged/manually managed PKI systems is a lack of visibility. A certificate lifecycle management (CLM) platform can help. Use one to discover all the certificates you have, maintain an inventory, and create a map of certificate locations, endpoints, and validities.
Assess your PKI
Take a bottom-up approach for your assessment, and determine the functionalities you require to achieve your goals. Ultimately, a well-managed PKI system can single-handedly satisfy all your requirements. Below are some of the features of a fully functional PKI management system – try to match them with your desired outcomes.
- Certificate task execution from a single portal
- Scanning and discovery
- Automated installations
- Minimized key exposure
- Secure key provisioning
- End-to-end CLM
- Real-time monitoring
- Reporting and expiry alerting
- Compliance enforcement
- Policy definition
- Audit capabilities
- Role-based access to PKI
- Integration with hardware security modules (HSM)
- Integration with CAs
- Integration with IT Service Management (ITSM)
Identify bad practices
Once you have assessed where you are with your PKI needs and the features you need to achieve them, the existing infrastructure and practices might throw some obstacles your way. Identifying these obstacles and neutralizing them will allow you to move on to the next stage of your PKI revamp – execution.
Get rid of manual processes
The PKI owner(s) in an organization is responsible for assisting other teams with their PKI needs. This is usually achieved through a ticketing system – teams raise tickets with the PKI owner, who raises tickets with a CA of their choice. Once the CA provides the necessary materials, the PKI team configures them on the requester’s end system. The problem? Manual processes are prolonged and hard to keep track of (especially when thousands of certificates are lying around).
Find the right partner
An automation tool can help you achieve unlimited possibilities with limited resources. Invest in an end-to-end automation solution that will provide you with extensive visibility into the certificate and encryption key infrastructure and help prevent data breaches and outages.
AppViewX CERT+ is a turnkey solution for all enterprise PKI needs. CERT+ is a ready-to-consume, scalable, and cost-efficient CLM solution that infuses identity governance and administration as an integral part of your cybersecurity strategy. CERT+ simplifies PKI and certificate management operations to bring agility in teams so that teams can focus on business innovation and growth.