The recent coronavirus pandemic surfaced the need for quality remote healthcare services. Driven by social distancing measures, doctors had to provide medical services to their remote patients without impacting the quality and accuracy of their diagnosis. The proliferation of connected devices in the healthcare industry allowed this connectivity to materialize. Despite the many benefits, improper or weak management of these devices creates an expanding threat landscape that needs to be addressed sooner than later to avoid damaging data breaches of attacks against the healthcare institutions.
The Connected Healthcare Landscape
Distance between patient and doctor has been a barrier to the provision of quality healthcare services. Even in today’s hyper connected world, isolated communities are lacking access to competent connected healthcare. The proliferation of connected healthcare devices is promising to put an end to this inequality. There are many types of wearable healthcare devices that are currently in use, including:
- Diagnostic and monitoring devices, such as cardiovascular and glucose monitoring devices
- Therapeutic devices, like respiratory or insulin management devices
- Rehabilitation devices, such as body motion devices
- Lifestyle and fitness trackers
Collecting real-time patient data and analytics is revolutionizing the way doctors can monitor and provide their services. Mobile Health (mHealth) and the proliferation of smartphones, apps, and IoT technology have had disruptive impacts on the world of connected health.
Mobile, connected healthcare brings enormous benefits for both the doctors and the patients. Doctors and hospitals can ensure that their patients are taking medications at the prescribed time and amount. Connecting practitioners to their patients remotely can be life-saving – the speed at which a doctor can get to a patient in distress is saving lives. Finally, these technologies remove unnecessary paperwork and bureaucracy, leading in cutting costs and waste for doctor’s offices and hospitals.
Threat Landscape is Expanding
Besides the obvious clinical benefits, the proliferation of medical connected devices in healthcare brings security risks. The volume of healthcare data being transferred and stored every day can be measured in tera bytes — data from IoT and connected medical devices, electronic health records (EHRs), and applications for patients, clinicians, and researchers.
The variety of these connected devices introduces novel cybersecurity challenges related to HIPAA compliance and overall information security. According to a recent study, 63% of healthcare organizations experienced a security incident related to unmanaged and IoT devices in the past two years.
- Infusion and insulin pumps are vulnerable because of their connectivity capabilities, and NIST has published guidance to secure wireless infusion pumps in healthcare organizations.
- Researchers discovered a simple denial-of-service attack against pacemakers that has the potential to kill.
- Wearable devices transmitting heart rate, blood sugar, and other vitals via Bluetooth can be exposed to cyber-attacks.
- Thermometers used for measuring the employee temperature as a precautionary measure to COVID-19 can also be hacked exposing sensitive data.
PKI Can Secure Connected Medical Devices
To protect patient data and secure healthcare organizations against cyber-attacks, these entities need to develop a robust security strategy that is based on the ability to effectively identify all connected devices. Identity authentication is the most effective way to reduce risks associated with exchanging information between medical devices.
This is where Public Key Infrastructure (PKI) comes in handy. PKI is a well-established solution that provides encryption and authentication to any type of connected device and offers numerous advantages. PKI enables identity assurance while digital certificates validate the identity of the connected device.
With PKI, IoT devices can be authenticated across systems. A robust PKI, where certificate lifecycle management follows well-established policies and practices, is not vulnerable to common brute force or man-in-the-middle attacks targeting the precious medical data. At the same time, PKI encrypts sensitive information while in transit, protecting it from malicious actors even in the event of a data breach or compromise.
As such, PKI enforces HIPAA compliance. The HIPAA Security Rule dictates that healthcare entities must implement safeguards, such as encryption, that renders electronic Protected Health Information (ePHI) “unreadable, undecipherable or unusable” so any “acquired healthcare or payment information is of no use to an unauthorized third party.”
In addition to meeting HIPAA compliance, PKI is scalable enough to secure heterogeneous connected medical device environments, which vary in size, complexity, and security needs.
Certificate Lifecycle Management is Critical
As we have noted before, connected devices authentication and encryption is based on an effective certificate lifecycle management program. With connected devices exploding, the associated digital identities explode in numbers as well. Healthcare organizations need to able to manage these identities effectively and efficiently to ensure that the corresponding certificates do not expire causing damaging outages. Digital certificates ensure the integrity of healthcare data and device communications through encryption and authentication, ensuring that transmitted data are genuine and have not been altered or tampered with.
This is essential since, according to a recent report, 73% of healthcare organizations experience unplanned downtime and outages due to mismanaged digital certificates and public key infrastructure. As a result of poor certificate management practices, 55% of surveyed organizations have experienced four or more certificate-related outages in the past two years alone. The main reason for the weak certificate management is the lack of visibility. 74% of healthcare organizations do not know how many keys and certificates they have, where to find them or when they expire.
How AppViewX Platform Helps
With the proliferation of connected medical devices and their digital identities, it is important to understand that manual discovery of keys and certificates is no longer an option. Manual certificate management is an erroneous and time-consuming process which creates a false sense of security, leaving healthcare organizations open to vulnerabilities and devastating cyber-attacks.
It is essential that organizations automate and centralize their PKI to minimize the risk of certificate related outages and data breaches.
The AppViewX platform helps organizations reinforce their IoT PKI strategies. It helps manage and automate every step of the implementation cycle – from multi-vendor certificate enrolment, to revocation, monitoring, and end device provisioning. It’s all your organization needs to stay secure and compliant, while scaling upward and enforcing cryptography across the network. You can either request a demo or contact our experts to learn more.