Mar 27, 2019 5:34:54 PM
Medical IoT Device Security: Why Unique Identities Matter

For many of us in IT and system administration, the recent digital security misstep by GoDaddy, Google and Apple undoubtedly hits home.

Every story like this gives us at least one lesson to think about. In this case, it’s recognizing that running a digital security program isn’t just about doing the work and checking a box.

An effective digital certificate and security strategy includes foresight and hindsight. It’s the kind of effort that requires medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) alike to think big and wide – including enterprise-level planning, investment, and ongoing governance.

Securing the internet of medical things (IoMT) means accepting that every connected device is vulnerable until it isn’t.

Every device, you say? Yes.

Medical devices have and will continue to be appealing targets for hackers, and the damage can be catastrophic. Device takeovers have become real enough that the FDA is intensifying its efforts around medical internet of things (IoT) security.

Whether it’s 100 devices or 100 million, digital certificates serve as a natural foundation to uniquely identify and provide IoT security coverage for every connected medical device in the field.

How do individual unique identities make a difference in medical device security?

Using unique digital certificates for every device validates that a device is authentic and asserts with high assurance that its messages are genuine. It also allows IoMT platforms and applications to validate the integrity of data and programming sent to and from each device.

This ensures that critical healthcare information is sent from and received by only the intended recipients. The potential impact of a compromised device is minimized because it carries a unique identity, encrypts its data, and is programmed with a cryptographic key associated to that identity.

Less secure alternatives include static passwords and shared keys, neither of which provide the required level of security or control. Compromising a static password allows access to, or impersonation of, every device utilizing that password. Should that password be stored in clear text, device takeover can become an even easier task. Updating the compromised password across all deployed devices is challenging and often impossible due to it being embedded within code.

Shared keys are a stronger method than text-based passwords. However, they are not associated to a specific root of trust nor can they be updated. This does not allow for absolute differentiation between devices in the IoT ecosystem. If multiple devices authenticate with the same key pair, any subsequent identifying information cannot be validated with high assurance.

Ensuring that specific instructions only reach a particular device, or validating that that specific data came from a particular device, are both out of reach unless each device carries its own unique and strong credentials.

With perpetual patient monitoring over open networks across numerous facilities becoming standard practice, medical device security has never been more important. This means every device must be accounted for, maintained, and monitored for safety.

To learn more about core tenets of a successful IoMT security strategy read our Five Guiding Principles for Optimizing IoT Security or contact us today:

LET'S TALK