Public key infrastructure: An upcoming essential in medical device cybersecurity

March 17, 2023
By Steeve Huin

It is a well-known fact that healthcare is a lucrative target for cybercriminals. It is more susceptible to disruption because most healthcare devices were not connected to the internet until quite recently, so their developers have not made the same security investments that other industries were required to make. It is also a target because of the large amount of sensitive data that healthcare entities maintain for patient care and operations.

Since the beginning of the pandemic, Health Delivery Organizations (HDOs) have become even more profitable targets for cybercriminals. This is primarily because healthcare providers cannot, under any circumstances, allow their operations to be paralyzed. Many HDOs focus on modernizing their equipment but still rely on legacy medical devices whose patching and security models are outdated.

The FBI issued a report earlier in 2022 offering recommendations to address several cybersecurity vulnerabilities in active medical devices, specifically those stemming from outdated software and the lack of security features in legacy devices. In the worst-case scenario, exploitation of these vulnerabilities could impact healthcare facility operations, patient safety, data confidentiality and data integrity.

The medical field is under pressure
In the case of ransomware attacks, for example, the payment of a considerable amount is almost inevitable. It is worth noting that an individual's personally identifiable information (social security, driver's license, medical records, etc.) is valued up to ten times higher on the dark web than a single piece of information obtained through a common data breach.

These cyberattacks against medical institutions are more devastating than we think. For example, in 2020, a significant incident occurred in Germany where an unidentified woman was turned away from Düsseldorf University Hospital because a ransomware attack hampered its operating ability. The woman was rushed to a hospital about 20 miles away, resulting in a one-hour treatment delay with fatal consequences.

Similarly, in 2019, insulin pumps from a leading Medical Device Manufacturer (MDM) were urgently recalled. They contained a cybersecurity vulnerability that, if exploited, could have granted unauthorized access to control the pumps. Threat actors could also have used this vulnerability as a springboard to penetrate deeper into an HDO's communications network.

In another instance, in 2021, a cyberattack on Ireland's health system paralyzed its health services for a week, cutting off access to patient records, delaying Covid-19 testing and forcing cancellations of medical appointments.

Many of the vulnerabilities currently present in connected medical devices come from the lack of cybersecurity protection, device integrity and encrypted transfer of information. The issue is neither ignorance of the cyber threat nor an unwillingness to address it, but rather the fact that device makers have relied on physical and security-through-obscurity risk controls in lieu of investing in stronger security technologies. New technologies have been adopted rapidly for their life-saving functions, but an adequate assessment of their cyber-related risks is needed.

One of the most effective ways to build a strong cybersecurity foundation into medical devices is to incorporate an encryption protocol that verifies the trustworthiness of, and can authenticate, the communication between devices and host systems. In cryptography, this is referred to as a Public Key Infrastructure (PKI), a trusted and widely used practice.

Why a PKI is essential for medical devices
A PKI refers to a set of cybersecurity tools that facilitate the secure electronic transfer of information over a given network. Fundamentally, a PKI manages digital certificates and public keys for authentication and encryption. Traditional authentication methods (such as passwords) may be effective in the short term but create longer-term administration challenges. A PKI ensures an effective and trustworthy authorization protocol that is scalable for long-term protection.

PKI ensures every device has a cryptographic certificate that it can use to prove its identity to other devices and generate secure encryption keys for inter-device communication. This way, if a threat actor were to infiltrate the network, they would be unable to decipher the communications, and legitimate devices would refuse to communicate directly with the unauthorized intruder.

In the ideal scenario, MDMs should choose to have PKI as a cloud solution managed by a trusted third party. The advantages of outsourcing are that deployment is managed and centralized, taking care of any additional roll-out costs or future patching requirements. A cloud solution also offers flexibility in terms of updates and scalability to match all IT needs. As a well-established solution, PKI dispels much of the fear around incompatibility and control.

Medical device cybersecurity should be a global concern
High-speed internet connectivity has enabled new forms of automation in remote monitoring and care, bringing invaluable benefits to patients and creating an environment where all medical devices connect and communicate via a wired or wireless network. Some key examples include diagnostic machines, infusion pumps, smart pens and even implanted devices. Collecting more sensitive information than before, these medical devices often lack the appropriate cybersecurity protocols that protect their data transfer, storage, and accessibility.

Security incidents threaten patients' safety worldwide, causing diagnostic or therapeutic errors, compromising the safe performance of a device, affecting clinical outcomes or denying a patient access to critical care. Convergence of global efforts for medical device cybersecurity is vital and is in progress through the harmonization of medical device regulations in the US and EU. The harmonization will ensure patient safety while encouraging innovation to better protect medical devices for the foreseeable future.

Medical device cybersecurity needs to be at the forefront of device design and considered throughout the product lifecycle. For new medical devices to be accepted, MDMs need to ensure that devices meet the new premarket cybersecurity requirements. These include embedding security features directly into the product (digital certificates into the silicon for example), applying risk management strategies, conducting threat modeling and penetration security tests, as well as providing helpful information for users to operate the device safely. MDMs should also consider the intended use environment and foreseeable misuse scenarios for each of the pre-market elements.

Other key aspects of premarket cybersecurity requirements include the Software Bill of Materials (SBOM) and ongoing vulnerability management. An SBOM is a formal record containing the details and supply chain relationships of various components used in building software, enhancing the understanding of the supply chain through the product life cycle. Maintaining SBOMs has critical importance for software inventory, license tracking and vulnerability management, bringing transparency to the software components and connections within and across supply chains. With a proper SBOM in place, weak links – both known and newly emerged – can be discovered and addressed.
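How an SBOM supports that discovery, as an added example that is not from the article: the code matches a CycloneDX-style SBOM against an advisory feed and reports the dependency chain that pulls each affected component into the product. The firmware, component names, advisory IDs and the `fixed_in` field are constructed placeholders, and versions are assumed to be dotted numbers.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM for a hypothetical infusion-pump firmware.
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "fw", "name": "pump-firmware", "version": "4.2.0"}},
  "components": [
    {"bom-ref": "a", "name": "telemetry-agent", "version": "1.8.1"},
    {"bom-ref": "b", "name": "tls-lib", "version": "3.0.7"},
    {"bom-ref": "c", "name": "json-parser", "version": "2.4.0"}],
  "dependencies": [
    {"ref": "fw", "dependsOn": ["a", "c"]},
    {"ref": "a", "dependsOn": ["b"]}]
}""")

# Constructed advisory feed; the IDs are placeholders, not real identifiers.
ADVISORIES = [{"id": "EXAMPLE-ADV-001", "name": "tls-lib", "fixed_in": "3.0.9"},
              {"id": "EXAMPLE-ADV-002", "name": "json-parser", "fixed_in": "2.3.5"}]

def vkey(version):  # '3.0.7' -> (3, 0, 7) so versions compare numerically
    return tuple(int(p) for p in version.split("."))

def path_from_root(sbom, target):
    """Breadth-first search of the dependency graph: shortest chain root -> target."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # listed in the SBOM but not reachable from the product

def affected(sbom, advisories):
    """Return (advisory id, 'name@version', dependency chain) per vulnerable component."""
    product = sbom["metadata"]["component"]
    names = {c["bom-ref"]: c["name"] for c in [product, *sbom["components"]]}
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["name"] == comp["name"] and vkey(comp["version"]) < vkey(adv["fixed_in"]):
                chain = path_from_root(sbom, comp["bom-ref"]) or [comp["bom-ref"]]
                hits.append((adv["id"], f'{comp["name"]}@{comp["version"]}',
                             [names[r] for r in chain]))
    return hits
```

Re-running `affected` on the stored SBOM whenever the advisory feed changes is what surfaces newly emerged weak links in devices already in the field.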

The medical device industry, rapidly adopting new security standards and protocols, is moving to where secure-by-design becomes a core process, creating a solid defense against threat actors and tampering. When medical devices are maintained and secured with state-of-the-art practices, everyone chips in to protect the patients' lives.

About the author: Steeve Huin is the chief operating officer of Connect Health at Irdeto.