By Sashidhar Thothadri, Global Head of Sales, IoT Products, Thales Digital Identity & Security (DIS)
Digital espionage has surged during the COVID-19 pandemic. A fortnight ago, North Korea was accused of stealing information on coronavirus vaccines and treatments through a hack at Pfizer.
A huge rise in hacking comes as demand for digital technology and connected medical IoT devices surge in the healthcare industry to manage the ongoing pandemic. Often, the reason why hackers can penetrate the networks easily is because these devices are lacking critical security mechanisms to defend themselves against malicious actions.
There are three major threat vectors that harm IoT deployments:
- Devices are hijacked by malicious software;
- Data collected and processed in IoT ecosystems is tampered with and impacts the confidentiality, integrity and availability of the information; and,
- Weak user and device authentication.
The common denominator in these IoT attacks is the assumption that those simple devices do not require strong security measures. The truth, however, is far from that. Any IoT device connected to a network becomes a potential bridge between the internet and a malicious entity.
Design the health of IoT for a secure future
The market of IoMT (Internet of Medical Things) is expected to grow to US$534 billion by 2025 with a compound annual growth rate of close to 20% during the forecast period of 2020 to 2025 according to Grand View Research Inc. Most importantly, it provides a platform upon which all patients, regardless of location, have efficient and effective access to care.
Securing IoMT devices should be by design. Security-by-design principles should be leveraged to ensure security is “built-in” instead of a “bolt-on” approach. This lays the foundation for how resilient the devices would be in the continually evolving threat landscape.
IoMT devices cannot be effectively secured if they cannot be uniquely identified, with a high level of confidence. This requires each IoT healthcare device to have a digital identity, with the necessary level of assurances from a root-of-trust. The digital fingerprint of the device must be based on both hardware and software, with authenticity and authorization following zero-trust principles to the maximum extent.
Digital healthcare security needs intensive care
Let’s not forget hygiene practices for securing IoMT devices. This includes keeping software up-to-date, continuous monitoring and anomalous behavior detection. Good cybersecurity habits such as these will significantly reduce the risk that they pose. It should be noted that hygiene cannot overcome the genetic makeup, just ask a bald man who practices a good hair care regime religiously. Hygiene can, therefore, not compensate for the lack of security that is not built into the device.
Prevention is better than any cure and, for IoMT, this means encryption of data, through all its states – in motion, at rest, in-use – along with proper key management, can prevent misuse in the event of a data breach. Also, network segregation and leveraging zero-trust principles (i.e., ensuring that authorisation of devices and systems is not long-lived, context-based, and with minimal privileges) are foundational prevention techniques.
Security and health: a shared responsibility
Healthcare is heavily regulated, and for good measure. Similarly, cybersecurity is built on foundational principles, and many cybersecurity frameworks can be leveraged. Authorities have spelled out measures to ensure healthcare related equipment and software step in line with protocols to be more cybersecure. Singapore’s Cyber Security Agency of Singapore has also issued its latest masterplan that contains measures everyone, including organisations, can take towards securing our digital infrastructure.
It shouldn’t take breaches costing billions of dollars to get people to take the digital security of healthcare organisations seriously. We need our healthcare services to thrive. Such is also the case with IoMT, where security affects all devices, no matter the function, vendor or deployment model. Any device that captures health-related information should have supporting security practices proportional to its potential of causing harm.
