The emergence of medical IoT and widespread use of wireless technology throughout healthcare has changed the cybersecurity landscape.
Martin Nappi, Green Hills Software
Smart mobile devices have become a significant part of the healthcare infrastructure, and their widespread use has led to rapid growth in the development of medical software applications. Smartphones, tablets and laptops provide caregivers with direct access to all types of medical systems and data, improving their efficiency and helping them care for more patients.
For medical staff, mobile devices make collaborating and exchanging patient data more efficient and allow clinicians to engage patients through secure text messaging, patient portals and telemedicine. These technology-enabled forms of patient engagement boost patient satisfaction, loyalty and health outcomes.
Some hospitals employ a Bring-Your-Own-Device (BYOD) policy, allowing doctors, nurses and other staff members to use personal mobile devices to access and engage with systems that store patient health information. Some healthcare systems enable providers to monitor and control life-critical medical devices from these devices, too.
Expect vulnerabilities
Smartphones, tablets, and laptops generally run versions of Microsoft Windows, Apple iOS or Android operating systems, which only protect against inadvertent or casual attempts to breach a device’s security.
These operating systems consist of millions of lines of program code and are frequently proven to contain numerous vulnerabilities. Some are caused by software coding errors that may allow a cyber-criminal to install malware, seize operation of the device or use it as a portal to gain access to other resources on its network. Hundreds of these vulnerabilities are listed in the National Institute of Standards and Technology’s (NIST) National Vulnerability Database.
Historically, product security in the medtech industry was much less of a concern because most medical devices were not connected to networks or linked wirelessly to computers, smartphones, and tablets. But with the emergence of the Medical IoT and widespread use of wireless technology throughout healthcare, everything has changed.
Hospital-based efforts
Some of the hospitals that have created mobile apps have gone to great lengths to institute extensive cybersecurity for their BYOD programs, allowing doctors, nurses and other caregivers to use personal mobile devices to access internal systems and manage patients. They have employed a comprehensive defense-in-depth security strategy to prevent unauthorized access to their networks or patient information. These measures may include:
- User authentication.
- Role-based access control.
- Encrypted communication.
- Virtual private networks.
- Over-the-air updates and installations.
Unfortunately, a sophisticated hacker could still penetrate a healthcare worker’s phone and create an exploit that breaches the hospital system when the worker logs in.
Stop that hacker
As the market changes and security becomes critical, connected mobile devices will become more widespread than today. If we really want to stop that sophisticated hacker, we have to take several different approaches, some of which may not be practical in the short term.
1. Introduce new smartphones, tablets and laptops with a different software architecture, designed from the outset to completely isolate patient and life-critical data from all other data and then only allow secure and encrypted connections with similarly architected computing systems and networks. These devices do exist and have been deployed for the U.S. armed forces, U.S. intelligence agencies, and law enforcement.
2. Ensure that all new patient life-critical devices such as insulin pumps and pacemakers are designed from the inside out with an industry-proven separation kernel architecture that securely isolates the safety-critical software components from the connectivity, user interface and general computing components on the device. All information flows are validated, and digital encryption keys are tied to the hardware root of trust to protect software and communications. For decades, separation kernel-based products, extensively certified for both safety and security, have been controlling the flight and guidance systems in airliners and jet fighters, as well as industrial and automotive systems.
3. Where insecure networked equipment, such as PACS systems, medical robotics or hospital pharmacy computing, exists and is not due for short-term replacement, a “black box” can be inserted at the equipment connection. This box internally uses the separation kernel with network isolation and control software to protect against malicious attacks.
4. Importantly, if none of the above are implemented, devices that could kill a patient if accessed by a hacker should be disconnected from the network until they are secured.
When our healthcare system implements this proven approach to safety and security in its mobile devices and equipment, we will see a far more robust and protected computing environment.
Martin Nappi is vice president of business development for the medical industry at Green Hills Software. He is a 30-year veteran of the embedded systems industry and is responsible for providing safe and secure software technology for medical devices and systems.
The opinions expressed in this blog post are the author’s only and do not necessarily reflect those of Medical Design and Outsourcing or its employees.