A security expert has proposed enforcing the use of “digital birth certificates” to protect medical devices and patient data.
The breadth and scope of cyberattacks have increased in recent years. It is now not only consumer PCs, enterprise networks, or government agencies which are the intended targets of individual attackers or state-sponsored groups; instead, mobile products, Internet of Things (IoT) devices, and medical devices are now also under scrutiny.
Patient data breaches which release the personally identifiable information (PII) of patients are the most common types of attacks which hit the headlines. As in the cases of the UK National Health Service (NHS) data breach which released the PII of HIV sufferers, a US government subcontractor which accidentally exposed the data of medical military personnel and health insurer Anthem’s data breach, such incidents cause outrage and can be serious for users.
However, when attackers compromise medical devices, this can also lead to denial-of-service (DoS) attacks, medication tampering, and vulnerable devices becoming the avenue for greater and more debilitating attacks on medical and enterprise networks.
Speaking to ZDNet, Jim DeLorenzo, solutions manager at Thales e-Security said that as a greater range of IP-enabled medical devices come online, “security will be a very big issue” — and internet connections lay at the heart of potential problems.
Once a device is plugged in and is given Wi-Fi capabilities — such as medical devices which allow patients to record their data or control a device through mobile applications — a path is paved for attackers should a device be vulnerable to exploit.
Today’s devices can be laden with security problems such as outdated firmware, hard-coded device credentials, and unaddressed security bugs and vulnerabilities, and the sheer volume of medical devices already on the market only adds to the problem.
One solution, DeLorenzo says, to enforce so-called “digital birth certificates” in modern medical devices. Digital birth certificates are signatures based on strong cryptographic protocols which create unique identification patterns for each medical device at the time of manufacture.
When unique prints are set in place before these devices are exposed to patients or rigged up in hospitals, they can leverage trusted public key infrastructures (PKIs) for legitimate software updates.
According to DeLorenzo, this can protect them against specific types of malicious behavior, such as the “introduction of unauthorised code or attempts to use the device’s trusted status in order to access enterprise networks.”
When a digital birth certificate is embedded in medical devices, they can also reject remote attacks which may introduce malware or alter device functions — such as changing which firmware updates are accepted, and from where.
Taking advantage of encryption is a key element of implementing digital birth certificates in medical devices. According to internal research conducted by Thales e-Security, a third of healthcare organizations now use IoT devices to store patient data. Therefore, encryption is increasingly important to protect and preserve the confidential nature of patient data — which can demand a high price when sold in the Dark Web.
When private healthcare information finds its way into underground forums, this kind of PII has high value as these records are often permanent and will not change — unlike other forms of PII, such as credit cards or physical addresses. This can lead to patient data being utilized for creating fraudulent lines of credit or for the purpose of identity theft.
“Many elements of an electronic patient record are permanent, so the stakes are much higher,” the executive says.
In June last year, a hacker offered over 10 million alleged US health records for sale on the Dark Web, demanding 750 Bitcoin — approximately $486,000 at the time — for the files, which included names, addresses, emails, phone numbers, dates of birth, and social security numbers.
The security of medical devices has not been explored as much as the “Wild West” of IoT device security, but as researchers switch their focus and some medical device bug reports go so far as prompting legal action, such as in the case of St. Jude cardiac devices, more emphasis is now being placed on protecting these kinds of products.
Thankfully for patients, the ball has at least begun to roll. Back in 2014, the Centre for Internet Security and Medical Device Innovation, Safety and Security Consortium issued medical device security guidance for manufacturers and users, IEC/TR 80001-2-2. In more recent times, the US Food and Drug Administration (FDA) have released recommendations for protecting devices against evolving security threats.
“As is the case with IoT devices, the level of built-in security in medical devices varies widely, and guidance and initiatives are sharpening the focus on device authentication and data protection,” DeLorenzo says.
Government agencies haven’t done much, but at least it’s a start. However, if security can be enforced and improved at the manufacturer level through digital birth certificates, the potential damage medical attacks can cause can be mitigated in the future.