Secure IoT solutions for connected medical devices

Connected healthcare is rife with potential attack‑surfaces for hackers to exploit. They lie not only inside the patient wearables that measure anything from heart rate, body temperature, and blood pressure to your blood oxygen, stress, and blood glucose levels but also in medical devices used in the hospital. And they extend into cloud, where much of the collected data is stored and analysed.

It’s no surprise, therefore, that medical data has become a gold mine for hackers – and an expensive one at that. Aside from disrupting patient care, the hackers can use the data they gather to commit identity theft, set up ransomware attacks, steal R&D data, disrupt supply chains, and manipulate stock prices. According to a study by the Ponemon Institute, the per capita cost of data breaches in the healthcare industry greatly exceeds that in other industries. There’s also the potential physical harm that can be done by hacking into connected health‑critical devices, such as cardiac pacemakers or connected medication dispensers. And let’s not forget that when people’s personal data is exposed, security breaches lead to breaches in privacy.

From the device all the way to the cloud
On paper, at least, we’ve solved this problem to the point that we are comfortable entrusting our financial data to e‑banking software. Approaches such as public key cryptography robustly keep hackers from being able to interpret any intercepted data. Similarly, public key certificates can be used to ensure that the software running on devices has not been tampered with. 

But cracks in the armor of IoT security appear in applications that, unlike online banking, cannot be fully controlled by a single manufacturer. Connected healthcare devices often fall into this category.

So how can security be addressed in applications that comprise hardware and software elements from multiple suppliers? At u‑blox, it has long argued that it is all about establishing a secure starting point – what it calls the secure root of trust. Once established, it can form the basis for a chain of trust from the device all the way through to the end of the application.

Five pillars of IoT security
At u‑blox, it has developed five‑pronged approach to IoT security called the Five Pillars of Security, which we apply across our technological portfolio of wireless modules. It starts by ensuring that only authenticated firmware can run on our modules, in what we call Secure Boot. Secure firmware updates (FOTA) then ensure that only authenticated and validated updates can be applied to the hardware.

The third pillar of security is applied at the level of physical interfaces and APIs, where only authorised users are given access to configure u‑blox modules in the medical devices. Transport layer security ensures that communications to the server are encrypted, averting man‑in‑the‑middle attacks. And the final, fifth pillar of security provides robustness against software attacks and detects potential attacks on air interfaces.

A concerted effort
To this day, too many players in the connected health space only consider securing their applications against malicious attacks as an afterthough. It’s understandable that more resources are devoted to developing the main feature of their applications. At the same time, it’s important to recognise that subpar security ultimately undermines efforts to shore up public acceptance and support for connected healthcare, as each new data breach erodes hard‑earned trust in the Internet of Things and its applications.

Developing secure solutions for connected health requires a concerted effort on the part of everyone involved in the IoT chain. With both the benefits of connected healthcare on patients and the growth of the connected health sector at stake, at u‑blox they are heavily invested in ensuring that security is front and centre the development of new devices.

The Five Pillars of Security are one element in this quest. Another includes working closely with customers to make sure that they are asking the right questions, using the right tools, and taking the right measures to cover vulnerable attack surfaces. And when new vulnerabilities emerge, as they inevitably will, it is committed to providing security patches that keep the wireless modules safe.

Provided that the future connected healthcare system has strong defences, we all stand to benefit from it. All of us, that is, except for the hackers. 

Blog wirtten by Pelle Svensson, Market Development Manager, Product Center Short Range Radio, u‑blox.

Courtesy of u-blox.