Enabled by smart devices equipped with cloud‑connected wearable sensors, AI‑powered data analytics, and smart devices, connected healthcare has the potential to increase patient autonomy, assist doctors in delivering better care, and reduce the pressure on the healthcare system. But for connected healthcare to live up to its potential, healthcare cybersecurity has first to be seen as a key public health concern requiring utmost attention. In response, government agencies and regulatory authorities are increasingly stepping up cybersecurity requirements on medical devices.
Connected healthcare is rife with potential attack‑surfaces for hackers to exploit. They lie not only inside the patient wearables that measure anything from heart rate, body temperature, and blood pressure to your blood oxygen, stress, and blood glucose levels but also in medical devices used in the hospital. And they extend into cloud, where much of the collected data is stored and analyzed.
It’s no surprise, therefore, that medical data has become a gold mine for hackers – and an expensive one at that. Aside from disrupting patient care, the hackers can use the data they gather to commit identity theft, set up ransomware attacks, steal R&D data, disrupt supply chains, and manipulate stock prices. According to a study by the Ponemon Institute, the per capita cost of data breaches in the healthcare industry greatly exceeds that in other industries. There’s also the potential physical harm that can be done by hacking into connected health‑critical devices, such as cardiac pacemakers or connected medication dispensers. And let’s not forget that when people’s personal data is exposed, security breaches lead to breaches in privacy.
From the device all the way to the cloud
On paper, at least, we’ve solved this problem to the point that we are comfortable entrusting our financial data to e‑banking software. Approaches such as public key cryptography robustly keep hackers from being able to interpret any intercepted data. Similarly, public key certificates can be used to ensure that the software running on devices has not been tampered with.
But cracks in the armor of IoT security appear in applications that, unlike online banking, cannot be fully controlled by a single manufacturer. Connected healthcare devices often fall into this category.
So how can security be addressed in applications that comprise hardware and software elements from multiple suppliers? At u‑blox, we’ve long argued that it is all about establishing a secure starting point – what we call the secure root of trust. Once established, it can form the basis for a chain of trust from the device all the way through to the end of the application.
Five pillars of IoT security
At u‑blox, we’ve developed five‑pronged approach to IoT security called the Five Pillars of Security, which we apply across our technological portfolio of wireless modules. It starts by ensuring that only authenticated firmware can run on our modules, in what we call Secure Boot. Secure firmware updates (FOTA) then ensure that only authenticated and validated updates can be applied to the hardware.
The third pillar of security is applied at the level of physical interfaces and APIs, where only authorized users are given unique access to configure u‑blox modules in the medical devices. Transport layer security ensures that communications to the server are encrypted, averting man‑in‑the‑middle attacks. And the final, fifth pillar of security provides robustness against software attacks and detects potential attacks on air interfaces.
A concerted effort
To this day, too many players in the connected health space only consider securing their applications against malicious attacks as an afterthough. It’s understandable that more resources are devoted to developing the main feature of their applications. At the same time, it’s important to recognize that subpar security ultimately undermines efforts to shore up public acceptance and support for connected healthcare, as each new data breach erodes hard‑earned trust in the Internet of Things and its applications.
Developing secure solutions for connected health requires a concerted effort on the part of everyone involved in the IoT chain. With both the benefits of connected healthcare on patients and the growth of the connected health sector at stake, we at u‑blox are heavily invested in ensuring that security is front and center the development of our new devices.
Our Five Pillars of Security are one element in this quest. Another includes working closely with our customers to make sure that they are asking the right questions, using the right tools, and taking the right measures to cover vulnerable attack surfaces. And when new vulnerabilities emerge, as they inevitably will, we are committed to providing security patches that keep our wireless modules safe.
Provided that the future connected healthcare system has strong defenses, we all stand to benefit from it. All of us, that is, except for the hackers.
 Report on improving cybersecurity in the health care industry, Health care industry cybersecurity task force, May 2017