Security Concerns in Healthcare IoT Devices (Part 3)

Alice Emma Walker
4 min read · Jan 30, 2018


To drive the need to secure IoT devices, stakeholders should be aware that security flaws exist. End users should also be aware of the consequences of those flaws. This knowledge leads to increased demand for secure products, which in turn motivates manufacturers to invest in securing their devices to meet consumer demand.

The United States Food and Drug Administration (FDA) has taken some steps to ensure the cybersecurity of healthcare devices. A few steps in the right direction are webinars to raise awareness and partnerships with cybersecurity specialists. The FDA has also issued a communique on mitigating risks when security vulnerabilities were exposed. There is some progress in securing healthcare IoT devices, albeit grossly inadequate. Regulatory authorities should implement compliance criteria for IoT devices in order to protect the consumer. Until such time, it is up to the consumer to find out which devices can be entrusted with their health.

There has been some improvement in the cybersecurity of the devices over the years. More systems are managed on cloud-based platforms, use multifactor authentication, have switched to secure modes of communication, and use encryption when transmitting and storing data. In addition to fixing the vulnerabilities common to all IoT devices, there are innovative solutions to address the issues specific to healthcare devices.

Some security features can be built into the system by the design itself. For example, pacemakers can be made to operate within fixed maximum and minimum rates. If the pacemaker can’t increase the heart rate above a certain value, it is impossible to create a life-threatening tachycardia even if the device is compromised. Likewise, infusion pumps can be designed to limit the amount of medicine that can be carried, i.e. to carry less than the lethal dose. If the pump were compromised, it would be impossible to deliver a lethal dose without physically interacting with the pump to refill it.

Another security feature is auditory or visual alerts when the device communicates with the programmer. This may not prevent unauthorized access, but alerting the patient as soon as the device is compromised will help to mitigate the risks.

Another is having to physically interact with the device, for example by pressing a button on the device, every time the device is reprogrammed. However, this sometimes defeats the very purpose of IoT devices.

Cloaker devices are an innovative solution. Cloaker devices are separate from the IoT device itself. The IoT device does not communicate with the programmer when the cloaker device is nearby. To reprogram the IoT device, the cloaker device has to be removed from the patient. IMD shield devices work similarly. They prevent the IoT from communicating with the programmer in the presence of the shield device.

Logging every action of the IoT device also helps to secure it. Logging does not avert the attack, but every interaction with the device will be logged, thereby making it easy to identify a compromised device. Logs should be inspected regularly to find unauthorized activities.
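The design-level safeguards described above (fixed rate limits, an alert on programmer contact, physical confirmation, and logging of every interaction) can be combined in a single command handler. The following C code is an added example, not code from this article or from any real device; the type and function names, the 40 and 150 bpm bounds, and the programmer ID are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed limits for illustration only; real bounds are set per device. */
#define RATE_MIN_BPM 40
#define RATE_MAX_BPM 150
#define LOG_CAPACITY 32

typedef enum { CMD_APPLIED, CMD_REJECTED_RANGE, CMD_REJECTED_NO_CONFIRM } cmd_result;

typedef struct { uint32_t programmer_id; uint16_t requested_bpm; cmd_result result; } audit_entry;

typedef struct {
    uint16_t rate_bpm;                  /* currently programmed rate */
    bool alert_active;                  /* audible/visual alert raised for the patient */
    audit_entry entries[LOG_CAPACITY];  /* ring buffer; oldest entries are overwritten */
    uint32_t log_count;                 /* total entries ever written */
} device;

/* Every request is recorded, including rejected ones, so log review can spot probing. */
static void audit(device *d, uint32_t prog, uint16_t bpm, cmd_result r) {
    d->entries[d->log_count % LOG_CAPACITY] = (audit_entry){ prog, bpm, r };
    d->log_count++;
}

/* Handle a "set rate" command; button_pressed models the physical confirmation. */
cmd_result set_rate(device *d, uint32_t prog, uint16_t bpm, bool button_pressed) {
    cmd_result r;
    d->alert_active = true;  /* alert on any programmer contact, before any decision */
    if (!button_pressed) r = CMD_REJECTED_NO_CONFIRM;
    else if (bpm < RATE_MIN_BPM || bpm > RATE_MAX_BPM) r = CMD_REJECTED_RANGE;
    else { d->rate_bpm = bpm; r = CMD_APPLIED; }  /* only in-range, confirmed requests */
    audit(d, prog, bpm, r);
    return r;
}

/* Count rejected requests in the retained log, a simple signal for regular review. */
uint32_t rejected_count(const device *d) {
    uint32_t n = d->log_count < LOG_CAPACITY ? d->log_count : LOG_CAPACITY, rej = 0;
    for (uint32_t i = 0; i < n; i++)
        if (d->entries[i].result != CMD_APPLIED) rej++;
    return rej;
}

int main(void) {
    device d = { .rate_bpm = 60 };
    set_rate(&d, 0xBEEF, 300, true);  /* out-of-range request from a constructed ID */
    return (d.rate_bpm == 60 && rejected_count(&d) == 1) ? 0 : 1;
}
```

The range check sits in the device itself, so it holds even when the sender has passed whatever authentication the link provides.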

The attempts to improve the cybersecurity should not distract from ensuring physical security. A malicious user does not need to remotely hack into a device when he can casually walk up to a hospital computer and use it. The supply chain should also be secure to prevent middlemen from tampering with the device before reaching the consumer.

To ensure that healthcare devices remain secure, it is necessary to keep abreast of developments in IoT in general while looking at creative solutions for healthcare IoT devices.

Thanks for reading. You can read Part 1 here and Part 2 here if you missed them.

About me: I’m Alice Emma Walker, a User Experience Designer in Canada/Hong Kong/Australia. When I’m not UXing, I’m playing rugby or travelling. Check out my other articles or connect with me on LinkedIn.
