With increasing cyber-attacks and lives (literally) at stake, the medical device community is taking a serious look at how manufacturers can embed security best practices into their processes and devices. In fact, the medical device makers we talk to recognize the need for a security-first approach. Security doesn’t happen by mistake, but rather by design. That design ensures data protection, flexibility to support product longevity and unique device identification. Cryptographic considerations have become critically important in medical devices to guard data streams that travel to and from connected medical devices.
Like the general IoT market, the Internet of Medical Things (IoMT) market is growing at an exponential rate. Market research company Frost & Sullivan estimates that next year the number of IoMT devices will top 30 billion. Digitization is driving IoMT adoption and evolving how devices are used in patient care and accessed by medical practitioners; data is no longer a one-way stream. For example, today’s insulin pumps can be remotely accessed, allowing doctors to monitor and adjust insulin doses based on continuous data readouts.
Patient care and safety are a priority, especially when it comes to devices that are implanted within a patient’s body. Medical devices require regular software and firmware updates to ensure the integrity of the data and the device itself. On the development side, lifecycle management that tracks cryptographic code updates is critical to ensure a device isn’t susceptible to future security threats. Manufacturers must have the ability to securely manage ongoing updates without removing a device from a patient’s body. Think of a pacemaker: protecting that device from illegitimate updates and security compromises, all while ensuring uninterrupted functionality, is life-critical.
Regardless of how far medical device manufacturers have advanced security processes, three key considerations can ensure process efficacy:
- Start with identity management. Conduct an audit to ensure there is a record of connected machine and human identities. Understand any credentials assigned to these identities, where those credentials live within the organization and how strong or weak those credentials are.
- Build a plan to address the weakest credentials – and quickly. We often find that many organizations have large numbers of insecure certificates, or digital identities.
- Establish an in-depth plan that addresses ongoing identity management in a meaningful way. This plan should map today’s security risks, consider threats that may emerge, and identify how the company plans to manage security events without disrupting the business.
Digitization has arrived and brought broader cyber risk surfaces along with it. The number of digital identities associated with humans and connected devices will only continue to rise, and at the end of the day, managing and guarding those digital identities is paramount to ensuring security.