
The Challenges of Securing and Protecting Medical Devices

Regardless of how far medical device manufacturers have advanced security processes, these three key considerations can ensure process efficacy.

With increasing cyber-attacks and lives (literally) at stake, the medical device community is taking a serious look at how manufacturers can embed security best practices into their processes and devices. In fact, the medical device makers we talk to recognize the need for a security-first approach. Security doesn’t happen by mistake, but rather by design. That design ensures data protection, flexibility to support product longevity and unique device identification. Cryptographic considerations have become critically important in medical devices to guard data streams that travel to and from connected medical devices.

Like the general IoT market, the Internet of Medical Things (IoMT) market is growing at an exponential rate. Market research company Frost & Sullivan estimates that next year the number of IoMT devices will top 30 billion. Digitization is driving IoMT adoption and evolving how devices are used in patient care and accessed by medical practitioners; data is no longer a one-way stream. For example, today’s insulin pumps can be remotely accessed, allowing doctors to monitor and adjust insulin doses based on continuous data readouts.

Patient care and safety is a priority, especially when it comes to devices that are implanted within a patient’s body. Medical devices require regular software and firmware updates to ensure the integrity of the data and the device itself. On the development side, lifecycle management that tracks cryptographic code updates is critical to ensure a device isn’t susceptible to future security threats. Manufacturers must have the ability to securely manage ongoing updates without removing a device from a patient’s body. Think of a pacemaker – protecting that device from illegitimate updates and security compromises, all while ensuring uninterrupted functionality, is life-critical.

Regardless of how far medical device manufacturers have advanced security processes, three key considerations can ensure process efficacy:

  1. Start with identity management. Conduct an audit to ensure there is a record of connected machine and human identities. Understand any credentials assigned to these identities, where those credentials live within the organization and how strong or weak those credentials are.
  2. Build a plan to address the weakest credentials – and quickly. We often find that many organizations have large numbers of insecure certificates, or digital identities.
  3. Establish an in-depth plan that addresses ongoing identity management in a meaningful way. This plan should map today’s security risks, consider threats that may emerge, and identify how the company plans to manage security events without disrupting the business.

Digitization has arrived and brought broader cyber risk surfaces along with it. The number of digital identities associated with humans and connected devices will only continue to rise, and at the end of the day, managing and guarding those digital identities is paramount to ensuring security.

Chris Hickman

Chris Hickman is the chief security officer at Keyfactor, a technical organization with deep security industry expertise. He leads client success initiatives and helps integrate the voice of the customer directly into Keyfactor’s platform and capability set.

Prior to joining Keyfactor, Hickman was the director of technical services at Alacris, a smartcard and certificate management company that was sold to Microsoft and is now part of the Microsoft Identity Manager product suite. He has worked on PKI projects for organizations and firms including NATO, both the United States and Canadian Departments of Defense, Fortune 100 banks and financial institutions, manufacturers, insurance companies, telecommunication providers and retailers.
