Securing medical IoT devices: the MEDICYNE solution

In 2019, Insight SiP and its partner CYSEC, leading Swiss cybersecurity specialists, received an R&D grant from the Eurostars programme for their MEDIcal CYbersecure NEtwork project (“MEDICYNE”) proposal to develop an end-to-end secure communications solution for medical IoT devices. Our project was timely as the use of IoT-based connected devices in the healthcare sector has risen significantly. The arrival of Covid-19, pressure on healthcare budgets and increased demand for remote access healthcare solutions have injected a further sense of urgency into our project.

This article will give you an overview of the medical IoT devices market, major security issues, case studies of hacked medical IoT devices and medical data, the cybersecurity issues affecting medical IoT device-based ICT systems today and some potential solutions.

Medical IoT devices

Medical IoT devices are smart healthcare devices connected via sensors and network communications to IOT-based IT systems which link healthcare providers such as hospitals, laboratories and doctors’ surgeries with their patients. Medical IoT devices include those that monitor vital signs, imaging systems, implantable cardiac devices, infusion pumps, patient monitors, ventilators, anaesthesia machines, medication management and respiratory devices.

Rapidly growing market

The global IoT healthcare market is showing explosive growth. Analysts TrendsMarketResearch valued the market at US$ 38 bn in 2017 and estimates that it will reach US$ 270 bn by 2026, at a CAGR of 27.78% during the forecast period. Similarly bullish are analysts MarketandMarkets. They project growth from US$ 20.59 bn in 2018 to US$ 63.43 bn by 2023 at a CAGR of 25.2%.  TrendsMarketRearch states that insufficient “data privacy and security” are major factors which could inhibit growth in this market.

Hacking devices today

The medical IoT devices perceived to be particularly vulnerable to hacking include:

• Imaging systems like CT scanners and MRI’s, considered to be the easiest of targets.
• Infusion pumps which deliver fluids into a patient’s body in a controlled manner. The USA’s Food and Drug Administration (“FDA”) has logged 56,000 reports of negative incidents since 2005. (source: FDA)
• Pacemakers using wireless communications are extremely vulnerable to hacking, which can be life-threatening. The FDA reported security issues with 465,000 pacemakers which use radio frequency communications. (source: FDA)
• Patient monitors check heartbeat, oxygen and blood pressure levels. McAfee’s security researchers have shown that it is possible to hack into a medical network through a patient monitor and falsify a patient’s vital signs. (source: FierceHealthCare)

Types of attacks

• Malware and ransomware are often used by criminals to shut down individual devices. For example, a surgeon at the University of California took his team through an alarming simulation of what might happen to a stroke victim whose critical surgery including a CT scan is interrupted halfway through by a ransomware demand. In 2017, Wannacry’s ransomware attack disabled one-third of UK hospitals. (source: org)
• Data breaches give criminals access to health records.

Types of security issues

User practice issues comprise 41% of all medical IoT device security issues including rogue applications and risky browser usage. Outdated operating systems and software are also major security hazards, representing 33% of security issues. (source: TechRepublic)

Famous hacks

• Insulin pump - At a Black Hat security conference, Jay Radcliffe, a cybersecurity specialist with diabetes, showed how easy it was to hack into his own insulin pump and potentially administer himself fatal doses of insulin. (source: Venturebeat)
• Pacemakers - Thanks to poor authentication protocols and a lack of integrity checks, cybersecurity researchers accessed a pacemaker manufacturer’s software delivery network which healthcare professionals use to tune implanted pacemakers. They were able to take control of the programming and consequently the implanted pacemakers. (source: Wired) In this case, the issues could be solved with a relatively simple “digital code signing”.
• Medical data - There have been numerous medical data thefts reported where hackers target hospital and health records. For example, in November 2018, 29 data breaches were reported in US hospitals exposing the data of 570,000 patients. This is possibly a small percentage of actual incidents as many go unreported. (source: ModernHealthCare)

Medical IoT device-based ICT systems - security today

Today, the security of IoT medical IoT devices is managed in multiple ways, offering different standards of security. Particularly vulnerable are the IoT sensors, which constitute the Edge. They are devices which typically do not store any data but are entry points into wider wireless  and wired networks which carry data to and from the Backend of ICT systems. Wi-Fi which links sensors to smartphones, to gateways and carries data wirelessly between gateways and smartphones is highly vulnerable to cyberattacks.

Medical IoT device security – THE MEDICYNE SOLUTION

Our MEDICYNE solution aims to provide a secure element and cryptographic processing capability in IoT devices connected to a secure database compliant with the European Union and the USA’s FDA regulations on cybersecurity for medical data. It also provides the ability for the appropriate authorities to monitor cryptographic operations and encryption.

MEDICYNE’s innovative solution will provide secure communication for IoT data transfer and data storage between the IoT sensors on the Edge and Backend systems in a way which is highly scalable and finally becomes cost-effective for healthcare providers.

The main features of our MEDICYNE project solution will include:

• A security process independent of data transmission method, be that wires, wireless, Bluetooth, Wi-Fi, cellular or other.
• A secure element embedded inside the miniature radio module in the IoT device.
• High level controls for crypto keys and data.

Combining strengths

Insight SiP and CYSEC bring complementary skills together to achieve the objectives of the MEDICYNE R&D project. Insight SiP brings its expertise in RF System-in-Package to create an ultra-miniature wireless solution for medical IoT sensors. It will develop a complete RF system and integrate strong computing capacity, large memory and an independent, high-performance Secure Element.

CYSEC’s cybersecurity knowledge will enable it to customise ARCA, its versatile security solution to store sensitive data and run critical software in a trusted environment adapted to the specific and highly demanding standards required by the professional healthcare ecosystem. Its state-of-the-art certified security ARCA data server for IoT-based systems will securely host sensitive applications. ARCA software will securely manage various processes that underpin data security including device authentication (PKI), key management (KMS), firmware signatures (FOTA) as well as software integrity and data encryption.

MEDICYNE R&D results – a blueprint for the future

We will complete our MEDICYNE R&D project in August 2021. At that point, we will offer a blueprint to the healthcare IoT ecosystem for creating a secure end-to-end communications solution for medical IoT devices to help safeguard the data and futures of healthcare providers and their patients.

 

Michel Beghin