Protect your health with IoT security

July 13, 2016

Posted by: George Malim

David Kleidermacher, BlackBerry

The market for the Internet of Things (IoT) in healthcare is predicted to hit $117 billion by 2020. While there are numerous benefits of embracing the adoption of IoT in healthcare, such as improved efficiencies, cost savings and enhanced patient experience, it can also bring issues of security to the forefront, writes David Kleidermacher, the chief security officer at BlackBerry.

According to Motherboard, ransomware is coming to medical devices, opening a door for attackers to steal or delete data and putting lives at risk. It is also considered the single biggest cyber security threat for 2016. In contrast to personal computers, current digital security measures do not extend to biomedical devices. Instead, the onus is on the device and software manufacturers to implement the appropriate security protocols.

Unsecured medical devices are still quite common in today’s hospitals, especially as the technology is still in its relative infancy. Unsecured, connected medical devices threaten not only our health, but our very lives. For example, a hacked insulin pump could suddenly deposit an entire vial of insulin into a diabetic patient’s bloodstream. Attackers can also disable home and business thermostats or furnaces during the winter months, bursting pipes and causing severe structural damage.

To combat these security issues, a diverse group of healthcare professionals has combined its expert knowledge to work on a new connected healthcare cybersecurity standard. This new standard focuses on embedding security throughout medical systems, starting at the beginning of the development lifecycle.

Launched in May 2016, and led by the BlackBerry CHACE team, DTSec is a new cybersecurity standard for medical devices, with security and assurance requirements built in. Contributors to the development included physicians, nurses, medical device manufacturers, university researchers, industry cybersecurity/technology firms, ethical hackers, security assessment labs, and government regulators including FDA/CDRH, Health Canada, NIH, DHS and others. A crucial goal of DTSec is to ensure assessments can be performed efficiently, at the speed of consumer electronics, and without adding undue financial burden to product vendors.

DTSec builds on other international standards, including ISO 15408 and IEC 62304, to offer a methodology for specifying the security requirements of any product type, called a protection profile, together with a process for evaluating whether a specific product faithfully meets those requirements. At a basic level, the standard targets networked, life-critical devices such as insulin pump controllers. It can, however, be applied to a far broader range of medical products and components, providing a foundation for effective cybersecurity standards across other connected devices and the broader IoT.

Developers within the Internet of Medical Things must embed strong security within their devices, physicians must demand it, and regulators must enforce it. Otherwise, all of these initiatives surrounding connected medical devices are potentially doomed to failure. Consumers must also be aware that they aren’t just connecting more of their appliances to the Internet: they’re connecting their own bodies as well, and as a result they themselves can be targeted by cyberattacks. With the support of industry standards such as DTSec, we can gain the confidence we need and deserve in the ability of connected medical systems to protect our private information and our health against modern security risks.