Solving the 7 security concerns of wireless medical devices

An IoT Times article by Emmanuel Sambuis

Wireless portable medical devices such as Bluetooth-enabled blood glucose meters and insulin pumps have already become trusted household items and everyday life companions for their users and have gained an irreplaceable role in the global healthcare system. Bluetooth medical devices track users’ physiological conditions continuously and accurately, providing health data to their smartphone app. Doctors and clinicians can access the data via remote outpatient care applications. Wireless applications enable continuous patient monitoring post-acute and in rehabilitation in a convenient and non-invasive manner. Patients can enjoy everyday life at home, while their doctor can conduct medical diagnosis, observation, and consultation efficiently and safely from a distance, effectively protecting against the viral spread of diseases.

The global wireless portable medical device market is expected to continue its substantial growth, adding another $17 billion in revenues by 2025 as governments worldwide seek to increase efficiencies via digitalization and remote outpatient care. However, security concerns are looming over the booming device market and healthcare digitalization frenzy. Product developers must take into consideration critical security concerns to succeed in the wireless medical device market and safeguard the digital healthcare transformation.

Medical Device Security Challenge

Historically, medical devices have been immune to security threats because they lacked wireless connectivity. Users and doctors could trust these unconnected devices, and security wasn’t an issue for device makers until recently.

However, as wireless medical devices grow in popularity, vulnerabilities have surfaced in the medical space. In 2020, the US Food and Drug Administration (FDA) issued a warning about the SweynTooth vulnerability; potential exploits could have introduced risks for wireless Bluetooth Low Energy (BLE) enabled medical devices – crashing and stopping them from functioning, opening access for unauthorized commands, and exposing private information. The industry reacted quickly and neutralized SweynTooth, luckily before any harm was done.

Given the increasing number of exposed vulnerabilities, the healthcare industry and device makers must make wireless security the number one development priority. Here is a rundown of the seven top security considerations device makers, manufacturers, and healthcare tech professionals should consider when developing or evaluating wireless medical devices.

1. Malicious software

Malicious code insertion is undoubtedly the most common security threat in wireless medical devices. A hacker inserts malicious code so that the device executes the wrong software instead of the authentic code developed for the product. Malicious code insertion can be eliminated by authenticating software before its execution on the device. When it detects malicious code, the device should be programmed to trigger a countermeasure, such as deactivating the infected product.

2. Chipset cloning

Bluetooth medical devices are typically used remotely by non-tech-savvy users in unprotected environments. This makes it easy for hackers to use cloned chipsets and fake smartphone applications to interfere in the authentication process, accessing devices and private data. The solution to cloning lies in using chipsets hardcoded with a unique ID, which identifies the device each time it joins the network, and enables de-commissioning old products to avoid cloning.
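The join-time check described above can be sketched as a challenge-response exchange. This is an added example, not code from the article or from any vendor; it assumes the chip holds a per-device secret bound to its unique ID, and the names `Chip`, `Backend`, `device_key` and `MASTER_KEY` are hypothetical.

```python
import hashlib
import hmac
import secrets

MASTER_KEY = bytes(range(32, 64))  # constructed value; held only by the backend


def device_key(device_id):
    """Per-device secret bound to the chip's unique ID (assumed provisioned at manufacture)."""
    return hmac.new(MASTER_KEY, b"dev-auth" + device_id, hashlib.sha256).digest()


class Chip:
    """Device side: the unique ID is public, the key never leaves the chip."""

    def __init__(self, device_id, key):
        self.device_id, self._key = device_id, key

    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Backend:
    def __init__(self):
        self.decommissioned = set()  # unique IDs of retired products
        self.pending = {}            # device_id -> outstanding nonce

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def admit(self, device_id, response):
        nonce = self.pending.pop(device_id, None)  # single use, so a replay fails
        if nonce is None or device_id in self.decommissioned:
            return False
        expected = hmac.new(device_key(device_id), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)
```

A clone that copies only the ID fails the check because it cannot compute the response, and a retired ID is refused even when the response is correct.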

3. Open backdoors

Everyone familiar with programming knows that leaving the USB port unprotected can provide easy access to the internal computer architecture. The same applies to wireless medical devices. However, product developers can easily close open backdoors by using a debug port that can be locked and unlocked with an encrypted key. This prevents unauthorized access while allowing easy yet safe field diagnostics and updates.

4. Uncertified Chipsets

How can a product developer know whether a wireless chipset or microcontroller is secure enough for medical use? The safest option is to use security-certified silicon. DTSec Protection Profile and Security Evaluation for IoT Platforms (SESIP) published by GlobalPlatform.org define a standard for trustworthy assessment of the security of IoT platforms.

5. Differential Power Analysis attacks

Differential Power Analysis (DPA) is based on highly advanced power monitoring and mathematical signal analysis to regenerate the device’s security keys. A DPA attack requires physical access to the device, but if successful, it can compromise the entire product line or device fleet. Product developers can neutralize DPA threats in their designs by using chipsets equipped with a specific Differential Power Analysis countermeasure technology.

6. Sloppy key protection

Sloppy key protection is the Achilles heel for many medical device makers. Key protection is often the first thing hackers attack because a successful attack vector can be repeated to exploit the entire installed base. The Physically Unclonable Function (PUF) creates a random and unique secret key from individual device imperfections. The PUF key is always generated at startup and encrypts all keys in the secure key storage, and applications can handle the keys while they remain confidential.

7. Unprotected software maintenance

Many Bluetooth medical devices can have several months or even years of operational life before disposal. Several software updates might be needed during their lifetime, each event opening a potential opportunity for hacking. The security design of a medical product is not solely about hardening the hardware and software. Product developers must consider the entire lifecycle maintenance process – including how the installed device base is safely managed via over-the-air (OTA) updates, authenticating the update file, encrypting the whole process, and guaranteeing an unaltered firmware image via the secure boot.
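The checks from items 1 and 7 (authenticate software before execution, authenticate the update file, trigger a countermeasure) are sketched below as an added example, not code from the article or from any vendor. It uses an HMAC-SHA256 tag as a symmetric stand-in for the asymmetric signature a secure boot commonly verifies; the image layout, `KEY`, and the names `vendor_build_image`, `verify_image` and `Device` are hypothetical.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">I32s")  # firmware version, SHA-256(payload)
TAG_LEN = 32                     # HMAC-SHA256 tag computed over the header
KEY = bytes(range(32))           # constructed key; real devices use secure key storage


def vendor_build_image(payload, version, key=KEY):
    header = HEADER.pack(version, hashlib.sha256(payload).digest())
    return header + hmac.new(key, header, hashlib.sha256).digest() + payload


def verify_image(image, key=KEY):
    """Return the firmware version if the image is authentic, else raise ValueError."""
    if len(image) < HEADER.size + TAG_LEN:
        raise ValueError("truncated image")
    header, rest = image[:HEADER.size], image[HEADER.size:]
    tag, payload = rest[:TAG_LEN], rest[TAG_LEN:]
    # Authenticate the header in constant time before trusting any field in it.
    if not hmac.compare_digest(tag, hmac.new(key, header, hashlib.sha256).digest()):
        raise ValueError("header tag mismatch")
    version, digest = HEADER.unpack(header)
    if not hmac.compare_digest(digest, hashlib.sha256(payload).digest()):
        raise ValueError("payload digest mismatch")
    return version


class Device:
    def __init__(self, installed):
        self.installed, self.deactivated = installed, False

    def apply_update(self, image):
        """OTA path: drop a file that fails verification, keep the known-good image."""
        try:
            verify_image(image)
        except ValueError:
            return False
        self.installed = image
        return True

    def boot(self):
        """Boot path: re-verify flash; on failure deactivate instead of executing."""
        try:
            return verify_image(self.installed)
        except ValueError:
            self.deactivated = True
            return None
```

The two paths fail differently on purpose: a bad OTA file is rejected while the device keeps running its verified image, and only unauthenticated code already in flash triggers deactivation.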

Conclusion

The modern healthcare system will need vast amounts of smart wireless devices to treat the aging population efficiently via safe outpatient care channels. The Bluetooth medical device market is a massive revenue opportunity for manufacturers, device makers, and startups, and will require robust, uncompromised security to continue its growth.

