How to overcome roadblocks facing the security of embedded medical devices

Jun 30, 2015 | 4 mins
Analytics, Cloud Security, Encryption

There are a variety of concerns regarding the protection of patient data collected on wearable devices. To secure the information, a number of roadblocks must be identified and overcome.

In order for the healthcare system to evolve and take full advantage of information technology, we must find a way to secure our medical devices and the data they generate, while still allowing medical professionals to run the necessary computations. Right now, we do not have a system in place that is practical or financially viable at scale for securing medical devices, and innovation is essential.

The concerns for protecting data from wearable medical devices are diverse. Here are some of the roadblocks, including problems related to confidentiality, security vulnerabilities, scalability and cost, and how to deal with them.

Confidentiality and security of the cloud

When examining embedded medical devices within the framework of standard information security analysis approaches, experts generally analyze systems from the perspective of the confidentiality, integrity and availability (CIA) triad. Clearly, medical data should be secure and private, and patients only want their data to be seen by their medical professionals or people they grant access to the information. However, because the data needs to be stored in the cloud, the sensitive information could be viewed by individuals who were not granted access.

The cybersecurity community is looking for ways to limit the amount of data that remains decrypted within cloud storage. The pressing goal is to minimize or eliminate any human interactions that could slow data sharing, processing or access delegation or lead to social engineering vulnerabilities. It should be the goal of cybersecurity professionals to lessen the number of humans or machines that have data access or the ability to decrypt data.

Cost and flexibility

Currently, there is no end-to-end encryption or architecture that will allow data to remain encrypted in the cloud and decrypted in the hands of medical professionals and patients. At the same time, manipulation of data in cloud storage has required the data to be encrypted, and medical data processing can only be accomplished in trusted computing environments. These environments are expensive to construct and maintain, and they require the management of highly trusted individuals.

Similarly, because encryption is used to protect data when transmitted point-to-point, data is encrypted only when the intended recipient of the data has been pre-approved. Security and effectiveness trade-offs have prevented the widespread use of low-cost cloud computing environments because of trust issues and the high costs of these types of security environments. Traditionally, large engineering efforts have been needed to validate the security of wearable medical devices. These roadblocks raise costs and reduce flexibility, making security impractical.

Lag time and geographical distribution

Another area of concern with the future of wearable medical devices is the lag time currently created during the collection of data. The medical devices, data processing sites and intended caregivers are often geographically distributed, causing operational problems because each device, site and caregiver operates on different time scales. Data is collected for days or months before analysis and usage, and the data is currently not reaching medical professionals in time to make potentially life-changing decisions. When the data is encrypted, it does not allow for real-time computations to go into effect. The end-to-end delivery needs to present a workable end-to-end latency, and it’s essential to find a way to make encrypted technologies practical within the health care industry.

Data breaches

On top of the limited flexibility of manipulating healthcare data and keeping costs down in security environments, the data is still highly vulnerable to attacks and breaches. For example, in the past year, we have seen several data breaches that exposed patients’ medical records to hackers. Since 2009, “more than 38.7 million individuals have had their protected health information compromised in HIPAA privacy and security breaches, according to data from the Department of Health and Human Services,” as reported by Healthcare IT News. With the increase of wearable medical devices, cyberattacks and data breaches will only continue unless the industry innovates.

Clearly, there are many roadblocks facing medical wearable devices, and new architecture must allow for end-to-end encryption of data. Practical methods to address this problem are promising. Specifically, a technology called homomorphic encryption can help lead the healthcare industry into a realm of new possibilities with cybersecurity; more on that next time.


I research and lead the technical development of secure and high-performance distributed computing technologies as part of research programs funded by federal agencies such as DARPA and the AFRL. I lead proposal-writing efforts that support my R&D activities. My research interests include secure cloud computing, fully homomorphic encryption (FHE), practical encryption, high performance distributed computing, Big Data, graph data analytics and rare event modeling.

I am an associate professor of computer science at NJIT in Newark, NJ. I teach classes and oversee student research related to cyber-security.

The opinions expressed in this blog are those of Kurt Rohloff and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.