‘Almost every discussion of cyber security relates back to the confidentiality, integrity and availability (CIA) triad’
Biju Varghese, SVP, Enterprise Solutions, SAARC & APAC, e-Mudhra, sheds light on strategies to fortify enterprise security and on the role e-Mudhra can play in developing standards for security in medical devices and systems
Cyber security threats through medical devices have emerged as a real knotty problem. Can you enlighten us about the complexities of this menace?
As medical device technology continues to evolve, it is inevitable that more use will be made of commoditised hardware and software. Smartphones and handheld devices are increasingly used as the patient-to-device interface since they provide local processing power alongside an ability to connect to the Internet and transfer clinical data to hospitals, family doctors and researchers. These users wish to analyse and process data on clinical systems and databases, often spread across multiple geographies. The flip side to this is the increasing threat of device compromise, hacking and disruption. According to recent research, the three most common vulnerabilities in healthcare cybersecurity are user authentication deficiencies, endpoint leakage and excessive user permissions — which, combined, account for nearly 37 per cent of all critical risk scenarios. Identity spoofing continues to threaten enterprise security across all sectors, including healthcare.
What are the methods to evaluate major vulnerabilities in the use of any medical device?
The vulnerabilities specific to medical devices are not commonly detected by vulnerability scanners. The fact in clinical environments is that most teams don’t know the proper way to figure out the vulnerabilities in the devices. The primary usage for a vulnerability scanner is to find and track the assets and start performing the individual risk assessments on them—that is, independent research of known vulnerabilities, network segmentation, and appropriate alerting mechanisms for devices.
What are the strategies to defend medical devices from cyber threats, even as we leverage the transformational abilities of technologies such as IoT?
Almost every discussion of cyber security relates back to the confidentiality, integrity and availability (CIA) triad. Effective use of Public Key Infrastructure can ensure the confidentiality of data transmitted, the integrity of data and the authentication of devices. A full scope of testing and evaluations allows a manufacturer to confirm a product’s interoperability with other devices and platforms, helping ensure an ideal user experience while securing information and maintaining performance. Full-scale testing also ensures communication channels are secure, thus enforcing the confidentiality and integrity of data transferred between the device and IoT infrastructure. Testing the infrastructure, in turn, provides assurance that end users’ sensitive data is adequately protected against unauthorised disclosure, theft of service, or other concerns.
What are the ways and means to spread awareness among healthcare providers about the cyber security vulnerabilities and enable them to prevent them?
Best practices and industry-specific standards should be used to develop the security-minded processes driving the operation of a secure networking and computing infrastructure. A secure ecosystem should be monitored and maintained via regularly scheduled audits and the use of outside teams for tasks such as penetration testing, software evaluations, and hardware assessments. It is also critical to conduct regular security awareness training and ensure employees are regularly trained on security best practices.
How can medical devices be made fail-safe from a security point of view? What would it involve?
It requires a tie-up with medical equipment manufacturers and embedding secure elements like a ‘Trusted Platform Module’, which can perform cryptographic functions to ensure confidentiality, integrity and authentication.
How can e-Mudhra help in developing a safe environment for healthcare in the digital era?
e-Mudhra, being a thought leader, can work with the regulators and help develop standards for security in devices. This can also ensure interoperability across the devices.
You have a blockchain solution called emBlock. How can it usher in improved efficiencies in cyber security?
Most medical devices today collect, store and transmit patient-specific data. And like nearly every situation where data is centrally stored and transmitted to another central data store, there is a risk that the data may be hacked from the device or captured during transmission by those with less-than-honourable intentions. Blockchain provides an alternative whereby the data is cryptographically protected, immutable and private. This is not possible with traditional data storage and transmission processes. Through blockchain applications it is possible for machines to share their operating data with those responsible for maintaining them without violating compliance and privacy issues. Sensitive information, such as which patients have been treated with the device, types of procedures, and images or other information, can be shared with the maintainers but can be used for auditing, reporting and compliance. Blockchain can also keep service records that may be required depending on the device and its purpose. Blockchain can be leveraged to keep permanent records of the development, design, production and distribution of medical devices as well as all of the parts from suppliers. Once the information is submitted to a blockchain it cannot be changed, resulting in permanent traceability for every device.
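As an added illustration of the tamper evidence the answer above attributes to blockchain (example code written for this page, not e-Mudhra's emBlock or any product code): a hash-chained log of device service records in which every record commits to the hash of its predecessor, so a later alteration of any past entry fails verification. The device identifier, events and timestamps are constructed sample values, and the final case shows the caveat that the newest record's hash must itself be anchored or replicated elsewhere to be trustworthy.

```python
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # predecessor hash of the very first record


def record_hash(record):
    """SHA-256 over every field except the stored hash, in a canonical JSON encoding."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_record(chain, device_id, event, timestamp):
    """Append a service record whose prev_hash commits to the current tail of the chain."""
    record = {
        "index": len(chain),
        "timestamp": timestamp,
        "device_id": device_id,
        "event": event,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_HASH,
    }
    record["hash"] = record_hash(record)
    chain.append(record)
    return record


def verify_chain(chain):
    """Return (True, -1) if every link holds, else (False, index of the first bad record).
    Caveat: a re-hashed tail record is self-consistent, so the latest hash must be
    published or replicated out-of-band for the chain alone to prove anything."""
    expected_prev = GENESIS_HASH
    for i, record in enumerate(chain):
        if (record["index"] != i or record["prev_hash"] != expected_prev
                or record_hash(record) != record["hash"]):
            return False, i
        expected_prev = record["hash"]
    return True, -1


def build_sample_chain():
    """Constructed lifecycle records for one hypothetical device."""
    chain = []
    append_record(chain, "PUMP-0001", "manufactured, firmware 1.0", "2023-01-10T09:00:00Z")
    append_record(chain, "PUMP-0001", "shipped to hospital", "2023-02-01T14:30:00Z")
    append_record(chain, "PUMP-0001", "firmware updated to 1.1", "2023-06-15T11:05:00Z")
    return chain


def tamper_event(chain, index, new_event, rehash=False):
    """Copy the chain and alter one event; optionally recompute that record's own hash."""
    tampered = copy.deepcopy(chain)
    tampered[index]["event"] = new_event
    if rehash:
        tampered[index]["hash"] = record_hash(tampered[index])
    return tampered
```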