(Originally published in NS Medical Devices on June 3, 2019)

We speak to John Grimm from Entrust on how hospitals can prepare for new vulnerabilities.

Despite the implementation of GDPR, healthcare organisations are still exposed to new vulnerabilities due to increased network connectivity, according to encryption hardware company Entrust.

How Entrust Security recommends hospitals can stay resilient to cyber-threats

Since the enforcement of the data regulation across the EU on 25 May last year, the healthcare industry has observed a rapid advancement in connected medical device technologies, with the Internet of Things (IoT) also gaining a presence in healthcare.

The IoT in the medical industry stood at $22.5bn (£17.24bn) in 2016, and is expected to expand at an impressive annual growth rate of 26.2% to reach $72bn (£55.17bn) by 2021, according to analyst and research firm Frost & Sullivan.

Entrust’s senior director of strategy and business development John Grimm told Compelo that technology can improve care, but these systems are regularly hacked.

He said: “Every day we’re seeing how technology in healthcare is helping improve the care that patients receive. However, we have also seen that the healthcare industry is regularly under attack.

“Entrust’s cryptographic expertise helps to secure cloud, IoT, blockchain and digital payments technologies. Among the core areas of its business is helping companies stay compliant with data laws such as GDPR.

“The masses of data being produced by healthcare organisations each day make them a prime target.

“Medical IoT devices, such as pacemakers and insulin pumps, were in many cases not designed from a security perspective to operate in today’s connected environment, and thus create vulnerabilities for users.”

Entrust recommends how to reduce security threats facing medical IoT devices and medical data?

There’s an increasing appetite for the adoption of IoT devices within the healthcare industry due to its advantageous impacts bringing big breakthroughs in the treatment of chronic diseases as well as tracking staff members, patients and hardware in hospitals for safety.

However, the growing sector of the internet doesn’t come without its downfalls.

Advanced attackers have demonstrated the ability to pivot to other systems by leveraging vulnerabilities in IoT devices, the most common security threats involve hijacking, leaks and unsecured devices.

But these are problems medical device manufacturers and application developers can work to surpass through external support for the industry in its early stages of development, believes Mr Grimm.

He said: “Many organisations struggle to find solutions which can discover and control devices, and protect the data they produce and collect, all while ensuring that data analytics – the whole point of IoT – is not impeded.

“The Medical Device and Health IT Joint Security Plan recently formed to address some of the challenges that healthcare organisations are facing when securing and protecting themselves against cybersecurity incidents.

“Also making headway is the Medical Device Innovation Safety and Security Consortium, which recently developed a series of best practices for securing connected medical devices.

“The best practices draw from widely used standards for industrial automation and control systems cybersecurity.”

Still in its infancy, IoT and any new technology has its issues, especially with regards to internet security and privacy.

How can healthcare organisations become smarter than cyber-criminals to protect their systems and patients?

The IoT for medical device shifts the focus towards the consumer end, enabling healthcare providers to automatically collect information and apply decision support rules to allow for earlier intervention in the treatment process.

Mr Grimm explained: “In the simplest terms, the IoT seeks to connect all kinds of devices to the internet so they can collect and share data.

“Look closely at any organisation’s digital transformation initiatives, and you’ll find that the IoT is the linchpin of almost every one of them.

“Organisations in every sector and of all sizes are discovering and benefiting from the opportunities it provides.

“The ability to capture and analyse data from distributed connected devices offers the potential to optimise processes, create new revenue streams and improve customer service.”

Unfortunately, medical companies often do not consider the security risks of connecting these devices to the internet exposing themselves to new security vulnerabilities due to increased network connectivity, which expands the potential attack surface for cyber criminals.

It is therefore imperative that healthcare organisations implement a data protection strategy that protects its large amounts of sensitive patient information.

He adds: “Whether it’s a healthcare organisation or a business operating in another sector, the best defence in cybersecurity is a proactive one.”

“Encryption is a very valuable tool, but only if the keys that are used to encrypt and decrypt are properly protected and managed.

“Hardware security modules are ideal tools to perform that function, and can also be used to create identities for people and devices so they can be strongly authenticated in networked environments.

How AI plays a role in increasing as well as limiting the security shortcomings?

As it’s constantly evolving, an array of companies are investigating the usage of AI and machine learning to understand how to protect their systems against cyber-attacks.

Despite the many risks it presents including malicious corruption or manipulation of the training data, integrating AI into their security systems can both protect and upgrade to protect their systems by early detection and responses.

The benefits of using AI to analyse data could be huge for the healthcare industry as they could help alleviate the resourcing and financial struggles currently facing the NHS, and help produce better diagnoses to improve outcomes, explained Mr Grimm.

He said: “Even though increased connectivity increases risks and creates security challenges for the devices, this doesn’t mean healthcare organisations should shy away from innovating.

“They just need to be committed to implementing a thorough cybersecurity strategy utilising established best practices and defence in depth.

“This, alongside employee education and an accompanying set of policies and procedures, can help healthcare professionals reap the benefits of technology and strengthen their overall security posture.”

Medical devices require adequate defence measures and focused attention as many were not designed for today’s connected environment or with well-established security principles in mind.

Clearly setting out the design features and cyber security controls at the start of the design and development process is important to assess the risk these devices pose, and develop compensating controls where needed.