Chief security officers and other stakeholders protecting the integrity of healthcare organization supply chains face growing challenges. Smarter, connected supply chains carrying a flow of smarter, connected devices may simplify management and improve efficiency, but they also bring security risks in this Internet of Medical Things (IoMT).
These risks include counterfeit products entering the supply chain, and hackers using vulnerabilities in IoMT systems to attack safety-critical medical devices or the core network, or to disrupt the reliable operation of asset-tracking systems. These and other IoMT risks can be mitigated through a three-tiered “security-by-design” strategy that protects all communication between system elements and also brings trust and “always-on” connectivity to each.
Protecting Consignment Inventory
Today’s hospital asset-tracking solutions must ensure that all products, equipment, consumables and Internet of Medical Things (IoMT) devices are always available and accessible. Many of these assets are sold and managed on the hospital premises by their suppliers, who only issue invoices for them when they are used. Both the supplier and the hospital need maximum asset visibility in this arrangement, and the confidence that all automated item ordering and invoicing is secure.
Supply-chain solutions also must be trusted when streamlining safety assurance functions that were previously performed through Unique Device Identification (UDI) labels and barcodes. An example is a latex-intolerant patient preparing to receive a lung catheter. In the past, the nursing staff would typically obtain the catheter’s lot number, serial number, and expiration date to ensure it was valid for implant.
Today, IoMT technology not only simplifies this process but makes it easier to obtain device pricing and other information, such as rubber content or device recall updates, and whether the inventory has been maintained to temperature and other environmental requirements. But the system must be trusted to deliver the right information about the right catheter for the right patient.
IoMT solutions can also be leveraged to defend hospitals against counterfeits and improper use of legitimate medical equipment and consumables. Examples include controlled substances that must be correctly dosed to the intended individual, and x-ray plates that must be used with a given imaging system for a specified patient. Any item of consigned inventory that has not been authenticated is a potential counterfeit in the supply chain.
The same is true in home-healthcare applications where it is vital that all elements in an IoMT care solution can be trusted. An example is today’s new generation of IoMT-based medication adherence services. Smart medication blister packs incorporate sensors and communicate via Bluetooth to a home gateway device featuring a display and camera. The gateway device notifies patients when it is time to open a blister and then pushes the associated dosing event data to the cloud using its cellular and Wi-Fi connections. Caregivers are alerted when they need to intervene and can also use the gateway for well checks and other remote patient interactions. Each blister pack must be genuine and trusted to communicate through the gateway and cloud.
Bringing trust and confidence to these and other connected healthcare applications requires a multi-layered, security-by-design approach that minimizes cost while simplifying deployment.
Security by Design
IoMT solutions should be built on a security-by-design foundation that includes multiple layers of protection. This is particularly true when smartphones are used for command and control of life-critical medical devices, or to access or manage processes in a smart supply chain or consignment inventory system. Bluetooth, NFC, LTE, Ethernet, and other protocols mitigate some, but not all, breach threats. Security starts at the application layer, protecting the communications channel between the smartphone app, the medical device, consumable (if applicable) and the cloud from malware and wireless channel cybersecurity attacks.
The second layer is particularly important for smartphone-based device control. This authentication layer validates the integrity of the user, smartphone app, cloud, consumable and any associated devices that are connected to the solution’s communication system. This layer also prevents counterfeiting by bringing trust to each “thing” in the solution and preventing reverse engineering by protecting the application code and ensuring other smartphone applications cannot interfere with the connected-health application.
Figure 1: IoMT security platforms for safety-critical devices, their supply chains, and asset-tracking systems validate the phone and app integrity. They also defend against the threat of a “rooted” operating system, in which hackers gain “root access” to privileges that enable them to modify the device’s software code or install other software. In the factory, Hardware Security Modules (HSMs) may be used to provision both the medical device and the consumable with cryptographic keys and digital certificates, so that they behave like Secure Elements (SEs) in the system.
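The following sketch, added here as an illustration and not taken from any product described in this article, shows how a factory-provisioned key lets a hospital system authenticate a consumable by challenge-response and bind the result to its lot number, serial number and expiration date. It assumes a symmetric per-item key derived from a master key with HMAC-SHA256 in place of the digital certificates mentioned above; all class and function names and all sample values are hypothetical.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample value; in practice this stays inside the factory/cloud HSM.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def udi_bytes(lot: str, serial: str, expiry: date) -> bytes:
    """Length-prefixed encoding so field boundaries cannot be shifted."""
    parts = [lot.encode(), serial.encode(), expiry.isoformat().encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def provision_key(lot, serial, expiry) -> bytes:
    """Factory step: derive the per-item key written into the consumable."""
    return hmac.new(MASTER_KEY, b"item-key" + udi_bytes(lot, serial, expiry), hashlib.sha256).digest()

class Consumable:
    """Hypothetical tag on the item: holds its UDI fields and provisioned key."""
    def __init__(self, lot, serial, expiry, key):
        self.lot, self.serial, self.expiry, self._key = lot, serial, expiry, key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce + udi_bytes(self.lot, self.serial, self.expiry), hashlib.sha256).digest()

class Verifier:
    """Hospital side: fresh nonce per check, constant-time compare, expiry check."""
    def authenticate(self, item, today: date) -> str:
        nonce = secrets.token_bytes(16)  # fresh challenge defeats replayed responses
        response = item.respond(nonce)
        key = provision_key(item.lot, item.serial, item.expiry)  # an HSM call in practice
        expected = hmac.new(key, nonce + udi_bytes(item.lot, item.serial, item.expiry), hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "reject: not authenticated"
        if item.expiry < today:
            return "reject: expired"
        return "accept"

def demo():
    exp = date(2030, 1, 31)
    genuine = Consumable("LOT42", "SN0001", exp, provision_key("LOT42", "SN0001", exp))
    # A copy that reuses the printed UDI but was never provisioned with the key.
    clone = Consumable("LOT42", "SN0001", exp, secrets.token_bytes(32))
    # A genuine item whose label date was altered: the key no longer matches.
    relabelled = Consumable("LOT42", "SN0001", date(2035, 1, 31), provision_key("LOT42", "SN0001", exp))
    v, today = Verifier(), date(2029, 6, 1)
    return [v.authenticate(i, today) for i in (genuine, clone, relabelled)]
```

Because the key is derived from the UDI fields, a copied label without the key and a genuine item with an altered expiration date both fail the same check.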
The third security layer ensures seamless connectivity. This is vital whether the application is asset tracking and consignment inventory management or a wearable injection device. The IoMT device and the cloud must be able to exchange data, change operating profiles, update firmware over-the-air and administer alerts. This is the only way to ensure that the system always has the most recent device data and can immediately change device performance.
One way to accomplish this is with security software that runs in the smartphone’s OS background. After the smartphone user starts the app and configures it for continuous operation, this layer can continue to harvest the device’s IoT data whenever the devices are in proximity to the smartphone. Alternatively, a small-form-factor bridge can be used that implements one communications protocol for interaction with the IoT device, and another to communicate with the cloud.
A third approach protects legacy equipment such as MRI machines and other wired Ethernet medical systems by placing a hardware gateway in front of the vulnerable item and connecting it to the Ethernet network. This provides a separate channel for securely communicating only with authenticated devices.
A Building-Block Strategy
In the past, connected-health security solutions could only be built from the ground up. Today they can be implemented in a modular fashion using software development kits (SDKs) to meet the needs of many different application scenarios. Organizations can now retrofit robust security measures into legacy designs and infrastructures and continuously improve them, up to and including incorporating HSMs later in a solution’s lifecycle to optimize how the application layer’s root of trust is implemented. Today’s solutions significantly improve security and device authenticity at small additional cost to asset-tracking and consignment inventory-management systems, connected legacy medical equipment, and smartphone-controlled implantable healthcare devices.