Connected medical devices present exploitable vulnerabilities that pose a major risk. An attacker can compromise a device’s integrity and safety, or access confidential patient records stored on servers. Medical device cybersecurity should therefore be a top priority, as it can dramatically reduce the negative effect of such attacks on the healthcare industry.
To secure against potential cybersecurity vulnerabilities, Medical Device Manufacturers (MDMs) should enroll their medical devices into a Public Key Infrastructure (PKI), a trusted and widely used cryptographic practice that ensures operational safety.
What is Public Key Infrastructure (PKI)?
A PKI refers to a set of cybersecurity tools that are used to facilitate the secure electronic transfer of information over a given network. Fundamentally, a PKI creates and manages the use of digital certificates and public keys for encryption.
The traditional method of encryption – passwords for example – may be effective in the short term but creates longer-term administration challenges. Using a PKI for medical devices allows for a longer-term view on effective and trustworthy encryption protocols.
A PKI works with a pair of keys, one private and one public, to encrypt the transmission of sensitive data between the medical device and the host system. Data encrypted with the public key can only be decrypted with the private key of the same pair. The reverse is also true: data encrypted with the private key can only be decrypted with the public key.
Given the nature of the information stored and transferred between medical devices, the adoption of PKI by manufacturers can save on roll-out and patching costs, and is of massive benefit to medical device cybersecurity and the protection of patient data.
How does Public Key Infrastructure (PKI) secure medical devices?
A medical device is only trusted when there is evidence of its integrity, from the moment it is purchased and put into operation. The MDM’s security strategy should include the enrollment of each medical device into a PKI, to prove the device’s origin, brand authenticity and the integrity of the supply chain.
One way to establish device integrity is to anchor the digital keys and certificates into the silicon of the medical device during physical assembly. This way, the credentials act as a permanent and unmodifiable Root of Trust (RoT), or device identity, that the original manufacturer or service provider can rely on.
The main complexity in adopting a RoT is ensuring that the set-up is done correctly on the assembly line. Typical factory environments do not have skilled cybersecurity personnel, and the assembly may be performed by contractors, leaving the original manufacturer with limited oversight of the provisioning operations.
Depending on the class of the device and where it will be situated, there may be a requirement for higher security standards. In some cases, MDMs are not fully in control of the medical device’s assembly and as such, there can often be no assurance that the factory is a safe environment.
Therefore, many MDMs rely on a third-party IT provider that can work directly with the manufacturing facility to ensure that the keys are implemented securely. Keys embedded directly into the silicon of the medical device chips are unique and cryptographically strong, and they limit the impact of a single device being compromised. The digital certificates can then act as a RoT that future communications can rely on for the authenticity of the connection.
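The enrollment and trust check described above, as an added Go example (not from the original page or any vendor product): a constructed manufacturer root CA issues a certificate to a device, and a host then verifies the certificate chain and a signed challenge. The names, the Ed25519 key type and the in-memory keys are assumptions; in the scheme the page describes, the device key sits in silicon.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// enroll models factory provisioning: a new key pair plus a certificate; a nil issuer makes the self-signed root.
func enroll(cn string, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if issuer == nil {
		t.IsCA, t.KeyUsage, issuer, issuerKey = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, pub, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyDevice is the host-side check: chain to the manufacturer root, then proof of the certified private key.
func verifyDevice(root, dev *x509.Certificate, challenge, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("untrusted device certificate: %w", err)
	}
	if pub, ok := dev.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, challenge, sig) {
		return fmt.Errorf("device does not hold the certified private key")
	}
	return nil
}

func main() { // constructed names; errors are ignored here only to keep the demo short
	root, rootKey, _ := enroll("Constructed MDM Root CA", nil, nil)
	dev, devKey, _ := enroll("pump-0001", root, rootKey)
	_, cloneKey, _ := enroll("pump-0002", root, rootKey) // a second device replaying pump-0001's public certificate
	nonce := []byte("constructed nonce; a real host sends fresh random bytes")
	fmt.Println("genuine:", verifyDevice(root, dev, nonce, ed25519.Sign(devKey, nonce)), "| clone:", verifyDevice(root, dev, nonce, ed25519.Sign(cloneKey, nonce)))
}
```

Chain validation alone would accept the clone, because a certificate is public; the signed challenge is what ties the certificate to the key provisioned into that one device.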
Want to learn more about PKI for medical devices?
With over 1 billion certificates managed, we are always ready to help you secure your medical device with a PKI. To learn more, download our free e-book “Why should Medical Device Manufacturers (MDMs) secure their devices with a Public Key Infrastructure (PKI)?”