Digital Trust for Connected Medical Devices

Originally published by DigiCert.

Written by Robyn Weisman.

Connected medical devices, also known as IoMT (Internet of Medical Things), can dramatically improve patient health while minimizing the potential for harm. Infusion pumps illustrate this in a stark fashion. In 2010, Reuters reported more than 50,000 incidents related to legacy infusion pumps, including 710 deaths. Among the cases cited was a woman who received “10 times the dose of a blood thinner because the zero key on her pump stuck.” Thankfully, a smart infusion pump can make such distressing incidents a thing of the past. These pumps can deliver accurate doses of medication, remotely monitor patients and adapt care, integrate with patient electronic health records, and issue alerts to medical staff if there is an operation failure.

This potential for more accurate and safer care is the reason the number of connected medical devices is exploding. According to Fortune Business Insights, the global IoMT market will surge to almost $188 billion by 2028, quadrupling its value from 2020. This same study predicts that 70.6 million Americans will use remote patient monitoring (RPM) solutions by 2025, a 56.5% jump from 2022.

Why connected medical devices can be vulnerable to cyber threats

Connected medical devices, however, create attack surfaces for cyber threats. The possibility has already been explored in popular culture. In an episode of Homeland, a terrorist hacks the pacemaker of the vice president of the United States, wirelessly increasing the rate of his heartbeat and causing a fatal heart attack. Marc Goodman, author of Future Crimes, describes how difficult it can be to investigate an attack on connected medical devices: “The evidence of medical device tampering might not even be located on the body, where the coroner is accustomed to finding it, but rather might be thousands of kilometers away, across an ocean on a foreign computer server.”

There are many other, albeit less spectacular, ways that threat actors can infiltrate IoMT. Ransomware can lock down hospital networks, preventing patient data from reaching infusion pumps. Infiltrating one connected medical device can wreak havoc on other devices that rely on them. Patient data can be compromised. A 2022 FBI report cited research showing that 53% of connected and IoT devices in hospitals had known vulnerabilities, that there is an average of 6.2 vulnerabilities per medical devices, and that 40% of medical devices at end-of-life offer little to no security patches or upgrades. Given the countless connections between different devices and networks, protecting and monitoring connected medical devices with an updatable security infrastructure is essential. This is where digital trust comes in.

Benefits of digital trust in connected medical devices

Digital trust ensures that we can have confidence that the interactions, processes and transactions that we undertake are secure, as discussed in the IDC report, Digital Trust: The Foundation for Digital Freedom. For connected medical devices, incorporating digital trust into a device security strategy can encompass:

• Establishing device authenticity and preventing counterfeiting: Digital certificates can securely authenticate device identity, which prevents devices starting up or operating if they’re compromised.
• Encrypting private patient data that is transmitted wirelessly or over a network: Digital certificates can ensure both encryption and integrity of data, which thwarts data theft or data tampering by bad actors.
• Improving user trust in device safety: Secure device identity and operations can provide users with the confidence to incorporate devices that improve patient outcomes.
• Securely integrating with other technologies that improve the accuracy of patient care: Connected medical devices can securely integrate into protected systems that automate accurate and timely delivery of medications.

The complexity of delivering digital trust

Not surprisingly, implementing digital trust strategies for IoMT devices is rarely straightforward. You may need to address:

• Intermittent connectivity at manufacturing centers: Inconsistent factory connections compel strategies that enable continuous delivery of digital certificates to parts of or to finished devices for continuous operation of the line — even during internet outages.
• Diverse product lines with different form factors and security needs.
• Integration with cloud services: Cloud vendors offer value-added services for IoT management (e.g., analytics); however, many require development of custom code and API integration. This can eventually lead to an unsustainable level of maintenance.

As the number of attacks on healthcare providers continues to ramp up, it becomes more important than ever that IoMT device manufacturers find a way to consolidate digital trust across all their product lines. Further, in the United States, the Food and Drug Administration now requires that medical device applications must provide reasonable assurance that devices are protected, including providing the FDA with a software bill or materials used by devices, and make security updates and patches on a regular basis and in critical situations. Digital trust architectures and strategies support IoMT device makers in meeting these market and regulatory requirements.