The Importance Of Public Key Infrastructure (PKI) For Securing Medical Devices

In today’s world, millions of devices are constantly communicating with each other, receiving instructions and updates during data transmission while executing other functions simultaneously. This Internet of Things (IoT) is getting rooted in our lives with each passing day and at the same time becoming a nightmare for cybersecurity experts.

The-Importance-of-Public-Key-Infrastructure-(PKI)-for-Securing-Medical-Devices

According to Statista, the total installed base of IoT connected devices worldwide is projected to amount to 30.9 billion units by 2025, a sharp jump from the 13.8 billion units in 2021. 

With IoT devices being rolled out for every vertical, there is no denying that such devices make lives easier. However, any unsecured IoT device becomes a haven for hackers to steal sensitive data, gain control of a device’s functionality while compromising an array of development and manufacturing systems. 

Let’s look at some of the recent cases. Medical device company Medtronic issued an urgent recall of the remote controller insulin pumps because they are vulnerable to hacks. It is easy for anyone to copy the signals sent via controllers to the pumps. This could be dangerous since these false signals can block or deliver a dose of insulin. This could prove fatal for diabetic patients using the pumps. 

A cyberattack that targeted the Newfoundland-Labrador healthcare system in Canada might be the worst of its kind in Canadian history.  The attack was first discovered on October 30, 2021. However, by the time it was confirmed, it had already caused widespread disruption of healthcare services

According to cybercrime magazine, “healthcare has lagged behind other industries, and the tantalizing target on its back is attributable to outdated IT systems, fewer cybersecurity protocols and IT staff, precious data, and the pressing need for medical practices and hospitals to pay ransoms quickly to regain data. The healthcare industry will respond by spending $125 billion cumulatively from 2020 to 2025 to beef up its cyber defenses.”

The Importance of PKI in Healthcare

While public key infrastructure (PKI) has traditionally been used in hospitals to secure sensitive patient records, cryptography is finding new applications in wearable/remote IoT-enabled medical devices. With such devices capturing user information and relaying it back to healthcare professionals by the minute, it is essential to ensure that the line of communication is not intercepted. It is also crucial to keep the device up-to-date via regular updates for optimum security. PKI makes this possible by providing a device identity and a layer of protection to medical devices.

The CISO’s Guide to Machine Identity Management

Device manufacturers commonly use PKI to ensure that they can create a trusted ecosystem for such devices. All such devices are provisioned with digital identities, and all identities govern their access to various services. This provides vendors with numerous benefits, including but not limited to enhanced control over security even after the devices no longer reside in the safe zones of a manufacturer’s environment. 

Healthcare and Compliance

Being in the healthcare vertical also means strict adherence to evolving data protection laws and regulations. There are plenty of anti-breach laws, such as The Health Insurance Portability and Accountability Act (HIPAA) of 1996, The Health Information Technology for Economic and Clinical Health Act (HITECH). These laws strive to protect electronic health records (EHR) and other digital patient data. However, there are some underlying challenges in implementing safe practices. These stem from significantly high record volumes, widespread use of telemetry, and third-party healthcare services like pathology labs, scan centers, and healthcare insurance providers requiring access to patient records. To add to these, healthcare organizations are among the biggest consumers of IoT devices, making them especially vulnerable to attacks. 

Your business, for instance, might be required to comply with commonly accepted standards (for example, replacing certificates every month, regardless of expiry). In that case, it would be wise to invest in a tool to automate this process and perform the necessary periodic checks. This will ensure that you don’t end up paying a hefty fine due to non-compliance.

Here’s how AppViewX CERT+  helps healthcare providers future-proof digital certificates and key management:

Smart Discovery and Auto-Enrollment: CERT+ integrates with the enterprise’s domain name system (DNS) and provides IP-based discovery, allowing PKI operators to scan, discover, and manage certificates on edge, mobile, and IoT endpoints. 

In the case of short-lived IoT device manufacturing, a high volume of certificates is needed at a very high rate. Device manufacture request these certificates from CERT+ using auto-enrollment protocols like automated certificate management environment (ACME), enrollment over secure transport (EST), simple certificate enrollment protocol (SCEP), etc. CERT+ fulfills the requirement based on pre-set policy, either by enrolling the certificates from an integrated third party CA or issuing certificates from a private CA setup via CERT+ itself.

Certificate and Key Lifecycle management: CERT+ automates X.509 certificate lifecycle management end-to-end, from discovery to enrolment, renewal, and revocation, with native, out-of-the-box automation workflows. Its advanced monitoring and alerting mechanism, coupled with protocol-based automation, eliminate outages and breaches due to unplanned certification expirations.

Protection against Data Breaches: CERT+ generates keys either on the target machine or in the hardware security module (HSM). Automated certificate lifecycle processes further eliminate the need for human access to the key – this avoids key roaming and any potential key compromise. 

Vulnerability and Risk Management: CERT+ scans the network in real-time and alerts security personnel of potential risks and vulnerabilities. The solution’s policy-based, context-aware automation engine applies remediation workflows such as revoking a rogue certificate or destroying a compromised key, along with the necessary validation checks.

High Availability and Resiliency: AppViewX CERT+ comes packaged with a NoSQL database that can be replicated in no time in the event of a failure or unexpected shutdown. This makes the solution highly available, which means the network remains protected with its certificates and keys intact, no matter what happens. 

Find the right partner

The right automation tool can help you achieve unlimited possibilities with limited resources. Invest in an end-to-end automation solution that will provide you with extensive visibility into the certificate and encryption key infrastructure and help prevent data breaches and outages.

Do you want to manage your machine identities better?

Tags

  • certificate lifecycle management
  • Certificate Management
  • SSL Certificate Lifecycle Management

About the Author

Sanchita Chakraborti

Director, Product Marketing – AppViewX CERT+

Sanchita is a Product Marketer responsible for understanding the industry landscape, buyer personas, their pain points and translating them into compelling value propositions and messaging.

More From the Author →

Get weekly blog updates delivered straight to your inbox

Related Articles

| 6 Min Read

Build Trust: Critical Role Of Digital Identity Management Across Industries

| 5 Min Read

Identifying and Mitigating Secure Socket Shell (SSH) Key Security Vulnerabilities

| 6 Min Read

Are You Facing Fundamental Challenges In Deploying And Managing Your Public Key Infrastructure (PKI)?