Many of us involved in healthcare cybersecurity planned to be at the Healthcare Information and Management Systems Society (HIMSS) Conference this week. As one of the foremost gatherings of health technology professionals, the HIMSS conference is an annual touchstone for information and innovation in the sector and its cancellation due to COVID 19 concerns, while certainly understandable, leaves a palpable education gap.
However, you don’t have to miss out on keeping up with the latest healthcare application security advances just because the conference was canceled this year. With the sector growing in terms of importance and business value, protecting healthcare apps and devices has never been more important.
Here’s the latest on what’s happening in the sector.
What’s been happening with healthcare application security
The availability of healthcare apps has surged in recent years, especially those related to the Internet of Medical Things (IoMT). Medical tech companies are making more than half a million different IoMT devices, and the IoMT market has shown remarkable growth, with its value nearly quadrupling between 2017 and 2020.
Given their potential to improve the effectiveness of treatment and the quality of patient care, it’s no surprise that the use of apps and IoMT devices has spread across the industry. Unfortunately, as apps have become more widely used, they have also become a prime target for hackers. Healthcare app code often contains valuable, proprietary technology and medical information stored in apps and devices can fetch thousands of dollars on the dark web, making them a highly lucrative opportunity for attackers.
For medical app and device creators, this is creating some serious problems as attacks can have massive consequences for their business.
- Major med-tech firms such as Anthem and Premera Blue Cross have been hit by large-scale security breaches, with tens of millions of patient records being stolen. Figures show that 89% of healthcare providers have experienced a data breach over the past two years.
- Critical vulnerabilities in medical implants, including pacemakers and insulin pumps, create possible attack vectors that could directly threaten patients’ health.
- The costs of attacks are higher for healthcare companies than any other sector, coming in at $429 per record stolen, compared to an average of $150.
- Costs for data breaches include business disruption, system downtime, and the consequences of abnormal customer turnover where, again, the healthcare sector is affected more than others (a 7% turnover following a breach compared to a 3.9% average).
- Regulatory fines and victim compensation can be catastrophic for many healthcare organizations.
It’s clear that those involved in medical technology need to ensure that their technology has the best security possible.
Six ways to improve healthcare application security
Secure encrypted data and keys
Medical data collected by a monitoring device is highly sensitive and must be secured against unwarranted access to protect privacy and avoid regulatory violations. Encrypting the collected data protects it but that protection rests entirely on the security of the cryptographic key. The weakest link is the companion or proxy application running on mobile devices or client side devices. To ensure app and device safety, these keys need to be stored securely, using a tool such as Secure Key Box cryptographic library, which protects encryption keys even during runtime.
For hackers to locate vulnerabilities in an app’s code, they reverse-engineer it to understand its logic. One of the most successful strategies to prevent reverse-engineering is code obfuscation. Code obfuscation employs a variety of methods to make it much more difficult for the function and direction of code to be understood by attackers. The more complex and varied the obfuscation techniques implemented, the more robust the protection. These include lengthening or shortening of code, the changing of its flow, or the insertion of nonsense code that doesn’t affect the running of the application but means it takes a lot longer to break down.
Secure device identities
Medical devices need to be trusted from out-of-the-box to end-of-life. Manufacturers can use PKI to provision identities in devices, embedding a unique digital certificate into every device to create a trusted identity throughout the device lifecycle. PKI lets manufacturers securely update devices that are deployed in the field, and ensures that healthcare applications connecting to devices can validate the integrity of data sent to and from each device.
A secure connection relies on both parties being able to verify their identities before any data exchange. For healthcare application security, while standard network encryption such as TLS is generally sufficient for communication from the client to server, digital certificates are required to ensure the validity of the client. Those keys must be managed and protected so that cannot be extracted and misused. White-box cryptography can be used with a proprietary network client to secure the client’s end in communication with remote data servers located in the cloud.
Keep information server-side when possible
It is more difficult to protect apps on the client-side, once they are outside the secure ecosystem of the device manufacturer or app developer. With 60% of app vulnerabilities appearing on the client-side, a key element of healthcare application security is making sure that private medical data is not stored on the device or app but is held on secure servers.
More than most other industries, healthcare products, including applications and devices, come under strict regulatory scrutiny. These laws include:
- Europe: GDPR, the EU Medical Devices Regulation, the In-vitro Diagnostic Medical Devices Regulation
- USA: UL 2900-1, HIPAA, US Postmarket Management of Cybersecurity in Medical Devices
- International: ISO/IEC 27001 Information Security
Compliance with these regulations is not just about observing best practices concerning healthcare security and ensuring access to markets, it is also essential for minimizing the cost of data breaches if they do happen.
Trust the healthcare application security experts
At Intertrust, our industry-leading security solutions have already been used to secure billions of devices and harden application code around the world.
To find out how we’re helping those in the healthcare sector defend patients and healthcare professionals from cyber attack, download our whitepaper.