One of the primary challenges of the Internet of Medical Things (IoMT) is the disclosure of personal and private information. Medical devices have been and will continue to be attractive targets for hackers, and the consequences can be disastrous. To prevent unauthorized users from getting access to information systems, by using Public Key Infrastructure (PKI), the technology behind digital certificates, authentication through digital signatures has become an integral component of IoT.
PKI Authentication for Connected Medical Devices
PKI digital certificates can be used to identify devices across systems, authenticate them, and encrypt the data that flows through them. Using PKI, a unique signature can be created from the identity of the sender and the message, and later verified by the recipient. PKI enables the safe authentication of users, systems, and devices without the need for tokens, password policies, or other time-consuming factors. PKI enables identity assurance by using digital certificates to validate the identity and authenticity of the connected device.
A strong PKI, with well-established policies and practises for certificate lifecycle management, is not vulnerable to common brute force or man-in-the-middle attacks aimed at sensitive medical data. Simultaneously, PKI encrypts sensitive information in transit, shielding it from malicious actors even in the event of a data breach or compromise.
PKI certificates also offer the highest levels of identity assurance, providing a measure of confidence that the entities at both ends of a data transaction or authentication event are who they claim to be. Effective identity verification is a fundamental element for effective security and connected device trust. PKI certificates provide evidence that the identity of organizations, domains, and devices was properly established because certificates cryptographically bind public keys to such identities.
Secure IoT Medical Devices
Healthcare organisations must have confidence in the trustworthiness and security of their ecosystems of connected IoT medical devices. This necessitates, among other things, authentication and data encryption for these devices. Digital certificates, depending on the system, can be used in these "Internet of Medical Things" applications for:
Data Integrity: Certificates can be used to ensure that data sent to and from a connected device is not intercepted and altered in transit.
Secure Device Boot: When a device is started, certificates are used to ensure that the configuration settings, software, firmware, or other components of the device have not been changed from the desired settings.
Firmware Authentication: When a firmware update is sent to a connected device, certificates can be used to ensure the update is signed by a trusted and/or pinned certificate and comes from a trusted source.
Software Code Signing: When a manufacturer installs software on a connected device, certificates can be used to sign the code, ensuring that it hasn't been tampered with.
Before digital certificates can be deployed on a medical device, the necessary infrastructure for certificate management must be in place. A certificate management platform that automates critical aspects of a certificate's lifecycle (provision, issue, renew, and revoke) enables manufacturers to focus on security without additional hassle or error. Platforms should be adaptable, dependable, and scalable for the IoT manufacturer.
IoT manufacturers will benefit from using a platform that allows them to:
- Issue, renew, and revoke certificates
- Create custom certificate profiles
- Deploy a large volume of certificates
- Scan and remediate TLS vulnerabilities
- Store and manage certificate keys in a secure manner.
After installing a certificate management platform, a manufacturer can deploy certificates for authentication, encryption, and signing services.
Providing, Installing & Managing Trust Digital Identities to Protect Medical Devices in an eHealth Environment
The use of PKI-based device certificates ensures online trust, privacy and security in the world of connected devices and therefore, should be managed securely and centrally. Digital certificates increase trust by providing:
- Strong device identity authentication
- Encryption of confidential data and communications
- Digital signing to ensure the integrity of data and systems
Digital certificates can be installed in a connected medical device at the manufacturing level before purchase, shipment and installation. Or, they can be installed on-site. Deployments models could be:
1. A customized solution to manage every part of the certificate lifecycle by using a service delivery platform,
2. Purchased directly from a certificate provider and managed manually.
However, in their extremely diverse IT structures, many businesses are struggling to rapidly deploy, discover, revoke and replace digital certificates which are distributed across on-premise and cloud environments.
Ideally, all certificates and the certificate lifecycle management process should not be controlled manually. Administrators should use a Certificate Lifecycle Management (CLM) service to undertake continuous monitoring of their systems and digital certificates, as well as generate audits and maintain track of expirations and renewals to avoid service disruptions.
PKI digital certificates play a central role in both traditional healthcare applications and IoT use cases for connected medical devices.
With increasing numbers of interconnecting medical IoT devices, certificate management efforts grow exponentially. Previously, issued certificates were valid for the duration of a device's lifecycle; however, increases in infrastructure complexity and risk have forced regulatory authorities to require more frequent renewals. Failure to meet renewal deadlines can expose devices to cyberthreats, disrupt service availability, and jeopardise business operations.
X.509 certificates have become an essential component of IoT security. Secure provisioning necessitates a wealth of experience, complex software development, and dependable production line tools and processes.
u.trust Identify provides a secure, flexible and scalable end-to-end PKI Certificate Management System and provides a core interface for managing PKI and certificate lifecycle requirements. Please see our product page for further information.
About the author
Dawn Illing is a product development manager with over 25 years of product management experience in the banking, insurance and cyber security industries. By working internationally across EMEA, this has inspired her interest in cross-border digital identity and cyber security, including the interoperable requirements that necessitate successful delivery of digital product and market solutions.