In the first part of our two-part series, we covered the unhygienic security practices in the modern healthcare ecosystem and their impact. This final installment digs deeper and provides practical recommendations for alleviating those risks.
Containing these issues, or implementing privacy and security controls at all, is challenging and not short of pitfalls. Fundamentally, privacy is a complex issue that falls into different jurisdictional areas. There is no clear, shared definition of “privacy”: what constitutes a privacy violation, who among the involved stakeholders is responsible or accountable in the event of a breach, and so forth.
Also, the notion of the “privacy paradox” is disconcerting and undermines efforts to manage security and privacy. The privacy paradox refers to the observation that people’s stated privacy concerns and their actual behaviour diverge: despite clearly expressed concerns about their privacy, people simultaneously fail to behave securely (for instance, sharing sensitive information on social media).
Moreover, healthcare providers tend to prioritize clinical utility and patient safety, while manufacturers prioritize the intended device features over security and privacy. The shortage of skilled technical staff and the sheer difficulty of managing third-party environments such as the cloud or social-networking healthcare promotion sites also hinder their efforts to build a sufficient cross-functional privacy and security team. Compliance is expensive, and the constraints of IoT devices (limited power and computing resources) mean that privacy controls can slow down medical devices and shorten their usable battery life. In some medical devices, such as pacemakers, critical functionality cannot be updated immediately even when a patch is available. These limitations further deter manufacturers from building products with enhanced security and privacy features and from managing those features through the product lifecycle.
Moreover, it is inherently difficult to track the flow of PII/PHI data. Data may be collected and used in many systems throughout an organization and across the continuum of the healthcare industry: hospitals, rehabilitation centers, insurance agencies, and so forth. The more places the data exists, the more systems an organization has to track, maintain, and protect. Even privacy-preserving mechanisms have their shortcomings. There is an inherent trade-off between confidentiality protection and information loss: reducing the granularity of released data (for instance, replacing an exact age with an age range or truncating a ZIP code) makes individuals harder to re-identify, but it also diminishes the accuracy and utility of the data.
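As an added illustration of that trade-off (this example is not part of the original article), the following Python script generalizes the quasi-identifiers of a small constructed patient table and picks the least lossy generalization policy that still reaches a requested k-anonymity, i.e. every released record is indistinguishable from at least k-1 others on age, ZIP and sex. The dataset, the candidate policies and the loss metric (the fraction of each attribute’s precision given up, averaged over the quasi-identifiers) are assumptions of this example, not something the article defines.

```python
"""Generalizing quasi-identifiers: k-anonymity against information loss.

Added example. The records are constructed (not real patient data) and the
loss metric is a simple per-attribute generalization ratio, an assumption
of this example rather than a standard from the article.
"""
from collections import Counter
from itertools import product

# Constructed sample records: three quasi-identifiers plus a sensitive attribute.
RECORDS = [
    {"age": 29, "zip": "02139", "sex": "F", "diagnosis": "asthma"},
    {"age": 31, "zip": "02138", "sex": "F", "diagnosis": "flu"},
    {"age": 34, "zip": "02134", "sex": "M", "diagnosis": "hypertension"},
    {"age": 37, "zip": "02135", "sex": "M", "diagnosis": "flu"},
    {"age": 45, "zip": "10001", "sex": "F", "diagnosis": "diabetes"},
    {"age": 48, "zip": "10002", "sex": "F", "diagnosis": "asthma"},
    {"age": 52, "zip": "10003", "sex": "M", "diagnosis": "cancer"},
    {"age": 55, "zip": "10004", "sex": "M", "diagnosis": "flu"},
]
AGE_DOMAIN = 100   # assumed age domain 0..99
ZIP_DIGITS = 5

# A generalization policy is (age bucket width, ZIP digits kept, keep sex?).
POLICIES = list(product((1, 10, 20, 50, 100), (5, 3, 2, 0), (True, False)))


def generalize(record, age_bucket, zip_digits, keep_sex):
    """Coarsen one record's quasi-identifiers; the sensitive attribute is untouched."""
    age = record["age"]
    if age_bucket == 1:
        age_label = str(age)
    else:
        lo = (age // age_bucket) * age_bucket
        age_label = f"{lo}-{lo + age_bucket - 1}"
    zip_label = record["zip"][:zip_digits] + "*" * (ZIP_DIGITS - zip_digits)
    sex_label = record["sex"] if keep_sex else "*"
    return {"age": age_label, "zip": zip_label, "sex": sex_label,
            "diagnosis": record["diagnosis"]}


def k_anonymity(records):
    """Size of the smallest equivalence class over the quasi-identifier tuple."""
    classes = Counter((r["age"], r["zip"], r["sex"]) for r in records)
    return min(classes.values())


def information_loss(age_bucket, zip_digits, keep_sex):
    """Fraction of precision given up per attribute, averaged over the three QIs (0 = exact, 1 = suppressed)."""
    age_loss = (age_bucket - 1) / (AGE_DOMAIN - 1)
    zip_loss = (ZIP_DIGITS - zip_digits) / ZIP_DIGITS
    sex_loss = 0.0 if keep_sex else 1.0
    return (age_loss + zip_loss + sex_loss) / 3


def choose_policy(records, k):
    """Least lossy policy that still reaches k-anonymity, or None if no candidate does."""
    for policy in sorted(POLICIES, key=lambda p: information_loss(*p)):
        released = [generalize(r, *policy) for r in records]
        achieved = k_anonymity(released)
        if achieved >= k:
            return {"policy": policy, "k": achieved,
                    "loss": information_loss(*policy), "released": released}
    return None


if __name__ == "__main__":
    # Each step up in k costs utility: compare the loss column as k grows.
    for k in (1, 2, 4, 8):
        result = choose_policy(RECORDS, k)
        print(f"k={k}: policy={result['policy']} loss={result['loss']:.2f}")
```

Raising k from 2 to 4 on this table forces the sex attribute to be suppressed entirely, which is the “diminished utility” the paragraph refers to: a study of sex-specific outcomes could no longer be run on the released data.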
Despite these issues, regulators and regulations such as the FDA, HIPAA, the HITECH Act and GDPR are making inroads in preserving individual privacy and security. In addition to the principles recommended by those regulations, we recommend the following practices to help alleviate the risks:
- Privacy by Design – all applications (mobile apps, software, etc.) and devices, whether they are “clearly” for medical purposes or merely “intended” for medical purposes, must follow privacy-by-design principles. This includes restricting the over-collection of data and employing privacy-preserving mechanisms on data stores.
- Accountability – clearly defining data ownership and the responsibilities of the involved stakeholders in the event of a breach helps deter unethical behaviour.
- Awareness Programs – consumers need to be educated on their rights, and how to make use of technology-assisted healthcare without undermining their privacy.
- Periodic Risk Analysis – this includes “covered entities” (as defined by HIPAA) regularly reviewing their records to track access to PHI and evaluating the effectiveness of the security measures in place against risks such as unauthorized access, destruction, modification, or disclosure of data.
- End-of-Life Management – in recent times, several breaches have been attributed to poorly discarded medical devices that store PHI. Device manufacturers and healthcare providers must uphold procedures and policies that address issues that arise as a result of devices reaching their end of life.
- Third-party audits – medical devices must be tested for security and privacy issues by an independent third party, and the management cycle must include provisions to address the issues found during those audits. If such reports are made public, they help healthcare providers make an informed choice rather than relying on public databases that are strewn with vague information.
- Expanding the definition of “covered entities” – HIPAA only regulates the healthcare industry, and thus only applies to what the law considers “covered entities” and their “business associates.” If medical information is disclosed to anyone else, HIPAA does not apply. For instance, information provided to a social networking site, to one’s employer, or to a wellness app will often not be protected by the existing medical privacy regulations.
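The periodic review of PHI access records recommended in the list above is, in practice, a set of rules run over audit logs. The following Python example is added here and is not from the original article; the log lines, the care-team table, the exempt roles and the thresholds are all constructed for illustration. It flags two patterns: an access by a user with no treatment relationship to the patient, and a burst of accesses to many distinct patients by one user inside a short window, a common signature of record snooping.

```python
"""Flagging suspicious PHI access in an audit log (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: "<ISO time>|<user>|<role>|<patient>|<action>".
ACCESS_LOG = """\
2024-03-04T09:02:11|dr.alvarez|physician|P1001|view_chart
2024-03-04T09:05:40|dr.alvarez|physician|P1002|view_chart
2024-03-04T09:40:05|nurse.kim|nurse|P1001|view_chart
2024-03-04T12:15:22|nurse.kim|nurse|P2050|view_chart
2024-03-04T22:01:03|clerk.ross|billing|P1001|view_chart
2024-03-04T22:01:45|clerk.ross|billing|P1002|view_chart
2024-03-04T22:02:10|clerk.ross|billing|P1003|view_chart
2024-03-04T22:02:33|clerk.ross|billing|P1004|view_chart
2024-03-04T22:03:01|clerk.ross|billing|P1005|view_chart
2024-03-04T22:03:30|clerk.ross|billing|P1006|view_chart
"""

# Assumed treatment relationships: which staff are on each patient's care team.
CARE_TEAM = {
    "P1001": {"dr.alvarez", "nurse.kim"},
    "P1002": {"dr.alvarez"},
    "P2050": {"dr.ortega"},
}
# Roles assumed to have a legitimate non-clinical need; exempt from the
# relationship rule but not from the burst rule.
EXEMPT_ROLES = {"billing"}
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5  # distinct patients inside one window


def parse_log(text):
    """Turn the pipe-separated lines into event dicts with real timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def no_relationship(events):
    """Accesses by staff who are neither on the patient's care team nor role-exempt."""
    return [
        {"user": e["user"], "patient": e["patient"], "time": e["time"].isoformat()}
        for e in events
        if e["role"] not in EXEMPT_ROLES
        and e["user"] not in CARE_TEAM.get(e["patient"], set())
    ]


def burst_access(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """First moment each user touches >= threshold distinct patients within one sliding window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        in_window = Counter()   # patient -> accesses currently inside the window
        start = 0
        for e in evs:
            in_window[e["patient"]] += 1
            while e["time"] - evs[start]["time"] > window:   # drop events that fell out of the window
                old = evs[start]["patient"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                findings.append({"user": user, "distinct_patients": len(in_window),
                                 "at": e["time"].isoformat()})
                break   # one finding per user is enough for a reviewer
    return findings


def review(text):
    """Run both rules over a raw log and group the findings by rule."""
    events = parse_log(text)
    return {"no_relationship": no_relationship(events), "bursts": burst_access(events)}


if __name__ == "__main__":
    for rule, hits in review(ACCESS_LOG).items():
        print(rule)
        for hit in hits:
            print("  ", hit)
```

On the constructed log the relationship rule catches nurse.kim opening a chart of a patient on another team, while the billing clerk, exempt from that rule, is still caught by the burst rule after opening six different charts in under three minutes at 22:00. Both thresholds are tuning knobs a real covered entity would set from its own baseline.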
The modern healthcare ecosystem is undeniably rewarding to one and all. It dramatically improves the efficiency of healthcare services, optimizes healthcare workflows, and drives cutting-edge research that improves lives. But it is also immensely complex and inherently insecure, with a high susceptibility to security threats, especially from threat actors whose primary intention is to commit fraud, obtain non-prescribed drugs, or extract a ransom.
A Privacy Nightmare?!
The complexity and low security maturity of the ecosystem stem primarily from the coexistence of diverse legacy and modern technologies that carry significant inherent vulnerabilities (see the OWASP IoT Top 10) and have conflicting security prerequisites that complicate the prevailing efforts. Unhygienic security practices, such as casual data sharing in conversations, on social media, and in chat groups, also exacerbate the situation. Other common issues that add to the complexity include:
- Unethical motives – selling PHI data to advertising agencies
- Acquisitions – consolidation of assets and practices is common in the healthcare industry and security is only as strong as the weakest link
- Inept and Garbled Privacy Policies – facilitate and encourage users to share data thoughtlessly
- Disclosure Exceptions – the government is exempted from privacy rules regarding national security by law. Therefore, healthcare providers occasionally do reveal sensitive information in good faith to uphold the safety and security of the public.
- Misrepresented Public Records – the FDA requires physicians and healthcare providers to report issues with devices, but in some cases reporting is voluntary and cumbersome. As a result, an issue is sometimes filed as a subsidiary of another issue to save on paperwork. The public reports therefore do not paint a complete and accurate picture of a device’s issues, and physicians who rely on them to assess the safety of a device before prescribing it to their patients may inadvertently prescribe an insecure product.
- “Intended for medical purpose” – there are situations in which a product is not conceived by its manufacturer to be used “clearly” for medical purposes, but “intended” to be used for medical purposes, such as wellness apps and wearables. This means that manufacturers of medical apps and devices that may incidentally be medical devices do not have to create them to the same security standards required for conventional medical devices according to the law.
- Unchecked and Uncontrolled
  - Data collection – one might not realize it, but PII and PHI are often added to a mandated public database without one’s consent in the name of national interest
  - Data usage by third parties – in one instance, it was found that third-party analytics services could link data from fitness and health applications to other applications that contain identifying information about the user, enabling Big Brother-like surveillance
In short, the ecosystem as a whole is an avenue for dire and far-reaching medical data privacy violations, the impact of which is manifold. In the event of a breach it can lead to heavy fines and reputational damage for both healthcare providers and manufacturers.
At an individual level, privacy violations can give rise to stigma, embarrassment, and discrimination, in turn resulting in unemployment and loss of health insurance or housing. Patients may lose trust in their care provider, resulting in ineffective communication between physician and patient.
At a societal level, loss of individual trust may lead to the rejection of medical assistive technologies, thereby hampering the efficient development and successful rollout of e-health technologies into society. Conversely, trust encourages individuals to participate in and support research when they believe their privacy is being protected (the equation is simple: higher-quality data means higher-quality medical care).
At a national level, it can also lead to an espionage-like situation as was evident with the Cambridge Analytica scandal. It may result in a situation where a private, for-profit, or a government organization knows and owns a lot of data about individuals, while the individuals do not know much about the company or government entity. This situation combined with unchecked usage of PII/PHI data by the data owners can inspire authoritarian intrusions into citizens’ private lives and unfairly scrutinize citizens based on opaque computer algorithms.
In part two we will cover the privacy enigma and conclude with best practices to preserve privacy.
The security implications of IoT range far and wide. With almost every conceivable thing connected to the internet, it’s hard to predict what is and isn’t a threat to its user’s data.
Have you ever thought about what IoT security actually means? Kudelski Security CTO Andrew Howard sat down with the #AskIoT podcast team from IoT For All to discuss how companies really should approach cybersecurity and what needs to be done by everyone involved to ensure the devices we use every day are as secure as possible.
Andrew’s interview follows these basic questions and a whole lot more:
- Which industry is most at risk to security threats in IoT?
- How do you handle building security into legacy systems?
- How should non-technical companies approach IoT adoption?
The IoT market continues to grow, with investments expected to top $1 trillion by 2020, according to IDC. With the rollout of 5G, Ericsson forecasts that the number of cellular IoT connections is expected to reach 3.5 billion by 2023, and DBS Asian Insights predicts that IoT devices and services will reach an inflection point of 18-20% adoption in 2019 alone.
Security continues to be one of the greatest barriers to IoT adopters in 2019. Insecure components, prevalent malware and short-sighted attempts to apply traditional security measures to IoT networks are formidable challenges for these adopters. In step with this growth, threat actors are also adapting, developing new attack services and hacking tools that will be more sophisticated and harder to detect and respond to. Accordingly, we anticipate a substantial increase in supply chain attacks, IoT botnets and cryptominers alike.
We predict that device manufacturers will put an increased focus on security in 2019 versus previous years, but the number and scope of attacks will continue to rise. Microsoft reports that more than 90% of consumers want manufacturers to step up their security practices, and 74% would pay more for a product with additional security built in. This demand will drive innovation and increased adoption of trusted hardware and software systems. It will also force manufacturers to adopt and adhere to industry recommendations for data management and privacy, bring about increased awareness of supply chain security management and so forth. Manufacturers will also look to include bug bounty programs and responsible disclosure programs for manufactured and deployed devices to improve the security of their products.
Likewise, consumers will pay heed to IoT security governance and adopt processes and technologies that assist in governing the IoT landscape — an amalgam of several technologies comprising the cloud, devices, mobile, edge devices and so forth. For instance, they will look for IoT monitoring systems and platforms for better visibility and management, data protection technologies for better security and privacy, cloud protection technologies and active threat detection technologies.
Moreover, consumers and manufacturers alike will invest heavily in technologies that help them determine the maturity of their security programs. Companies will also look to cyber-risk insurance to safeguard their business from formidable cyberattacks.
Furthermore, as innovation in and adoption of IoT security products and services gains momentum, assisting technologies such as machine learning, artificial intelligence and blockchain will make significant inroads into IoT security products, helping to build improved trust, threat detection, identity management, and data and device management at scale. But, to a large extent, it will be government regulation that brings about a culture of shared responsibility for protecting the IoT landscape.
This article was originally featured in IoT Agenda.
The fourth Industrial Revolution, or Industry 4.0, is well underway. Emerging technologies such as artificial intelligence, augmented and virtual reality, wearables and autonomous vehicles are making sizeable advancements and becoming a part of everyday lives and business.
These emerging technologies all create a lot of data, data that needs to be protected. Connected medical devices transmit sensitive patient information and are also responsible for keeping people healthy and alive. Connected power plants and other critical infrastructure transmit sensitive information and are also vulnerable to attacks. The list goes on. Not only are these technologies creating large amounts of data that require protection, they also require protection for the intellectual property (IP) fueling them. Augmented and virtual reality companies are creating helmets and goggles for civil and construction employees straight out of Iron Man. And there are states out there that are not above stealing this kind of IP, which raises the stakes as many of the world’s electronic components come from those states, adding extra pressure to manufacturers to keep devices secure.
This creates two situations in which data that is extremely valuable to criminals needs extra precautions: securing both the data and the devices producing and transmitting it, and protecting the intellectual property that makes those devices work. Data in transit and data at rest in these situations require heightened security through stronger encryption and IoT security, as well as high-assurance data protection environments to secure the data when it is not in use.
IoT security efforts should focus on developing a dedicated plan to secure the IoT devices, especially given how an IoT architecture — with its disparate protocols, software and hardware — differs from the traditional enterprise network. Integrating IoT devices into enterprise networks will require new risk management strategies and updated operational security strategies with the level of protection for a given asset greatly depending on its use case and the criticality of the application it supports.
It is therefore essential for enterprises to establish a clear vision of the business need for IoT devices, validate the technologies with stakeholders (including security professionals), assess the risks, deepen their technical understanding of how the IoT system really works, and validate system operations and feasibility.
To be most effective, IoT security has to be a shared responsibility. Many security incidents could be avoided if developers and manufacturers were aware of the risks they face on a daily basis, considering not just those that affect IoT devices but also those that affect the IoT environment as a whole, and developed products accordingly. But connected devices are typically designed to be low-cost and built for a single purpose, not with security at the forefront. They often have limited memory and computing power, which means they cannot be protected by traditional endpoint security. Therefore, enterprises must fully vet new IoT devices to understand how much security is built in. For example, a device may have strong embedded encryption, or it may expose an unprotected USB port. The administrative password might be “password,” an open invitation for misuse and abuse.
Finally, it should be noted that it is impossible for every IoT system to behave securely at all times within every context. A good rule of thumb, and a sound approach for enterprises, is to always adopt an evolving security posture.
“IoT security” has long been a hot topic, with many articles and conferences insisting that the biggest single obstacle to growth in this industry is the lack of a comprehensive solution to secure IoT devices and ecosystems. But in many ways, the challenge of IoT security is not a new one, and there are clear parallels between IoT security and other industries that have needed to secure their critical assets and business models. Understanding the technical and commercial structure of these approaches provides excellent guidance for IoT device manufacturers on how to address their security needs as well.
The focus of this article is on the global pay television market. Like many industries leveraging the Internet of Things, pay-TV involves high-value business models (more than US$200 billion in annual revenues), vulnerable edge devices subject to attack (set-top boxes), and a quickly evolving threat landscape that requires an active and dynamic approach to security.
A Short History of Pay-TV Security
From the very beginning of digital pay TV’s launch in the 1990s, service providers turned to a small group of specialized Conditional Access System (CAS) companies whose expertise lay in securing the pay-TV business model against piracy using smart card-based solutions that they either developed in-house or customized from available industry chips. Smart cards were the technology of choice for pay TV because they provided a hardware-based root of trust, securely storing the keys necessary to decrypt pay-TV services. Smart cards also allowed service providers to implement and manage a single security solution across a variety of set-top box vendors and devices, and offered the advantage of being replaceable, enabling service providers to swap cards in case of a security compromise.
By defining this intermediary role for CAS vendors between the device manufacturers and the pay-TV operators who used those devices, the industry not only allowed each party to focus on its core strengths and business activities but also created a clear definition of who was responsible for the security lifecycle management of pay-TV services. Considering that the average life of a set-top box is almost 10 years and that CAS systems are under constant attack, that role is a critical one in creating a sustainable pay-TV business model.
This is very important to consider when we think about IoT device security. The question of “who is responsible for what” is one that needs to be unequivocal. In the world of pay TV, this was a byproduct of the fact that the companies providing CAS technologies were effectively different companies than those providing the devices themselves. Therefore, security responsibilities were clearly defined, and when breaches occurred (as they inevitably did), pay-TV operators knew exactly to whom they could turn for support. As a result, this successful model still remains dominant today in broadcast pay television, and the technology provided by CAS vendors has continued to evolve over time to fend off wave after wave of pirate attacks.
Becoming a Trusted, Strategic Security Partner
As CAS vendors became the trusted security experts in pay TV, operators also began to ask for their help with the end-to-end definition of their security architectures and the choice of other technologies, like chipsets and set-top boxes. In fact, CAS vendors ultimately took responsibility for certifying the end-to-end implementation of pay-TV security, with the other parties in the chain required to submit their technologies for evaluation and approval. As the industry evolved further and new video distribution methods (namely the internet) and devices (like PCs, tablets and smartphones) became popular, CAS vendors were called on to adapt their security technologies to this environment as well. This role in helping design security into new devices, adapting it to new networks and evolving it over time is critical to IoT as well.
In addition, as pirates started to leverage the internet to distribute content illegally in new ways, CAS vendors were called on to provide managed anti-piracy services. This included both monitoring the internet and dark web for piracy as well as the response measures required to actively manage it. Today, CAS market leaders like Kudelski Group’s NAGRA are able to cover the entire end-to-end security needs of their customers, helping them to design, integrate, certify, run and sustain high levels of security over time, protecting their critical assets and business models. This same breadth of products and services is also important to consider when selecting an IoT security vendor.
Other Industries Embrace Similar Models
Pay TV is not the only industry to embrace the model of an independent security partner. Others as varied as banking, telecommunications and corporate IT, all of which have billions of dollars in revenue at risk of fraud, have also turned to trusted third-party security providers, frequently using smart cards as well. This technology has protected a wide range of businesses:
- Banking applications, where smart cards have been used as payment and credit cards
- Telecommunications, where smart cards (in the form of SIM cards) have been used to secure the secrets required for phones to access mobile networks
- Corporate IT, where smart cards give secure access to company networks and resources
Smart card-based systems for all these industries are designed to resist attacks from even the most determined hackers and pirates, and as a consequence, these industries have resisted sustained efforts from organized criminals to undermine their businesses. As a result, the technology has evolved and flourished. Smart cards have been so successful because they provide a secure device for storing data and executing security functions that need to remain “secret”, preventing counterfeit and pirate solutions from becoming widespread.
Whom Do You Trust?
Fast forward to IoT, and many device manufacturers seem to be repeating mistakes that were made and solved in these other industries many years ago. The worst mistake is that many IoT devices seem to be designed without any security at all, or with security only as an afterthought. Many IoT silicon vendors – whose real expertise lies in delivering functionality and connectivity – see this as an opportunity to position “security” as a selling point for their chips, in the hope of differentiating their products in what is often a low-margin business. But designing security into IoT chipsets is no substitute for the end-to-end security lifecycle management provided by specialized security vendors like the ones mentioned above. The key question is whether the security provider is committed to the long-term protection of the end customer’s business model and has the infrastructure and operational experience to be the long-term guarantor of end-to-end IoT security.
What Does Good IoT Security Require?
Let’s assume for the moment that device manufacturers and service providers embrace the concept of identifying a partner to be responsible for security. What should they look for?
- Deep relationships with key chipset vendors and the ability to influence their designs
- The flexibility to deliver a root of trust using a variety of protection methods (integrated secure element, SIM card, TEE, etc.) in order to achieve maximum device reach
- The ability to provision devices with secrets, either during production or over the air (OTA), based on close collaboration with those chipset vendors
- The ability to quickly update code on deployed products in case of a compromise
- The ability to constantly monitor deployed products (via in-field diagnostics) to anticipate potential security compromises, for example using AI-based behavioral monitoring
- Proprietary security mechanisms embedded in the silicon that can activate countermeasures (as has historically been done with smart cards) in the event of a security breach
- Cryptographic algorithms and other security elements that can be changed in the field on deployed products to counteract piracy
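Three of the items above (provisioning devices with secrets, updating code on deployed products, and changing key material in the field) can be shown together in one small protocol. The Python example below is added here and is not from the article or any Kudelski product; its design is an assumption: each device gets a symmetric key derived with HMAC from a manufacturer master key at provisioning time, every firmware manifest is authenticated under that key with a monotonically increasing version number for anti-rollback, and an update can carry a rotation instruction that ratchets the device key forward so that material signed under the old key is rejected afterwards. A production design would keep the master key in an HSM and would usually prefer asymmetric signatures where the device can afford them.

```python
"""Per-device secret provisioning and authenticated OTA updates with key rotation.

Added example. Assumptions: symmetric HMAC keys derived from a manufacturer
master key, a backend that keeps a copy of each device's current key, and a
hash-based ratchet for in-field rotation. Not the article's or any vendor's code.
"""
import hashlib
import hmac
import json

MASTER_KEY = bytes.fromhex("11" * 32)   # constructed; a real master key lives in an HSM


def derive_device_key(master_key, device_id):
    """Factory provisioning: one key per device, so one leaked key exposes one device."""
    return hmac.new(master_key, b"device-key:" + device_id.encode(), hashlib.sha256).digest()


def ratchet_key(key, new_version):
    """In-field rotation: backend and device derive the next key from the current one."""
    return hmac.new(key, b"rotate:%d" % new_version, hashlib.sha256).digest()


def provision(device_id):
    """State burned into the device at the factory."""
    return {"id": device_id, "key": derive_device_key(MASTER_KEY, device_id),
            "key_version": 1, "fw_version": 1}


def _canonical(manifest):
    """Deterministic bytes for the MAC so backend and device hash the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_update(key, device_id, key_version, fw_version, image, rotate=False):
    """Backend side: manifest naming the target, the key it is signed under, the
    firmware version and the image hash, plus an optional key-rotation order."""
    manifest = {"device": device_id, "key_version": key_version,
                "fw_version": fw_version, "sha256": hashlib.sha256(image).hexdigest()}
    if rotate:
        manifest["new_key_version"] = key_version + 1
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest, tag


def apply_update(device, manifest, tag, image):
    """Device side: every check runs before any state changes. Returns (accepted, reason)."""
    if manifest.get("device") != device["id"]:
        return False, "wrong device"
    if manifest.get("key_version") != device["key_version"]:
        return False, "stale key version"          # old key material no longer accepted
    expected = hmac.new(device["key"], _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):     # constant-time compare
        return False, "bad authentication tag"
    if manifest["fw_version"] <= device["fw_version"]:
        return False, "rollback"                   # anti-rollback: never go backwards
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image mismatch"             # image must match the authenticated manifest
    device["fw_version"] = manifest["fw_version"]
    new_kv = manifest.get("new_key_version")
    if new_kv == device["key_version"] + 1:
        device["key"] = ratchet_key(device["key"], new_kv)
        device["key_version"] = new_kv
    return True, "installed"


if __name__ == "__main__":
    dev = provision("sensor-0042")
    backend_key = derive_device_key(MASTER_KEY, "sensor-0042")
    m, t = build_update(backend_key, "sensor-0042", 1, 2, b"firmware v2", rotate=True)
    print(apply_update(dev, m, t, b"firmware v2"))            # installed, key now v2
    print(apply_update(dev, m, t, b"firmware v2"))            # replay rejected
    backend_key = ratchet_key(backend_key, 2)
    m, t = build_update(backend_key, "sensor-0042", 2, 3, b"firmware v3")
    print(apply_update(dev, m, t, b"firmware v3" + b"!"))     # tampered image rejected
    print(apply_update(dev, m, t, b"firmware v3"))            # installed
```

The order of checks matters: the manifest is authenticated before its version or hash are trusted, the image hash is compared only against the authenticated manifest, and the key ratchet is applied last so a rejected update leaves the device exactly as it was. The "who do I call" question in the text is the operational counterpart of this code: somebody has to hold the backend copy of every device key for the life of the product.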
Most of these things require close design collaboration between IC vendors and security vendors in order to align on the required features. Is such collaboration likely to happen? In industries like pay TV, it has become the norm. Whether it becomes the norm in IoT will depend greatly on the decisions device manufacturers make when they choose their security partners and IC vendors. At the outset it may appear efficient to select a “one-stop shop” solution, but a judicious reflection needs to consider the long term, and a key question is “whom do I call when bandits knock at my door?”
Final Key Questions
In summary, IoT device makers and service providers are invited to consider two very important questions that are critical to IoT success.
- Does your security provider have the technical ability and operational experience to help you withstand both basic and advanced attacks?
- Is their commercial business model aligned with your needs for long-term security lifecycle management, keeping your IoT products secure over the long term?
Selecting a trusted, strategic security partner who has the ability and relationships to execute on the required technical features and services to enable sustainable business models is crucial. Once these types of questions become seriously considered in the IoT market, we will be able to make progress on removing “security” from the list of barriers holding back the full potential of the Internet of Things.