Published on 08.11.2021
The technical (r)evolution in laboratories and hospitals and its demands on security and data protection.
Digitalization is on the rise. While industry can already point to far-advanced processes and successes with buzzwords such as “Industry 4.0”, “IoT” and the “digital factory”, the healthcare sector is still at the beginning of a similar development.
Markus Dillinger, General Manager – Technology at System Industrie Electronic GmbH, a development and manufacturing specialist in the medical & IVD sector, says: “A complete digitalization and extensive automation of the healthcare sector with a focus on faultlessness, connectivity and safety is inevitable. However, unlike in industry, we see much more sensitive areas of application and data protection needs in the medical sector. Accordingly, the development of advanced medical devices must always go hand in hand with fully comprehensive security concepts. In addition, the fundamental risk assessment of the two sectors is also significantly different. While business IT has been and continues to be designed with a clear focus on security over function, the principle of function over security usually applies to medical devices, as it does in industry.” This unavoidable prioritization of the health sector must be incorporated by modern development and manufacturing specialists in the design of new equipment.
The three pillars of security
Modern security concepts are based on the classic “three pillars of security”: Confidentiality – Integrity – Availability. For each of these pillars, appropriate hardware and software precautions must be taken in the context of a fully digitized medical system. A protection concept begins with defining the protection goal. As part of this definition, the following questions must be answered for each individual product: What is to be protected? Why should it be protected? Who is the potential attacker? In the case of digital medical devices, a dedicated approach is recommended. “Fully digital medical devices can be manipulated and attacked on several levels,” says Markus Dillinger. “Bootloaders, the operating system and device-specific application software are all based on the respective hardware platform. Each of these levels is vulnerable and must be protected accordingly.”
Protection at all levels
Complete protection concepts therefore start at the hardware level to guarantee the long-term availability (see above: “Three pillars of security”) of developed devices. For example, robust ESD-compliant circuit design beyond the standard specifications and discharge measures for potential overvoltage in the housing can protect devices from USB high-voltage generators. These sticks, which are relatively easy to purchase, could quickly and effectively put equipment out of operation without appropriate protection. This would be particularly fatal in the health sector. “While increasing networking and interfaces can make workflows easier and more convenient in the future, it must be clear that any additional possibility of intervention also makes systems more vulnerable. To this end, attention must be paid to particularly secure product design as early as the product development phase,” says Dillinger.
In the area of system integrity, the next step is to determine who can change data and how, and to ensure appropriate traceability. In addition to the classic encryption of sensitive data, secure boot systems, which prevent access and manipulation during the boot phase, are particularly effective aids here. Secure boot forces all hardware and software components in operation to authenticate themselves at system startup. If this authentication fails, the system prevents access. Hardware measures such as case intrusion protection or detection, combined with automatic reactions such as data deletion or device shutdown, can also be valuable for protecting sensitive data.
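The startup check described above can be sketched as a hash chain across the bootloader, operating system and application levels. This is an added example, not code from the article or from System Industrie Electronic; it assumes a digest-chain variant of secure boot (production designs usually use signatures), and all names and stage contents are constructed.

```python
import hashlib
import hmac

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_chain(payloads):
    """Link stages back to front: each image = payload + digest of the next image.

    Returns the images in boot order and the root digest to fix in hardware.
    """
    images, next_digest = [], b""
    for name, payload in reversed(payloads):
        image = payload + next_digest
        images.insert(0, (name, image))
        next_digest = sha256(image)
    return images, next_digest

def secure_boot(root_digest, images):
    """Verify each stage before starting it; halt at the first mismatch."""
    expected, started = root_digest, []
    for i, (name, image) in enumerate(images):
        if not hmac.compare_digest(sha256(image), expected):
            return {"started": started, "halted_at": name}
        started.append(name)
        # A verified stage carries the expected digest of the stage after it.
        expected = image[-32:] if i < len(images) - 1 else b""
    return {"started": started, "halted_at": None}

# Constructed stage contents standing in for the levels named in the article.
PAYLOADS = [
    ("bootloader", b"constructed bootloader code"),
    ("operating_system", b"constructed OS image"),
    ("application", b"constructed device application"),
]
IMAGES, ROOT_DIGEST = build_chain(PAYLOADS)  # ROOT_DIGEST lives in immutable hardware

def with_modified_application(images):
    """Same chain, but the application image was changed after manufacturing."""
    return images[:2] + [("application", b"modified device application")]

def relinked_with_modified_os(payloads):
    """Chain rebuilt around a changed OS; its root no longer matches the hardware."""
    changed = [payloads[0], ("operating_system", b"modified OS image"), payloads[2]]
    return build_chain(changed)
```

Because only the root digest is held in hardware, a change at any level is caught either at that level or, if the links were recomputed, already at the bootloader.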
Of course, the issue of confidentiality is also taken into account in modern security concepts. Irrespective of networking via the Internet or intranet, the USB interface is another major weak point of unsecured devices.
The above-mentioned Secure Boot or a corresponding USB device authentication provides a quick and easy remedy. Markus Dillinger adds: “However, awareness must be created, especially at the end customer level. Who can access a device, when and how? Are there communicated and known update concepts? How are devices protected against unauthorized access? In cooperation with partner companies, we see time and again that the extensive training of service personnel and the definition of uniform service procedures are extremely important steps towards a mature security concept. It’s important to make yourself and partners aware that system protection doesn’t start with software or virus protection, but much earlier.”
Looking at these approaches and concept structures, it becomes clear relatively quickly why the healthcare sector still lags behind industry or the IT sector when it comes to digitalization.
Far more sensitive data, a much greater focus on fail-safety and the correspondingly required complex security concepts do not make the tasks for developers, manufacturers and end users any more difficult – but they do make them much more complex. However, one thing is clear: developers, service providers and their partner networks are working at full speed on new solutions – the (r)evolution in the medical sector towards a fully networked, automated and digitized healthcare system is imminent.