SAFE Identity Introduces IoMT Credentialing for Health Care
April 14, 2021
The SAFE Identity consortium announced in early March that it would form an Internet of Medical Things (IoMT) working group.
The group will work to establish industry standards and guidance for the smart medical device industry that will help manufacturers develop interoperable and secure safety credentials for their IoMT devices.
The move reflects growing fears among medical providers and cybersecurity experts that IoMT devices may be especially vulnerable to cyberattacks.
As these devices become more and more commonplace in the world of medicine, they may need unique industry standards that will guide manufacturers in creating smart medical devices.
The SAFE Identity Plan for More Secure IoMT Devices
In Phase I, the SAFE Identity IoMT working group will begin by updating the SAFE Certificate policy — “a set of technical specifications, interoperability criteria, compliance guidelines and liability rules that govern the SAFE Identity Trust Framework” — for use in the medical device space.
The group hopes the new policy will enable end-users to securely interact with medical devices “out of the box.”
In Phase II, the working group will establish guidelines to help manufacturers and consumers apply best practices to the development or use of smart medical devices.
In Phase III, the group will ensure its new policy and guidance meet FDA standards on medical devices.
Why IoMT Devices May Need Special Security
IoT devices are, in general, seen as more difficult to secure than devices like smartphones or desktop computers. Poor device management means these devices may use default passwords or not receive regular security updates.
IoT devices also face some unique security issues. For example, if an IoT device manufacturer goes out of business, future vulnerabilities likely won’t be patched, leaving devices open to attack.
The need for device longevity can also pose problems. While you may be able to improve organization security by upgrading company smartphones, it’s not practical to do the same for a smart pacemaker or a costly smart patient monitor.
The growing number of devices that medical facilities have to manage can also pose issues. On average, there are 10 to 15 medical devices per hospital bed, many of them networked. Even in a smaller hospital, IT teams may have to manage upwards of 1,500 devices.
Discovering and maintaining these devices can be a challenge beyond available resources.
As a result, security vulnerabilities that exist due to a device’s hardware or firmware may be difficult or impossible to fix. IT staff may not even be aware of potentially problematic devices.
Regular device use can also make routine patching difficult, even if an organization has access to the device and knows it may be at risk.
How Data Breaches May Put Patients at Risk
The data that IoMT devices collect and have access to may also make breaches of these devices particularly damaging.
While an IoT device may have access to passwords or some financial information, IoMT devices may hold on to sensitive medical data and a range of personally identifiable information. A compromised device could also provide access to a hospital’s secure network.
This is why industry professionals have been particularly anxious about the potential harm that unsecured IoMT devices may cause.
Both manufacturers and medical facilities could be held liable. In the event of a breach, patients and medical facilities could argue under state law that manufacturers breached warranty, or leverage strict liability to argue that security oversights during the development process led to the breach.
In any case, the number of patient records exposed by data breaches is steadily rising. As hospitals adopt additional networked devices and medical records become more valuable, hackers are likely to ramp up attacks and target IoMT devices more frequently.
New Standards Could Lead to More Secure IoMT Devices
IoMT devices are becoming more and more commonplace in hospitals — to the point that even small hospitals may be managing tens of thousands of networked smart devices.
These devices, while valuable, also present a serious safety risk for hospitals and patients.
New initiatives, like the working group led by SAFE Identity, may help make IoMT devices more secure by default and provide consumers with best practices for the secure use of these devices. This improved safety could help protect patient data as hospitals become increasingly connected — and increasingly vulnerable to cyberattacks.