Cybersecurity and Medical IoT Devices – Make it Trusted and SIEMple!

Internet of Medical Things (IoMT) devices are already revolutionizing the healthcare business.  They are delivering on their promises of improved data access, convenience, operational efficiencies and automation for the Health Care Providers (HCP). Additional drivers like patient engagement and safety, accuracy of vitals, mobility within the institution, etc. will guarantee an explosive growth in smaller, connected medical instruments.

However, the IT groups at HCP are struggling with the proliferation of IoMT devices throughout their institutions, currently averaging 3-6 monitoring devices per admitted patient. They are challenged to facilitate the new world of digital medicine while ensuring data privacy and patient safety remain their top priorities.

Security Information Event Management (SIEM) systems, like IBM’s QRadar, are the major tool the HCPs have to successfully deal with the explosive growth in connected devices and data. Gartner’s “Magic Quadrant for Security Information and Event Management” 2018 report defines the SIEM market as “the customer’s need to analyze event data in real time for early detection of targeted attacks and data breaches, and to collect, store, investigate and report on log data for incident response, forensics and regulatory compliance.” SIEM promises to make security events more digestible and actionable, especially when cognitive computing is brought to bear on the large volume of aggregated data that floods in from the networked devices.

But even the most sophisticated SIEM systems can struggle at the hyper-connected institutions we see today:

  1. Integrating instruments that are based on small, embedded processors and RTOS

It can be a challenge to extend the reach of the SIEM into devices that have very constrained resources and may not be able to support standard logging as a result. Supporting the wide diversity of device platforms and operating systems that you might see is equally daunting.

  1. Allowing for untrusted devices

Mobile devices like smartphones and tablets that host medical applications must be considered as hostile environments… they are often unmanaged (or even BYOD) and can leave the premises, which allows a hacker the luxuries of time and access in order to craft an attack. This is equally a concern for the emerging category of patient wearables.

  1. Scaling to thousands of devices

The problem of scaling boils down to a matter of trust in the data. If a motivated hacker compromises the device, they can manipulate the data being sent or block it entirely. SIEM systems use a combination of forensics, behavior and multiple sources to combat this, but as the numbers of connected devices deployed in medical institutions grow exponentially the shear volumes of log events that must be processed to discern critical security events becomes untenable. This is especially a problem for SIEM systems that may use Artificial Intelligence / cognitive processing to detect bad behavior of a device to use as a cybersecurity event alert. The increasing numbers put severe pressure on the ability of the system to produce timely security events as well.

The ideal solution to the problems above is a ‘trusted’ security telemetry agent and associated services. Using software protection techniques we’ve written about before, it is possible to conceive of a secured telemetry agent, an agent that could produce reliable and robust critical security events in near real-time, without any complicated forensics and additional processing required.

  • The agent should be written in protected source code for easy portability between platforms and OSes, with a small footprint in code and memory size for instruments with constrained resources.
  • The agent would leverage software protection features for anti-reverse engineering, and anti-tampering, as well as utilizing integrity verification to establish a software-based root-of-trust.
  • End-to-end protected communications to a dedicated server for aggregation, filtering and reporting rounds out the high-level feature set.

With the features above in place, critical security events can be logged, and the data cannot be compromised by attackers in the generation phase, at rest, nor in transit. Such a self-protecting, security-in-depth implementation means you can extend trust to untrusted devices and the pre-qualified security events would help the SIEM extend its reach and scale to thousands of IoMT devices easily!

Irdeto has a Cloakware® protected Trusted Telemetry solution built along the guidelines above. We have partnered with IBM QRadar SIEM to demonstrate our solution at HiMMS19, February 11-15, 2019 in booth #6580. Look for us there!