04-08-2020 | | By Robin Mitchell
Security is now one of the most critical aspects of modern IoT design, and its importance cannot go understated, especially in the medical field. How will medical IoT help doctors in the future, and what measures should be considered when designing a medical project?
AI is a technology that has only recently become useful thanks to numerous advanced in technology, and the massive amounts of data generated globally. Generally speaking, an AI can achieve any task provided that the system has enough data to learn from, which is why the IoT industry is often tied into AI systems. For example, an AI controller for a production line can make predictions on when parts require maintenance. This is achieved by monitoring the equipment for abnormalities (such as odd vibrations and temperature swings), and once detected, alerting operators that there could be a fault. With enough data, an AI system could even identify what the fault specifically is (such as a failed motor, or misaligned belt), which not only drastically improves performance, but minimises equipment downtime.
The medical field is no different, and doctors of the future will become reliant on AI systems for initial diagnosis, as well as long-term health monitoring. Just like industrial environments, medical AI will require data from both the patients they are monitoring, and data from medical cases to learn from. This is why medical IoT devices will become critical soon.
Medical IoT devices can come in all shapes and sizes performing different tasks from reading blood pressure to monitoring heart rate. One goal that needs to be achieved in medical IoT devices is the ability to monitor using non-invasive and non-constrictive methods. For example, blood pressure is commonly measured with the use of restricting blood flow through an artery to determine at what pressure blood flow is stopped at. However, a new method developed by researchers has shown that radio waves can be pulsed through the body and received at the neck via surface mounted sensors, which is far more comfortable than a compression-based system. However, another goal that medical IoT devices will need to achieve, beyond all others, is security. While monitoring systems themselves are somewhat low risk, those that can administer medicines, or interact with bodily functions such as a pacemaker, will need to be impenetrable. The reasoning for this is self-explanatory, and living in a world where attackers continuously look for exploits and flaws in designs presents designers with a challenging environment. So, what security factors should a designer consider when creating a medical device?
Hardware in devices comprises of two layers; hardware and software. While security is essential, it is essential to recognise how an attacker will most likely going to attempt an attack. A medical device is very personal, and will unlikely be accessed physically; thus, a designer should focus their security strategy on software as opposed to hardware. That is not to say that hardware security should be ignored; methods such as the use of secure boot, and hardware cryptographic accelerators must be used to ensure that the device cannot be injected with malicious code. The same also applies to updates; underlying security hardware must ensure that applied updates are authentic. Designers should also understand that hardware security is a relatively new field (when compared to software security), meaning that many modern SoCs and microcontrollers lack a diverse range of security measures.
Software security itself comes into two main areas; good practice, and mitigation techniques. Mitigation techniques include the use of malicious code detection, securing of memory, and limiting what processes can do via the use of privilege levels in a CPU. Good practice, however, is more concerned with the approach designers take during the developmental stage, and ensuring that basic mistakes (such as default passwords) are not used.
In general, when designing an IoT system, the following criteria should be met
NEVER use identical default passwords. Every default password to a device should be unique, and be strong (i.e. symbols, numbers, upper case, and lower case)
When first used, the device should ask for a new password. This password should only be accepted if secure with the use of symbols, numbers, upper case, and lower case
All connections should be encrypted using the latest algorithms (i.e. SSL)
Stored data (such as that found on external EEPROMS), should be encrypted
The software should always be up-to-date (i.e. prevent users from denying software updates)
Medical IoT devices will revolutionise medicine with its ability to gather vast amounts of data, provide medical AI system with the ability to diagnose conditions better than any doctor, and also provide long-term monitoring to provide preventative measures instead of reactionary measures. However, medical devices will need to be incredibly secure to ensure that users are protected from attackers who may wish to cause them harm. Generally speaking, a good litmus test for the security of such a device is that the designer should be happy to store their bank account number, pin, and passwords on the device, then give that device to a known criminal.