- DigiCert announced the release of its DigiCert Auto-Provisioning solution to help appease the need for medical Internet of Things (IoT) device security.
The tool provisions digital certificates at scale, regardless if an organization’s devices use open standards or support proprietary device enrollment protocols.
The number of IoT and connected medical devices is rising rapidly and each device needs to be secured properly.
IoT devices are not subjected to the same login-type security protocols as laptops, tablets, or smartphones. The devices connect to the network without a login process, making securing them different from securing other devices in a health IT infrastructure.
"Device authentication and encryption are critical to securing connected devices and the information they share, but many software implementations lack standard protocols for provisioning devices," DigiCert CTO Dan Timpson said in a statement. "DigiCert Auto-Provisioning, powered by Device Authority, helps companies get certificates on a much wider range of IoT devices in a scalable, secure and automated way."
DigiCert added that as the number of connected devices rises, current security deployments are lagging and are unable to properly secure all IoT and connected medical devices. The company estimates that three-quarters of connected devices failed to encrypt communications to the internet and local network.
It was also discovered that smartphone application programing interfaces (APIs) were not authenticating users on the server.
Healthcare has had specific issues with IoT security solutions because of the alternative authentication that is required by the connected devices. The FDA also recently issued its Postmarket Management of Cypersecurity in Medical Devices, where the agency outlines the security risks of connected medical devices malfunctioning.
Any IoT device can have a security vulnerability that could potentially affect the entire network. Something as simple as a connected copy machine, or a smart refrigerator, could expose a network via an unprotected gateway.
Security vulnerabilities have been discovered in pacemakers, defibrillators, and diabetes insulin pumps. These devices are meant to be communicating with the management server only, but have been found to broadcast signals out into the internet, breaching security protocols.
Without a security solution to manage the activity of these devices and understand their behavior, small but significant instances could potentially become more and more common as the number of devices continues to grow.
Organizations need to have network visibility to gain control over their devices. They need to identify how each device can be compromised and how secure the data is in transit.
DigiCert mentions the physical restrictions of IoT devices as another obstacle for legacy security solutions.
IoT devices do not have the same computing power as smartphones and laptops, making it difficult to deploy a strong encryption option. It can also be more difficult to securely generate and store the keys needed for strong device security.
The number of IoT devices does not allow for convenient manual credential adjustment, which leaves the security solution vulnerable to human error.
IoT devices are vast and it is predicted that hackers will take advantage of unsecure IoT devices in the coming year. Healthcare organizations cannot afford to risk human error when protected health information (PHI) is on the line.
DigiCert explained that to counteract the vulnerabilities expected in securing IoT devices, it has expanded the range and type of IoT devices that can be secured.
DigiCert added certificate deployment and management at scale through secure certificate generation and delivery. It also implemented automated certificate renewal, automated certificate revocation, and encrypted medical store to its solution.
Thompson concluded that organizations have to control their network on a much wider spectrum because of connected devices. Security controls need to be strengthened and solutions need to be implemented so organizations can have full control over their IoT investments.