Compliance considerations for the medical Internet of Things
May 27, 2016
The medical industry is poised to take a quantum leap in available data from wearable IoT devices as well as advanced systems that can monitor, report...
The medical industry is poised to take a quantum leap in available data from wearable IoT devices as well as advanced systems that can monitor, report, and track a variety of medical conditions. At the same time, Healthcare IT News reported in a 2015 article that the medical industry had over 2 million identity theft victims in 2014, representing a 22 percent increase from the previous year.[1]
There are a number of regulations that attempt to ensure the privacy of sensitive patient data. This article explores security during patient data transmission, the regulations that govern it, and a recently announced solution that may enable more advanced medical IoT applications that also comply with data security regulations.
Medical IoT challenges
IoT is less a collection of products and more of a paradigm shift in how a deployment solution can provide the end user significant benefits, as well as offer vendors valuable information about how the system is used. With an explosion in the number of wearables, these devices represent an unprecedented level of access to massive volumes of information that can be utilized to propel the medical practice to new heights. This also opens the door for new medical devices that utilize technology similar to wearables for biometric information, but are custom built for analysis of medical conditions and the effect of diet, exercise, and lifestyle on those conditions.
Medical IoT challenges extend privacy issues beyond just the protection of stored data that the medical industry has been dealing with for a long time. New challenges involve getting this sensor data to the ingestion and storage system securely and reliably. The Federal Information Processing Standard (FIPS) has been tasked with providing standards and assurance levels of protection and privacy in these areas. The FIPS 140 standard deals with security in transmission of information, which is a key compliance piece in order to successfully de-ploy medical IoT applications.
FIPS 140-2 overview
FIPS 140-2 is a U.S. government computer security standard used to accredit cryptographic modules. In the medical industry, this standard is used to secure sensitive data involving personal medical records or data. The certification for the encryption methods of the data is tested against entropy for random number generation and validation of the security of the cryptographic algorithms used. There are additional levels that also include tamper detection and response requirements.
These are important compliance requirements in order to en-sure the security and protection of the data. Applying IoT to medical, this sensitive data is also flowing from medical sen-sors, devices, and gateways into cloud environments that can track, monitor, and analyze the data from a single individual to groups of test subjects. This extends the security requirements to not only the data storage, but also the transport from sensors to cloud.
FIPS 140-2 implementations
Redpine Signals recently announced the availability of a FIPS 140-2 Wi-Fi module based on the company’s M2MCombo chipset (Sidebar 1). These modules allow designers to easily incorporate compliance capabilities within their healthcare, financial, education, and manufacturing systems.
Sidebar 1 | Redpine Signals M2MCombo Wi-Fi chipset.
The FIPS 140-2-compliant M2MCombo Wi-Fi chipset from Redpine Signals includes algorithms such as AES 128/256-bit in CBC mode; AES CCM; AES-12 CMAC; SHA-1; SHA-256; HMAC-SHA1; HMAC-SHA256; RSA PKCS#5; SP800-90 DRBG HASH_DRBG; SP800-108 KDF; and CVL. There are also algorithms in the chipset that are non-approved but al-lowed in FIPS mode, and mainstream cryptographic algorithms for non-FIPS mode. This makes the chipset extensible for a variety of compliance requirements. The entire SSL stack is embedded in the chip, which eliminates any cryptography bottlenecks on Wi-Fi performance.
Venkat Mattela, CEO of Redpine Signals mentioned that they have been working for over 3 years to bring FIPS 140-2 compliance to the dual-band Wi-Fi network commonly used in medical facilities due to increased robustness and resiliency. “Prior to this effort we had worked to bring FIPS 140-1 to market, which defines the cryptographic functions. These functions are tested for entropy of the random number generation and validation of the cryptographic algorithms,” Venkat said.
Wi-Fi vendors typically have enterprise certification like AES, which can be sold into non-military components. But these enterprise-grade solutions represent a significant roadblock to the adoption of medical IoT applications.
“Draeger Medical was one of the companies at the forefront of developing applications that require FIPS 140-2,” Venkat continued. “Incorporating these FIPS 140 components within their Wi-Fi-based Infinity M300 patient-worn telemetry monitor represented an important benchmark for securing sensitive data for a medical IoT application.”
There are lots of very interesting and useful health applications that run on smartphones and link with various wearable devices and sensors to monitor activity, fitness, and weight loss. Extending these devices to be used by medical industry professionals could provide greater insights into lifestyle, exercise, and eating habits and their impact on health and illness prevention.
Beyond medical
Venkat mentioned that while the FIPS 140 capabilities were developed for medical applications, there are many other mar-kets making IoT devices and systems, such as banking and finance, government and facilities, energy production and smart grid, critical manufacturing, emergency services, transportation systems, chemical production, and research. “All these applications exchange sensitive data that pertains to pub-lic health and safety. The FIPS-140 capabilities unlock IoT possibilities in all these mission-critical industries.”
There are a number of key aspects in order for FIPS to be ef-fectively implemented. The deployment must be fully embedded in software so you don’t need an extensive Linux processing system. Hardware acceleration that enables maximum throughput is important, and a knowledgeable support infrastructure that engages with customer use cases from concept to deployment is also critical. These key capabilities can result in applications and systems being quicker to market with lower platform expense while extending infrastructure into new markets with similar security requirements.
One big benefit of incorporating FIPS-compliant modules is the ability to leverage certification from the modules being incorporated. Venkat commented that the requirements for the randomness entropy itself took six months to refine and test until they were certified.
Summary
Data security is a critical element of medical IoT appli-cations. That security must exist while the data is stored, as well as in-transit. Components that implement the FIPS 140 standards are an important building block to enabling a high level of data security for industries that require them.
References:
1. “Medical Identity Theft Sees Sharp Uptick.” Healthcare IT News. 2015. Accessed May 11, 2016. http://www.healthcareitnews.com/news/medical-identity-theft-sees-sharp-uptick.