Provisioning and root of trust
In a connected system, securing exchanges is paramount; therefore, a provisioning mechanism is used. Certified keys are written into the product during its manufacture. These keys allow the cloud to identify and recognize hardware; they prove its identity, and the cloud can trust it.
Conversely, the product has to trust the cloud server. We use security mechanisms, such as https, that prove the server’s authenticity.
This security, integrated into the manufacture of the product, requires a root of trust to be established with certificates giving authority to your factories and subcontractors, for example, and allowing you to revoke them if necessary.
Provide a secure Over the Air update mechanism for your medical IoT device
Implementing secure update mechanisms to protect your medical IoT device is essential. First, because no software system is infallible over time. You must be able to update it when you identify and correct flaws. Moreover, all client interfaces evolve, and you will probably need to make changes, add new features, and so on.
The purpose of a secure update mechanism is obviously to protect each hardware item as well as to avoid, in case of problems, compromising the entire pool.
An authentication system should be implemented here to avoid unique keys.
Choose a specialized semi-public or private cloud for your medical IoT device
In order to address privacy and security issues specific to the medical IoT devices field, some infrastructure providers offer specialized cloud solutions guaranteeing high data storage and transfer security.
For example, solutions such as OVH Healthcare, FollowMed exist and cloud giants also provide solutions, such as Google Healthcare or Microsoft HealthVault.
Certification of these solutions is progressing. In early 2018, following a change in the legislation, the ASIP (French Shared Healthcare Information Systems Agency) revised its procedure.
It now imposes a documentary and on-site audit carried out by an independent third party and verifies the equivalence of any ISO27001 and ISO20000 certifications already obtained. The ASIP also differentiates between two certification perimeters: physical infrastructure host and hosting companies.
See things differently with Edge Computing for medical IoT devices
The principle of this solution is to not transmit all raw data to the cloud but to pre-process the data directly in the hardware of your medical IoT device. Unlike Cloud computing, which consists in transmitting all data to the cloud to be exclusively processed, Edge computing is a solution when high volumes of data need to be transmitted and stored in the cloud. In our context, it can also address sensitive data security by processing it directly in the hardware and only transmitting pre-processed and potentially less sensitive data.
Medical IoT devices: Open up the field of possibilities with artificial intelligence
Recent developments in this field have applications in multiple fields and open up a number of perspectives.
As regards to the medical IoT devices market, the implementation of artificial intelligence algorithms could address data confidentiality issues by generating data models that are in every way similar to real data without actually being the data of real patients.
For example, an artificial intelligence engine can learn to generate patient data from real patient data, and once it has learned how to do this, it can generate thousands of similar data, consistent with real data but without privacy issues as the data generated is not related to an actual patient. The learning phase is done in a secure environment (because handling and access to real data), but once completed, the AI engine can be implemented in an open environment.
AI can be used to develop new diagnostic and interpretation tools of exceptional reliability, for example.
No doubt there are software solutions for successful medical IoT devices, the key is to start with the right questions
As we have seen, there are various mechanisms that guarantee security, confidentiality, and compliance with medical market development standards while providing connectivity and data transfer interfaces to implement IoT scenarios.
The implementation of these different technologies is far from trivial and the choice of technologies and their integration with the right level of security requires specific software expertise as well as proven software architecture and integration skills.
It is also important to keep in mind that each scenario is different. Depending on the type of medical device, its purpose, the type of data handled, the level of security required, the environment of use, and the scenarios of uses envisaged, the technological choices and the manner in which they are combined will be completely different.