As we have seen, the Internet of Things will disrupt and change every industry and how the actors within it do business. Along with the new kinds of services and products that the proliferation of IoT makes possible come business risks as well as heightened security concerns – both physical and cyber. In our prior column, we discussed this topic in the context of the smart electric grid. Today we're taking a look at how IoT is disrupting the health care market and what steps we can take to secure it.

IoT projects in health care

Let's first look at how IoT is being used within the health care industry – after all, IoT is simply a technological concept, not an end product or process. According to a recent Gartner report ("Market Insight: Healthcare IoT in 2018 — Sell to CEOs and Set Realistic User Expectations"), most IoT deployments in health care are what are called internal implementations – for use within a health care facility and organization, as opposed to external use such as managing outside vendors or communicating with third parties. Workforce and patient tracking for productivity and efficiency gains is the primary use case. A good example is tracking bracelets given to doctors, nurses and patients, along with readers that capture their position within a medical building or at a given medical station. This helps capture data on, say, the amount of time a patient spent in a waiting room or the time a doctor spent in front of a terminal, which can then be used to improve patient workflows or reduce wait times – and can lead to a direct cost reduction per patient.

There has been a lot of focus recently on improving in-home medical care, especially in the field of elder care or geriatrics. Various newer products use a combination of sensors – proximity, weight, sound and vibration – to capture a person's general movement within a house. Over time the data is used to build a model of the person's expected behavior and movement within the home throughout the day, which can then be actively monitored. If an anomaly is detected – for instance a fall, or someone being unable to get out of bed at the usual time – medical staff can be alerted. The appeal of these connected sensors is that they are non-intrusive: no cameras are placed within the home, and patients aren't required to wear a bracelet, arm band or other body-worn tracking device.

Finally, one example directly related to medical diagnosis that I'd like to mention is a product called the EVA bra. The bra has several biosensors that measure skin temperature and send the readings to a smartphone app. The data is then analyzed to see whether the recorded temperature is above the norm, which happens due to increased blood flow – a sign indicating the possibility of a tumor. Still undergoing clinical trials, this is a novel application of a connected device helping to combat disease.

The need for cybersecurity

Connected medical devices are increasingly being deployed within health care facilities. Apart from the examples above, there are many devices used for patient monitoring. Most of these are for bedside monitoring and actively capture, transmit and record patient medical data. This brings up the first issue, which is data privacy and security. Data, whether in transit, at rest or in use, needs to be protected – not just as a best practice but now also as a requirement under federal law. The FDA guidance "Management of Cybersecurity in Medical Devices – 2016" requires that data be protected. Encryption is the first step by which we can make sure that data and communications between medical devices cannot be easily intercepted and eavesdropped upon.

Apart from passively capturing information, some medical devices also actively administer drugs or physical care to a patient, thus more directly, and sometimes autonomously, affecting patient health. A connected infusion pump is one such device. This leads to more complex security issues. We now need to be able to identify a given pump, ensure that we are talking to the right one, ensure that any command to update a dosage is sent to the correct one, and ensure that only a care provider with the authority to do so is allowed access. There have been several well-publicized attacks on insulin pumps.

How PKI can help

The first thing we need to do is add a layer of identity to connected medical devices. Next, we want to ensure that any data coming from these devices is encrypted. Then, we want to be able to prove that the device sending data is actually who it claims to be – essentially, to authenticate it. Finally, we want to ensure that only authorized users are able to send commands to a device.

These four security tenets – identification, encryption, authentication and authorization – are the cornerstones of public key infrastructure delivered via digital certificates. It starts off by issuing a meaningful digital certificate to each connected device as well as to the monitoring and control software that manages it. Then we configure these systems to accept incoming connections only from devices that are able to produce such a certificate, enabling authentication (we of course have to protect each device's private key and ensure that the certificate provisioning step was done in a secure manner). A TLS tunnel can now be established between the server and the medical device, giving us a blanket of privacy.
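To make the certificate-based authentication step concrete, together with the policy metadata used for authorization, here is an added Go example that is not from the original column or any vendor's product: a facility CA issues certificates, a nurse-station certificate carries a URI SAN naming the pump it may command, and the server-side check verifies the chain against the CA before it consults that metadata. The `urn:hypothetical:may-command:` naming scheme, the certificate names and the device IDs are assumptions made for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)
// Policy metadata: a URI SAN "urn:" + policyPrefix + deviceID per device the holder may command (hypothetical scheme).
const policyPrefix = "hypothetical:may-command:"
// Issue makes a P-256 key and certificate for cn: a self-signed CA when parent is nil, otherwise a client-auth leaf.
func Issue(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey, devices ...string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	for _, d := range devices { // a monitoring-only device gets no policy SANs at all
		tmpl.URIs = append(tmpl.URIs, &url.URL{Scheme: "urn", Opaque: policyPrefix + d})
	}
	if parent == nil { // self-signed root for the facility's device CA, with no EKU restriction
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// MayCommand authenticates the presented cert against the CA (as a TLS server does for a client cert) and only then authorizes the device.
func MayCommand(ca, presented *x509.Certificate, deviceID string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return false // untrusted issuer, expired, or not a client-auth certificate
	}
	for _, u := range presented.URIs {
		if u.Scheme == "urn" && u.Opaque == policyPrefix+deviceID {
			return true
		}
	}
	return false
}
```

In a real deployment the same check runs on the peer certificate a TLS server receives after a mutual-TLS handshake, and the CA's signing key would be kept in an HSM rather than in process memory.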
Finally, we can add metadata to digital certificates that specifies a policy on who is allowed to send commands to which device. In this way, we can enforce authorization.

Conclusion

The smart medical devices market is expected to reach $25 billion by 2025. This not only brings business opportunity but also leads to a new paradigm of services and administration in health care. The ultimate goal is improved health and increased patient satisfaction. However, cybersecurity should not be an afterthought, bolted on after these devices have been designed. As we have shown, integrating PKI into your device design is an easy, affordable and key first step in ensuring compliance and security for your medical devices.