Encryption is a vital aspect of cybersecurity within a medical device. It protects data so that it is handled safely and securely, and so that an unauthorized actor who intercepts or steals sensitive data cannot read it. There are many encryption methods and many ways to implement them, and the choice of method matters as much as the decision to encrypt at all. If encryption is missing or poorly enforced, data is exposed to dangerous and costly breaches and leaks.
What Should Be Encrypted?
With data being used in many different contexts, it can be difficult to work out what needs to be encrypted. Encrypting every process is difficult and costly, but leaving encryption out of a sensitive area can be disastrous. As a general rule of thumb, encrypt when in doubt: it is far better to encrypt data unnecessarily than to leave something potentially compromising in plaintext. Having said that, there are a few areas where encryption can safely be left out.
Any time protected health information (PHI) is transmitted or stored, it should be encrypted without exception. The single most important consideration for the security of a medical device is patient privacy and safety. If PHI is leaked, this can expose the patient to harm and massively damage the organization storing that data. The same goes for any other personal data: anything that can be tied back to an individual or organization should be encrypted and properly secured.
Another category of data that should be encrypted is anything that could help an attacker compromise the device from a technical standpoint. This includes error and system logs, diagnostic data, and the output of any custom components in the device, all of which can reveal details such as firmware versions, internal addresses or configuration that make an attack easier. This type of data should be reviewed for its content and, if it is judged potentially compromising, fully encrypted. If the information being passed has no realistic value to an attacker, such as a simple heartbeat ping from a server to a client, then encryption may not be required, although the channel should still be authenticated so that the heartbeat cannot be spoofed.
Some data does not need to be encrypted in every case. A good example is anonymous health data in transit, such as raw samples from an ECG lead. As long as nothing travelling with the data (a patient identifier, or a device serial number that maps to a patient) ties it to an individual, it is largely safe to pass in plaintext. This changes once the information is associated with an individual further down the line, for example when the ECG data is stored alongside other PHI. At that point the whole record should be fully encrypted.
How Should Data Be Encrypted?
Making sure that the right data is encrypted is very important, but it becomes irrelevant if the data is encrypted in an insecure way. Encryption standards evolve as best practices are refined and particular algorithms or modes are deemed unsafe (DES and RC4, for example, are no longer acceptable). It is important to check encryption implementations regularly to ensure that nothing has fallen out of date, and this should be part of standard penetration testing and auditing.
The most important rule of encryption is that it should be applied both in transit and at rest. One of the two is often overlooked, especially encryption in transit. Each protects against a different kind of attack: encryption in transit, combined with authentication of the endpoint (for example, TLS with certificate validation), defeats eavesdropping and man-in-the-middle attacks, while encryption at rest reduces the severity of a data breach or the loss of a device. Encryption alone does not stop a man-in-the-middle; a client that encrypts to whoever answers, without checking the peer's identity, is simply encrypting to the attacker. In combination, both massively reduce the risk of an attacker compromising a device or a network.
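The difference between "encrypted" and "encrypted to the right peer" is easy to see in code. The Go program below is an added example, not code from the original article, and uses only the Go standard library. It runs one TLS server configuration against three clients: one that trusts only the gateway's root and expects the right hostname, one that expects a different hostname, and one with certificate verification disabled. The gateway name device-gateway.local, the self-signed certificate and the sample record are constructed for the example, and the session runs over an in-memory net.Pipe rather than a real socket so it works offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Record is a constructed sample payload standing in for a PHI message sent
// from a device to its gateway; it is not real patient data.
const Record = "patient=anon-0001;lead=II;samples=0.12,0.15,0.91,0.20"

// gatewayCert builds an in-memory self-signed certificate for the hypothetical
// name device-gateway.local, plus a trust pool holding only that certificate.
// A fielded device would instead carry the root of the organisation's own PKI.
func gatewayCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "device-gateway.local"},
		DNSNames:     []string{"device-gateway.local"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// exchange runs one TLS session over an in-memory pipe (no sockets needed).
// The server writes Record and closes; the client reads to EOF. Write and Read
// perform the handshake implicitly, so a rejected certificate surfaces as the
// client's read error.
func exchange(serverCfg, clientCfg *tls.Config) (string, error) {
	srvRaw, cliRaw := net.Pipe()
	go func() {
		srv := tls.Server(srvRaw, serverCfg)
		defer srv.Close()
		_, _ = srv.Write([]byte(Record)) // fails harmlessly if the client rejects us
	}()
	cli := tls.Client(cliRaw, clientCfg)
	defer cli.Close()
	data, err := io.ReadAll(cli)
	if err != nil {
		return "", err
	}
	return string(data), nil
}

// RunDemo returns what the pinned client read, the error the wrong-hostname
// client got, and what the InsecureSkipVerify client read.
func RunDemo() (string, error, string, error) {
	cert, pool, err := gatewayCert()
	if err != nil {
		return "", nil, "", err
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	// Correct: trust only the expected root and insist on the expected name.
	trusted, err := exchange(serverCfg, &tls.Config{
		RootCAs: pool, ServerName: "device-gateway.local", MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", nil, "", fmt.Errorf("pinned client: %w", err)
	}
	// Same root, but the client expected a different host: must be rejected.
	_, wrongName := exchange(serverCfg, &tls.Config{
		RootCAs: pool, ServerName: "attacker.local", MinVersion: tls.VersionTLS12})
	// Encryption without authentication: the handshake succeeds with any peer,
	// so a man-in-the-middle presenting its own certificate would go unnoticed.
	unverified, err := exchange(serverCfg, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return "", nil, "", fmt.Errorf("unverified client: %w", err)
	}
	return trusted, wrongName, unverified, nil
}

func main() {
	trusted, wrongName, unverified, err := RunDemo()
	fmt.Printf("pinned: %q\nwrong name: %v\nunverified: %q\nerr: %v\n", trusted, wrongName, unverified, err)
}
```

The third client is the one to worry about in a device fleet: its traffic is encrypted, so a packet capture shows nothing, yet it would hand the record to anyone who answered the connection. Checking for InsecureSkipVerify (or its equivalent in other TLS stacks) belongs on the audit checklist described above.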
Encryption strength is another important factor when implementing encryption properly. As researchers publish new cryptanalytic techniques and computer hardware grows more powerful, previously secure algorithms and key lengths become breakable. When this happens, organizations need to update their encryption implementations to stay secure, which is far easier if the stored data format and the protocols were designed from the start to allow an algorithm to be swapped out. This is unfortunately an ongoing problem: attackers and security researchers alike keep getting better at breaking complex encryption algorithms.
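Algorithm agility has to be designed in before it is needed. The Go program below is an added example, not code from the original article, showing one way to store a record at rest with AES-256-GCM, an authenticated mode that detects tampering as well as preventing reading, behind a one-byte version field that lets a future firmware retire the construction without breaking old records. The record layout, the record IDs and the sample payload are assumptions constructed for the example; the cryptography is Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Stored record layout (a hypothetical format chosen for this example):
//	version (1 byte) | nonce (12 bytes) | AES-256-GCM ciphertext + 16-byte tag
// The version byte is the hook for algorithm agility: when this construction is
// retired, new records get a new version and Open keeps reading the old ones.
const (
	versionAESGCM256 byte = 1
	keySize               = 32
	nonceSize             = 12
)

var ErrMalformed = errors.New("malformed record")

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("AES-256 needs a %d-byte key, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record. recordID is passed as associated data, so the tag
// covers the slot the record belongs to: an attacker with write access to the
// storage cannot move one patient's record into another's slot undetected.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce per record. Random nonces are safe for up to
	// about 2^32 records under one key; rotate the key well before that.
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, 1+nonceSize+len(plaintext)+aead.Overhead())
	out = append(out, versionAESGCM256)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext or tag, and any
// mismatch in key or recordID, makes the GCM tag check fail.
func Open(key []byte, recordID string, blob []byte) ([]byte, error) {
	if len(blob) < 1+nonceSize {
		return nil, ErrMalformed
	}
	if blob[0] != versionAESGCM256 {
		return nil, fmt.Errorf("unsupported record version %d", blob[0])
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, blob[1:1+nonceSize], blob[1+nonceSize:], []byte(recordID))
	if err != nil {
		return nil, errors.New("authentication failed: record tampered, moved or wrong key")
	}
	return pt, nil
}

// Demo seals a constructed record and reports whether the round trip worked,
// whether a flipped tag bit was detected, and whether a moved record was detected.
func Demo() (bool, bool, bool, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return false, false, false, err
	}
	plaintext := []byte(`{"patient":"anon-0001","lead":"II","bpm":72}`) // constructed sample, not real PHI
	blob, err := Seal(key, "record/0001", plaintext)
	if err != nil {
		return false, false, false, err
	}
	pt, err := Open(key, "record/0001", blob)
	roundTrip := err == nil && string(pt) == string(plaintext)
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(key, "record/0001", tampered)
	tamperDetected := err != nil
	_, err = Open(key, "record/0002", blob) // identical bytes, different slot
	swapDetected := err != nil
	return roundTrip, tamperDetected, swapDetected, nil
}

func main() {
	rt, td, sd, err := Demo()
	fmt.Printf("round trip: %v  tamper detected: %v  swap detected: %v  err: %v\n", rt, td, sd, err)
}
```

Two design choices carry most of the weight here. The associated data ties each ciphertext to its storage slot, so encryption at rest protects integrity and not only confidentiality. The version byte means the day AES-GCM (or the key size) is judged inadequate, the fix is a new version value and a migration job, not a flag-day rewrite of every stored record.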
In the context of a medical device, it is especially important to make sure that encryption standards are being followed. Patient data potentially stored on a device must be kept secure and protected from access by external actors. During the initial development of a device, it is crucial to put proper procedures in place for how encryption is handled and ensure that they are well enforced. These procedures need to be reviewed regularly as part of scheduled testing and auditing. When in doubt, reaching out to a security professional for a consultation on encryption practices can save organizations from costly and dangerous data breaches.