PKI and identity access management for clinics

Digitalisation presents both opportunities and risks for hospitals: Automated and digitalised processes reduce the workload on personnel, while at the same time improving medical care for the patients. However, they also present more potential gateways for hackers to gain access, which increases the risk of cyber attacks – unless clinics upgrade their security. Elementary modules here are a public key infrastructure (PKI) in conjunction with identity access management (IAM).

There has been a pronounced rise in cyber attacks on hospitals and other care facilities in the last few years. This is because quite a number of these organisations have committed to digitalisation, yet failed to focus adequately on the topic of security. This makes life easy for hackers, whose cyber attacks can have severe consequences, including: massive disruptions in day-to-day clinic operations, loss of sensitive data, high recovery costs, all the way up to life-threatening manipulations of medical equipment.

In order to avert health risks and financial damage, clinics need to invest significantly more in their security and take steps to combat both external and internal attacks. Introduction of a public key infrastructure (PKI) in conjunction with identity access management is the recommended approach here.

PKI for hospitals: Securing internal and external communication

A PKI provides essential protective mechanisms for communication within clinics, as well as for exchange with external systems used for procurement, telemedicine applications or the electronic patient record. This is an asymmetric crypto-technology, which is considered one of the securest forms of encryption, as it can be used both to sign and encrypt data and messages. 

Two keys are then required for any connection between communication partners (for example between doctors and laboratory staff):

  1. A public key for encryption of data. Authenticity is ensured with digital certificates, each of which validates the previous certificate in a kind of chain. This creates a secure certification path. 
  2. A private, secret key for decryption.

At hospitals and care facilities, each piece of medical equipment now has its own device identity, a kind of one-off certificate. It then uses this for authentication during commissioning in the clinic network. Further certificates are subsequently assigned, for example for hardware and software updates or for communication with other devices and systems. The respective communication partners exchange certificates and can then encrypt data and messages in such a way that only the other partner can decrypt them. This prevents any unauthorised access, as well as any potential manipulation of the data, effectively closing off gateways for cyber attacks.

Identity access management at clinics: Preventing non-authorised access

Alongside PKI, it’s essential to also implement identity access management (IAM) to effectively thwart unauthorized access to devices and systems. This means that computers and medical equipment may only be operated after logging in. In the hectic day-to-day operations at clinics, however, the process for logging in must be made as convenient as possible. Passwords are clearly not practical, as they are not always easy to remember, users often enter them incorrectly due to being so busy and they also represent a massive administrative burden for the IT department.

The trend is therefore moving towards smartcards or FIDO tokens (Fast Identity Online), as these offer the perfect balance between security and convenience. The respective individuals authenticate themselves by inserting the hardware component or placing it on the device in question. They can then, for example, view patient data or adjust the medication on a medicine pump. Once they have completed their work, they simply remove their token again and the device is then locked. Another benefit is that information on who made which changes and when can be logged easily and transparently. In cases involving highly sensitive data or settings, multi-factor authentication may be employed in addition. Alongside placing a token on a device, biometric verification such as a fingerprint recognition is then required.

Security in hospitals: Identifying loopholes through penetration testing

Before introducing a PKI and IAM, it is a good idea to analyse the current situation first. Penetration testing can pinpoint the gateways vulnerable to cyber attacks and assess the associated threat levels. External IT security providers simulate hacker scenarios to identify system weaknesses. Within the scope of such projects, it is often beneficial to conduct awareness training for the personnel, since the system’s security heavily relies on its users.

Über die achelos GmbH

"We ensure more security in the connected world!"

achelos GmbH is a system house for cybersecurity and digital identity management founded in Paderborn in 2008. The independent provider develops robust solutions and offers service packages in various expansion stages for secure products and applications. For its customers from the fields of healthcare, industry, the public sector, digital payment and telecommunications, achelos translates security standards into viable solutions in line with the requirements of compliance. Customers benefit from this holistic approach – from consulting and conception to software development and certification, and up to and including secure operation. achelos is certified according to ISO 9001, ISO 27001 and Common Criteria and has a prestigious network of partners.

www.achelos.de

Firmenkontakt und Herausgeber der Meldung:

achelos GmbH
Vattmannstraße 1
33100 Paderborn
Telefon: +49 (5251) 14212-0
Telefax: +49 (5251) 14212-100
http://www.achelos.de

Ansprechpartner:
Bianca Dören
Public Relations & Events
Telefon: +49 5251 14212-341
Fax: +49 5251 14212-100
E-Mail: bianca.doeren@achelos.de
Für die oben stehende Story ist allein der jeweils angegebene Herausgeber (siehe Firmenkontakt oben) verantwortlich. Dieser ist in der Regel auch Urheber des Pressetextes, sowie der angehängten Bild-, Ton-, Video-, Medien- und Informationsmaterialien. Die United News Network GmbH übernimmt keine Haftung für die Korrektheit oder Vollständigkeit der dargestellten Meldung. Auch bei Übertragungsfehlern oder anderen Störungen haftet sie nur im Fall von Vorsatz oder grober Fahrlässigkeit. Die Nutzung von hier archivierten Informationen zur Eigeninformation und redaktionellen Weiterverarbeitung ist in der Regel kostenfrei. Bitte klären Sie vor einer Weiterverwendung urheberrechtliche Fragen mit dem angegebenen Herausgeber. Eine systematische Speicherung dieser Daten sowie die Verwendung auch von Teilen dieses Datenbankwerks sind nur mit schriftlicher Genehmigung durch die United News Network GmbH gestattet.

counterpixel