In the ENTRUST expert interviews, our dissemination leader, Future Needs, speaks with other project partners to discuss topics like connected medical devices, cybersecurity, and strategies to strengthen privacy across the entire medical ecosystem.
In this conversation about cybersecurity for connected medical devices, Egle Joneliunaite from Future Needs is joined by Dimitris Karras of UBITECH which is responsible for the overall scientific and technical coordination within the ENTRUST project.
UBITECH is an innovative software house, systems integrator and technology provider, established to provide leading-edge intelligent technical solutions and consulting services to businesses, organisations and governments. It specialises in enabling efficient and effective secure access and communication with various heterogeneous information resources and services, anytime and anywhere.
Key highlights of the interview:
In recent years there have been significant advancements in the domain of connected medical devices (CMDs). These are devices used by hospitals and other large healthcare delivery organisations to monitor patients and collect diagnostic information. These devices can either be used on-site or remotely (such as in a patient’s home).
There is a wide diversity of such devices, which can range from small wearables to large pieces of equipment. CMDs in use today are produced by multiple manufacturers, have varying levels of computational capabilities and include legacy devices.
There is a need for improved security systems to allow medical organisations to ensure that devices are working correctly, are not compromised themselves, nor pose a threat to the cybersecurity of the organisation as a whole through vulnerabilities that may be exploited. For example, a malicious party may try to gain illicit access to a device by compromising a different device and using it as an entry point.
ENTRUST is developing a risk assessment system suitable for the large-scale environments in which CMDs are used. It is also developing security enablers to address potential threats and attacks even for legacy devices, supporting CMDs’ operational security from their deployment until the end of their lifecycle.
A key concept in ENTRUST’s work is “sustainable security” which refers to the ability to verify that devices are working properly at all stages of their lifecycle (including manufacturing). Devices should be able to operate without interruption and provide verifiable information about the correctness of their state no matter when this is requested. This is particularly important in the case of CMDs where incorrect diagnostic information may lead to patient harm.
ENTRUST includes several use case demonstrators that have been selected to cover a wide variety of practical applications:
Heart Monitoring (KARDINERO): Devices collect heart-related data that is then sent to the backend infrastructure where it is analysed.
Remote Patient Monitoring (Tellu): In-home devices provide remote diagnostics.
Smart Ambulance (POLARIS / PARTICLE): In-transit diagnostics are sent to hospitals in the context of emergency care.
Mental Health Monitoring (Sentio Labs): Wearable devices collect information to assist in mental health monitoring.
One of the core innovations of ENTRUST is to make use of trust assessment techniques based on subjective logic. This is needed, for example, in the event that different devices provide contradictory information (due to one or more having been compromised) without it being clear which device is not operating correctly. The ENTRUST team has developed a methodology that can aggregate such data and use the notion of uncertainty to generate trust decisions.
ENTRUST not only designs security solutions but rigorously tests them in practical scenarios to ensure their real-world applicability through collaboration with manufacturers partnering with the project. Notably, ENTRUST is among the first to establish a trusted computing base for low-end devices using programmable unclonable functions (PUFs), with initial tests on commodity devices showing promising results.
In terms of impact on the EU’s economic and social policy, ENTRUST provides all of the above solutions and technologies as open source, enabling their adoption by manufacturers which will enhance the EU medical supply chain. It is further supporting EU healthcare services by developing recommendations on security controls such as conformity certificates that can be used by auditors and certification bodies to verify that medical devices are operating correctly.
The security enablers offered by ENTRUST have been designed to be able to dynamically adapt to the evolving threat landscape beyond the end of the project, making use of information from continually updated databases such as CWE or NVD and using AI-based techniques.
ENTRUST collaborates with standardisation organisations like the Trusted Computing Group and certification bodies. It has participated in EU initiatives to promote collaboration between projects with regard to standardisation efforts. The team contributed to a white paper with recommendations for the Medical Device Coordination Group regarding vulnerability management in CMDs.
ENTRUST’s consortium includes SMEs, large companies, and academic institutions, fostering mutual knowledge sharing. Notable partners are the Eindhoven University of Technology, University of Surrey, and University of Murcia, each specialising in security fields relevant to ENTRUST’s mission.