New Security Enhancements for the WLAN

Since IEE 802.11b was approved in 1999 and the Wi-Fi Alliance TM was formed in 2000; there has been a constant evolution to always advance security of the WLAN. New enhancements will come to market in 2018 as a part of Wi-Fi CERTIFIED WPA3 TM. Enhancements will include the following: Hard protections will be provided when passwords are not complex and this will ensure the ease of configuring security for a limited display interface. User privacy will be enhanced through individualized data encryption. This includes (OWE) Opportunistic Wireless Encryption. OWE provides encryption without authentication. (SAE) Simultaneous Authentication of Equals replaces WPA-PSK to mitigate attacks against Pre-Shared Keys. (DPP), Device Provisioning Protocol replaces WPS to mitigate security flaws and provides a more user-friendly way to set up devices without displays or keyboards. Security will be additionally enhanced through 192-bit encryption that is in line with the (CNSA) Commercial National Security Algorithm from the Committee on National Security Systems.

The Connected Medical Device & IOT Security Summit

Integra Systems, Inc. will be presenting at this conference January 25-26 in Baltimore.

http://tcbi.org/iotmdsec/

This conference and the agenda is very timely due to the overall topic of cybersecurity in general; but also how to address security related to IOT and medical devices in healthcare. Use discount code 45 for a $300 discount on the registration fee.

Healthcare providers and medical device companies are currently facing ever growing financial, legal, operational, and patient safety challenges as a result of cybersecurity threats. Malware attacks are evolving and becoming more sophisticated, while preventable privacy breaches are becoming more common in all industries across the globe. The fall in the black market price of stolen data along with improvements in “Black Hat” customer service implies we are facing a mature, evolving, and resilient enemy.

The Healthcare industry is moving to new revenue models, value based care, shared risk, and precision medicine, creating a growing proliferation of distributed and connected medical devices, and cloud based IT systems incorporating personal genetic, medical, and behavioral data. These systems must share not only clinical data, but also financial, risk, and vulnerabilities with each other.

As connections grow and devices move out of the hospital into patients’ homes and to geographically distributed providers, new threats, new vulnerabilities, attack surfaces, and hazards are created that go far beyond the typical concerns of stand-alone components. Stolen information is being combined with stolen financial and publicly disclosed personal data to create new black market “products”. Safeguarding our entire care delivery systems requires meeting the daunting challenge of maintaining regulatory compliance, ensuring patient confidence, detecting insider threats, and maintaining the integrity of shared data all without interfering with patient care.

Addressing these issues involves an ever-expanding body of stakeholders: regulated and unregulated manufacturers, public and private payers, both the healthcare financial and technology industries, regulators, standards bodies, as well as hospitals, providers, payers, the law enforcement community and – not least of all – patients.

We are at a critical juncture in Healthcare. As an industry, we must combat these threats in multiple dimensions and on many fronts. The Summit will bring together healthcare, medical device, and security experts to offer a unique complete end-to-end perspective on the cybersecurity environment – from the economics and motivations of ransomware authors to the needs of the patient.

See the title of and abstract of our presentation.

Title: Innovations in Secure IOT Medical Device Application Support.

Abstract: Many medical device companies now have applications servers that require support and also upgrades of application software. Devices have evolved from standalone devices to modern complex IT systems. The traditional way to provide this support is by either on-site service or by the use of a VPN (virtual private network). On site service is costly. The traditional device service model for devices doesn’t work with modern software deployment architectures. Healthcare institutions are often reluctant to provide VPN access to a vendor without a lengthy legal approval process. Some institutions refuse VPN access. Hospitals face legal/liability/regulatory/quality barriers to enabling vendor access to their systems (both the vendor product, and hospital systems that must be accessed to support the vendor’s product). For example, hospitals often deny vendors VPN access because of privacy, legal, compliance reasons. Security of the network is the highest priority of the institution. Security is a high priority, but can never be perfect. Security is a trade-off between convenience, cost, support, etc. New support/service models in the industry that look to address these issues are discussed and compared.

Q4 Winter 2017 Wireless ULP/Major Growth of Bluetooth in Healthcare

Please find the latest ULP Winter 2017 Quarterly from www.nordicsemi.com.

Integra Systems, Inc., has worked with Nordic for many years on unique product development efforts for the medical device space using both ANT www.thisisant.com and BTLE. , as well as the WLAN. This however is the first issue of ULP Quarterly that “really highlights” the huge growing BTLE medical device market space.

While Bluetooth has been around for a long time. The advent of the “smart-phone” with BTLE, the Bluetooth SIG driving improvements to now the release of 5.0, the connectivity convergence has now arrived for healthcare and medicine big time in 2017. The momentum will continue in 2018. Consumers also are demanding the connectivity as well from glucose meters to in-ear wireless temperature measurements for babies. The smart phone, the application, and the "connected" device, brings it all together. (Page 3)

Some interesting highlights that sets the tone for continued medical device product development for BTLE. “The FDA has approved the first drug in the United States with a digital ingestion tracking system". The patch sends data, i.e. dosage and when the pill was taken via Bluetooth Low Energy to a smart phone application allowing patient’s and caregivers to track the ingestion of medication. (Page 11).

Everybody is concerned today about security. By the nature of BTLE and FHSS, BTLE is considered a secure protocol. While security has greatly increased over the improvements in BTLE and now 5.0, design and development efforts may want to consider the addition of an ARM TrustZone CryptoCell-310 Cryptographic module and an AES 128-bit hardware accelerator. This can provide support for a wide range of asymmetric, symmetric, and hashing cryptographic services for secure applications. In BLTE 4.2 an asymmetric encryption scheme was introduced called “secure connections”. This revision of the BTLE specification included an algorithm that generated a private key using an Elliptic key exchange method making it almost impossible to intercept.

https://www.arm.com/products/security-on-arm/trustzone-security-ip

Just like Wi-Fi, “man in the middle” attacks can pose a security to BTLE. OOB commissioning was introduced as a part of Bluetooth 4.0. This moved authentication away from the usual Bluetooth LE channels to an “out-of-band” channel which remains unknown to the prospective hacker. It seems that NFC (Near Field Communications) offers the best balance of security, but also user friendly for the implementation of the OOB channel.

NFC devices exchange information in the 13.56 MHz ISM band at rates ranging from 106 to 424kbps. Bidirectional interaction is established by bringing the devices within 4 to 10cm of each other. The NFC link can be used as the OOB channel to start the pairing process and look after authentication. Once this handshake commissioning process is completed, then communication switches to the secure Bluetooth LE link.

The value to NFC for the OOB channel is the very short distance which would make hacking via a man in the middle intercept very difficult to reveal their intent. Finally OOB commissioning also stops unwanted devices from establishing a connection with the user’s permission. From a user’s standpoint, there is no need to enter or verify a passcode.

Download ULP_WQ_Winter_2017