Interconnected, Secured and Authenticated Medical Devices - Prof. Dr. Norbert Pohlmann

M. Cagnazzo, M. Hertlein, N. Pohlmann:,
„Interconnected, Secured and Authenticated Medical Devices“.
In Proceedings of the “Smart Innovation, Systems and Technologies” Conference,
Editors: R. J. Howlett, , L. C. Jain,
ISSN: 2190-3018,
Springer International Publishing AG,
2017

The following paper introduces a secure and efficient application concept that is capable of authenticating and accessing smart medical devices. The concept is based on two already developed applications. It describes the used technologies and discusses the outcome and potential downfalls of the idea.
Modern smart medical devices (SMD) are often connected to the internet or intranet, for example a hospital network, and therefore need authentication to offer services to an authenticating entity. The reasons why connectivity need to be added are diverse, for example the components are used for telemetry. The confidentiality, availability and integrity requirements for authentication and transmission mechanisms are also important. The mechanisms should be secure, easy to use and reasonable fast, so the user has no waiting time and the application becomes tactile and tangible. If we consider nowadays common mechanisms to authenticate against a service or a device, the most used technique is to use username and password-based approaches. These are prone to manifold attack vectors, for example Brute Force-, Dictionary-, Rainbow Table and Keylogging-Attacks. Since users tend to use unsafe passwords or the same password for multiple services, attacks on and over the internet become more and more profitable. But not just users are tending to use unsafe passwords, vendors and manufacturers are also likely to use combinations like username: admin password: admin as recent discoveries around the Mirai botnet show. One alternative is multi-factor authentication which combines knowledge (username/password), ownership (smartphone) and/or individual biological properties (biometry). Access to a system is therefore granted if and only if the combination of all these challenges return successful.