IoT Cybersecurity Regulations and Embedded Protection from Sternum (Interview)

By 2025, an estimated 75 billion internet of things (IoT) devices are predicted to be in use worldwide. This includes the growing number of connected medical devices, such as pacemakers, that patients rely on to sustain life. While some regulation related to securing healthcare data exists, governance related to protecting the devices themselves is inadequate despite the increasing risk of malicious attacks on these digitally-accessible medical technologies.

Medgadget has previously spoken with emerging cybersecurity companies who recognize the risks of compromised medical technology and are building solutions to address the challenge. To learn more about the regulatory landscape surrounding IoT, Medgadget spoke with Natali Tshuva, CEO of Sternum, an Israeli startup offering multilayered cybersecurity for embedded IoT protection. We also had a chance to hear more about Sternum’s IoT cybersecurity solutions which currently serve healthcare as well as other industries where connected devices are becoming increasingly prevalent.

See Sternum’s commentary on the FDA’s Content of Premarket Submissions for Management of Cybersecurity in Medical Devices draft guidance here.

Medgadget: The dialogue around healthcare security usually
includes references to HIPAA compliance and HITRUST certification. Can you give
us some grounding in how those standards apply to IoT device security and what
it means for an IoT technology company to claim that it has achieved either
standard? Are there other regulatory standards to which IoT device companies
currently must adhere?

Natalie Tshuva, CEO, Sternum

Natali Tshuva: To understand the relevance of these regulations in medical IoT, it’s essential to differentiate between health technology security as it pertains to protected health information (PHI) and the security of medical IoT devices themselves. HIPAA addresses PHI and HITRUST addresses information security risk management and privacy, but neither address the security of actual IoT devices. Additionally, neither address on-device security, hardening devices against cyber attacks, reporting cyber incidents, or preventing malicious code from running on a device. This does not mean, however, that the standards set out by these regulations are not important, and we hope these regulations evolve to include guidance for IoT device cybersecurity.

That said, there are other regulatory standards concerning IoT device security, for example, standards by the FDA and NIST in the US, and ENISA in the EU. While these standards do touch on important points such as real-time monitoring, none are mandatory and most are still in the process of being drafted and established. With billions of IoT devices now in use, this is the time for regulations and industry standards to be put into place to ensure security and device integrity. Regulators have put an incredible amount of resources into achieving these standards so far. I think to further this mission the industry needs one to two mandatory standards or regulations that are clear and precise when it comes to IoT device security. These regulations should send a clear message to device manufacturers that security is a fundamental requirement. These regulations should be based off of traditional cybersecurity solutions, but adjusted to fit the unique nature of IoT. 

Medgadget: Despite the existence of some regulations, what
gaps or risks still exist?

Tshuva: The cyber risks IoT device manufacturers face remain significant.
This is what motivated us to develop our product in the first place. We looked
at the medical sector, as well as multiple other industries, and saw how
billions of IoT devices were connected to the internet, yet proper end-to-end
security solutions that protected these devices were largely non-existent. The
guidelines set out by HIPAA and HITRUST are focused on PHI and do not touch on
proper on-device security protocols. We cannot wait for regulation to catch up
to the constantly evolving cybersecurity threats we face today. 

IoT Cybersecurity should not only mean protection of PHI on
networks (which HIPAA and HITRUST are largely focused on and which exclude IoT
devices that are not part of a network or contain PHI). It needs to include
total protection of IoT devices themselves, including preventing hacks, knowing
if your device experienced a breach, and stopping denial-of-service (DoS)
attacks. Hackers have learned how to exploit vulnerabilities within an IoT
device in order to bypass encryption. Robust cybersecurity solutions must be
one step ahead of these hackers by ensuring immunity to vulnerability
exploitation on a device and enabling visibility into potential future attacks.
This includes protection and monitoring of third party code that OEMs and
enterprises cannot control. Without effective cybersecurity solutions in place,
the results of a hack on a sensitive medical device could be lethal,
particularly if devices are manipulated to not act as they should. 

Medgadget: What are the risks to device companies who fail
to properly secure their technologies? What are examples of IoT-specific
breaches that have resulted in significant harm?

Tshuva: IoT device companies must be aware that cyber risks do not solely threaten the connected devices themselves but have become the gateway of choice for an increasing amount of network intrusions. With 75 billion IoT devices predicted to be in use in the coming years, it’s critical to include security solutions on the devices themselves. Network protection is proving incapable of adequately preventing cyber breaches from IoT devices. And when we are dealing with high-value IoT medical devices such as pacemakers, cyber attacks could ultimately be lethal. There is also, of course, the physical and financial ramifications of cyber attacks. 

The WannaCry ransomware attack in 2017 is an example of the risks posed to connected devices in the medical industry. In addition to the tens of hospitals in the UK and unnamed medical facilities in the US that were hit hard by the massive malware attack, the ransomware also appeared on a Bayer Medrad device used to improve imaging in the radiology department of a US hospital. The device, connected to the hospital network, only demonstrates how one vulnerable connected device could spell trouble for an entire system. Also in 2017, we saw the FDA warn that implantable cardiac devices designed by St. Jude Medical were at high risk. 

Medgadget: Turning our attention to Sternum, how does the company
solve some of the challenges you’ve identified?

Tshuva: We tackled these challenges by creating a multilayered
cybersecurity solution that offers real-time, on-device protection for
individual IoT devices. We understood right away that other security solutions
were hyper-focused on two things – patching every vulnerability on the device
itself and attempting to protect the entire network. Yet it’s nearly impossible
to identify every weak point on a device and it’s not effective for enterprises
to simply ignore endpoint protection. This is especially true for distributed
devices, like homecare medical devices, as it is impossible to deploy a network
security solution into these unmanaged and uncontrolled environments.

Our product suite offers on-device, real-time protection from both
known and unknown threats, ensuring immunity to vulnerability exploitation.
Simultaneously, our solution focuses on the monitoring of a company or OEM’s
device fleets, enabling visibility into all devices and potential future
attacks. First, our Embedded Integrity Verification (EIV) operates like an
on-device firewall – it validates each and every operation within the IoT
device to ensure overall device integrity at all times, including protection of
sensitive data within it. Second, our Real-time IoT Event Monitoring System
(RIEMS) provides first-of-its-kind visibility from within individual IoT
devices (including 3rd party components) so that OEMs, enterprises, and
consumers are immediately alerted to indications of any cyber breach, as well
as prevented attack attempts. Both EIV and RIEMS work symbiotically: while
RIEMS continuously collects and monitors cyber and operational events, EIV
proactively prevents attack attempts in real-time. 

Medgadget: Who are Sternum’s customers? How do those
customers gain peace of mind that the IoT solutions they deploy are secure?

Tshuva: Sternum’s customers include a number of OEMs in various sectors including healthcare, industry 4.0, smart cities, and energy. Our product solution is designed for OEMs who produce IoT devices, enterprises that implement them, and end-point consumers who ultimately use them. Since our solution is uniquely embedded throughout the device’s code (including 3rd party components), we are empowering IoT devices with self-protection techniques to armor themselves with real-time prevention from cyber attacks. Our product also gives users unprecedented visibility into their entire device fleet. This means OEMs and medical companies can track devices’ activities, receive alerts on mitigated attacks or attempted breaches, and manage 3rd party code, all via a simplified interface. 

Medgadget: How easy is it for an IoT device company to
integrate with Sternum’s solution? What is the range of IoT devices with
which Sternum can be integrated?

Tshuva: The integration process is very simple. Our flexible internet of
medical things (IoMT) security solutions can be integrated into existing
R&D environments and work seamlessly with any operating system and/or
development process. We are a software-only solution, meaning that no special
hardware, operating system, or additional platform is required. Once our
solution is integrated, customers are able to continuously protect the entirety
of their code automatically, including newly added code and third-party
components. Monitoring capabilities are also embedded automatically and utilize
existing connectivity within target IoT devices to deliver real-time alerts.

Sternum’s solution is capable of being installed on any IoT device in any industry, including medical, industry 4.0, smart cities, and energy sectors. As a high-diversity and platform-agnostic solution, Sternum currently stands as the only on-device, real-time cybersecurity solution supporting all types of real-time operating systems (RTOS).

Medgadget: How does Sternum differentiate against
other competitors in the IoT cybersecurity market?

Tshuva: Our competitors can be split into two main groups: network-based solutions that do not address the need for on-device security and endpoint-focused secure-development tools, like MedCrypt, that lack real-time protection or deep visibility after an IoT device is deployed. What makes us unique is the fact that we offer both innovative on-device, real-time protection and unprecedented visibility into the device. We are the only on-device, real-time cybersecurity solution supporting all types of RTOS. Plus, when utilizing Sternum’s EIV solution, our cyber attack prevention rate is nearly perfect. 

Medgadget: Sternum services other industries outside of healthcare. Did Sternum start in healthcare and how did Sternum get to where it is today providing cybersecurity solutions for multiple verticals?

Tshuva: We did start in healthcare! It was immediately obvious to me how vulnerable lifesaving medical devices are to potentially fatal hacks. The IoMT industry craved a comprehensive cybersecurity solution that could defend medical devices such as pacemakers and insulin pumps by mitigating known threats, while simultaneously adapting to and combating new ones. Existing solutions were either too focused on the security of PHI or protecting entire hospital networks, as opposed to securing medical IoT devices themselves. We created a multilayered approach that ensured the on-device security the medical industry needed. We soon realized our solution could be applicable to big markets outside of medical so we decided to expand.

Link: Sternum homepage…