November 17, 2020


The key for security in Healthcare and MedTech IoT: Flexibility and scalability


Each industry vertical is going through a process of digital transformation, and with it come specific security regulatory requirements and cyber threats that must be addressed. The compliance background also varies from country to country because of several national regulations like HIPAA, the NIST standards or the upcoming updates by FedRAMP. In many cases, this digitization is creating new internet-connected devices (Internet of Things) that are needed to capture remote data or carry out a remote physical action, or that themselves need to be updated “over the air”. However, to reduce cost and with little appreciation of the potential risk, many first-generation IoT device use cases implemented no security controls or very basic checks that initially relied on username and password. This method is inherently flawed, as very often batches of products are shipped with a “default password” that is never changed. This allows credentials to be easily stolen or attacked with brute force. In addition, with the continuous evolution of connected devices, many solutions are moving data processing, intelligence and decision making out to the edge, which leads to dangerous attack vectors for hackers.

As more IoT use cases emerge, PKI (Public Key Infrastructure) is increasingly being used as a core security component, including in healthcare and MedTech. Embedded certificates and encryption offer a secure method of communicating with devices, while public, cloud-based PKI acts as the enabler to meet the requirements of scale, flexibility, and the predictable cost model needed to support potentially millions or billions of devices. As IoT grows rapidly, organizations are increasingly looking for a solution that allows them to scale their public key infrastructure as quickly and flexibly as their cloud resources. Therefore, it makes sense to rely on PKI as a Service or a Cloud PKI.

Healthcare and MedTech

For example, in an industry such as healthcare, patient records are increasingly made available as digital files, but these are just the tip of the iceberg when it comes to securing authentication and access. MedTech companies provide items such as infusion pumps, which control the flow of liquids and medicines through intravenous drips and are connected to and controlled by software elements. The only way the software can securely identify each intravenous therapy (IV) is through a digital certificate for each device. The IV machine itself, which has mission-critical software, must also be able to ensure that this software has not been tampered with, again through certificates. In this scenario alone, for a patient to be administered a dose of medicine, multiple digital certificates and PKI-based processes will need to have happened successfully to ensure that there has been no tampering with any of these files, devices or communication paths. In addition, the hospitals and the MedTech companies rely on data from the devices for maintenance and long-term product and business development.

Look through a modern hospital and the same requirements apply to surgical robots, refrigeration units, and even the key cards used to open secure areas such as medicine cabinets; all will almost certainly use PKI-based technology as the fundamental first step in authentication and secure communication.

In an environment such as a hospital, a cloud PKI solution has the added advantage of allowing deployment to be centralized and shared across multiple hospitals within a healthcare group without local IT teams needing to manage additional local server hardware and applications at each site. Many MedTech device manufacturers are turning to PKI due to its standardization, trusted technology and lightweight certificate-based architecture. This has led to major growth for PKI and certificates as entire industries attempt to find a standardized way of meeting minimum security controls. The longevity of the standard is one attractive feature, but another is the ability to place a lot of these controls within the cloud – often alongside the IoT control plane – to create a simplified yet secure method of managing machine to machine and human to machine security. As PKI is a known standard that has remained consistent for nearly five decades, this takes away a lot of the fear around incompatibility and control.

A multi-purpose PKI solution for healthcare applications and MedTech solutions

PrimeKey EJBCA Enterprise offers a set of security services for trusted identities and secure communication in any environment and use case through multi-purpose PKI software that supports multiple Certificate Authorities (CAs) across multiple levels. For added ease of use and scalability, the PrimeKey EJBCA Cloud version can be deployed within public clouds such as AWS and Microsoft Azure with the same feature set as a traditional on-premise implementation, including FIPS certified HSMs. EJBCA Cloud and SignServer Cloud also come with an elegant and unique software architecture.

Although the cloud products have been on the marketplace for almost three years, there is still no competition in sight. Because of this fact, we have reached a unique market position as a Cloud PKI pioneer. PKI delivered from the cloud is one of the newest deployment options from PrimeKey and I have been involved from the start. The shift has provided more changes than just physical location. We have evolved both our technological platform and our business models. Today, most organizations taking security seriously, like hospitals or MedTech companies, have already deployed or are in the process of deploying PKI to issue certificates and sign code for many of their use cases. EJBCA Cloud and SignServer Cloud take this into consideration and provide the functionality, reliability and compliance these customers expect.





Alex Gregory

Alex Gregory is Senior Director Cloud & Managed, PKI Products and Services at PrimeKey based in San Mateo, Silicon Valley. He has over 20 years of experience in the IT Security and Product Management fields, providing senior systems, security and IT solutions to a diverse set of companies.