Hardware-Based Solutions Counter Medical Device Security Concerns
The rapid growth of personal healthcare and medical products has focused renewed attention on the security of underlying device hardware and software. Ensuring authorized use and protecting critical data within these devices depends on deep security features that cannot be bypassed by traditional software methods. With the availability of hardware-based security features in microcontrollers (MCUs) and devices targeted for medical applications, engineers can harden designs for health-critical systems and devices.
Personal medical devices continue to gain a sure foothold in consumer households. For individuals, devices such as personal blood glucose monitors, heart rate monitors, oximeters, offer a significant benefit in eliminating the need for patient visits to a doctor's office or healthcare facility to obtain key health measurements. Beyond simple convenience, personal medical devices reduce both the risk associated with ongoing health issues, and the cost of their healthcare management. Using integrated wireless communications capabilities, linked to health data networks, these devices can provide healthcare providers with a continuous stream of vital health statistics needed for more comprehensive health management and more timely response to potential health problems.
The increased availability of more widely connected medical devices presents significant security concerns. While news of dramatic penetrations of supposedly secure systems into financial, industrial, and government networks commonly dominates attention, the vulnerability of medical devices has given rise to growing concerns. In early summer 2013, concerns over medical device security prompted the U.S. Food and Drug Administration to issue an FDA Safety Communication: "Cybersecurity for Medical Devices and Hospital Networks," warning device manufacturers and health care facilities to protect against "... the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks."
While a medical technician can ensure that a large piece of equipment is connected with the correct authorizations to the health-data network, the rapid growth in the number and types of devices being introduced into health-data networks represents an ongoing source of threat. In particular, personal medical devices might not even provide a traditional user interface to allow authentication. For example, medical devices, such as continuous heart-rate monitors or blood glucose meters, intended to provide data to healthcare providers typically lack a display because it could distract or distress the patient. As a result, security of these devices requires more integrated solutions.
To address the growing list of security requirements for personal medical devices, designers need to employ effective authentication methods to ensure that only authorized devices are able to connect to networks and participate in the exchange of privileged data. These methods must work with devices using traditional or non-traditional authentication interfaces. In the past, a system might confirm access for an external device by checking its passcode or serial number, passed along as part of the access-authorization process (see Fig. 1).
This simple approach provides a machine-to-machine authorization method similar to familiar password-protection methods for human-to-machine authorization — and both remain as particularly vulnerable points of entry to otherwise secure systems. In fact, in the same FDA Safety Communication for medical devices, it was noted that password-based authentication remains one of the weakness links in healthcare security systems. As with passwords, the method used to generate the pass code is typically not secure, and like passwords lie open to interception. For hardware devices, the passcode or serial number is even more exposed because any host processor can read it from its EEPROM storage, modify it, and otherwise compromise security protocols.
More effective authentication methods rely on a dialog between the device seeking access and the secure system or network. Here, using a method called challenge-response, the secure system issues a message, or challenge, that the requesting device must answer with the correct response. Software implementations of this sophisticated authentication method run the risk that secret data, or even algorithms themselves could be intercepted and compromised. Hardware-based methods such as the Renesas Board ID solution provide a more robust approach for implementing a secure challenge-response authentication method (see Fig. 2).
With Board ID, the authenticating system not only issues a challenge, but uses the device's public key to ensure that only the device holding the corresponding private key can respond correctly to the challenge. By generating a random challenge that accounts for this device-specific secret, this approach mitigates potential attacks by unauthorized devices even if the communications channel were compromised and the dialog intercepted. As a result, the authenticating system can safely authorize access to a device returning the correct response.
Defense in Depth
Authentication is only one part of the critical security combination. Unauthorized access to a system poses significant risk for tampering of the underlying hardware and software. Of particular concern for medical applications, unauthorized access can also enable more insidious methods of attack using altered software to modify device operation and open unauthorized channels of communications for more leisurely attacks. The critical parameters and software stored in the nonvolatile flash memory of embedded systems face are particularly susceptible to tampering. This is where the secure MCU plays a critical role.
To reduce this risk, secure MCUs, such as the Renesas AE-5 and RS-4 series, integrate hardware features required to ensure security. Along with fundamental functionality, such as built in true random number generators, these secure MCUs include built-in cryptography engines, firewall-management units and modular- multiplication coprocessors used in sophisticated-cryptography algorithms. In combination, this built-in functionality provides engineers with a broad array of security options needed to combat threats in embedded medical applications.
Growing concerns over medical device security are driving the need for more robust hardware-based methods that build on defense-in-depth strategies to mitigate security threats. Combining hardware solutions ensures device security from the authentication layer to the chip. In building these devices, designers can rely on secure MCUs able to support sophisticated challenge-response authentication methods used by medical systems and healthcare networks to help ensure that only authorized devices gain access. By deploying security features built into secure MCUs, medical device designers can harden systems against both physical tampering and cyber threats and enhance user confidence in the security of their product and the privacy of their data.