CLEIO applies cybersecurity best practices in developing embedded software in a connected medical device to preserve medical confidentiality, protect personal data, and avoid endangering the health of patients. Here are some of them.
Connected medical devices are valuable for their data
With IoMT, medical data can be shared and collected without requiring human action. Embedded software records, monitors, and adjusts its operation at each interaction between the patient and the device.
As connected medical devices become more present in healthcare organizations, cyberattacks are growing with the potential to harm patients. Hackers want to take control of a device remotely to bypass its protections and to disclose confidential personal data or compromise its operation.
To avoid security risks, CLEIO considers and plans for it from the design phase of a connected medical device. Experts in embedded software development participate in meetings with design and quality assurance teams. Their role is to ensure that security requirements are met and that there are no gaps or vulnerabilities in the various systems.
Conducting a risk analysis to identify security vulnerabilities
At the design phase completion, a risk analysis, specific to each device and each product, is conducted before starting the software development. All data types stored in the embedded software and its connection ways (Internet, Bluetooth, wire) are reviewed and analyzed. Higher are the risks if the device uses many connection ways.
4 tips to develop a secure embedded software
CLEIO is used to implement good practices to guarantee embedded software security. The most common are securing the source code, using data encryption, applying certificates, and verifying code integrity.
1. Securing the source code
The source code is the DNA of your software. It gives instructions to the connected object to perform specific tasks. During a cyberattack, the hacker uses a decompilation tool to modify the code and take control of the device. Securing the source code in protected memory helps prevent this.
With this type of memory use, a connection from the outside is impossible, and the source code cannot be rewritten outside the production phase. However, it is essential to keep it up to date to eliminate future security flaws. Combining this measure with a bootloader allows updating the code from the outside via a secret process.
2. Encrypting the data
With cryptography, it’s possible to encrypt messages and data shared between the patient and the connected medical device.
3. Adding a security certificate
Certification is a technology employed for embedded software that works with a server or the cloud. The security certificate is a key that allows authentication, for example, when sending messages. The sender is guaranteed to have sent his message to the right person, and the recipient is sure that the person who sent the message is an authentic sender.
The security certificate encrypts messages and guarantees that the cryptography has not been altered. This security is very complex to bypass.
4. Validate the code integrity
Code integrity is a feature that protects a device from threats. Its validation ensures that the source code has not been corrupted or modified to add malware.
Zero risk does not yet exist
We cannot guarantee zero risk, even if all these good practices are applied.
However, as developers add security and certificates to the embedded software of a connected medical device, it will require considerable effort to exploit its potential flaws. Thousands of hours may, then, be required to bypass the security.
At CLEIO, you can have peace of mind. Our quality assurance team, designers and developers make sure to follow best practices to design and develop your medical product safely.
