Cybersecurity and connected medical devices: best practices to limit the risks

By Caroline

With the Internet of Things (IoT) development, we are experiencing a major technological revolution. Connected and smart devices have become essential in all fields, including the healthcare sector. With the Covid 19 pandemic, telemedicine use has increased, and the Internet of Medical Things (IoMT) has developed at a fast pace.
Thanks to the feats they can achieve, connected medical devices are transforming healthcare techniques and services. However, these repeated interactions between patients and devices are not without risks.

CLEIO applies cybersecurity best practices in developing embedded software in a connected medical device to preserve medical confidentiality, protect personal data, and avoid endangering the health of patients. Here are some of them.

Connected medical devices are valuable for their data

With IoMT, medical data can be shared and collected without requiring human action. Embedded software records, monitors, and adjusts its operation at each interaction between the patient and the device.

As connected medical devices become more present in healthcare organizations, cyberattacks are growing with the potential to harm patients. Hackers want to take control of a device remotely to bypass its protections and to disclose confidential personal data or compromise its operation.

To avoid security risks, CLEIO considers and plans for it from the design phase of a connected medical device. Experts in embedded software development participate in meetings with design and quality assurance teams. Their role is to ensure that security requirements are met and that there are no gaps or vulnerabilities in the various systems.

Conducting a risk analysis to identify security vulnerabilities

At the design phase completion, a risk analysis, specific to each device and each product, is conducted before starting the software development. All data types stored in the embedded software and its connection ways (Internet, Bluetooth, wire) are reviewed and analyzed. Higher are the risks if the device uses many connection ways.

The findings of this analysis are employed to apply appropriate development techniques to face security vulnerabilities.

4 tips to develop a secure embedded software

CLEIO is used to implement good practices to guarantee embedded software security. The most common are securing the source code, using data encryption, applying certificates, and verifying code integrity.

1. Securing the source code

The source code is the DNA of your software. It gives instructions to the connected object to perform specific tasks. During a cyberattack, the hacker uses a decompilation tool to modify the code and take control of the device. Securing the source code in protected memory helps prevent this.

With this type of memory use, a connection from the outside is impossible, and the source code cannot be rewritten outside the production phase. However, it is essential to maintain a method to update the source code to mitigate future security flaws. Combining this measure with a bootloader allows updating the code from the outside via a secret process.

2. Encrypting the data

With cryptography, it’s possible to encrypt messages and data shared between the patient and the connected medical device.

Let’s take the simplified case of someone using a Bluetooth headset connected to a cell phone. It is quite possible to imagine that someone could try to connect between the cell phone and the headset to intercept the conversation. In cybersecurity, it is called the man-in-the-middle attack.
Data encryption replaces the words exchanged with random values and makes them indecipherable to avoid this. Thanks to cryptography, data exchanged, stored, and processed are securely protected.

3. Adding a security certificate

Certification is a technology employed for embedded software that works with a server or the cloud. The security certificate is a key that allows authentication, for example, when sending messages. The sender is guaranteed to have sent his message to the right person, and the recipient is sure that the person who sent the message is an authentic sender.

The security certificate encrypts messages and guarantees that the cryptography has not been altered. This security is very complex to bypass.

4. Validate the code integrity

Code integrity is a feature that protects a device from threats. Its validation ensures that the source code has not been corrupted or modified to add malware.

Implementing code validation on a device prevents the source code from not working as intended or from making the system vulnerable.

Zero risk does not yet exist

We cannot guarantee zero risk, even if all these good practices are applied.

However, as developers add security and certificates to the embedded software of a connected medical device, it will require considerable effort to exploit its potential flaws. Thousands of hours may, then, be required to bypass the security.

At CLEIO, you can have peace of mind. Our quality assurance team, designers and developers make sure to follow best practices to design and develop your medical product safely.

Author & collaborators

Written by
Caroline

Newsletter & Monthly Digest

Subscribe to get our insights delivered to your email inbox.

Other posts you may like

10 Common Mistakes to Avoid in Medical Device Development

MedTech Conference 2024: See You in Toronto

Enhancing Medical Device Cybersecurity with the STRIDE Threat Model

10 Common Mistakes to Avoid in Medical Device Development

MedTech Conference 2024: See You in Toronto