
Secure design of embedded IoMT devices

September 4, 2023 2023-09 Power Microchip Technology

The healthcare industry's growing reliance on connected devices makes it vulnerable to cyberattacks; as a target it ranks second only to small businesses. To prevent potential disasters, the U.S. Food and Drug Administration (FDA) has developed embedded device safety implementation guidelines for medical device manufacturers to follow. This guide covers all stages of design, development, product launch, after-sales support, and discontinuation. Although the information in the FDA guidance is required reading for designers, it is written at a high level, most often stating what features should be implemented rather than how. To help medical device designers delve deeper, this article provides some of the missing details.

The FDA has been issuing recommendations on cybersecurity for the medical industry since 2014, each updating previous requirements to address the rapidly evolving threat landscape. The updated guidance is contained in "Cybersecurity in Medical Devices: Quality System Considerations and Pre-Sale Submissions: Draft Guidance for Industry and FDA Staff," published in April 2022. It has three main parts:

General principles:

How and why cybersecurity should be part of device security, quality system regulations, how to design for security, why providing transparency is critical, and submission documentation.

Security product development framework:

How to manage and assess security risks, and the need for updates and patches, using threat models and security architectures that incorporate security controls, global systems, and multimodal harm views. This section also provides detailed information on network security testing.

Cybersecurity transparency:

Communicated by labeling and establishing a vulnerability management plan, it acknowledges that users have different mitigation capabilities and that solutions should be suitable for everyone.

However, the most useful information for embedded system designers is in Appendix 1 at the end, including information on authentication, authorization, encryption techniques, execution integrity, event detection, logging resiliency, firmware, and software updates.

It is necessary to cover each topic individually to fill in the missing details in the FDA's extensive guidance.

First, authentication is essential to the security model. Public/private key pairs and associated certificate chains connect medical devices to the network. The private key needs to be isolated from device firmware, which may contain vulnerabilities that would make the key easily accessible. The FDA recommends placing the encryption key in a tamper-proof security key store similar to Microchip's CryptoAuthentication™ security IC.

The connection to the cloud server must be verified mutually, so that the device and the cloud each trust the other. While it is possible to verify every session, this can consume a lot of power in battery-powered Internet of Things (IoT) devices. The combination of hardware crypto accelerators and secure key storage significantly alleviates this problem, as it maintains extremely low current at the nanoamp level in sleep mode.

User authentication allows administrators, technicians, and others to have privileged device access, which introduces the concept of key authentication. This class of use cases is provided through predefined CryptoAuthentication integrated circuit (IC) configurations utilizing the Trust Platform Design Suite (TPDS) development tools.

Information authenticity is essential for signing messages and verifying their trustworthiness in embedded systems. While CryptoAuthentication ICs handle authentication of both encrypted and unencrypted messages, it is also possible to use message authentication codes (MACs) computed with symmetric encryption accelerators.

Authorization is another important contribution of the FDA guidance because it establishes the principle of least privilege, which sets permissions and privileges between the trusted execution area and the application area to manage critical code. Each module can access only the information and resources it needs to fulfill its purpose.

Encryption is clearly another key factor in ensuring security. The FDA wisely recommends the use of standard encryption algorithms because they are constantly tested and updated by public organizations with input from a large community of users. Encryption keys will verify the integrity of the data, but not its validity, so designers must verify that all data from an external source is well-structured and conforms to the appropriate specification or protocol.
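The distinction between integrity and validity, together with the MAC-based message authentication described above, is shown in the following added example (not code from the article or from Microchip). The frame layout, demo key, message type and rate limit are constructed assumptions; on a real device the MAC would be computed inside the secure key store rather than in application code.

```python
import hashlib
import hmac
import struct

# Constructed demo key; on a real device the key never leaves the secure element.
DEMO_KEY = bytes(range(32))
TAG_LEN = 32
HEADER = struct.Struct(">BBH")   # version, message type, payload length
MSG_SET_RATE = 0x01              # hypothetical message type
MAX_RATE_ML_H = 500              # hypothetical device limit (mL/h)


def seal(msg_type: int, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Build a frame: header | payload | HMAC-SHA256(header | payload)."""
    body = HEADER.pack(1, msg_type, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def accept(frame: bytes, key: bytes = DEMO_KEY):
    """Return (ok, detail). Authenticity is checked first, then validity."""
    if len(frame) < HEADER.size + TAG_LEN:
        return False, "too short"
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "bad MAC"
    # The MAC proves who sent the bytes, not that the bytes make sense:
    # everything below treats the authenticated content as untrusted input.
    version, msg_type, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if version != 1:
        return False, "unsupported version"
    if length != len(payload):
        return False, "length mismatch"
    if msg_type != MSG_SET_RATE or length != 2:
        return False, "unknown message"
    (rate,) = struct.unpack(">H", payload)
    if not 1 <= rate <= MAX_RATE_ML_H:
        return False, "rate out of range"
    return True, rate
```

A correctly keyed frame carrying an out-of-range rate passes the MAC check and is still rejected by the range check.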

Confidentiality is related to authentication and authorization, and if the encryption key is not kept secret in the hardware, unauthorized use can occur. Manufacturers should ensure that confidentiality is supported for all data that could be exploited by hackers to cause harm to patients. Confidentiality must be ensured when handling and storing encryption keys used for authentication, as disclosure can lead to unauthorized use or abuse of device functionality.

FDA documentation provides information on the proper implementation of authorization and authentication schemes that typically ensure confidentiality. However, designers should assess whether this is the case during threat modeling and make the necessary changes to the system to ensure appropriate controls are in place.

In addition, the FDA describes event detection and logging, and recommends that logs be stored for forensic discovery. This involves preserving and restoring trusted default device configurations, and designers must determine how to achieve this using secure key storage.

It is reasonable to assume that all Internet of Things (IoT) devices today allow over-the-air (OTA) firmware and software updates, but the truth is that many of these devices do not have this capability. Without proper firmware, system updates cannot be quickly deployed to address the latest threats. Code updates should also conform to established user permissions, as the person with the public key can control OTA updates and inject harmful code.

Fortunately, a CryptoAuthentication IC makes this process both easy and automated, and ensures that updates are performed. A single CryptoAuthentication IC can securely store encryption keys for most, if not all, of the use cases mentioned by the FDA.

Conclusion

For medical device manufacturers, the FDA's new guidance is comprehensive and aims to advance the field of healthcare system cybersecurity. These guidelines are written in a form that can be incorporated into legislation, rather than as an "operational guide" for embedded system designers, which is why benchmarking level discussions are only included in appendices.

Microchip has spent years developing a trusted ecosystem of security devices and tools, and it is a good place to start before developing systems that will be included in the next generation of medical products.
