Self-authentication in medical device software: An approach to include cybersecurity in legacy medical devices

Srinivasan Jagannathan, Adam Sorini
Published in: 2016 IEEE Symposium on Product Compliance Engineering (ISPCE), 2016-05-16
DOI: 10.1109/ISPCE.2016.7492841 (https://doi.org/10.1109/ISPCE.2016.7492841)
Citation count: 3

Abstract

The FDA recommends that medical device manufacturers take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment. However, including safeguards into legacy devices in the field is not easy. One approach is to make software changes that are then distributed into the field. The problem with software-only changes is that they are easy to defeat by malicious attackers. This paper explores an approach that provides incremental security to software that is distributed in the field. Specifically, this paper describes an approach to "self-authenticate" software so that it is robust in detecting attempts to defeat security safeguards that are programmed into the compiled software code. Self-authentication relies on encrypting certain critical functions of the software so that decryption of those portions is necessary for proper operation of the device. The decrypted portions also include integrity-checking and/or authentication functions that confirm that the software has not been modified.