In the field of cybersecurity, the CIA triad has been accepted as a model for information security. It refers to three key concepts to be addressed when laying the foundations for the development of secure systems: Confidentiality, Integrity, and Availability. The aim of this article is to analyse these three key principles in the field of medical devices, with the inclusion of two additional concepts, authentication and firmware updates, as both are relevant in the life cycle of the development of secure embedded systems.
Sometimes, even if a lot of resources have been allocated to protecting the communication between two entities through the use of mechanisms such as those mentioned above, it is not enough to prevent an unauthorised external agent from gaining access to it. Nowadays, with the use of IoT (Internet of Things) in healthcare devices, there is an increasing amount of information exchanged between clinics, hospitals or care providers. Therefore, confidentiality plays a very important role in the life cycle of our devices. This is the principle that guarantees that information travelling through a network cannot be obtained by a malicious entity. To do so, this information must be encrypted in such a way that it can only be understood by the intended target. Encryption is the key to ensuring that anyone who accesses the encrypted data cannot do anything malicious with it. It is a process in which algorithms encrypt the data before it is sent and the receiving party decrypts it using pre-managed keys. The main algorithms are grouped by key type, which can be symmetric or asymmetric:
Symmetric key algorithms
The keys used are identical for both encryption and decryption. The main problem is that a hacker will be able to access the information by obtaining that key. Examples of symmetric algorithms are AES (Advanced Encryption Standard) and DES (Data Encryption Standard).
Asymmetric key algorithms
These algorithms use one key, called the public key, to encrypt data and a different key, called the private key, to decrypt it. They offer a higher level of security, as the private key is always kept secret by the owner and cannot be obtained from the public key. Examples of asymmetric algorithms are Diffie-Hellman and RSA (Rivest Shamir Adleman).
Confidentiality is not enough to protect data travelling through a network. For instance, it may be possible for a malicious entity to alter the contents of a packet without needing to know them. In the case of the medical sector, such alterations can be dangerous, as the information being sent is sensitive and can lead to patient harm. For example, if a patient’s medical history is altered, it can affect the care received.
Within a network, mechanisms can be provided to detect whether the information has been altered and, if so, to reject it. This concept is known as integrity, a property that ensures that stored or transported data has not been altered, lost or deleted either accidentally or intentionally. Both hardware and software must work together to maintain and process data correctly and move it to its intended recipients without unexpected modification. Integrity is provided by implementing techniques such as cryptographic routines known as hash functions.
The use of hash functions aims to transform plaintext into a different format. While encryption is a 1:1 encoding, in which the original data can be obtained from the encrypted data, a hash is a one-way method that turns a plaintext into a unique hash digest that cannot be reverted to the original plaintext without considerable effort. Examples of hash algorithms are MD5 and SHA-256.
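The following added example (not part of the original article) shows an encrypted packet altered in transit being accepted by a receiver that only decrypts, and rejected by one that checks a keyed hash first. It assumes HMAC-SHA-256 rather than a bare digest, since a bare digest can be recomputed by whoever changes the packet; the keystream function is a toy stand-in for a real cipher, and all names and the sample reading are constructed.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), a stand-in for a real cipher."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Sender: encrypt, then compute a tag over nonce and ciphertext."""
    nonce = os.urandom(12)
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def decrypt_unchecked(enc_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Receiver with confidentiality only: accepts whatever arrives."""
    return xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def open_packet(enc_key, mac_key, nonce, ciphertext, tag):
    """Receiver with integrity: verify the tag before decrypting."""
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # altered in transit: reject
    return decrypt_unchecked(enc_key, nonce, ciphertext)


def flip_bit(ciphertext: bytes, index: int, mask: int) -> bytes:
    """Simulate an in-transit modification of one ciphertext byte."""
    changed = bytearray(ciphertext)
    changed[index] ^= mask
    return bytes(changed)


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    nonce, ct, tag = seal(enc_key, mac_key, b"hr=072bpm")  # constructed reading
    altered = flip_bit(ct, 3, 0x01)
    print(decrypt_unchecked(enc_key, nonce, altered))          # decrypts without error
    print(open_packet(enc_key, mac_key, nonce, altered, tag))  # None: rejected
```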
Under the concept of availability, information should always be accessible only to authorised people when necessary. To demonstrate availability, mechanisms must be put in place, ranging from different user levels with established roles, redundancy paths and intrusion prevention systems that can notify of possible unexpected access, to protections against possible power outages or hardware failures.
Authentication is the process of determining whether the parties involved in the communication, sender and receiver, are who they claim to be, with the purpose of ensuring each other's identity. An attacker could try to impersonate a legitimate entity to receive information and steal it; alternatively, the attacker might send it back to try to corrupt the system. Thus, authentication is responsible for granting access to the resources, but it is not exempt from risks that can compromise them. To avoid this, a mechanism is needed to check the identity of the remote host.
Authentication has been expanding in recent years and different mechanisms have been deployed in addition to the well-known username-password pair, such as biometric systems. Other techniques worth mentioning are tokens and certificates.
Token-based authentication relies on an electronic key that allows users to authenticate themselves by storing certain personal information. In this way, a higher level of security is provided when accessing data or a network. Tokens can be hardware, such as USB devices or cards, or software installed on a user’s electronic device.
A certificate is an electronic document that contains information about a specific device and is used to confirm its identity. Compared with the username-password pair, certificate-based authentication is preferable because it is based on what the user has (the private key) as well as what the user knows (the password that protects the private key).
During the lifecycle of an embedded device, there may be situations where updating the firmware is a primary task. Failure to perform these updates can put the system at risk by causing malfunctions or creating breaches that a hacker could use to penetrate the system. Creating a firmware update requires following certain guidelines to ensure that the process is executed securely and without compromising the device, for example, signing the firmware to be installed on the device. Code signing is one of the most important steps: if the device does not verify the source (who generated the update package), an attacker could distribute malicious code. This would lead to undetected loss of control within the system. Updates can be performed locally or remotely depending on the device’s features and functionality.
In a local update, an authorised person, such as a technician, travels to the location of the device to update it onsite. This method is useful for systems that are not given access to external networks for security reasons or that require additional tools to install the new code.
On the other hand, if the device has remote access to local networks or the cloud, update packages can be deployed remotely. The embedded system will need to be aware when a new firmware version is uploaded or when a command is sent to it to proceed with the update process, and then receive, verify, store and install the new binary.
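The receive, verify, store and install sequence can be sketched as follows; this is an added example, not code from the article or from D.med. It assumes a Lamport one-time signature built from SHA-256, chosen only so the example runs with the Python standard library (a product would use a vetted signature scheme and library), and the `Device` class and its slot names are hypothetical.

```python
import hashlib
import os


def _bits(data: bytes):
    """Return the 256 bits of SHA-256(data), most significant bit first."""
    digest = hashlib.sha256(data).digest()
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]


def keygen():
    """Vendor side: Lamport key pair. One-time: it signs a single image."""
    sk = [[os.urandom(32) for _ in range(256)] for _ in range(2)]
    pk = [[hashlib.sha256(s).digest() for s in row] for row in sk]
    return sk, pk


def sign(firmware: bytes, sk):
    """Vendor side: reveal one secret value per bit of the firmware digest."""
    return [sk[bit][i] for i, bit in enumerate(_bits(firmware))]


def verify(firmware: bytes, signature, pk) -> bool:
    """Device side: needs only the vendor's public key."""
    bits = _bits(firmware)
    return len(signature) == 256 and all(
        hashlib.sha256(sig).digest() == pk[bit][i]
        for i, (sig, bit) in enumerate(zip(signature, bits)))


class Device:
    """Hypothetical device with an active image and one staging slot."""

    def __init__(self, vendor_pk, firmware: bytes):
        self.vendor_pk = vendor_pk  # provisioned at manufacture
        self.active = firmware      # image currently running
        self.staged = None          # holds a verified image until install

    def receive_update(self, firmware: bytes, signature) -> bool:
        """Receive and verify; an image that fails the check is never stored."""
        if not verify(firmware, signature, self.vendor_pk):
            return False
        self.staged = firmware
        return True

    def install(self) -> bool:
        """Switch to the staged image; without one, keep running as before."""
        if self.staged is None:
            return False
        self.active, self.staged = self.staged, None
        return True
```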
All the aforementioned concepts must coexist as they depend on each other. Without confidentiality, it is easy to compromise integrity, as it is more likely that an unauthorised person could modify a piece of data. If integrity is compromised, it means that information is invalid, which has an impact on availability. Additionally, if the system is not able to update its firmware to solve the considered problems, it becomes a product that must be withdrawn from the market.
Our commitment is to ensure a high level of cybersecurity in the developments we carry out, which are governed by the principles mentioned in this post, a crucial aspect for medical devices.
Author: Juan Francisco Martos Hidalgo
Embedded Software Engineer at D.med Software SL