email me image email me image

Ensuring Secure Software Updates for Medical Devices

 

While remote software updates for medical devices have traditionally been seen as a convenient feature, the FDA now emphasizes their crucial role in safeguarding against discovered cybersecurity vulnerabilities. However, it’s imperative that these updates themselves are secure; otherwise, they become potential avenues for cyber attacks.

Differentiating Secure from Insecure Software Updates:

The journey towards a secure update begins with a fundamental capability known as ‘secure boot’. This hardware-based feature ensures that only authorized software runs during device startup. It’s paramount that no mechanism, whether in hardware or software, undermines this process. Despite processor manufacturers often including ‘back door’ access for development purposes, these must be disabled in production for genuine security. The software executed during boot-up is typically stored internally within the processor, safeguarding it against modifications. While it’s feasible to store boot software externally, verifying its authenticity poses challenges in smaller systems. The selection of cryptographic authentication methods is pivotal and may hinge on available hardware and software.

By combining secure boot hardware with trusted boot software, a cryptographic root of trust is established on the processor. This setup guarantees that the device powers up securely each time, allowing validation of the main software application before execution.

Steps for Secure Updates:

  1. Downloading from a Trusted Source: Initiating an update process begins with downloading the update from a trusted remote source. Authentication of this source is critical and can be achieved through cryptographic means, utilizing pre-provisioned information and identity details from the source. Commonly, X509 certificates are utilized to provide attestation information.
  2. Verification of the Update: Upon downloading, the update undergoes cryptographic verification to ensure its trustworthiness. This involves computing a cryptographic hash of the update and validating it against a provided cryptographic signature from the software builder, ensuring it was produced by a trusted source.
  3. Application of the Update: Once verified, the trusted update is applied to the device, either replacing the existing software or patching it. The new software is treated to ensure trustworthiness in subsequent power-up cycles, often involving the computation of a cryptographic hash and secure storage of this hash for future verification.

This framework guarantees that only trusted software is executed, ensuring the system remains secure throughout the update process. While additional considerations such as fallback mechanisms and encryption methods are important, they build upon the robust foundation established here.

At BoldType, we have decades of experience in developing and deploying secure remote software update mechanisms. Let us assist you in implementing a secure update mechanism for your next product, ensuring all software updates are executed safely and securely.