Security in medical devices, part 3: Security mechanisms

June 21, 2018


Once vulnerabilities have been highlighted during the attack surface analysis, what can be done about them?

This is the final part in our three-part blog, where we look at improving security in medical devices. Once vulnerabilities have been highlighted during the attack surface analysis, what can be done about them? This section suggests just a few methods of addressing and mitigating typical security concerns that could be identified during an attack surface analysis.

Root of trust

The device's first security objective must be implemented in a highly robust way, so that it is very unlikely to be compromised. Ideally that objective is to confirm, at boot, that the device that has booted is the correct device and that its software has not been tampered with. This is referred to as the root of trust, and it gives developers a secure mechanism to lock down their code. Each time the system boots, it validates the digital signature of the code about to run; only software that proves authentic can execute, so attacks that modify the system software are detected and blocked.

Digital signature

A digital signature is a mathematical scheme for demonstrating the authenticity of digital data. A valid digital signature gives a recipient reason to believe that the data was created by a known source (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the data was not altered in transit or during storage (integrity). Typically it is created using public/private key (asymmetric) cryptography: the sender signs with a private key and the recipient verifies with the corresponding public key.

Encryption

Encryption is used to protect data at rest or in transit, so that attackers cannot recover the plaintext of a message or of stored data. Typically the data is encrypted first and the resulting ciphertext is then signed with a digital signature. The receiving device verifies the signature before doing anything else; if it verifies, the source of the message and its integrity are both confirmed, and only then is the message or data object decrypted.

Software updates and patches

Software updates and patches allow medical devices to stay current, but they also introduce a potential route for attack. Updates must be delivered from an authenticated source, with an attached digital signature that the device uses to authenticate the code image before installing it, so that systems in the field cannot be tricked into accepting malicious updates.
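The following is an added example, not code from WITTENSTEIN or from the original post, that ties together the three mechanisms above: a manufacturer builds an update package by encrypting the image and then signing it (encrypt-then-sign), and the device verifies the signature against a pinned public key before it decrypts anything, the same check a root of trust performs on the boot image. It assumes Ed25519 signatures, AES-GCM encryption, a package layout of version, nonce, ciphertext and signature, and that the device's trusted public key and image key are held in storage an attacker cannot rewrite; all keys and the image are constructed for the demo.

```go
// Added example (not WITTENSTEIN code): an encrypt-then-sign update package
// and the device-side verify-then-decrypt check, using Go's standard library.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the package a device receives. Everything the device will act on
// (version, nonce, ciphertext) is covered by the signature.
type Update struct {
	Version    uint32
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// ErrBadSignature is returned before any decryption is attempted.
var ErrBadSignature = errors.New("update rejected: signature does not verify against the trusted key")

// signedBytes builds the exact byte string that is signed and later verified:
// version || nonce || ciphertext. Because the ciphertext (not the plaintext)
// is signed, a tampered package fails verification before decryption runs.
func signedBytes(version uint32, nonce, ciphertext []byte) []byte {
	buf := make([]byte, 4, 4+len(nonce)+len(ciphertext))
	binary.BigEndian.PutUint32(buf, version)
	buf = append(buf, nonce...)
	return append(buf, ciphertext...)
}

// newGCM wraps AES-GCM; imageKey must be 16, 24 or 32 bytes.
func newGCM(imageKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(imageKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildUpdate is the manufacturer side: encrypt the image with AES-GCM, then
// sign version, nonce and ciphertext with the manufacturer's Ed25519 key.
func BuildUpdate(image []byte, version uint32, imageKey []byte, signKey ed25519.PrivateKey) (Update, error) {
	gcm, err := newGCM(imageKey)
	if err != nil {
		return Update{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Update{}, err
	}
	ct := gcm.Seal(nil, nonce, image, nil)
	sig := ed25519.Sign(signKey, signedBytes(version, nonce, ct))
	return Update{Version: version, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// VerifyAndDecrypt is the device side. trustedPub stands in for the public key
// pinned in the device's root of trust (assumed immutable), imageKey for the
// decryption key the device holds. The signature is checked first; only an
// authentic package is ever decrypted.
func VerifyAndDecrypt(u Update, trustedPub ed25519.PublicKey, imageKey []byte) ([]byte, error) {
	if !ed25519.Verify(trustedPub, signedBytes(u.Version, u.Nonce, u.Ciphertext), u.Signature) {
		return nil, ErrBadSignature
	}
	gcm, err := newGCM(imageKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, u.Nonce, u.Ciphertext, nil) // GCM tag also detects ciphertext changes
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // manufacturer signing key pair
	if err != nil {
		panic(err)
	}
	imageKey := make([]byte, 32)                 // constructed all-zero AES-256 key, demo only
	image := []byte("constructed firmware image") // constructed sample image

	u, err := BuildUpdate(image, 7, imageKey, priv)
	if err != nil {
		panic(err)
	}
	got, err := VerifyAndDecrypt(u, pub, imageKey)
	fmt.Println("genuine update accepted:", err == nil && bytes.Equal(got, image))

	// Failure mode 1: a bit of the ciphertext changed in transit or in storage.
	tampered := u
	tampered.Ciphertext = append([]byte(nil), u.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = VerifyAndDecrypt(tampered, pub, imageKey)
	fmt.Println("tampered update rejected before decryption:", errors.Is(err, ErrBadSignature))

	// Failure mode 2: a package signed with a key the device does not trust.
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	untrusted, _ := BuildUpdate(image, 8, imageKey, other)
	_, err = VerifyAndDecrypt(untrusted, pub, imageKey)
	fmt.Println("untrusted signer rejected:", errors.Is(err, ErrBadSignature))
}
```

The order of checks is the point: the device never runs the decryption routine, and never touches plaintext, until the signature has verified against the key it already trusts, so a modified image or a package from an unknown signer is discarded with no further processing.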

The difficulty with designing a secure device is that the bad actors will always have an advantage; they only need to find one successful attack vector, whereas the defender must defend all possible attack vectors. We’ve looked at only a few mechanisms here, but many exist, including using standards and an attack surface analysis (part 1 and part 2 of this short series). What must be remembered is that there is no one action to make a medical device secure – only a thorough and holistic approach can reduce vulnerabilities in medical devices. For more on this topic, download WITTENSTEIN's free white paper, Increasing Security in Medical Devices.

Andrew Longhurst is a Business Leader at WITTENSTEIN high integrity systems. A skilled project leader with an extensive background in electrical, electronic and software engineering, Andrew is able to deliver an in-depth understanding of the challenges facing embedded engineers within the safety-critical sector. Andrew has worked in medical, aerospace and automotive since 1993 and has worked for WITTENSTEIN since 2000. Andrew holds a BEng in Electrical & Electronic Engineering and an MSc in Robotics & Automation.