Have you already heard about Arm PSA security goals?
We are all benefiting from an increasing number of medical IoT devices and digital health use cases on the market, which reduce healthcare costs and improve patients' quality of life.
However, the collected health data is highly sensitive and a valuable asset that must be protected against attackers rather than left exposed. According to PSA Certified, the most common IoT hacks succeed because the simplest security measures were missed.
PSA therefore published 10 security goals that let a vendor demonstrate due diligence for a connected product in a straightforward way.
We at Leitwert strive to provide the technical tools to build secure and trusted medical IoT devices. In the following we explain how we address the PSA goals within our solutions:
Secure boot / Secure update / Anti-rollback
The Leitwert Device Hub, used together with our embedded secure bootloader, ensures that only authorized software is executed on the device. Together, they also provide a secure way to perform device updates.
Our bootloader implements anti-rollback by accepting only increasing version numbers. This matters because an older image is still validly signed: without the version check, an attacker could reinstall a superseded release with a known vulnerability, and it would pass secure boot.
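To make the two checks and their ordering concrete, here is an added example in Go that models the bootloader logic described above. It is not Leitwert's bootloader code, and the image layout (magic, big-endian version, payload, Ed25519 signature over everything before it), the key names and the error names are assumptions for the example. It is a host-side model of the decision logic, not firmware for an nRF device.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not a real Leitwert format):
//   magic "LWFW" (4) | version (4, big-endian) | payload | Ed25519 signature (64)
// The signature covers magic, version and payload, so an old payload cannot
// simply be re-stamped with a newer version number.
var imageMagic = []byte("LWFW")

var (
	ErrImageTooShort = errors.New("image too short")
	ErrBadMagic      = errors.New("bad image magic")
	ErrBadSignature  = errors.New("signature verification failed")
	ErrRollback      = errors.New("anti-rollback: image version is older than allowed")
)

// NewVendorKey models the vendor's signing key; only the public half is
// burned into the device.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is what the vendor's signing server does.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(imageMagic)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	buf.Write(v[:])
	buf.Write(payload)
	sig := ed25519.Sign(priv, buf.Bytes())
	buf.Write(sig)
	return buf.Bytes()
}

// Bootloader holds what lives in locked flash or OTP: the vendor public key
// and the monotonic version counter that anti-rollback ratchets forward.
type Bootloader struct {
	VendorPub ed25519.PublicKey
	Installed uint32 // version of the currently installed image
}

// verify checks the signature before looking at any other field: the
// version number is only trustworthy once the signature over it has passed.
func (b *Bootloader) verify(img []byte) (version uint32, payload []byte, err error) {
	const hdr = 8
	if len(img) < hdr+ed25519.SignatureSize {
		return 0, nil, ErrImageTooShort
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if !bytes.Equal(body[:4], imageMagic) {
		return 0, nil, ErrBadMagic
	}
	if !ed25519.Verify(b.VendorPub, body, sig) {
		return 0, nil, ErrBadSignature
	}
	return binary.BigEndian.Uint32(body[4:hdr]), body[hdr:], nil
}

// AcceptUpdate is the update path: the new image must be validly signed AND
// carry a strictly higher version than what is installed; it then ratchets
// the counter so the replaced image can never come back.
func (b *Bootloader) AcceptUpdate(img []byte) ([]byte, error) {
	v, payload, err := b.verify(img)
	if err != nil {
		return nil, err
	}
	if v <= b.Installed {
		return nil, ErrRollback
	}
	b.Installed = v
	return payload, nil
}

// Boot is the power-on path: re-verify the image in flash and refuse anything
// older than the counter (e.g. an old image written back by a physical attacker).
func (b *Bootloader) Boot(img []byte) ([]byte, error) {
	v, payload, err := b.verify(img)
	if err != nil {
		return nil, err
	}
	if v < b.Installed {
		return nil, ErrRollback
	}
	return payload, nil
}

func main() {
	pub, priv := NewVendorKey()
	bl := &Bootloader{VendorPub: pub}
	v1 := BuildImage(priv, 1, []byte("app v1"))             // constructed sample images
	v2 := BuildImage(priv, 2, []byte("app v2 (bug fixed)"))
	_, err := bl.AcceptUpdate(v1)
	fmt.Println("install v1:", err)
	_, err = bl.AcceptUpdate(v2)
	fmt.Println("install v2:", err)
	_, err = bl.AcceptUpdate(v1)
	fmt.Println("install v1 again (rollback):", err)
	forged := append([]byte(nil), v1...)
	forged[7] = 9 // re-stamp the version without re-signing
	_, err = bl.AcceptUpdate(forged)
	fmt.Println("install re-stamped v1:", err)
}
```

The order inside verify is the point a reviewer checks: the version field is parsed only after the signature over it has been validated, so an attacker cannot use a forged version number to influence anything. In a real device the Installed counter must live in storage the application cannot lower (OTP fuses or bootloader-owned, write-protected flash), otherwise the ratchet is decorative.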
Unique identification / Attestation
During the factory process, the medical device generates an asymmetric key pair and shares only the public key with the factory; the private key never leaves the device. The factory associates a globally unique identifier (GUID) with that public key and registers the device on the cloud instance. All devices are then uniquely identifiable on the cloud, and each one can later prove its identity by signing with the key it alone holds.
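The following Go program is an added example of that enrollment and a subsequent challenge-response attestation; it is not Leitwert's Device Hub code. The identifier format (128 random bits, hex-encoded), the use of Ed25519, the message framing and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

var (
	ErrUnknownDevice  = errors.New("device id not enrolled")
	ErrNoChallenge    = errors.New("no outstanding challenge for device (replay?)")
	ErrBadAttestation = errors.New("attestation signature invalid")
)

// Device models the key material inside the medical device. The private key
// is generated on-device and never leaves it; only PublicKey() is exported.
type Device struct {
	ID   string // assigned by the factory at enrollment
	priv ed25519.PrivateKey
}

func NewDevice() *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}
}

func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// attestMsg binds the device id to the server's nonce; signing the nonce
// alone would let one signature be presented under another id.
func attestMsg(id string, nonce []byte) []byte {
	return append([]byte("attest:"+id+":"), nonce...)
}

// Attest answers a challenge by proving possession of the private key.
func (d *Device) Attest(nonce []byte) []byte {
	return ed25519.Sign(d.priv, attestMsg(d.ID, nonce))
}

// Registry models the cloud instance: enrolled public keys plus the one
// outstanding challenge per device.
type Registry struct {
	keys   map[string]ed25519.PublicKey
	nonces map[string][]byte
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// Enroll is the factory step: mint a GUID-style identifier (assumed here to be
// 128 random bits, hex-encoded) and bind it to the device's public key.
func (r *Registry) Enroll(pub ed25519.PublicKey) (string, error) {
	if len(pub) != ed25519.PublicKeySize {
		return "", errors.New("malformed public key")
	}
	id := hex.EncodeToString(randomBytes(16))
	r.keys[id] = pub
	return id, nil
}

// Challenge issues a fresh nonce and remembers it so it can be used only once.
func (r *Registry) Challenge(id string) ([]byte, error) {
	if _, ok := r.keys[id]; !ok {
		return nil, ErrUnknownDevice
	}
	nonce := randomBytes(32)
	r.nonces[id] = nonce
	return nonce, nil
}

// VerifyAttestation consumes the nonce before verifying, so a captured
// signature cannot be replayed, and checks only against the enrolled key.
func (r *Registry) VerifyAttestation(id string, sig []byte) error {
	pub, ok := r.keys[id]
	if !ok {
		return ErrUnknownDevice
	}
	nonce, ok := r.nonces[id]
	if !ok {
		return ErrNoChallenge
	}
	delete(r.nonces, id)
	if !ed25519.Verify(pub, attestMsg(id, nonce), sig) {
		return ErrBadAttestation
	}
	return nil
}

func main() {
	dev, reg := NewDevice(), NewRegistry()
	id, _ := reg.Enroll(dev.PublicKey()) // factory: public key out, identifier in
	dev.ID = id
	nonce, _ := reg.Challenge(id) // cloud: "prove you are <id>"
	fmt.Printf("device %s attests: %v\n", id, reg.VerifyAttestation(id, dev.Attest(nonce)))
	fmt.Println("replay of the same nonce:", reg.VerifyAttestation(id, dev.Attest(nonce)))
}
```

Two details carry the security: the nonce is deleted before the signature is checked, so a recorded response is worthless, and the signed message includes the device id, so a response cannot be redirected to another enrolled identity. A second device with its own valid key pair fails because only the key enrolled under that id is consulted.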
Interaction / Secure storage
Our devices use these security mechanisms to establish a TLS connection to the Device Hub, so device and patient data travel end-to-end encrypted to whatever storage backend is used.
If the storage itself is not considered trustworthy, device and patient data can additionally be encrypted on the fly when written and decrypted when read, so the storage provider only ever sees ciphertext.
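As an added example of that encrypt-on-write, decrypt-on-read layer (not Leitwert's implementation), the Go code below seals each record with AES-256-GCM and binds it to a context string such as the device id and record type. The record layout (nonce, ciphertext, tag), the context format and the function names are assumptions for the example; the sample record and key are constructed inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrRecordInvalid = errors.New("record failed authentication: tampered, truncated or wrong context")

// NewStorageKey returns a 256-bit key. In a device it would come from
// protected key storage; here it is freshly generated for the example.
func NewStorageKey() []byte {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one record with AES-256-GCM on the way to storage.
// Output layout: nonce (12) || ciphertext || tag (16). The context (assumed
// here to be "<device id>/<record type>") is authenticated but not encrypted,
// so a stored record cannot be silently moved under another device or patient.
func SealRecord(key, plaintext, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, context), nil
}

// OpenRecord decrypts on the way back. Any modification of nonce, ciphertext
// or tag, or a mismatched context, yields ErrRecordInvalid and no plaintext.
func OpenRecord(key, blob, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrRecordInvalid
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, context)
	if err != nil {
		return nil, ErrRecordInvalid
	}
	return pt, nil
}

func main() {
	key := NewStorageKey()
	ctx := []byte("device-0001/vitals")                              // constructed sample context
	blob, _ := SealRecord(key, []byte(`{"hr":72,"spo2":98}`), ctx) // constructed sample record
	fmt.Printf("stored %d bytes of ciphertext\n", len(blob))
	pt, err := OpenRecord(key, blob, ctx)
	fmt.Println("read back:", string(pt), err)
	_, err = OpenRecord(key, blob, []byte("device-0002/vitals"))
	fmt.Println("read under another device's context:", err)
}
```

Using an AEAD rather than a bare block cipher mode is what turns "encrypted storage" into tamper-evident storage: a flipped bit, a truncated file or a record copied from another patient's row all fail to open. The one operational caveat with random 96-bit nonces is that a single key should not protect more than a few billion records; rotate keys per device or per period well before that.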
Isolation / Cryptographic / Trusted services
We take an additional step by carefully choosing the right hardware components for the job. For example, the Nordic Semiconductor nRF91 (LTE) and nRF53 (BLE) series are built on Arm Cortex-M33 cores with Arm TrustZone, which allows critical parts of the firmware to be isolated from the rest of the application. Those parts are stored encrypted in a trusted (secure) section of the device, and the secure processing environment that hosts them can be provided by Trusted Firmware-M (TF-M).
Before devices are released to customers, their assets must be locked down. This means that after programming and provisioning in the factory, the debug interface is locked so that internal memory is protected from read-out and modification. Any attempt to modify a device or its assets renders it unsuitable for operation.
Are your medical IoT devices secure?
What do you think about the security level needed in connected medical devices? Do the PSA goals apply and are they sufficient?
We believe security should be discussed more openly, especially in a regulated environment!
Contact us using the button below to discuss, assess and improve the security of your connected medical devices! We’re looking forward to hearing from you.