Innovation in the medical community is constant. New devices and emerging technologies move through the complex development & approval process with next-gen releases top-of-mind.
Whether it’s wearables, implanted devices or electronic health record (EHR) systems, users are excited about how devices and data can improve the quality and delivery of care. They’re also counting on the fact that every device is secure for them to use — not just from the start, but throughout its lifecycle.
With healthcare security breaches abound and medical device takeover becoming too close for comfort, it’s critical that medical device manufacturers (MDMs) do all they can to incorporate layers of digital security into the devices they’re producing.
One theme that's emerging from customers is the importance of securing signed code – a standard practice that protects software and hardware against malicious compromise. Here, we’ll provide an overview of:
- What code signing is and how it works
- How code signing secures the healthcare ecosystem
- The risks of implementing code signing without proper controls
What is Code Signing?
MDMs produce all sorts of code -- software applications for use in hospitals and facilities, script or applets, or code that runs inside of medical devices such as chipsets (referred to as “firmware”). When the code is ready to be released, one of the final steps in the process is to sign the code.
At a basic level, code signing is the application of a digital signature to a piece of code that validates it as a legitimate release and provides authenticity of its source. To do this requires a specific type of x.509 certificate. Depending upon the code being signed, the certificate may be either from a publicly or privately rooted certificate authority (CA).
- The private key of the digital certificate Is used to sign a cryptographic hash of the software package.
- The recipient will verify the signature by performing its own computation of the cryptographic hash and comparing that hash with the signed version received by the signer.
- The recipient will unpack the software and check that the cryptographic hash is legitimate for the contents. This affirms that the software has not been changed in any way from when it was originally signed.
The checking of the hash validates the authenticity of the software package, and that the software was signed with a certificate belonging to the organization who produced the software.
How Code Signing Protects Patient Safety
Code signing is the modern-day equivalent of holographic tags in consumer goods. It gives the end-user confidence that they are using a legitimate product that will be backed by the vendor.
If medical device manufacturers release code that is unsigned, they run the risk of someone either changing the contents of the code or worse yet, replacing the legitimate code with malware-laden code.
While code signing is not a new application, it has recently taken on increased importance. Regulatory bodies like the National Institute of Standards and Technology (NIST) and the U.S. Food & Drug Administration (FDA) have stressed the importance of safeguarding secure software releases. Both are working on updates to best practices and guidance on taking proactive measures against future threats.
Sounds ideal, right?
Not so fast. The same technology that protects the devices can also become a liability if it’s implemented without proper controls.
Why Secure Code Signing Certificates Matter
Devices need to be implemented such that they only install properly verified firmware. As such, every application and firmware release - every script and product - should be signed.
But this process is not just a box that gets checked.
Code signing certificates are some of the most valuable to cybercriminals. Someone that possesses a signing certificate can use that certificate to sign malware and easily distribute it on large hospital networks. It is essential that MDMs securely manage these signing certificates.
So what’s the risk if code signing certificates are compromised?
- According to the latest Keyfactor / Ponemon Institute Report, The Impact of Unsecured Digital Identities, the average cost of code signing certificate and key misuse is estimated at $15M.
- Networking equipment company D-Link fell prey when their certificates were used to sign password-stealing malware.
- A 2015 breach involving a targeted campaign against a South Korean mobile software developer resulted in the threat actor launching a series of attacks across multiple continents over two years.
In a perfect world, every organization would keep code signing certificates under lock and key - or in the IT world, in a hardware security module (HSM), and implement policies and procedures to ensure only authorized persons or processes have access.
However, chances are there are already code signing certificates in use throughout your organization that are stored in the most convenient manner, not always the most secure.
For code signing to do its job, you’ll need policies and procedures in place to keep the keys safe and ensure your brand is protected. When properly implemented, code signing becomes an integral part of development giving both your customers and internal stakeholders confidence in using your company’s products. For more on the importance of code signing for healthcare, download our latest White Paper, Secure IoMT: Enabling the Safe Delivery of Virtual Healthcare.