Protecting Medical Devices with Software Encryption

Intellectual property theft is rampant around the globe. In a 2016 study, VDMA, the German Mechanical Engineering Industry Association, reported that nine of out ten manufacturers were victims of piracy, and that in 70% of all cases, reverse engineering was the main trigger. Components, industrial designs, and even entire systems are being counterfeited across all sectors of industry.

The medical device manufacturing community is a prime target for counterfeiting. Take for example the case of an Irvine, CA engineer who in 2016 was charged with stealing and possessing trade secrets from his two former employers, both of whom manufactured medical devices used to treat cardiac and vascular ailments. During his employment, the engineer was found to have travelled to the People’s Republic of China (PRC) multiple times – sometimes soon after allegedly downloading trade secrets from the employer’s computer and emailing information to his personal email account. According to the FBI, the engineer appeared to be in the process of setting up a company with other individuals in the PRC to manufacture medical devices.

In many cases, counterfeiting of the equipment starts with the theft of the intellectual property contained in the software and embedded in the equipment. That was the case when a leading global manufacturer of gambling slot machines found out that their proprietary gaming software was being used on counterfeit slot machines across Europe and Asia. Once the software was stolen, the perpetrator was able to reverse engineer the machine itself and build a functioning slot machine that closely mimicked the original equipment.

Because the intellectual property of today’s surgery robots, X-ray machines, MRI scanners, dental devices, infusion pumps, patient monitors and most other medical equipment is encapsulated in embedded software, the industry is ripe for attack.

Modern encryption technology, however, is a strong antidote that software developers can use to protect medical device software from theft. Encryption is the process of encoding data in such a way that only authorized parties can access it. Encryption denies the intelligible data to a would-be interceptor. In an encryption scheme, the intended data is encrypted using a special algorithm–a cipher–generating ciphertext that can only be read if decrypted. An encryption scheme usually uses a random encryption key, generated by the algorithm. It is theoretically possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. The data can only be decrypted with the key provided by the originator and the key is kept in a secure location.

During the encryption process, the software developer can encrypt the entire executable code, just specific tagged functions, or a combination of both. The encrypted code is then decrypted at runtime with the appropriate key.

Medical device manufacturing companies like Dentsply Sirona, Fritz Stephan GmbH, Agfa HealthCare, and custo med are prime examples of companies who have taken necessary steps to protect their intellectual property with modern embedded software protection mechanisms.

During MD&M West 2018 in Anaheim, our visitors had a chance to learn more about encryption mechanisms and IP protection for medical device IP.