Figure 1: Authentic devices can prove they know a secret–without revealing that secret–using “Challenge/Response” protocols. Challenge/Response is surprisingly common in real life, as shown by the above example of an ATM. Image courtesy of Rambus.
The issue of medical device and equipment counterfeiting has existed for decades and continues to escalate. Counterfeit medical devices and equipment enter the legitimate healthcare supply chain in many instances because buyers are seeking the best price. This is an open invitation to counterfeiters to hit those lower price points with their fake goods. Thus a growing market exists in large part due to low-cost medical equipment seekers.
At last report, the World Health Organization (WHO) estimated medical product counterfeiting at upwards of 8% internationally. However, experts say that it’s difficult to get precise facts and figures on a black market such as counterfeiting, so the true scale is anyone’s guess. There is clear evidence that this egregious practice is growing. For example, in 2017 it was reported that the World Customs Organization (WCO), Interpol, and law enforcement from more than 123 countries successfully executed Operation Pangea X. In this operation, officials seized more than $50 million worth of counterfeit medicines and medical devices, and they shut down more than 3,500 websites. Moreover, other published reports discuss U.S. counterfeit surgical devices, including $7 million worth of aortic pumps recalled after authorities learned they were fake.
Meanwhile, major concerns focus on patient safety relating to counterfeit medical equipment. Those include sub-standard, non-FDA qualified devices and equipment that pose the greatest health risks to medical patients. Here, the spectrum ranges from inaccurate diagnoses to injury and even death. There’s also the associated potential OEM liability and brand issues.
Various methods are used to curtail counterfeiting. However, they may be too little, too late in many instances. OEMs have taken multiple approaches in hopes of resolving this issue. Most often, these methods deal with major dollar outlays for dedicated equipment. Often, those purchases are not within budget, especially for medical providers that service lower-income global populations.
Published reports indicate a number of medical product companies rely on so-called passive and active tags as a way to discourage counterfeiters. In many instances, these are well suited for disposable medical products like insulin pump disposables, but not for top-of-the-line systems. These are best characterized as high-value, wall-powered, self-contained systems that demand ultra-safety plus revenue and brand protection.
Thanks to recent advances in anti-counterfeiting (ACF) electronics technology, newer safeguard methods can be inextricably intertwined with these top-line systems and provide the cure for this growing safety-jeopardizing and business malady.
Here’s why a more advanced ACF approach is critical and how it can be implemented. When it comes to security and anti-counterfeiting, authentic devices need to prove that they know a secret without revealing that secret. In the trade, that’s called “challenge/response,” and it’s surprisingly common in everyday life. The perfect teaching example is an ATM.
While there are many technical details to the various protocols ATMs use around the world, they generally work this way: when you place your card in an ATM, your PIN is the secret, and it is used to encrypt a one-time challenge that the bank sends to the ATM. That challenge is a random number, and it’s different every time you use your card. The correct response – where the challenge is encrypted by a key that relies on the PIN – can only be generated if you entered your secret PIN. (See Figure 1 above.)
Authentication integrated circuits (ICs) follow a very similar protocol. When two devices need to prove that they are authentic to each other, they use a challenge/response protocol between a verifier and the authentic device. That exchange is, in essence, the core of anti-counterfeiting.
Figure 2. An advanced ACF technology encompasses four distinct implementations within a system: a prover electronics microchip, the verifier software, a secure manufacturing flow, and the challenge/response protocol between the verifier and prover.
ACF Takes Technology Leap
This section will describe the technology components necessary for a complete anti-counterfeiting solution. Ideally, medical device and equipment OEMs want their anti-counterfeiting technologies to ensure safety as well as revenue and brand protection.
As Figure 2 (above) shows, an advanced ACF technology encompasses four distinct implementations within a system, including a prover electronics microchip, the verifier software, a secure manufacturing flow, and the challenge/response protocol between the verifier and prover.
Let’s take those one at a time. The prover chip, located on the peripheral device, includes “response” core circuitry. The prover chip contains the secret, as described above, and receives a “challenge” (a large random number) from the host system. The prover chip never reveals its secrets outside of the chip; rather, it then encrypts the challenge with the secret it knows and returns that encryption as a “response.”
The verifier software is the next stage. Located within the host system, the verifier sends the challenge to the prover, receives the encrypted response back, and determines whether that response is valid. Upon confirmation that the peripheral is indeed authentic, the verifier software notifies the host system of acceptance. This entire process is immediate, with no perceived wait time for the medical professional.
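The prover/verifier exchange described above, as an added example that is not code from the article or from any vendor. It assumes HMAC-SHA-256 as a stand-in for the unspecified "encryption" of the challenge and a single secret shared by host and peripheral; the class and function names are hypothetical, and DPA resistance, which is a property of the chip hardware, is not modeled.

```python
import hashlib
import hmac
import secrets


class Prover:
    """Models the prover chip on the peripheral: holds the secret, never exports it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Assumption: a keyed MAC over the challenge stands in for "encrypting" it.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Models the verifier software on the host system."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)  # large random number, fresh per attempt
        self._pending.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        # Challenges are single-use: unknown or already-consumed ones are rejected,
        # so a recorded (challenge, response) pair cannot be replayed.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def authenticate(verifier: Verifier, prover: Prover) -> bool:
    """One full exchange: challenge out, response back, verdict to the host."""
    challenge = verifier.new_challenge()
    return verifier.check(challenge, prover.respond(challenge))


if __name__ == "__main__":
    oem_secret = secrets.token_bytes(32)  # constructed sample secret
    host = Verifier(oem_secret)
    print("genuine peripheral:", authenticate(host, Prover(oem_secret)))
    print("clone without secret:", authenticate(host, Prover(secrets.token_bytes(32))))
```

The secret never crosses the interface in either direction; only the random challenge and the derived response do, which is why an observer of the bus cannot simply copy a past response.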
The third aspect of ACF is actually inserting the secrets into the prover chip, called “secure configuration.” During the manufacturing of the actual chip, specific and controlled steps are taken to securely configure the chips.
There are several major steps involved in this secure manufacturing flow to prevent theft of secrets. At a high level, it should be noted that the secure functionality of the chip is turned on only insofar as it is needed for its particular stage of manufacturing. During initial silicon manufacturing (“fab”), only a small part is activated. During final chip assembly, it is given a second piece of cryptographic (security) code. When the chip is installed into the final OEM medical device, a final piece of the cryptographic code is activated. This can be done only by the medical OEM and not any other party, including the chip manufacturer or any party within the supply chain.
Before going to the fourth implementation, it’s important to discuss the effects of differential power analysis (DPA). DPA is a way of determining device secrets through analysis of a chip’s power consumption and emissions. Every time an encryption operation is performed using a secret key, small amounts of that secret key information leak into an encryption chip’s power supply. If a challenge/response is performed (using traditional encryption) a few hundred or few thousand times, a counterfeiter can deduce what the secret key is. This is the opening counterfeiters are seeking that allows them to reverse-engineer the chip secrets. This is a disaster for any medical equipment OEM attempting to execute anti-counterfeiting. Protections are available to make the secrets DPA-resistant up to a billion cycles and should be employed to best provide security.
The fourth implementation within the ACF system is the actual challenge/response protocol. This protocol involves the actual method and calculations that happen between the prover and the verifier. Protocols vary but must be DPA protected to ensure counterfeiters are best kept at bay.
Finally, there is an additional, non-technical approach to further prevent counterfeiting. Medical OEMs can employ a patent-protected challenge/response protocol. While this certainly won’t keep all counterfeiters from attempting to clone, intellectual property (IP) protections can be strong deterrents for some, as violations would prevent them from shipping into the United States or other areas with strong IP legal protections. It should be said that counterfeiters, by their nature, are generally not as concerned with laws as others are. Legal protections, by themselves, will not be sufficient. But when combined with technical protections, legal protections provide a stronger case for medical OEM security.
The technology discussed here is designed to be as resistant as possible to cloning. While technology continues to advance, the capabilities of counterfeiters advance perhaps even faster. New, more robust ACF systems continue to be developed and deployed to ensure that medical devices remain secure and safe for patients and OEMs alike.