Wibu-Systems Blog
https://www.wibu.com/nl/blog.html
Thu, 24 May 2018 23:37:34 +0200

New Product Piracy Report – Same Old Story
by Daniela Previtali, Wed, 09 May 2018 11:06:00 +0200
https://www.wibu.com/nl/blog/article/new-product-piracy-report-same-old-story.html

VDMA Product Piracy Study 2018 indicates that, while the overall scale of damage remains unchanged, damages have worsened in the last two years.

The VDMA, the advocacy organization for Germany’s mechanical and systems engineering industry, has released data from its latest research on product piracy (Product Piracy 2018), and once again, the results are alarming: 71% of the enterprises in Germany’s industrial engineering sector are directly affected by product or brand piracy, with damages estimated at €7.3 billion annually.

Conducted every 2 years, VDMA’s survey seeks to determine the current state of threats posed by counterfeiters, pirates and forgers. The study is mostly concerned with the illicit reproduction of products, or more specifically, the imitation of products in breach of special proprietary rights or imitation of products without any breach of proprietary rights, but against accepted competitive practice.

This year’s study, completed in March 2018, determined that the overall scale of damage from product piracy remains relatively unchanged from 2016, while, surprisingly, 39% indicated that damages had worsened in the last 2 years. The People’s Republic of China remains the grand champion of the countries named as the origin of piracy, with 82% of counterfeits made there and 44% sold there. By comparison, Germany was second, with 19% of respondents naming it as the country of origin.

Beyond the damages of IP theft, public safety is also a major casualty of counterfeits: 36% of companies reported counterfeits that endanger their operators, users, and the environment while 46% of the participants see the counterfeits they have identified as a danger to the effective operations of industrial facilities.

How are these companies protecting their IP and product innovations from piracy? Most (61%) of the participating companies consider piracy to be a legal management issue but are engaging other areas of their organization to join the fight. R&D functions (42% of cases), legal and patent affairs offices (34%) and even sales and marketing (29%) have become actively involved. However, before trying legal recourse, most companies will first attempt to settle such matters out of court. More than one third of the affected companies would not, however, take any action. This applies in particular to small and medium-sized enterprises.

Unfortunately, the data suggests that current legal efforts have not stemmed the tide of global product and/or brand piracy, which continues to pose a major danger to the industry. And, with the emergence of the IoT and Industrie 4.0, fueled by millions of connected devices and the communication of sensitive data over the Internet, the dangers to public safety loom even larger.

The VDMA is working closely with security experts like Wibu-Systems and other industry organizations to develop strong and preventive measures that make it more difficult to copy or reverse engineer product designs, secure data, and add a measure of safety to industrial processes. Some of those protection mechanisms are outlined in the VDMA documents “Product and Know-how Protection” and “Industrie 4.0 in practice – solutions for industrial applications”.

For our part, Wibu-Systems has dedicated itself to eradicating sabotage, espionage and cyber-attacks in smart factories. With our flagship CodeMeter® licensing and protection platform, developers can safeguard digital assets and product know-how that are available in machines as well as on personal computers, industrial PCs, embedded systems, mobile devices, tablets, programmable logic controllers and microcontrollers from software counterfeiting, product piracy, reverse-engineering and machine code tampering.

Security Requirements for Medical Devices
by Terry Gaul, Mon, 23 Apr 2018 12:08:00 +0200
https://www.wibu.com/nl/blog/article/security-requirements-for-medical-devices.html

When choosing the right system software for medical devices, secure communications, multi-CPU design, modularity and scalability are key.

Software has become ubiquitous in the healthcare industry given its widespread use for controlling medical devices and health information systems and communicating and maintaining electronic patient data, all in an increasingly connected environment. For embedded system developers, in particular, choosing the software best suited for the design of the medical device and its end use is critical. Options abound – use a commercial off-the-shelf product or create their own? Employ a real-time operating system or a general-purpose operating system such as Linux or Android? And, what security mechanisms will be incorporated to protect software from malicious tampering and ensure secure data transmission and storage?

Wind River recently published an interesting white paper, Choosing the Right System Software for Medical Devices, that explores many of the essential considerations that will help developers in making their choices. As Wind River points out in the paper, while the needs and requirements for each device will vary, as will the features, functions, and capabilities, it is critical to evaluate the full range of options before making the selection. Among the many key considerations are shelf-life, an easy-to-understand user interface, secure and stable communications, multi-CPU system design, connectivity, modularity and scalability.

Additionally, the use of commercial vs. open source development options requires careful consideration. While each has advantages and trade-offs, Wind River notes that the choice typically comes down to the completeness and sophistication of commercial offerings versus the low cost and ubiquity of open source software. From a safety standpoint, the medical device system software needs to support security features that protect against malware and also deliver secure data storage and transmission. The system software also needs to support the secure upgrade, download, and authentication of applications to help keep devices secure across an ever-changing threat landscape.

As open source software continues in popularity within the development community, commercial vendors too are focusing on software solutions that specifically address the unique challenges of medical devices. Companies like Wind River and Wibu-Systems, for example, offer integrated solutions that leverage each other’s technology expertise. With the integration of Wibu-Systems’ CodeMeter security platform with Wind River’s Security Profile for VxWorks®, the world’s most widely deployed commercial RTOS, developers of connected medical systems have access to a fully scalable solution that features best-of-breed security for device, data, and IP protection, and additional licensing management options to expand business opportunities for applications developed on the VxWorks platform. You can read a more detailed description of the joint technology in this solution brief.

Beyond functionality and security, however, medical device developers must also weigh additional economic and operational factors affecting the healthcare industry. For example, given the burgeoning costs of healthcare, developers must take into account a mandate to minimize cost per capita of each person’s healthcare while reducing the cost of the devices themselves. With expanded features and sophistication of the devices, they must be readily understandable and easy to operate by both the professional and non-professional care givers who will use them. And they must work every time.

Medical device software developers have much to consider, particularly when human lives are at stake.

Product Liability and the IoT
by Terry Gaul, Thu, 19 Apr 2018 13:26:00 +0200
https://www.wibu.com/nl/blog/article/product-liability-and-the-iot.html

Product liability in the cyberworld opens up a whole new area of litigation, as the ISV also becomes responsible for exploitation of its software with malicious intent.

Historically, software developers have been free of liability if their software fails, thanks to End User License Agreements that essentially grant them immunity from lawsuits. Over the years, U.S. courts have upheld those agreements. As far back as 1986, a federal court let Apple off the hook, ruling that it could not be sued for bugs in its software and pointing to the disclaimer that no claim was made that the code was bug free. Since then, several class action suits brought against software makers for buggy software have similarly been ruled against.

But, ISVs beware, that scenario may be changing. In late 2016, The Christian Science Monitor reported that “leading digital security experts are calling on U.S. policymakers to hold manufacturers liable for software vulnerabilities in their products in an effort to prevent the bugs commonly found in smartphones and desktops from pervading the emerging IoT space.”

Just recently, the Washington Examiner reported that U.S. Senator Mark Warner told the audience at the South by Southwest conference in Austin, Texas, that “a fulsome debate is needed about whether the software sector's legal immunity has outlived its usefulness, especially in an age of relentless cyberattacks that frequently exploit software vulnerabilities.”

Warner, who is also a leader on the U.S. Senate Intelligence Committee, also believes that “subjecting the software industry to legal exposure for flaws in their products is one way to get the private sector to improve their cybersecurity.”

With the global spotlight on cybersecurity, it’s not hard to understand why the software industry and product liability issues are under heavy scrutiny. The discussion is now well beyond the inconvenience caused by buggy software. Unprotected and vulnerable software in the cyberworld can have grim and even life-threatening consequences – an autonomous vehicle could crash, a lifesaving medical device could fail, or a power grid could be attacked and put national security at risk.

Product liability in the cyberworld opens up a whole new area of potential litigation, as the ISV is not only responsible for its own software, but also responsible if people exploit it for malicious actions. So, for example, if a hacker finds a vulnerability in the code and manipulates it to cause damage, the developer conceivably could be held responsible for it. And when life and death are at issue, the focus will surely shift to accountability and liability.

A key takeaway here is that developers need to take action now to design security into their products. If they don’t have the expertise (and many don’t), they need to work with security partners who can help them eliminate potential vulnerabilities and protect against nefarious hackers. Two good reference points are the Industrial Internet Consortium’s Industrial Internet Security Framework and the on-demand Webinar, IIoT Endpoint Security – The Model in Practice.

Global Product Piracy on the Political Agenda
by Terry Gaul, Mon, 09 Apr 2018 12:16:00 +0200
https://www.wibu.com/nl/blog/article/global-product-piracy-more-than-a-political-talking-point.html

The U.S. points to China for rampant IP theft, which they believe has significantly weakened U.S. companies’ position in the global market.

Trade imbalance is at the crux of the harsh rhetoric exchanged between the U.S. and China recently as both sides threaten to implement tariffs on certain goods and imports to protect their own economies. Adding to this trade imbalance, the U.S. points to China for rampant Intellectual Property theft which they believe has significantly weakened U.S. companies’ position in the global market. As a result, there is heightened awareness of the economic impact of IP theft and it has become a key geopolitical talking point in the debate on fair trade policies.

IP theft takes many forms – counterfeiting, piracy, reverse engineering, industrial espionage, patent theft, brand imitations, and outright blackmail. The VDMA, Europe’s largest mechanical engineering federation representing over 3,100 companies in the capital goods industry, has been monitoring and expressing growing concern about the industrial product piracy epidemic for many years. They claim revenue loss and damages caused by product piracy in mechanical engineering reached the billions in 2015. (see infographic)

For ISVs, of course, IP theft is much more than a talking point. Software piracy alone accounts for billions in lost revenues as well.

According to a 2015 report published by the Business Software Alliance, a leading advocate for the global software industry, 39 percent of software installed on PCs around the world in 2015 was not properly licensed, costing the industry billions in lost revenues. In the United States alone, the commercial value of unlicensed software installed in 2015 amounted to $9 billion, with worldwide damages estimated to be five times as high. The report further noted that unlawful use of software was particularly widespread in China, Russia and Indonesia, in most cases amounting to outright theft.

While the ongoing political discussion surrounding IP theft surely won’t result in a solution to the problem, it has at least brought the issue to the forefront. So, what can ISVs do to protect their software from piracy and unlawful usage? A good place to start is to harden their software with the protection mechanisms provided by commercial solutions such as CodeMeter. CodeMeter Protection Suite comprises a comprehensive set of tools to protect software and firmware from piracy, counterfeiting, reverse engineering and tampering. Protection Suite encrypts the source code and utilizes state-of-the-art anti-debugging and anti-reverse engineering technologies to achieve maximum protection. It is scalable and designed for quick and easy integration into your software.

These protection mechanisms are available now and we urge ISVs to take a serious look at protecting their applications, from the simplest to the most sophisticated, and whether they are delivered on PC, mobile, cloud or embedded systems.

During our Webinar, How Secure do you Want Your Application to be?, on April 11, 9 a.m. PST, we will provide a detailed overview of the different protection layers of CodeMeter and demonstrate how ISVs can use these tools to safeguard their applications. You can register for the 1-hour Webinar here.

Preparing for the IIoT Transformation
by Terry Gaul, Mon, 19 Mar 2018 08:33:00 +0100
https://www.wibu.com/nl/blog/article/preparing-for-the-iiot-transformation.html

Only 3% of the executives surveyed expressed that they were not challenged by the adoption of new technologies inherent with the IoT.

The Fourth Industrial Revolution Is Here - Are You Ready?

That’s the question posed to more than 1,600 C-level executives by Deloitte Global in a survey recently conducted by Forbes Insights. The research was designed to gauge the readiness of business to address both the sizeable challenges and tremendous potential envisioned with the societal transformations being shaped by Industrie 4.0.  

Industrie 4.0 is driving an unprecedented phase of interconnectivity, one where plants and equipment are not just fully automated but also controlled remotely over the Internet, from offsite locations or even via cloud computing. The potential incremental efficiencies, lower labor costs, and the competitive advantages are clear and obvious to all. Just like any other technological revolution though, Industrie 4.0 opens up a myriad of new challenges.

Are we ready? It’s an important question and one that impacts not only business, but global economies, the workforce and society as a whole. In gauging readiness, it is important to first understand the tremendous challenges that must be addressed in a digitized economy. Executives in Deloitte’s survey noted several common challenges they faced in the adoption of new technologies. For example, they cited lack of internal alignment about which strategies to follow; lack of collaboration with external partners; short termism; lack of adequate technologies; lack of rank-and-file adoption; and lack of vision by leaders, to name just a few. Only 3% of the executives expressed that they were not challenged by the adoption of the new technologies inherent with the IoT.

The digitization of virtually every facet of our society in the evolution of Industrie 4.0 has far reaching implications, none more important than cybersecurity. Cyberattacks are perceived globally as a major threat to success and safety in the new digital economy. Cyberthreats can take many forms, from counterfeiting and product piracy to malicious tampering of connected devices and life-threatening attacks on machines and critical infrastructure.

For example, according to VDMA, Europe’s largest mechanical engineering foundation, product piracy alone in the mechanical engineering sector causes loss of revenue and damages in the billions annually.

Furthermore, the Alliance for Cyber Security in Germany recently reported that nearly 70 percent of companies and institutions in Germany were victims of cyber attacks in 2016 and 2017. In many cases, the attackers were successful and able to gain access to IT systems, influence the functioning of IT systems or manipulate corporate websites. Half of the successful attacks led to production or operational failures. In addition, there were often costs for clarifying incidents and restoring IT systems, as well as reputational damage.

Fortunately, security technology leaders like Wibu-Systems are working in partnership with industry organizations and other technology leaders to develop innovative solutions that allow industry to stay a step ahead of the cyber criminals. For example, as a member of the Alliance for Cyber Security, Wibu-Systems documented its security technology in a white paper, “Integrity Protection for Embedded Systems,” which contributes substantially to the understanding of advanced technology for protecting the integrity of connected devices in embedded environments. The whitepaper outlines the necessary protections that can be deployed to protect Intellectual Property and machine code integrity using sophisticated encryption among other mechanisms.

Ongoing efforts to extend the global knowledge base of innovative technology advances pertaining to Industrie 4.0 will serve to ensure the safety of industry, governments and individuals who are all stakeholders in the new economy, as well as provide the foundation for powerful new business models. A good reference point is Deloitte’s white paper, Growing Internet of Things Platforms, which examines how companies can build a healthy business platform to make optimal use of available IoT technologies.

Global Technology Partnerships Are Key
by Terry Gaul, Wed, 28 Feb 2018 19:31:00 +0100
https://www.wibu.com/nl/blog/article/global-technology-partnerships-are-key.html

We support BSA US 2018 Policy Agenda in developing international consensus on cybersecurity best practices and leveraging innovative solutions.

BSA | The Software Alliance, a leading advocate for the global software industry, recently announced its U.S. 2018 policy agenda. The agenda focuses on four main policy areas: data, intellectual property, workforce development, and emerging technologies.

In the realm of cybersecurity, BSA promotes endeavors to improve the government’s capabilities and readiness to address cybersecurity threats. BSA supports a robust partnership of government and industry to:

  • Promote a secure software ecosystem through industry benchmarks, enhanced tools, research and vulnerability disclosure
  • Strengthen government’s approach to cybersecurity
  • Build international consensus on cybersecurity policies, standards, and practices
  • Develop a 21st century cybersecurity workforce
  • Embrace digital transformation by leveraging emerging technologies and forging innovative partnerships

At Wibu-Systems, we wholeheartedly support BSA’s agenda in building partnerships with government, particularly in developing international consensus on cybersecurity best practices, leveraging emerging technologies and forging innovative solutions. Beyond joint research activities with the government, we also believe that technology partnerships between industry participants directly or through industry associations can serve to dramatically speed the development of innovative technology solutions for the common good of the global industrial ecosystem.  

For example, the members of the Industrial Internet Consortium (IIC), an organization dedicated to setting the standards, best practices and processes of the Industrial Internet, have worked tirelessly to develop best practices, technical guidance, and testbeds for the emergence of the industrial Internet of Things. To assess cybersecurity issues that represent a major threat to world safety and security, Wibu-Systems contributed its security expertise in the development of the Industrial Internet Security Framework (IISF), an in-depth cross-industry-focused security document comprising expert vision, experience and security best practices. It reflects thousands of hours of knowledge and experiences from security experts, collected, researched and evaluated for the benefit of all IIoT system deployments.

As a member of the Infineon Security Partner Network (ISPN), Wibu-Systems joins a selected group of security experts whose mission is to make proven semiconductor-based security easily accessible to the growing number of manufacturers of connected devices and systems. Wibu-Systems has powered its entire CodeMeter hardware product line with Infineon’s SLE 97 security controllers, crucial components for the data security and system integrity of computers and embedded systems in smart factories. Additionally, Wibu-Systems has successfully integrated the Embedded variant of CodeMeter with Infineon’s XMC 4500 industrial microcontroller family. As a result of this cooperation, software developers of field programmable gate arrays and microcontrollers can now protect application code and intellectual property against reverse engineering and implement a license control system.

Wibu-Systems is also an active member of the OPC Foundation, an organization dedicated to providing security standards for authentication and secure encrypted M2M communications. The OPC UA standard clearly defines the secure authentication of networked control systems. Wibu-Systems’ CodeMeter technology supports the Unified Architecture protocol and provides security extensions and license management via OPC UA. The benefit of this support for the OPC UA standard was demonstrated during the Hannover Messe tradeshow in 2017. Wibu-Systems was one of 18 partner companies who contributed to a live demonstration of a flexible robotic transport system that used RFID tag descriptions in accordance with the ISO 15693 standard, OPC UA protocol, and a Manufacturing Execution System (MES) to ensure the highest level of standardization in hardware and communication. Wibu-Systems was able to address the security aspect of the demonstration.

These are just a few examples of the power of joint partnerships with the government, industry associations and technology companies that benefit the global industrial community. There surely will be more to come.

Essentials in Software Monetization
by Terry Gaul, Wed, 14 Feb 2018 10:03:00 +0100
https://www.wibu.com/nl/blog/article/essentials-in-software-monetization.html

Modern software monetization ensures customers use the services they pay for while taking advantage of cloud adoption and real-time analytics tools.

“As today’s technology becomes increasingly complex, modern software monetization is essential. The adoption of modern technologies like the cloud have pressured independent software vendors (ISVs) to learn how to better protect their intellectual property (IP)…. To meet new demands, ISVs should look to modern delivery models and monetization methods including a user-centric focus, customer intelligence, and transparency for software usage.”

So writes Olivia Cahoon in a recent article in Software Magazine, Seeking Transparency: Modern Software Monetization. The gist of the article is that modern technologies such as the cloud and delivery models like Software-as-a-Service are giving consumers more options in the way that they use and purchase software. And because consumer preferences continue to evolve in rapid fashion, ISVs must be agile enough to re-package and deliver their offerings to match these dynamic usage requirements.

Marcellus Buchheit, President and CEO of Wibu-Systems USA, noted in the article: “Gone are the days of selling software with a perpetual license in a box. The ability to offer flexible licensing models is an important component in every ISV’s toolbox for optimizing their software monetization strategy.”

We can define modern software monetization as the ability for ISVs to maximize revenue by licensing and delivering their software with creative business models that are best suited for their customers’ requirements while protecting their software from outright piracy and illegal license usage, whether deliberate or inadvertent. Monetization issues are similar across all applications, whether delivered via on-premise, cloud, or mobile platforms.

Deploying usage-based licensing is a critical monetization consideration for ISVs as customers gain increasing say in how they want to consume and pay for their software. Traditional perpetual software licensing agreements are rapidly falling out of favor, as they often place restrictions on product use that do not fit the dynamic business needs of the end user. Many smaller companies, for instance, benefit from the ability to tailor licensing usage and subsequent costs to reduce their upfront expenditures and more closely match their business cycles.

For ISVs, the flexibility to offer licensing models tailored more closely to their customers’ business needs can help them reach new markets that they might not have been able to reach with a conventional perpetual licensing strategy. ISVs need to decide whether their existing licensing system can deliver the flexibility they need to keep pace with and even stay ahead of the market, or whether they should consider a licensing solution offered by a third party to achieve their business goals. For example, look at the comprehensive range of license models readily available to ISVs with Wibu-Systems’ CodeMeter licensing platform, including both traditional single user or network licenses as well as consumption and user-based models, such as feature-on-demand, pay-per-use, and subscription licensing.

Software piracy continues to be a major monetization challenge faced by ISVs today. Unprotected applications can allow unauthorized access and theft of IP and personal data; insecure license management systems enable unlawful use of the software; and proprietary portions of source code can be hacked to reverse engineer and build counterfeit products – all resulting in losses in the billions of dollars for ISVs around the globe.

Compounding that issue is the importance of protecting cloud deployed applications and data against IP theft, counterfeiting and reverse engineering. Encrypting source code of the cloud application using strong cryptographic techniques protects IP against piracy and tampering. User authentication mechanisms and secure techniques for creating, storing and delivering licenses in the cloud further protect against unauthorized usage and ensure the proper monetization of the software.

In summary, today’s marketplace requires flexibility in licensing, delivery, reporting, and management while also protecting intellectual property. Said Cahoon: “Modern software monetization ensures customers use the services they pay for while taking advantage of cloud adoption and real-time analytics tools. To maintain customer satisfaction and improve monetization, ISVs should ensure data and software usage is transparent and easily understood by customers.”

Cybersecurity for Medical Device Endpoints
by Terry Gaul, Thu, 25 Jan 2018 08:42:00 +0100
https://www.wibu.com/nl/blog/article/cybersecurity-for-medical-device-endpoints.html

The best integrity protection solutions are based on cryptography and the associated use of digital signatures and authentication.

With the recent, highly publicized incidents of identity theft, ransomware and malware attacks directed at healthcare facilities, the medical device community is on high security alert. Cybersecurity exploits have resulted in the theft of patient data, intrusions to hospital IT networks, and malicious manipulation of medical devices and systems connected to these networks. The consequences of these attacks are potentially catastrophic: personal identity theft, disruption of critical hospital services, and an overall threat to patient privacy, care and safety. No one in the medical device community would dispute that there is an urgent need to secure medical systems, devices and data.

Government organizations, like the FDA and National Institute for Standards and Technology (NIST), are now giving more attention to cybersecurity in the medical area as well.

The US FDA recently published recommendations for both manufacturers and regulators to address medical device cybersecurity. The document, Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff, encourages manufacturers to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.

Updated guidelines from NIST include specific updates regarding cybersecurity metrics and considerations about supply chain risk management and common terminology used to communicate with outside partners and vendors.

Industry organizations, including the Industrial Internet Consortium (IIC), are involved as well. Earlier in 2016, the IIC released its Industrial Internet Security Framework (IISF) document that identified endpoint vulnerabilities, many of which are prevalent in medical network environments, and ways to protect against them.

Security Considerations for Medical Device Endpoints
An endpoint device includes any computer-based device or system that is Internet-enabled and connected to an IP network. In the medical area, endpoints can be surgery robots, X-ray machines, MRI scanners, dental devices, infusion pumps, patient monitors or any other medical equipment with a computer chip and connection to the Internet. Security experts consider endpoints to be most vulnerable to hackers, particularly in the healthcare environment. Securing medical device endpoints involves many aspects:

  • physical security to prevent uncontrolled changes to or the removal of the endpoint
  • root of trust to provide confidence in the endpoint identity
  • integrity protection to ensure that the endpoint is in the configuration that enables it to perform its functions predictably
  • access control to ensure that proper identification, authentication and authorization protocols are performed
  • secure configuration and management to control updates of security policies and settings
  • monitoring and analysis for integrity checking, detecting malicious usage patterns or denial of service activities, and enforcing security policies and analytics
  • data protection to control data integrity, confidentiality and availability
  • security model and policy for governing the implementation of security functions

Integrity Protection
The term “Integrity Protection” encompasses security measures, namely protection of system resources, programs and data against unauthorized manipulation, or at least identification and display of such modifications. The challenge consists in guaranteeing data integrity, and, if not possible, bringing the system to a safe mode and stopping the execution of any function. The best integrity protection solutions are based on cryptography and associated security mechanisms, such as digital signatures and message authentication.

Secure Boot
Secure Boot functionality utilizes a digital certificate-based chain of trust to help prevent malicious software applications from loading during the system start-up process.
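The chain of trust and the fall-back to a safe mode described in the two sections above, as an added example (not code from Wibu-Systems or from the original post). It pins a SHA-256 digest of each stage in the stage before it, in place of the certificates and signatures a real Secure Boot uses; `Stage`, `build_chain`, `boot` and the stage names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes        # code of this boot stage
    next_digest: bytes  # pinned digest of the following stage, b"" for the last

def stage_digest(stage: Stage) -> bytes:
    # Cover the image and the pin it carries: changing either one breaks the chain.
    h = hashlib.sha256()
    h.update(len(stage.image).to_bytes(8, "big"))
    h.update(stage.image)
    h.update(stage.next_digest)
    return h.digest()

def build_chain(images):
    """Manufacturer side: link (name, image) pairs back to front, return (root, stages)."""
    stages, pin = [], b""
    for name, image in reversed(images):
        stage = Stage(name, image, pin)
        stages.insert(0, stage)
        pin = stage_digest(stage)
    return pin, stages

def boot(root_digest: bytes, stages) -> dict:
    """Device side: verify each stage before running it; stop in safe mode on mismatch."""
    expected, started = root_digest, []
    for stage in stages:
        if not hmac.compare_digest(stage_digest(stage), expected):
            return {"state": "SAFE_MODE", "failed": stage.name, "started": started}
        started.append(stage.name)  # only verified code is handed control
        expected = stage.next_digest
    if expected != b"":  # a pinned stage is missing: the chain was truncated
        return {"state": "SAFE_MODE", "failed": "<missing stage>", "started": started}
    return {"state": "RUNNING", "failed": None, "started": started}

# Constructed sample images, not real firmware
IMAGES = [("bootloader", b"BL v1"), ("os", b"OS v1"), ("pump_app", b"APP v1")]
ROOT, CHAIN = build_chain(IMAGES)
```

Only `ROOT` has to live in storage the software cannot rewrite; re-pinning a modified stage further down the chain changes the digest of the stage above it and is caught there.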

These are just a few examples of security measures that developers have available to ensure the proper use and performance of the medical device in a healthcare setting.

If you are planning to attend MD&M West February 6-8 in Anaheim, stop by Wibu-Systems booth #976 and we’ll tell you more about protecting and securing medical device endpoints.

Monetizing the Medical Device Industry
by Terry Gaul, Fri, 19 Jan 2018 07:42:00 +0100
https://www.wibu.com/nl/blog/article/monetizing-the-medical-device-industry.html

Medical device manufacturers can leverage software licensing to unlock unique business models that generate new revenue streams.

Modern-day medicine is increasingly dependent upon sophisticated technology that is rapidly changing the landscape of healthcare delivery and demonstrating that its use can make a dramatic improvement in patient outcomes. However, the new generation of medical instrumentation is expensive and a major contributing factor to the upward spiraling cost of healthcare. The Hastings Center, a not-for-profit organization geared towards addressing fundamental ethics issues in healthcare, life sciences, and other areas, estimates that “new or increased use of medical technology contributes 40 – 50% to annual cost increases.”

Medical technology is advancing rapidly as manufacturers develop new and improved software-based models with more features and functionality. As a result, product life cycles are much shorter, meaning that equipment purchased 3 or 4 years ago can quickly become outdated. To keep abreast of the rapidly evolving technologies, providers need to replace equipment much more frequently than in the past. With such a rapid turnover of equipment, providers are hard pressed to gain an adequate return on their purchase investment and justify the expense. The problem is even more acute for smaller hospitals and medical centers that simply can’t afford the high-priced capital expenditures for new equipment with short life cycles.

With the global spotlight on the high cost of healthcare, pressure is mounting for healthcare organizations to keep capital expenditures low while maintaining and continuing their mission to deliver high quality patient care. This of course is the conundrum: how can healthcare providers utilize and pass on the benefits of advanced medical technology to their patients while maintaining an acute eye towards cost containment?

Software monetization is a key area of focus for medical device manufacturers. Much can be learned from the new software licensing models being successfully deployed in many other markets. The days of the conventional perpetual license, with the large upfront cost, are gone and being replaced by more creative monetization models, such as subscription licensing, that make software more affordable and accessible to larger target groups.

For medical device manufacturers, software is key because many of the rapid advances in equipment features and functionality occur because software is relatively easy to develop (vs. hardware modifications), deploy, and update in the field. Software not only controls the equipment, acquires data, and monitors events, but it can be programmed to simply turn features and functionality on and off as requested or as needed.

Medical device manufacturers can leverage software licensing to not only reduce the upfront costs for healthcare providers, but also to unlock unique business models that generate new revenue streams and open up markets that were previously unreachable. Let’s take a closer look at modern licensing models that can be adapted to medical devices:

Subscription Licensing: The software is licensed for a limited time (Expiration Time), a limited period (Usage Period) or on an annual basis (Subscription). To minimize the upfront capital cost for providers, the equipment can be leased and software licensed only for the specified time requested. For manufacturers, this provides a predictable, recurring revenue stream.

Pay-Per-Use Licensing: Use of the product is metered and providers are charged only when they use the equipment. In this case, users are charged on the basis of the real consumption of licenses per period. This model is similar to “Pay-per-view TV” or online journals that charge on a per-use basis. Pay-per-use presents significant cost-saving benefits and allows manufacturers to penetrate untapped markets with an affordable offering.

Feature on demand: The medical device is delivered with the most important basic functionalities at an entry level cost. The system can be upgraded by additional licenses that are used to activate specific product features and models and charged accordingly. Features can be turned on and off as needed, giving customers greater control over their expenditure and allowing them to more readily address the unique needs of individual patients.

Trial: The user can access and try additional features of the software for a limited time, so that customers can test additional features while using the device in real-world conditions. This removes financial risk for the customers and allows them great flexibility.
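How a device could evaluate the four models listed above on each feature request, as an added example (not Wibu-Systems code and not a real licensing API). `License`, `LicenseStore`, the feature names and the backwards-clock check are assumptions made for the illustration; on a real device the counters and `last_seen` would sit in tamper-resistant storage.

```python
from dataclasses import dataclass, field
from typing import Optional

DAY = 86400  # seconds

@dataclass
class License:
    feature: str
    expires_at: Optional[int] = None    # Expiration Time: fixed end date (epoch s)
    usage_period: Optional[int] = None  # Usage Period / Trial: seconds from first use
    units_left: Optional[int] = None    # Pay-Per-Use: prepaid uses remaining
    first_used: Optional[int] = None    # recorded on the first granted use

@dataclass
class LicenseStore:
    licenses: dict = field(default_factory=dict)
    last_seen: int = 0  # highest clock value observed so far

    def activate(self, lic: License) -> None:  # Feature on demand: switch on in the field
        self.licenses[lic.feature] = lic

    def check(self, feature: str, now: int):
        """Return (granted, reason); every failure denies (fail closed)."""
        if now < self.last_seen:  # clock set back to stretch a time-based license
            return False, "clock moved backwards"
        self.last_seen = now
        lic = self.licenses.get(feature)
        if lic is None:
            return False, "feature not licensed"
        if lic.expires_at is not None and now >= lic.expires_at:
            return False, "expired"
        start = lic.first_used if lic.first_used is not None else now
        if lic.usage_period is not None and now >= start + lic.usage_period:
            return False, "usage period over"
        if lic.units_left is not None:
            if lic.units_left <= 0:
                return False, "no units left"
            lic.units_left -= 1  # meter one use
        lic.first_used = start
        return True, "ok"

def demo():  # constructed device: subscription, 2 prepaid scans, 30-day trial
    store = LicenseStore()
    for lic in (License("base", expires_at=365 * DAY), License("scan", units_left=2),
                License("3d_view", usage_period=30 * DAY)):
        store.activate(lic)
    calls = [("scan", 10), ("scan", 20), ("scan", 30), ("3d_view", DAY),
             ("3d_view", 31 * DAY), ("base", 5 * DAY), ("base", 400 * DAY)]
    return [store.check(f, t) for f, t in calls]
```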

Let’s take a look at a few real-world use cases.

Agfa HealthCare
Agfa HealthCare is a leading provider of diagnostic imaging and healthcare IT solutions for hospitals and care centers around the world. In the digital healthcare market, computed radiography is an important driver in making medical imaging more accessible, especially for smaller healthcare facilities in emerging countries. However, the upfront capital investment in equipment and software remains an important hurdle for healthcare providers with a relatively modest need for medical imaging.

To address this issue, Agfa HealthCare developed a computed radiography solution that offered a complete digital imaging package, including equipment and software, without upfront investment. They implemented a solution for time-based licensing that allows the healthcare providers to use the computed radiography package in a pay-per-use scenario. Their customers pay as they go, with a fixed down-payment followed by equal and regular installments, thus keeping upfront capital investment low and cost management easy. In turn, the flexible business model made new markets accessible to the company.

Fritz Stephan
Fritz Stephan is a developer of highly specialized technical solutions in ventilation, anesthesiology and oxygen supply. Fritz Stephan’s EVE ventilation systems were developed for a very sensitive group of patients that require gentle and non-invasive ventilation therapy. The ventilation family consists of three models: EVETR is mainly used in emergencies and during transport; EVEIN is a fully-fledged intensive care respirator for patients in the hospital environment; and EVENEO is an intensive care ventilator for the neonatal unit.

The company was looking for a modular licensing solution that would allow them to implement feature-based licensing and enable easy online updates. A scalable licensing model would also allow them to upsell new licenses to their global customer base and conveniently modify the set of features of their devices over the Internet.

To address their need, they structured a scalable licensing model where they can remotely activate features on-demand. This allows them to create new post-sales revenues and deliver responsive pricing models for their customers. Essentially, the device that was initially purchased by the customer stays the same, but it can be upgraded in the field, no matter where it was sold. With EVENEO, the adult features can be easily enabled at a later stage, or the neonatal mode can be activated for EVEIN at any time.

If you plan to attend MD&M West on Feb. 6-8 in Anaheim, stop by Wibu-Systems booth #976 and we can continue the discussion on medical software monetization strategies.

Protecting Medical Devices
by Terry Gaul, Fri, 12 Jan 2018 08:00:00 +0100
https://www.wibu.com/nl/blog/article/protecting-medical-devices.html

Since the IP of most of today’s medical equipment is encapsulated in embedded software, the industry is ripe for attack.

Intellectual property theft is rampant around the globe. In a 2016 study, VDMA, the German Mechanical Engineering Industry Association, reported that nine out of ten manufacturers were victims of piracy, and that in 70% of all cases, reverse engineering was the main trigger. Components, industrial designs, and even entire systems are being counterfeited across all sectors of industry.

The medical device manufacturing community is a prime target for counterfeiting. Take for example the case of an Irvine, CA engineer who in 2016 was charged with stealing and possessing trade secrets from his two former employers, both of whom manufactured medical devices used to treat cardiac and vascular ailments. During his employment, the engineer was found to have travelled to the People’s Republic of China (PRC) multiple times – sometimes soon after allegedly downloading trade secrets from the employer’s computer and emailing information to his personal email account. According to the FBI, the engineer appeared to be in the process of setting up a company with other individuals in the PRC to manufacture medical devices.

In many cases, counterfeiting of the equipment starts with the theft of the intellectual property contained in the software and embedded in the equipment. That was the case when a leading global manufacturer of gambling slot machines found out that their proprietary gaming software was being used on counterfeit slot machines across Europe and Asia. Once the software was stolen, the perpetrator was able to reverse engineer the machine itself and build a functioning slot machine that closely mimicked the original equipment.

Because the intellectual property of today’s surgery robots, X-ray machines, MRI scanners, dental devices, infusion pumps, patient monitors and most other medical equipment is encapsulated in embedded software, the industry is ripe for attack.

Modern encryption technology, however, is a strong antidote that software developers can use to protect medical device software from theft. Encryption is the process of encoding data in such a way that only authorized parties can access it. Encryption denies the intelligible data to a would-be interceptor. In an encryption scheme, the intended data is encrypted using a special algorithm–a cipher–generating ciphertext that can only be read if decrypted. An encryption scheme usually uses a random encryption key, generated by the algorithm. It is theoretically possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. The data can only be decrypted with the key provided by the originator and the key is kept in a secure location.

During the encryption process, the software developer can encrypt the entire executable code, just specific tagged functions, or a combination of both. The encrypted code is then decrypted at runtime with the appropriate key.

Medical device manufacturing companies like Dentsply Sirona, Fritz Stephan GmbH, Agfa HealthCare, and custo med are prime examples of companies who have taken necessary steps to protect their intellectual property with modern embedded software protection mechanisms.

 

If you would like to learn more about encryption mechanisms and IP protection for medical devices, stop by our booth #976 at MD&M West on February 6 – 8 in Anaheim.
