MEDICAL DEVICE COUNTERFEITING HARMS MANY

Year after year, the amount of counterfeit medical devices increases, which can harm the consumer and always impacts the original equipment manufacturer (OEM).

According to The World Health Organization (WHO), 6% to 8% of the total medical device market is comprised of counterfeit goods. Additionally, Interpol and the World Trade Organization (WTO) estimate that the global effects of counterfeiting across all industries cost legitimate companies over $600 billion, while the latest data available from WHO shows that there was a 20% increase in counterfeit medical products for 2007 when compared to 2006.

A large number of medical devices are sold on the "razor/razor blade" model. The OEM develops equipment, such as a diagnostic device or bedside monitoring equipment, which is quite expensive to create and has a lot of intelligence in it, such as an embedded micro-computer. "Most hospitals do not have a lot of money to spend on buying pieces of bedside equipment," explains Vice President of Technology at Cryptography Research, Ben Jun. "However, what hospitals do have money to do is purchase the patient monitoring devices - the pieces that plug into these consoles and then attach to the patient. These are generally single-use pieces and the margins on these items are much better." The scenario is that the OEM sells equipment to hospitals at a loss and then enters the market of medical consumables to recoup the loss on the price of the equipment - similar to the printer/printer cartridge and pay TV models. Medical consumables range from surgical kits at the high end to diabetes test strips at the low end.

Manufacturers count on the revenue stream coming from these consumables.

However, because these consumable are so profitable, other companies clone, refurbish or counterfeit these items, which are then sold to the hospital, taking revenue from the OEM and creating patient-safety issues.

TYPICAL ISSUES

"Remanufacturing, counterfeiting or cloning, and device tampering are the three main issues which happen throughout hospitals, and these are the areas that Cryptography technology works to address," Jun states.

Remanufacturing/refurbishing is where attackers take a single-use device and find a way to refurbish it and then reintroduce it to the market. "In some situations, the customer knows it is a refurbished piece of equipment, which is quite common in developing countries, but there are other situations where the customer has no idea this device has been used on or in previous patients," Jun explains.

Workstations ensure the authenticity of the microchips embedded in devices.

"The second one is where the adversary creates an outright counterfeit or clone. This is where someone makes, for example, an interoperable probe kit that works with the hospital's equipment. However, that probe kit may not be certified or calibrated and that obviously carries health safety and liability issues," Jun continues.

The third category that occurs with medical counterfeiting is actually modifying the equipment so it will accept unauthorized consumables. Typically occurring more often in developing countries, this is where a supplier will cut a deal with a hospital to supply cheaper products in return for allowing them to modify the "receiving" equipment.

ADDRESSING SAFETY

Counterfeiting, remanufacturing and device tampering all create patient safety concerns and loss of revenue.

Devices are typically built so that when they are "plugged in" they securely register perhaps a single bit of information, and note that it has been used before, alerting the healthcare technician that it should not be used again. Other devices are sometimes able to be used a certain number of times before requiring disposal, or, in some instances recalibration, but it is the history of the device that needs tracking.

"The number one task an OEM wants to do is build a system where, at the very point when the healthcare is being administered, the consumable is being authenticated," Jun states. "In other words, you want a good history of when the device was used and you also want good certification that the device is valid." So, how does Cryptography help?

"Generally, these medical devices already have microchips in them, which enables easy implementation of Cryptography Research's technology to prevent tampering and increase safety," Jun says.

Cryptography's product is logic, called the CryptoFirewall, which can be manufactured as part of a microchip.

Circuitry is incorporated into both the consumable and its complimentary part, the verifier, i.e. the bedside equipment.

The CryptoFirewall is a piece of silicon that can be integrated with other people's chips. The incremental cost reflects the relatively modest increase in the size of the silicon in the microchip that is already used in the equipment.

"These two chips ‘chatter' with each other during the course of normal operation to do steps such as authenticating the part, measuring usage, and tracking other data about the device itself," Jun explains. "In addition, Cryptographic authentication can also periodically debit ‘balances' on the device being used in order to more accurately track how often it has been used and how much device life-span remains." However, Jun notes, there are situations where you do not want to get in the way of the healthcare provider because you do not want to impede work in an emergency situation.

To accommodate cases like this, when a verifier recognizes an authentication failure, it can continue operating but flash a message to the healthcare provider that the unit is out of calibration or beyond the rated number of uses. In general, the policy decision of how to handle errors is determined by Cryptography Research's customers.

IMPLEMENTATION OPTIONS

Piracy in all areas, medical devices included, is quite a lucrative industry. There is money to be made and those attacking the industries continue to get more and more sophisticated - operating outside of the United States and actually setting up entire engineering departments that reverse-engineer a product to determine what they have to do to clone or modify something. If usage is metered and authenticated with strong tamper resistance, OEMs can address remanufacturing as well as counterfeiting.

"By integrating the CryptoFirewall technology within the device itself, we can authenticate and regulate the device's operation, making it possible to address remanufacturing, counterfeiting and tampering," Jun explains.

Unfortunately, most OEMs do not realize they need security until there is a failure in their consumable-consumption scenario - similar to individuals not installing a home security system until after their house has been burglarized.

As Jun explains, medical OEMs have a very sophisticated R&D focus, with the engineers far more interested in getting their equipment out of the lab, through approval, and into the hands of the user, and the security concern does not set in until later. It is here, where Cryptography Research's CryptoFirewall is finding its niche.

"Virtually all of our customers come to us after they have a problem, so our deployments usually involve integrating security features into an OEM's existing chip design," Jun says. "Some of these companies are deploying tamperresistance for the first time, but most are coping with compromises of in-house or third-party designs that had inadequate tamper resistance." Although technology continues to advance to help OEMs, Jun concludes that, "Counterfeiting is a problem for virtually every industry where manufacturing costs comprise only a small portion of a product's sale price, so it will continue. So, at the end of the day, it will still be a game of cat and mouse, but where Cryptography Research sees success is making cloning, counterfeiting and remanufacturing an unprofitable business."

Cryptography Research Inc.
San Francisco, CA
cryptography.com