CORDIS - EU research results

ENsuring Secure and Safe CMD Design with Zero TRUST Principles

Periodic Reporting for period 1 - ENTRUST (ENsuring Secure and Safe CMD Design with Zero TRUST Principles)

Reporting period: 2023-01-01 to 2024-06-30

ENTRUST sits at the forefront of digital transformation for the healthcare domain as it moves into the next generation of Connected Medical Devices, where the expansion of connectivity and of data processing capabilities and resources at the edge has revolutionized the health sector by improving outcomes, lowering healthcare costs, and enhancing patient safety. The ENTRUST project aims to tackle the lack of cybersecurity implementations in connected medical devices (CMDs) without limiting their applicability. Its trust management architecture holistically manages the lifecycle of CMDs, from formally verified design-time trust models and risk assessment processes to secure lifecycle procedures and real-time conformity certificates based on novel runtime attestation mechanisms and distributed ledgers. The added value and effectiveness of the ENTRUST Framework will be evaluated in four real-world use cases ranging from wearable and medical devices used for remote patient monitoring to high-end stationary equipment used in hospitals and clinics. ENTRUST innovations not only disrupt the CMD value chain and impact all stakeholders by making dynamic trust assessment a new dimension of the quality of a device's operational profile, but are also a significant driver for overcoming existing gaps (in current standards - MDCG 2019-16) in the security of such complex systems.
The ENTRUST project has achieved several key milestones, advancing its goal of developing a comprehensive security framework for Connected Medical Devices (CMDs):
1- ENTRUST Architecture Finalization: The architecture was successfully designed, establishing a holistic security model covering the entire CMD lifecycle. This was achieved through collaborative design and stakeholder input.
2- Risk Assessment and Threat Modelling: The Risk Assessment component, calculating Required Trust Levels (RTL), and the Threat Modelling component, using Large Language Models (LLMs) to identify threats, were completed. These were developed through research and testing, allowing real-time security adjustments.
3- Formal and Software Verification Tools: Tools for ‘security-by-design’ Formal Verification and Software Verification, including fuzzing techniques, were created to detect and address vulnerabilities early. These ensure CMDs meet security standards from design to deployment.
4- Digital Twin and Secure Updates: A Digital Twin was implemented for attack emulation, alongside secure software update mechanisms. These were developed to test and mitigate cyberattacks in a simulated environment, ensuring device integrity.
5- Open-Source Roadmap: An open-source roadmap for CMD Trust Reference Implementation was established, fostering collaboration on platforms like GitHub and Zenodo, with support from partners like OpenContinuum and ECLIPSE.
The ENTRUST project is poised to significantly impact the rapidly expanding zero-trust security and medical device markets, addressing critical needs in device security and trustworthiness. With the global medical device market projected to reach USD 171.1 billion by 2027, ENTRUST’s comprehensive security framework offers innovative solutions beyond current standards. Key advancements include a Risk Assessment component that establishes baseline trust through the Required Trust Level (RTL), a ‘security-by-design’ Formal Verification approach to address early-stage vulnerabilities, Threat Modelling utilizing Large Language Models (LLMs) to shape threat landscapes, Software Verification employing fuzzing techniques to detect threats, and a Digital Twin component for attack emulation and secure software updates.
ENTRUST is also developing an open-source roadmap for the CMD Trust Reference Implementation, fostering a collaborative ecosystem for secure medical devices. This initiative, supported by platforms like GitHub and Zenodo, emphasizes community involvement to enhance the platform's quality, adoption, and sustainability. The plan includes a Minimum Viable Product (MVP) and Open-Source Development (OSD) strategy, with support from the OpenContinuum action and ECLIPSE collaboration.
To ensure successful adoption and enhance security and trustworthiness of connected medical devices worldwide, ENTRUST needs to focus on:
- Ongoing R&D to refine threat detection, risk assessment, and secure device lifecycle management.
- Demonstrations and pilot projects to validate the framework in real-world settings.
- Market access strategies to position ENTRUST within the growing medical device and cybersecurity sectors.
- Effective management of intellectual property rights and collaboration with open-source initiatives.
- Alignment with regulatory and standardization frameworks to ensure compliance and facilitate market adoption.
- Internationalization to expand the project’s global reach and ensure alignment with international standards.