The concept of “virtual reality” has come a long way since the days of Star Trek’s holodeck. In this digital age, more and more activities – including something as mundane as grocery shopping – can be performed virtually via Skype, FaceTime, and other mobile or videoconferencing apps running on VoIP or cloud-based platforms.

 

The health care industry in particular has benefitted from ubiquitous computing and wireless Machine-to-Machine (M2M) technologies that enable medical professionals to remotely monitor and in some cases manage their patients’ health. Virtual care coordination is providing cost-effective monitoring and treatment for patients with long-term illness and chronic conditions through telehealth devices such as the Care Innovations QuietCare wireless resident monitoring system and the Care Innovations Guide, which combines traditional vital signs capture with advanced videoconferencing and customizable multimedia education. And with Electronic Health Records (EHRs) linking providers and patients to current and past medical data, health care delivery is becoming more accurate, timely, and efficient than ever before.

[Figure: Care Innovations Guide]

 

One major drawback to greater connectivity in the medical world is greater risk for security breaches. Increasing use of wireless technology in medical equipment has caught the attention of the U.S. Department of Homeland Security (DHS), which recently issued a bulletin warning how life-critical wireless medical devices, if compromised, pose a significant threat to the public and private sectors. While medical systems that use commercial Operating Systems (OSs) are as open to attack as standard computers, proprietary systems can also be exploited through their software update mechanisms, the DHS report stated.

 

Hospital IT organizations today face the challenge of managing and securing a variety of hardware and software systems, many of which are based on nonstandard or proprietary components that make it difficult to determine if these systems comply with the security policies of the purchasing hospital, says Santhosh Nair, senior director of intelligent platforms at Wind River.

 

“In the medical industry, the security discussion revolves around HIPAA, and in the absence of more regulation, medical device manufacturers are defining their own security,” Nair says. “This is one of the reasons why the medical industry is behind in terms of security – there hasn’t been a ‘medical Stuxnet’ that has prompted the industry to make more progress here.”

 

Medical systems based on nonstandard platforms present other shortcomings, including the downtime associated with sending them to the manufacturer for upgrades and the decreased ability to capitalize on the latest security advancements developed to secure IT infrastructure built with standards-based technology, Nair says.

 

In addition to managing these complexities, medical device development teams must consider intended use validation, design assurance, verification, and data integrity requirements as stipulated by medical regulations. OS vendors must be able to identify risk and operational interactions, functions, and capabilities across the platform to provide visibility throughout the development and test cycles, says Alan Boucher, director of software architecture and engineering at Intel-GE Care Innovations.

 

“Instrumentation of the application is critical to understanding and properly characterizing your platform design and development approach, the platform’s unit test framework implementation, test automation design, and implementation,” Boucher says. “It makes all the difference in the long-term viability and sustainability of your product in the field.”

 

Wind River’s Workbench Integrated Development Environment (IDE) is one example of an embedded OS platform that enables developers to instrument core stack capabilities such as connectivity, device management, security OS middleware management, file systems, I/O, and multicore (threading models, tasks, processors, exception and error handling, etc.) in a standard way, Boucher says. Furthermore, the Wind River Platform for Medical Devices based on VxWorks provides a Vendor Qualification Summary (VQS) in accordance with FDA quality system regulation 21 CFR 820.50 to offer visibility into the controls and processes Wind River uses in developing its platform components, thus helping medical system manufacturers meet safety requirements and standardize on open platforms.

[Figure: Wind River Platform for Medical Devices]

 

To prevent hackers and malware from breaching OS platforms used in health care applications, security must be built into a device from inception to release, Nair says.

 

“Embedded device security needs to be integrated into the development life cycle of the medical device rather than being an afterthought,” he says. “That is why medical device developers are now taking a more holistic approach to device security. Development teams are considering security issues at every layer of the development stack: the hardware platform, the virtualization technology, the operating system, the network stack or other communications middleware, the packets of data being sent across the network, and the applications.”

 

Nair recommends several steps embedded systems designers can take to help ensure the highest possible levels of design assurance and data integrity at the embedded OS level:

 

  • End-to-end threat assessment: Evaluate the security threats to the device in the various contexts of its life cycle – development, operation, and maintenance.
  • Security-optimized design: Make security a No. 1 requirement and design consideration. Leverage modern separation and partitioning techniques, secure communications, and intrusion protection.
  • Secure runtime selection: Build your device from known secure components such as Commercial-Off-The-Shelf (COTS) OSs, middleware, and tools.
  • Application protection: Utilize whitelisting technology to exclude malware installation on the device.
  • Development life cycle and tools: Consider security to be part of the entire life cycle of the device and plan for updates and security fixes well into the product's lifespan.

 

In addition to these critical considerations, designers should perform design feasibility assessments and explicitly prototype critical core subsystems to understand and characterize platform risk and design complexity, Boucher says. Evaluation of the OS and data interactions could include the following questions:

 

  • What are the regulatory assessments of the device and its classification?
  • What are its intended uses?
  • What are the risks associated with the platform’s operation, operating environments, and environmental conditions?
  • What are the recovery mechanisms (local, network-based, cloud)?
  • Can the OS isolate application operation, thread behaviors, memory use, and operations from other elements of the platform and OS?
  • What are the types of faults that can happen?
  • How will data integrity be verified and validated?
  • What are the data encryption types and levels?

 

While no system is ever completely secure, medical embedded developers can perform these types of assessments and make security improvements to current and future projects, Nair says. Security concerns are also being addressed by the Medical Device Innovation, Safety, and Security Consortium (MDISS), a nonprofit organization created earlier this year that aims to advance computer risk management practices. The formation of this consortium and its goal of optimizing the relationship between the quality of health care and the process of ensuring that systems are secure are great steps in the right direction, but more efforts are needed, Nair asserts.

 

Developers can learn more about how to assess risks and implement defenses across a medical system by listening to a newly recorded Intel-Wind River webcast, “Eight Step Approach to Address the Multifaceted Security Threats Targeting Medical Devices.” And read more about how Care Innovations is using embedded computing technologies to enable virtual care coordination applications in a recent Embedded Computing Design Q&A with Alan Boucher.

To view other community content on healthcare applications, see “Top Picks - Medical.”

Jennifer Hesse

OpenSystems Media®, by special arrangement with Intel® Intelligent Systems Alliance

 

Wind River is an Associate member of the Intel® Intelligent Systems Alliance.