Medical device creators are designing electronic devices with enhanced and sophisticated functionality, with most of the complexity contained within the software. Many new devices are also equipped to communicate with hospital networks, one another and the IoT (Internet of Things).
Martin Nappi, Green Hills Software
Designing life-critical software into the medical device and then connecting it to a hospital network or the expanding IoT introduces an elevated level of risk. It also broadens the potential attack surface of the device to would-be cyber attackers.
Due mainly to the increasingly aggressive threat landscape, governing authorities like the FDA expect device manufacturers to take cybersecurity very seriously. To achieve approval to bring a Class III medical device to market, they expect manufacturers to conduct a threat assessment that includes an analysis of the potential for patient injury and mitigation of identified security risks. Manufacturers must provide an analysis of the likelihood and severity of patient harm balanced against other design considerations. Product developers are expected to incorporate device cybersecurity and perform risk-analysis at every phase of the development cycle.
Operating systems like Windows, Linux, Android and many embedded real-time operating systems (RTOS) are not appropriate for use in life-critical devices. Basing a connected medical device design on a weak or vulnerable operating system framework may be suitable for some devices, but not for a Class III medical device or any device whose unauthorized breach or anomalous behavior could directly or indirectly cause a loss of life. These operating systems only protect against inadvertent or casual attempts to breach the device’s security. Furthermore, their immense base of program code has proven to contain thousands of vulnerabilities, according to the National Institute of Standards and Technologies.
Using microkernel architecture
Other industries, including avionics and automotive, have transitioned to using a software architecture based on partitioning or separating different software tasks into separate memory areas on the device. This high-integrity separation-kernel or microkernel architecture uses microprocessor memory protection and hardware security to guarantee isolation of software components, monitor run-time operation and ensure each task has the resources required to run correctly. The underlying microkernel constantly monitors the overall system, detecting and isolating any unusual behavior caused by errant or malicious code.
Critical tasks are partitioned separately from non-critical tasks, and information flows are validated. Digital certificates and keys are tied to the hardware root of trust to protect software and communications. Network connections may be enabled to specific tasks or to guested operating systems such as Windows or Linux, hosted in separate non-critical partitions so that coding errors and security breaches cannot affect critical functions of the device.
Given the risks, external and independent software testing authorities should validate systems against stringent industry standards (e.g. RTCA DO-178B, ISO/IEC 15408, IEC 61508) with rigorous safeguards against failure conditions and strong resilience to defend against unauthorized access. It is reassuring to know that there have been separation kernel operating systems commercially available from multiple vendors for up to 20 years that are recognized by international authorities as meeting the highest levels of safety and security.
Historically, product security in the medtech industry was much less of a concern because many devices were not connected to networks, smartphones, and tablets. But with the emergence of the IoT and the criminal element that comes with it, the top three priorities for device designers are now:
- Keeping the patients and clinicians safe;
- Keeping electronic health records secure;
- Keeping the device consistently operational and resistant to cyber attack.
Life-critical devices and our healthcare system need to be resistant to sophisticated, well-funded cyber-criminals, including terrorists or any criminal group with a reason to compromise our healthcare system.
Martin Nappi is VP of business development for the medical industry at Green Hills Software. He is a 30-year veteran of the embedded systems industry and is responsible for providing safe and secure software technology for medical devices and systems.
The opinions expressed in this blog post are the author’s only and do not necessarily reflect those of Medical Design and Outsourcing or its employees.