Originally Published MEM Fall 2009
Designing Robust Wireless Sensor Applications
When combined in an embedded computing platform, virtualization, remote management, and enhanced security increase equipment reliability and availability.
Stuart Fisher, Frank Shen, and Michael Taborn
An engineer works on a medical project being developed on a platform running both Windows and Linux on a separation kernel and hypervisor.
Wireless sensors are quickly making inroads into prehospital, in-hospital, ambulatory, home monitoring, and long-term care settings. These sensors offer ease of use and flexibility. Postsurgery patients fitted with wireless monitors can walk the hospital floor without being constrained by wires. However, expanding wireless technology usage into other medical applications hinges on the ability of medical equipment manufacturers to meet strict industry standards for reliability and patient data privacy.
Although wireless technology is ubiquitous in many healthcare devices, there has been some reluctance to use it for critical patient care. But steady progress has been made since FDA first approved medical systems using Bluetooth wireless technology in operating room equipment in 2003. Wireless technology advances, industry standards, and broad commercial adoption have addressed many reliability concerns to the point where most operating rooms may soon be able to deploy wireless sensors and save surgical staffs from contending with dozens of sensor wires. For this and other medical applications, manufacturers can benefit from an embedded computing platform that improves the efficacy of virtualization, remote management, and hardware security.
These three aspects each offer areas of improvement for medical equipment manufacturers. Virtualization technology increases reliability by isolating software workloads; remote management improves availability by enabling technicians to fix system defects quickly; and hardware-based security protects patient data by preventing unauthorized software from executing. This article describes an embedded computing platform that encompasses these tools. It also explores how the platform can be used to meet emerging government regulations and create safer and more secure products.
To remain competitive, medical equipment manufacturers must figure out how to integrate advanced technologies, such as wireless, without negatively affecting the reliability, availability, system integrity, and data security of their products. In doing so, they are guided by industry standards such as ISO 14971, “Application of Risk Management to Medical Devices,” which provides a process for identifying the hazards associated with medical devices. In addition to technology adoption, other design decisions can affect reliability. For instance, designers may consolidate multiple applications onto one platform to save cost and reduce the physical footprint. But when different applications running on an operating system (OS) are not adequately isolated, there may be unintended and dangerous OS and application software interactions.
In addition, even though the complexity of medical equipment increases with every new generation, manufacturers are expected to continuously improve equipment availability. This includes offering systems that are easier to maintain, repair, and track. Systems must also satisfy worldwide government regulations for the security of electronic health information such as the Health Insurance Portability and Accountability Act (HIPAA) enacted in the United States.
Virtualization Increases Reliability
Patient monitoring products implement multiple tasks using sensors and actuators—wired or wireless—for safety-critical functions, such as controlling infusion pumps or monitoring a patient’s vitals during surgery. At the same time, these medical products may run non-safety-critical applications such as graphical user interfaces (GUIs), image and data processing, and database engines. To improve system reliability, developers can run safety-critical code in safe, virtualized execution environments that isolate different workloads and prevent them from interfering with one another.
Figure 1. An example of virtualization.
In existence for many years, virtualization technology is most notably used in data centers where many applications are consolidated onto a single server. Virtualization allows multiple guest OSs and their applications to run in independent, secure partitions on the same physical board. This is achieved by adding a new software layer, called a hypervisor or virtual machine monitor (VMM), which manages the execution of guest OSs in much the same way that OSs manage the execution of applications. Two partitions are illustrated in Figure 1, where Partition 1 runs processes (e.g., sensor applications) on a Linux OS and Partition 2 runs a GUI on Windows. The hypervisor maps physical system resources, such as processing cores, memory, and I/O peripherals, to each guest OS.
The hypervisor isolates each virtual instance by providing hardware protection to every partition with its own virtual addressing space. In addition, it guarantees resource availability, such as memory and CPU cycles, to each partition, so that no software can fully consume the scheduled memory or time resources of the other partitions. The result is a robust environment within which multiple OSs and applications can execute simultaneously with a high level of code and data separation.
Further increasing reliability, I/O virtualization enables the hypervisor to securely assign specific I/O devices to specific guest OSs. Each device is given a dedicated area in the system memory that is accessible only by the device and the designated guest OS. This capability offers more data protection for medical systems integrating sensors from various vendors because one application cannot receive another application’s sensor data. In addition to increasing system reliability and stability, virtualization can offer developers other benefits, which are detailed in the following sections.
Ease the Migration of Legacy Applications. Some VMMs and hypervisors enable developers to run unaltered OSs, meaning that they are 100% application binary-compatible with nonvirtualized instances. Consequently, equipment manufacturers can often reuse legacy applications with little or no porting effort because applications can run on their native OS.
Increase Real-Time Performance. As the number of sensors and network data rates increase, medical systems need to process protocol stacks faster to ensure low-latency, deterministic response times. High performance can be achieved by running time-critical tasks on a real-time OS (RTOS) in a partition that is assigned to a dedicated core on a multicore processor. As a result, the protocol stacks can run faster because they are unencumbered by non-real-time tasks that would otherwise compete for CPU resources.
Improve Data Security and System Integrity. Patient privacy regulations are driving medical equipment manufacturers to increase protection against malicious software attempting to gain access to patient data. Virtualization provides an additional layer of security protection because the hypervisor controls memory boundaries and prevents an application (e.g., rogue software) from accessing the data regions of other applications. This protection, enabled by secure partitions (Figure 1), can also improve system integrity because the hypervisor safeguards system resources. Such safeguarding reduces the possibility of a runaway application, perhaps infected or defective, locking up the system.
Speed Up Certification. To gain approval from FDA and other regulatory bodies, medical equipment manufacturers must demonstrate the safe and effective operation of application software and OSs running on the system [1]. FDA’s guidelines suggest that manufacturers take measures to prevent defects. With virtualization, OEMs can show that measures have been taken to prevent a piece of software from unintended software interactions that can result in failure, such as one application overwriting the memory space of another. In addition, virtualization can reduce the time to market by allowing previously certified software to be run unmodified in a virtualized partition, thus potentially avoiding recertification of that code. However, virtualization must be validated first, so some time must be spent performing that validation.
When evaluating virtualization technology for their next design, developers may need to upgrade their processor to ensure that there is sufficient computing horsepower. The VMM introduces some transactional overhead (i.e., delay) when it switches context between host processes and guest OS processes, which can be minimized with a faster processor. Developers using virtualization to consolidate applications onto a single board may need the performance of a multicore processor to execute multiple workloads in parallel.
As previously discussed, virtualization helps prevent system failures by stopping harmful software interaction. However, equipment failures are inevitable, and it is important to get the equipment back online quickly. With the assistance of remote management, many system faults can be repaired without requiring an on-site technician.
Remote Management Improves Availability and Maintainability
Medical equipment manufacturers and healthcare IT professionals are experiencing an escalation in the number of systems they must support, including more mobile medical devices. They must ensure that systems are configured properly, run the latest security signatures, and repair them when they break. Remote management facilitates the repair of systems over an internal IT network as well as the Internet, enabling manufacturers to get systems online faster and at a lower cost than sending in an on-site technician. When on-site visits are required, remote management technology can help identify failed components in advance, which enables technicians to arrive with the right spare parts and fix systems quickly. Remote management also provides equipment manufacturers an opportunity to offer upgraded service packages based on faster-service response or more-aggressive service level agreements.
Recent advances in remote management technology even allow devices to be queried, fixed, and secured when they are powered off or have software issues. Chip manufacturers can accomplish this by adding special circuitry to processors and chip sets to create an alternative, persistent connection between the equipment and the management console. This connection continues to operate when the OS, hard-disk drive, and CPU are not functioning.
This technology also enables biomedical engineers to better manage the support infrastructure. They can remotely boot a device from a hard-disk drive on the network with known good software (i.e., a validated production version of the software with clean code), which greatly aids troubleshooting. The support infrastructure can also remotely reflash the BIOS, load new drivers, or load a new OS regardless of whether the system is running. With remote management, IT organizations can improve equipment availability and cost-effectively perform troubleshooting and security tasks.
Medical equipment manufacturers already offering management services, such as fixing systems, tracking intermittent failures, and running inventory reports, need to weigh the risks and rewards of integrating enhanced remote management technologies. In many cases, the new technologies can be integrated into existing products with relatively little software rework. Perhaps the bigger issue is measuring the rather subjective benefits and modeling the total cost of ownership improvement. Every customer values improved remote management options differently, based on their estimated cost savings for reduced service calls, downtime, and staff requirements for software updates.
Remote management can help ensure that systems are running the latest virus signatures, but what happens when an unidentified virus or piece of malicious software infiltrates the system? Hardware-based security technology can prevent any unauthorized software from executing, as described in the following section.
Hardware Protection Enhances Security
Healthcare environments must employ virtual private network (VPN) and encryption technologies to secure data that leave medical devices en route to networks and external storage devices. Today, it’s necessary to use analogous technologies for data that are moving within a medical device to prevent security breaches. For example, while a medical system on the network boots, its security software isn’t functional, which potentially puts the system at risk of malicious software accessing and abusing unprotected platform data.
A purely isolated system does not require the overhead of encryption or any services to support data movement. However, the trend to support electronic health records and more automation will soon make devices that do not support automation less desirable and more expensive to maintain. When internal system buses are unprotected, they are vulnerable to malicious software that can commandeer applications, capture keystrokes, intercept medical images sent to the display, and access confidential information and encryption keys. To protect data within a computing system against software-based attacks, new hardware-based security features are being integrated into processors, chip sets, and other platform components. These security features provide the following capabilities:
• Encrypt and store system secrets, such as VPN security keys, safely within the trusted platform module (TPM), a secure cryptoprocessor.
• Ensure that all system software components are in a known state (referred to as a trusted state) before launching.
A trusted state is established using four mechanisms. First, the system generates a cryptographic hash (a fixed-size fingerprint computed from the binary) of all system software, including OSs, applications, and VMMs. The hash is stored in the TPM and is verified before any software is allowed to start execution, thus preventing system tampering. Second, developers create launch control policies, such as a list identifying which drivers and applications have permission to execute, to prevent unauthorized software from loading. Third, a BIOS authentication code module is implemented to secure the boot procedure and prevent hackers from hijacking the system before platform security measures are running. Fourth, the platform encrypts critical security codes, which are only released (decrypted) to the executing environment that originally encrypted them.
Creating a trusted execution environment enables medical systems to prevent unauthorized access of confidential data by programs that masquerade as legitimate software, an attack known as spoofing or phishing. Still, equipment manufacturers must weigh the benefits of a trusted execution platform—namely security and stability—against the cost of a TPM chip, the processing resources required to hash the software, and some additional software development.
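To make the measure-then-release mechanisms above concrete, here is an added Python model (not code from the article or from any vendor it names) of a TPM-style measurement register, a launch control policy, and sealing: each component's hash is chained into one register, unlisted components are refused, and a secret is decrypted only under the measurement it was sealed against. The component images, the policy, and the storage key are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed sample "software images" standing in for the VMM, guest OS and
# application binaries the article says are hashed before launch.
COMPONENTS = {
    "vmm": b"hypervisor image v1",
    "linux_guest": b"linux guest kernel + sensor stack",
    "bluetooth_stack": b"bluetooth protocol stack v2",
    "gui_app": b"windows gui application",
}
# Launch control policy: the allow-list of components permitted to execute.
LAUNCH_POLICY = {"vmm", "linux_guest", "bluetooth_stack", "gui_app"}
# Stand-in for the TPM's storage root key (constructed; in hardware it never leaves the chip).
STORAGE_KEY = b"constructed-storage-root-key"


def measure(components, policy):
    """Chain every component's hash into one register, PCR-extend style:
    register = H(register || H(component)). Any changed or extra component
    yields a different value; unlisted components are refused before measuring."""
    register = bytes(32)  # registers start at all zeros after reset
    for name in sorted(components):
        if name not in policy:
            raise PermissionError(f"launch policy denies {name}")
        digest = hashlib.sha256(components[name]).digest()
        register = hashlib.sha256(register + digest).digest()
    return register


def seal(secret, measurement, storage_key=STORAGE_KEY):
    """Bind a secret (e.g. a VPN key, at most 32 bytes) to a measurement: the
    wrapping key derives from storage key + measurement, and a MAC lets
    unseal detect a mismatch instead of returning garbage."""
    assert len(secret) <= 32
    key = hmac.new(storage_key, b"seal" + measurement, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, key))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(blob, measurement, storage_key=STORAGE_KEY):
    """Release the secret only if the current measurement equals the sealing one."""
    key = hmac.new(storage_key, b"seal" + measurement, hashlib.sha256).digest()
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, key))


def boot_and_release(components, sealed_blob, policy=LAUNCH_POLICY):
    """Verify-before-launch: refuse unlisted software, measure the rest, and
    hand out the secret only when the platform matches the sealing state."""
    try:
        return unseal(sealed_blob, measure(components, policy))
    except PermissionError:
        return None
```

A modified Bluetooth stack or an unlisted driver changes the measurement or trips the policy, so the sealed VPN key stays locked and the tamper is detected before the secret is exposed.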
COTS boards, such as the one pictured above from American Portwell Technology Inc., can reduce development risks and help speed up market entry.
Medical equipment manufacturers face many daunting challenges, including satisfying government regulations, integrating new technologies, and protecting systems against growing security threats. Helping address these requirements more quickly, commercial off-the-shelf (COTS) boards allow manufacturers to start with a proven design that lowers development risk and shortens time to market. Many COTS boards incorporate the latest technologies, processors, and OSs and offer equipment manufacturers an extended life cycle—sometimes as long as five years.
The virtualization, remote management, and trusted execution technologies discussed in this article have been realized in a proof of concept based on a COTS mini-ITX board connected to more than 25 Bluetooth wireless sensors. The Bluetooth networking stack executes from a virtualized secure partition, providing isolation from other system software and increasing the reliability of the platform. With remote management, many potential system issues can be fixed over the network, quickly restoring system availability. Trusted execution prevents malicious software from executing, thus providing another layer of application and data security. With the help of these technologies, medical equipment manufacturers can better meet emerging government regulations and create a competitive advantage by developing safer and more secure products.
1. General Principles of Software Validation; Final Guidance for Industry and FDA Staff (Rockville, MD: FDA, January 11, 2007).
Stuart Fisher is product marketing manager at LynuxWorks (San Jose), Frank Shen is the product marketing director at American Portwell Technology Inc. (Fremont, CA), and Michael Taborn is a platform architect in Intel’s Embedded and Communications Division (Santa Clara, CA).
Copyright ©2009 Medical Electronics Manufacturing