Medical platform development requires a security-focused mindset, making system protection a priority in the earliest stages of system design. Just as features like authentication and encryption are essential to the security of medical data, smart steps should be taken to harden the system itself. One step includes securing the software stack to minimize the attack surface for safe and effective long-term performance.

Fig. 1 – An embedded OS provides a longer lifecycle and additional security features for an optimized OS image or software stack. Coupled with other hardening techniques, creating the OS image as a baseline ensures consistency in deployment and reduces the attack surface at the earliest stages of development.

By eliminating a certain level of risk early in the design process, manufacturers gain a long-term advantage for products and systems with extended life-cycles. For example, a costly and sophisticated device like an MRI or X-ray machine is intended to be in the field for many years, and engineers need to address evolving security threats. This becomes increasingly complex as more devices are connected.

While every device is different, the ideal is to incorporate greater controls within the operating system (OS). One method to achieve this is to move toward an embedded OS, providing a longer lifecycle and additional security features for an optimized OS image or software stack. Other hardening techniques, such as blending hardware- and software-based security, whitelisting, and freezing configurations, give engineers a broader array of security strategies to reduce the attack surface from the start. (See Figure 1)

Gaining an Embedded OS Advantage

Customizing an OS can be costly, considering the effort required to meet existing FDA and National Institute of Standards & Technology (NIST) security standards; integrate existing applications; and account for custom development, testing, and validation. Choosing the right operating system requires additional thought. For example, a Microsoft Windows® Embedded platform not only enables manufacturers to make those customizations, but it securely improves their customer’s experience and workforce productivity, particularly when working with a partner experienced in Windows Embedded and knowledgeable about their business. Depending on the application, an embedded Linux operating system may be a better alternative, and is traditionally stable, efficient, and less costly. There are also several different distributions of Linux, so choosing what is ideal for the business could be cumbersome.

Beyond productivity and potential cost savings, the configuration options available within an OS create more control. For example, Microsoft Windows 7 is designed for the consumer. It includes features and functionality to improve a consumer computing experience. Internet browsers or email are inherently accessible and ready to use. In an application-specific device, an engineer may turn off various functions, essentially eliminating them from the playlist. In contrast, Windows 10 Internet of Things (IoT) is designed for the manufacturer, and comes with its features and functionality restricted at the start. The engineer selectively turns on applications rather than turning them off. This greater level of control reduces the footprint for security risks.

Ensuring Competitive Value by Optimizing, Validating, and Scanning the Stack

By enabling only features that add value to the application or system itself, engineers create a smart baseline OS image, consistent for all customers using a particular device. By establishing this baseline as an initial standard of deployment, an extra layer of security is established at the product management level. Engineers can then enable corresponding product groups with access to that secure image to easily customize their business unit’s application. It is this customized, yet consistent, approach that helps medical device manufacturers maintain customer satisfaction, meet specific deployment and performance requirements, and simplify compliance and certification processes.

Fig. 2 – Five essential steps harden systems and minimize the cyber-attack surface: design the OS image using an embedded OS, remove unnecessary applications, keep a ready-to-validate version of the software stack available to test at all times, whitelist acceptable applications, and freeze configurations to ensure systems can return to a known state as needed.

Once customized, the device, its OS image, and its components should be tested and validated before deploying a system to the field, ensuring the design minimizes the number of attack vectors. For example, perhaps a medical device manufacturer requires the OS to consistently display Greenwich Mean Time. Validation reports will verify this requirement is met by demonstrating specific test results before image deployment. Detailed processes, testing checklists, and experienced engineering are essential in validating the OS image, along with constant updates from advanced vulnerability scanning engines. This is of particular importance for devices that demand FDA certification. When device features are turned on or off, or embedded controls are added for patient security, scanning and reporting features validate these elements as part of the secure OS image. This information helps medical device manufacturers gain FDA certification or recognition of compliance much more quickly. (See Figure 2)

Managing Risk Associated with Change

Medical device manufacturers may fear updating their OS image or application because of the risk associated with change. Vulnerability is commonly tied to how or how often the system is updated, creating some resistance to deal with this part of the device’s lifecycle. To encourage vendors to support proper patching, the FDA allows devices that are in the field (and that do not affect patient safety) to be patched without additional FDA certification. However, where the application resides will be factored into recertification requirements, which could vary if the application is placed within the image or added after the image is built.

Ideally, a current, ready-to-validate version of a device’s software stack should be ready to test at all times, ensuring patches can be quickly developed, tested, and issued, especially in the event of a recall. For the medical device manufacturer who updates the OS image annually, it may be most effective to work with a security resource that can assist in adapting and managing the baseline image. The annual patch should include both security and application updates, with packaging that does not create an entirely new image, but rather an update based on the timing and content of the last update. Alternatively, a new image may be required, for example, when the application has undergone significant change. Updates must be packaged in a file format supported by the device, and based on an appropriate distribution plan. Batch mode updates are typically suitable for remotely monitored devices, while standalone systems may require a USB stick or DVD.

Case Study: Software Stack in Action

A healthcare organization was providing remote desktop support to its customers, including manual distribution of applications and system updates. Acquired by another medical device manufacturer, the organization needed to migrate to a more standard support platform, move off of Microsoft Windows XP, and enhance security without disrupting end-users. The organization tasked its OS image vendor to develop a strategy to seamlessly migrate customers onto a more current version of the existing monitoring solution for device and application updates, and to help its remaining customers get connected.

An incremental approach was planned. Microsoft Windows XP users were moved to Microsoft Windows XP Embedded with a remote monitoring agent. Connectivity enabled the organization to collect and evaluate device information and easily distribute device updates. Devices were then migrated to the latest version of Windows 7 Embedded, with the entire process invisible to the end user. Other embedded security controls minimized patch updates and enabled vulnerability and validation testing to comply with U.S. Department of Defense (DoD) and Security Technical Implementation Guide (STIG) standards.

The phased approach to improving the OS image proved invaluable in protecting the overall device lifecycle, and is well-suited to systems in the field that need secure updating and added connectivity. Service costs were reduced as well, by using a secure baseline image that served all product lines across the entire organization.

Embedded Security Moving Forward

Even as little as one year ago, security was not necessarily at the heart of the conversation when it came to building a system image. But because of connectivity, not just of the device, but also of everything related to it, there is a greater need for security across the entire device and how it is used. Exposure to attacks is not solely limited to network-connected applications. It includes anything that plugs into the device, such as a USB storage stick, or wirelessly communicates with the device, such as a Bluetooth-enabled keyboard. Along with an array of access points, including hospitals, clinics, doctor’s offices, contractors, suppliers, university networks, and more, increased exposure to risk is the new industry norm.

It’s a rich tapestry of potential vulnerabilities, and the pressure is on to integrate higher-level security into the device itself. Whether making the most of in-house security expertise, or gaining insight from a partner that allows manufacturers to focus on core competencies, maintaining a security mindset provides a new and long-term competitive advantage. Reducing risk early in the process not only provides an ideal design foundation, but also enables better overall performance for medical devices.

Information for this article is sourced from the FDA’s Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software; www.fda.gov .

This article was written by Catherine Ter Horst, Senior Product Manager IoT, and Jeff Durst, Director Healthcare & Life Science Solutions, Dedicated Computing, Waukesha, WI. For more information, Click Here .