This document discusses cybersecurity and software updates in medical devices. It provides an overview of Integrated Computer Solutions (ICS) and the services it offers for medical device development. These include human factors engineering, software development, medical device cybersecurity, and software verification testing. The document also discusses Toradex and the Torizon platform it provides for over-the-air software updates in embedded systems. It notes regulations and standards driving new requirements for medical device cybersecurity and software updates. Finally, it discusses strategies for implementing secure software updates, including A/B updates, delta updates, container-based updates, and leveraging hardware encryption.
2. About ICS
Established in 1987, Integrated Computer Solutions, Inc. (ICS) delivers innovative software solutions with a full suite of services to accelerate development of successful next-gen products. ICS is headquartered outside Boston in Waltham, Mass., with offices in California, Canada and Europe. Currently 160 people.
Boston UX is ICS' design studio, specializing in intuitive touchscreen and multimodal interfaces for high-impact embedded and connected devices.
3. Delivering a Full Suite of Medtech Services (www.ics.com)
● Human Factors Engineering
● IEC 62366-UX/UI Design
● Custom Frontend and Backend Software Development
● Development with IEC 62304-Compliant Platform
● Low-code Tools that Convert UX Prototype to Product
● Medical Device Cybersecurity
● AWS and Azure Cloud Services and Analytics
● ISO 14971-Compliant Hazard Analysis
● Software Verification Testing
● Complimentary Software Technology Assessment
4. Toradex - What We Do
Make Embedded Computing Easy
Reliable Arm System-on-Modules
Torizon - Linux IoT Platform
Lowest Cost of Ownership
Industry-leading Support
5. Focus Verticals
• Industrial Automation
• Healthcare
• Transportation
• Test & Measurement
• Smart City
Typical Annual Volumes
100 to 50k Pcs Per Customer Project
Typical Applications
11. Global Trend In New Regulations
European Telecommunications Standards Institute (ETSI) EN 303 645
California State Law SB-327
Oregon IoT Law (House Bill 2395)
NISTIR 8259A
ISO/SAE 21434 – road vehicle cybersecurity engineering standard
IEC 62443
Cybersecurity Maturity Model Certification (CMMC) 2.0 – DoD
White House – Executive Order on Improving the Nation's Cybersecurity
Many more
12. Global Trend In New Regulations
Some Common Requirements
• No default passwords
• A way to patch vulnerabilities in a timely manner
• Access logging
• Software Bill of Materials (SBOM)
13. Poll - How do you do software updates?
• Remote Updates Regular
• Remote Updates When Needed
• Offline Updates Regular
• Offline Updates When Needed
• No Updates ?
16. Poll - What drives your Security Requirements ?
• Company Policy / Best Practices
• Customers
• Government Regulations
• Other Regulations / Standards
• None of the above ?
17. Example: Medical Devices for Hospitals
• Example is a Swiss company
• Medical devices traditionally avoided changes to SW or HW
• The situation is changing
• Devices are connected
  › Example: control centers in hospitals, or even for home care with remote monitoring
(Image: RWJBarnabas Health Community Medical Center)
21. Recent FDA Guidance Regarding Software Updates
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (latest draft, April 2022)
https://www.fda.gov/media/119933/download
FDA guidance is a slow process, but the PATCH Act of 2022 may turn these requirements into US law.
Deciding When to Submit a 510(k) for a Software Change to an Existing Device (2017)
https://www.fda.gov/media/99785/download
Clarifies the criteria for when a software change requires a new 510(k) submission.
22. Reasons For New Guidance and Clarifications
Once upon a time, system-level updates for medical devices were rare
COTS processes and re-validation for OS/library updates were burdensome
The result was that base libraries and OSs were sometimes not updated at all
Vendors waited until the next major device revision (next 510(k) submission)
Security issues were mitigated by air gapping and physical access control
In a connected world, air gaps can no longer be assumed
The result was a cybersecurity nightmare
We have run into devices running ancient versions of Windows CE without any service packs
23. Clarification on 510(k) Submissions
510(k) NOT required
Strengthening cybersecurity without changes to the application or control software (e.g. an OS patch)
Returning the device to the specifications of the cleared device (bug fixes)
510(k) required
Updates that change the safety or effectiveness of the device
A risk-based assessment needs to be performed to determine the significance of the changes, both individually and cumulatively.
25. Cybersecurity Communication and Patchability
Design software for patchability
Isolated software components are easier to test and to manage for risk
Patching capability
The rate at which updates can be fielded.
Communication of software vulnerabilities and update availability
Ability to re-execute V&V testing
If V&V takes several months, your patching capability will be low.
26. Cybersecurity Considerations for Updates
FDA requires that updates are verified to be authentic and unadulterated
Signed
The update was created by the manufacturer for this medical device.
Secure chain of custody
Ensure that updates cannot be corrupted or compromised between the build system and the device
Resilient to failure
Controlled combination of system components
Only allow software combinations that have been tested together
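How the requirements on this slide turn into a verification routine on the device, as an added example that is not code from ICS, Toradex or the FDA guidance: a manufacturer signs a manifest that names the target device model, a monotonically increasing version, and the SHA-256 of every component in one tested combination; the device checks the Ed25519 signature first, then the model, then that the version is newer than what is installed (anti-rollback), and finally that exactly the listed components arrived with the promised hashes. The device model string, version numbers and payload bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one tested combination of components for one device
// model. The signature covers the JSON encoding of this struct, so model,
// version and every component hash are all authenticated together.
type Manifest struct {
	DeviceModel string            `json:"device_model"`
	Version     uint64            `json:"version"`    // must increase monotonically
	Components  map[string]string `json:"components"` // name -> hex SHA-256 of payload
}

// DeviceState is what the device knows about itself before the update.
type DeviceState struct {
	Model          string
	CurrentVersion uint64
}

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest runs in the manufacturer's release pipeline. The private key
// never leaves that environment; only the public key ships in the device image.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	// encoding/json emits struct fields in declaration order and sorts map
	// keys, so the same Manifest always produces the same bytes to sign.
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyUpdate runs on the device. It rejects the update unless the manifest
// is authentic, addressed to this model, newer than what is installed, and
// every delivered payload hashes to exactly what the manifest promises.
func VerifyUpdate(pub ed25519.PublicKey, body, sig []byte, dev DeviceState, payloads map[string][]byte) error {
	// Signature first: nothing in body is trusted until it passes.
	if !ed25519.Verify(pub, body, sig) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return fmt.Errorf("manifest malformed: %w", err)
	}
	if m.DeviceModel != dev.Model {
		return fmt.Errorf("manifest is for %q, this device is %q", m.DeviceModel, dev.Model)
	}
	// Anti-rollback: a validly signed but older release must not be
	// re-installable, or an attacker could reintroduce a fixed vulnerability.
	if m.Version <= dev.CurrentVersion {
		return fmt.Errorf("version %d is not newer than installed %d", m.Version, dev.CurrentVersion)
	}
	// Only the exact component set that was tested together is allowed:
	// none missing, none extra, none altered.
	if len(payloads) != len(m.Components) {
		return errors.New("payload set does not match the tested combination")
	}
	for name, want := range m.Components {
		data, ok := payloads[name]
		if !ok {
			return fmt.Errorf("component %q missing", name)
		}
		if hashHex(data) != want {
			return fmt.Errorf("component %q hash mismatch", name)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed stand-ins for the real update payloads.
	payloads := map[string][]byte{
		"rootfs": []byte("constructed rootfs image"),
		"app":    []byte("constructed application bundle"),
	}
	m := Manifest{DeviceModel: "infusion-pump-x1", Version: 42, Components: map[string]string{
		"rootfs": hashHex(payloads["rootfs"]),
		"app":    hashHex(payloads["app"]),
	}}
	body, sig, _ := SignManifest(priv, m)
	dev := DeviceState{Model: "infusion-pump-x1", CurrentVersion: 41}
	fmt.Println("genuine update:", VerifyUpdate(pub, body, sig, dev, payloads))
	payloads["app"][0] ^= 0x01 // one bit flipped in transit
	fmt.Println("tampered payload:", VerifyUpdate(pub, body, sig, dev, payloads))
}
```

The order of checks matters: the signature is verified over the raw bytes before anything is parsed, so a malformed or hostile manifest never reaches the JSON decoder unless it was signed by the manufacturer's key. Hardware key storage (slide 33) protects the public key's integrity on the device and the private key's confidentiality in the pipeline; it does not replace any of the checks above.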
27. Projects Over the Last 15 years
ICS developed many in-house solutions for customers:
OS build (Yocto, Buildroot, Windows Embedded)
Update packaging (encryption, signing)
Secure bootloader (modified U-Boot for applying updates)
Error-resistant partitioning schemes (A/B updates)
Portals / web services / middleware for update notification and distribution
Off-the-shelf products, frameworks and hardware are now available; solutions built on them are much easier to write and maintain
29. A/B Upgrades
● Two identical rootfs partitions, A and B
● A separate data partition for persistent data, which is left unchanged during the update process
● Typically a client application runs on the embedded device and periodically connects to a server to check for updates
● If a new software update is available, the client downloads it and installs it on the inactive partition
● Fallback to the previous partition in case of update failure
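The fallback in the last bullet is normally driven by a boot counter kept by the bootloader. As an added illustration, not code from ICS, Toradex or U-Boot, the following Go program models the A/B slot state machine: the new image is written to the inactive slot and booted on trial, and unless userspace confirms it healthy within a configurable number of boot attempts, the bootloader switches back to the previous slot, whose image was never touched. The slot names, version strings, boot limit and the `patient-settings` data value are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Slot identifies one of the two identical rootfs partitions.
type Slot int

const (
	SlotA Slot = iota
	SlotB
)

func (s Slot) String() string { return [...]string{"A", "B"}[s] }
func (s Slot) other() Slot    { return 1 - s }

// BootState mirrors what a bootloader keeps in its environment: the active
// slot, whether a freshly written slot is on trial, and how many boot
// attempts that trial has consumed. Data is the separate persistent
// partition that the update process never writes.
type BootState struct {
	Active    Slot
	Image     map[Slot]string // version installed in each slot
	Trial     bool            // new image booted but not yet confirmed
	BootCount int
	BootLimit int    // attempts before falling back
	Data      string // persistent data partition, untouched by updates
}

// StageUpdate writes the new image into the inactive slot and makes it the
// next boot target, on trial. The running slot is left intact so the device
// always keeps a known-good image to fall back to.
func (b *BootState) StageUpdate(version string) error {
	if b.Trial {
		return errors.New("previous update still on trial; confirm or roll back first")
	}
	target := b.Active.other()
	b.Image[target] = version
	b.Active = target
	b.Trial = true
	b.BootCount = 0
	return nil
}

// Boot is what the bootloader does on every power-on: if the trial image has
// exhausted its attempts without being confirmed, switch back to the other slot.
func (b *BootState) Boot() Slot {
	if b.Trial {
		if b.BootCount >= b.BootLimit {
			b.Active = b.Active.other() // fall back to the last confirmed slot
			b.Trial = false
			b.BootCount = 0
		} else {
			b.BootCount++
		}
	}
	return b.Active
}

// MarkHealthy is called by the update client once userspace is up and its
// self-checks pass; only then does the new slot become permanent.
func (b *BootState) MarkHealthy() {
	b.Trial = false
	b.BootCount = 0
}

func main() {
	b := &BootState{Active: SlotA, Image: map[Slot]string{SlotA: "1.0"}, BootLimit: 3, Data: "patient-settings"}
	_ = b.StageUpdate("1.1")
	// The new image boots but never reaches MarkHealthy (e.g. it panics):
	// after BootLimit attempts the bootloader returns to slot A.
	for i := 1; i <= 4; i++ {
		s := b.Boot()
		fmt.Printf("boot %d -> slot %s running %s, data partition %q\n", i, s, b.Image[s], b.Data)
	}
}
```

The health check that calls MarkHealthy should be the last thing to come up, not the first: confirming the slot from an early boot script defeats the mechanism if the application itself then fails to start.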
30. Delta Updates
● Only the binary delta between the installed and the new version is sent to the embedded device
● Works in a Git-like model for filesystem trees
● Saves storage space and connection bandwidth
● Rollback of the system to a previous state
31. A/B vs Delta Updates

Update strategy | Storage space | Update size | Rollback to a previous state | Fallback to a back-up image on a separate partition
A/B updates     | Large         | Large       | Yes                          | Yes
Delta updates   | Small         | Small       | Yes                          | No
32. Container-based Updates
● Container technology has changed the way application developers interact with the cloud, and some of those good practices are nowadays applied to the development workflow for embedded Linux devices and the Internet of Things
● Containers make applications faster to deploy, easier to update and more secure through isolation (process-level isolation: containers still share the host kernel, so they are not a substitute for patching it)
● The Yocto/OE layer meta-virtualization provides support for building Xen, KVM, libvirt, Docker and the associated packages necessary for constructing OE-based virtualized solutions
33. Leveraging Hardware Encryption Support
HSM: Hardware Security Module.
TPM: Trusted Platform Module (also standardized as ISO/IEC 11889).
CAAM: Cryptographic Accelerator and Assurance Module (NXP i.MX processors).
For updates, the value of these is less the speed of the cryptography than the key protection: keys held in hardware cannot be copied out of the filesystem by an attacker who compromises the operating system.
34. CAAM (Cryptographic Accelerator and Assurance Module)
CAAM on the NXP (formerly Freescale) i.MX platform supports the following:
● Secure memory feature with hardware-enforced access control
● Cryptographic authentication
● Authenticated encryption algorithms
● Symmetric key block ciphers
● Symmetric key stream ciphers
● Random-number generation
35. Hosting Solutions
Microsoft Azure IoT
Excellent framework for general IoT and update distribution
ICS has written in-house C++ wrappers around Azure IoT, for distribution of updates among other things
Torizon OTA
Turnkey solution for fleet management
36. Torizon - Be Faster - Be Secure - Be Reliable
37. Torizon
Based on the Uptane Framework
• Used by major automotive OEMs
• Designed with nation-state attackers in mind
• Joint Development Foundation (JDF) / Linux Foundation project
• Independent security audits
• Expands on The Update Framework (TUF), a Cloud Native Computing Foundation project
38. Torizon
Key technology: OSTree
Open source
Git-like
Space savings
● Including automatic de-duplication of identical file contents
Minimal update size
● Diff updates of per-file changes
Integrity can be verified
Atomic updates
Immutability and revision control
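The "Git-like model for filesystem trees" on the Delta Updates slide (30) and the OSTree properties listed here (de-duplication, per-file diffs, verifiable integrity, atomic switching, cheap rollback) all follow from one idea: content addressing. The toy repository below is an added example written for this page, not OSTree's own code or data format. Every file's bytes are stored once under their SHA-256, a commit is the hash of the sorted path-to-object listing, the delta between two commits is the set of objects the device does not already have, and deployment only switches to a commit after every object it references has been re-hashed. File paths and contents are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Repo is a toy content-addressed store. Objects are file contents keyed by
// their hash (so identical content is stored once); a commit maps paths to
// object ids; Deployed is the commit the device is currently running.
type Repo struct {
	Objects  map[string][]byte
	Commits  map[string]map[string]string
	Deployed string
}

func NewRepo() *Repo {
	return &Repo{Objects: map[string][]byte{}, Commits: map[string]map[string]string{}}
}

func objectID(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Commit stores a filesystem tree and returns its id: the hash of the sorted
// listing, so identical trees always yield the same commit id.
func (r *Repo) Commit(files map[string][]byte) string {
	tree := map[string]string{}
	paths := make([]string, 0, len(files))
	for p, data := range files {
		id := objectID(data)
		r.Objects[id] = data // de-duplication happens here, across paths and commits
		tree[p] = id
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var sb strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&sb, "%s\x00%s\n", p, tree[p])
	}
	cid := objectID([]byte(sb.String()))
	r.Commits[cid] = tree
	return cid
}

// Delta lists the object ids a device on commit `from` must fetch to reach
// commit `to`: only files whose content actually changed.
func (r *Repo) Delta(from, to string) []string {
	have := map[string]bool{}
	for _, id := range r.Commits[from] {
		have[id] = true
	}
	need := map[string]bool{}
	for _, id := range r.Commits[to] {
		if !have[id] {
			need[id] = true
		}
	}
	out := make([]string, 0, len(need))
	for id := range need {
		out = append(out, id)
	}
	sort.Strings(out)
	return out
}

// Verify re-hashes every object a commit references; this is how corruption
// or tampering in the object store is caught before the tree is booted.
func (r *Repo) Verify(cid string) error {
	tree, ok := r.Commits[cid]
	if !ok {
		return errors.New("unknown commit")
	}
	for p, id := range tree {
		data, ok := r.Objects[id]
		if !ok || objectID(data) != id {
			return fmt.Errorf("object for %s is missing or corrupt", p)
		}
	}
	return nil
}

// Deploy switches the running tree to cid only after it verifies, so the
// device is never left on a half-applied update. The previous commit stays
// in the repo, which is what makes rollback a second, cheap Deploy.
func (r *Repo) Deploy(cid string) (previous string, err error) {
	if err := r.Verify(cid); err != nil {
		return r.Deployed, err
	}
	previous, r.Deployed = r.Deployed, cid
	return previous, nil
}

func main() {
	r := NewRepo()
	v1 := r.Commit(map[string][]byte{"/usr/bin/app": []byte("app v1"), "/lib/libc.so": []byte("libc")})
	v2 := r.Commit(map[string][]byte{"/usr/bin/app": []byte("app v2"), "/lib/libc.so": []byte("libc")})
	fmt.Println("objects stored:", len(r.Objects), "objects to fetch for v1->v2:", len(r.Delta(v1, v2)))
}
```

Note that Verify checks integrity, not authenticity: a content-addressed store tells the device that what it has matches what the commit listed, but only a signature over the commit id (the job of TUF/Uptane metadata in Torizon) tells it that the commit itself came from the manufacturer.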