The increasingly complex requirements of medical systems can be met with a new secure open platform: multicore hardware with hardware-assisted virtualization, running hypervisors and separation kernels.

Changing requirements in the healthcare industry are creating interesting consequences for the developers of tomorrow’s medical devices. For instance, there is a growing need for proactive healthcare providing prevention rather than cure, particularly for our aging baby-boomer population. Persistent monitoring and analysis of patients at hospitals, doctors’ offices, and even at home is the way of the future. The devices that service these needs will also be connected to the patient’s medical records. Doctors and specialists will be able to combine and analyze new information from the devices with the patient’s past history. This connected world opens up some interesting challenges with the government-regulated Health Insurance Portability and Accountability Act (HIPAA), which protects patient privacy. HIPAA appears to run counter to the openness and easy access to information that is needed to effectively monitor and analyze a patient’s progress.

To bridge these challenging issues, the government, the healthcare providers and the healthcare industry need to partner and to work with technology companies. This way we can develop new treatments and devices using advanced technologies to ensure the safety of the patient and the security of personal health information. The healthcare industry looks to advanced technologies to address a plethora of complex problems. To stay competitive, medical device manufacturers must bring products to market that address the needs of healthcare while dealing with time-to-market pressures, cost constraints and more.

Trends in Medical Devices

Medical device functionality is on a path similar to that of the consumer electronics industry. As is the case with consumer and other industries, size, weight, performance and mobility are top priorities. Many medical devices are now implemented with wireless technologies in order to extend the portability of healthcare and reduce the clutter in the healthcare facility. For example, most European hospitals have telemetry units where patients can be monitored for vital parameters through patient-worn transmitters that connect to a central station.

Healthcare providers also want to reduce the number of devices needed to adequately treat patients by combining once disparate devices. For example, all the various sensors used to monitor a patient during surgery could be wirelessly connected to a single integrated graphical display on a single workstation. This would eliminate a tangle of wires and numerous pieces of monitoring equipment. Finally, as providers move from a paper-based patient information system to a connected electronic health information world, they need to develop systems that ensure the security and privacy of patient information.

As device manufacturers move forward, they look to technology companies to provide commercial-off-the-shelf (COTS) products. These hardware platforms and integrated software solutions can offer the advanced technologies in standard and optimized form factors. This is a cost-saving measure and is a move away from proprietary systems that in the past were custom built to the specifications of the medical device manufacturer. Recently, a new COTS solution has become available that enables new highly integrated platforms to provide more processing power, lower energy consumption and the potential to dramatically reduce bill-of-material costs. Even more importantly, though, it provides the means to keep systems and data secure by using virtualization technology to create a protected environment for running operating systems (OSs) and applications.

Virtualization for Medical Device Platforms

Virtualization technology has been around for many years, mostly seen in data centers and the server world. Multiple applications are consolidated onto a single server or system to improve operational efficiencies and overall system performance.

A new generation of chip-level virtualization technology, which includes optimizations for embedded devices, can now be used to develop medical devices. Additionally, in order to meet the more stringent requirements for safety-critical applications, a new type of software virtualization solution was developed. This new software allows guest operating systems and their applications to run on top of it, in effect allowing multiple, and even dissimilar, operating systems to share a single physical hardware platform. This is achieved by adding a new software layer, called a hypervisor or virtual machine monitor, which manages the execution of guest OSs in much the same way that OSs manage the execution of applications.

Each guest operating system is assigned certain dedicated resources, such as memory, CPU time and I/O peripherals. The software isolates each virtual instance by providing hardware protection to every partition with its own virtual addressing space. This makes it possible to safely run multiple applications on a single platform by isolating them into separate partitions to prevent unintended or dangerous software interactions. Additionally, it makes it possible to easily port existing or legacy applications to a new hardware platform, since these applications can run unmodified in the new environment.

Today’s medical device systems use a single operating system, typically a real-time operating system (RTOS). However, as systems grow in complexity and feature set, developers may find advantages in using a general purpose operating system (GPOS) such as Linux or Windows for their user interface and for connectivity to medical networks. In this case, the ideal scenario would be to use both a general purpose operating system for communications with the outside world and an RTOS for real-time functions such as patient monitoring.

This could be done using virtualization to run multiple operating systems on the same physical platform. Virtualization works by abstracting the underlying processing cores, memory and devices. This is done by running virtual machines (VMs) on top of an embedded hypervisor, with each VM running its own OS and related applications. A hypervisor is a software layer that either resides directly on the hardware (type 1 hypervisor) or is hosted on top of a conventional operating system running on the hardware platform (type 2). A secure virtualization platform is one that combines a type 1 hypervisor with a small separation kernel to provide secure isolation of the virtual machines and offer real-time performance and determinism when required.

The Wireless Patient

Let’s look at a practical application of this technology. When monitoring vital signs such as EKG and blood oxygenation during a patient’s hospital stay, numerous sensors must be attached to the body. Frequently this results in an awkward and uncomfortable tangle of wires. To help untether patients, the wires could be eliminated by using Bluetooth wireless biometric sensors. These sensors could then communicate their data to a single workstation. Within that workstation would be a virtualized environment running one or multiple virtual machines dedicated to the real-time monitoring and analysis of the patient. The heart rate sensor would report its data in one VM while the blood oxygenation sensor would connect to another VM, and so on.

Figure 1: The ability to run different operating systems in secure partitions ensures that data transfers from one subsystem to another are done in a controlled way and a controlled direction. It also prevents intrusions or malfunctions of the user interface or the network from jeopardizing the security of the patient-critical applications.

Each of these VMs would run either an RTOS or a GPOS like Linux, with real-time scheduling and determinism guaranteed by the underlying separation kernel. The information from all of the patient sensors could then be graphically portrayed for visual monitoring in a familiar Windows environment running in another VM. And all of them could run on the same workstation. The same Windows VM might also be used to connect to local storage of patient data, or possibly to the hospital network. The use of dedicated virtual machines means that the monitoring and analysis subsystem cannot be seen or compromised. Whatever occurs with the user interface or the network will not jeopardize the security or performance of the patient monitoring system. The data transfers from one subsystem to another are done in a controlled way and a controlled direction (Figure 1).
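The partitioning rules described above (dedicated memory and I/O per partition, and data moving only in a controlled direction) can be checked at design time. The following is an added example, not code from the article or from any product it names: the `Partition` model, the `audit` function, the sample layouts and the policy that no flow may enter a patient-monitoring partition from a non-critical one are all assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Partition:
    name: str
    mem_start: int        # base of the partition's physical memory window
    mem_size: int         # window length in bytes
    devices: frozenset    # I/O peripherals dedicated to this partition
    critical: bool        # True for patient-monitoring partitions

def audit(partitions, flows):
    """Return findings; an empty list means the layout keeps the isolation
    and flow-direction properties described in the text."""
    findings = []
    by_name = {p.name: p for p in partitions}
    for a, b in combinations(partitions, 2):
        # Half-open windows [start, start+size) must not intersect.
        if a.mem_start < b.mem_start + b.mem_size and b.mem_start < a.mem_start + a.mem_size:
            findings.append(f"memory overlap: {a.name}/{b.name}")
        for dev in sorted(a.devices & b.devices):
            findings.append(f"device {dev} shared: {a.name}/{b.name}")
    for src, dst in flows:
        if src not in by_name or dst not in by_name:
            findings.append(f"unknown partition in flow: {src}->{dst}")
        elif by_name[dst].critical and not by_name[src].critical:
            # Assumed policy: data leaves monitoring partitions, never enters
            # them from the GUI/network side.
            findings.append(f"flow into critical partition: {src}->{dst}")
    return findings

MiB = 1 << 20
# Constructed layouts (all names, addresses and devices are made up).
GOOD = [
    Partition("heart_rate", 0 * MiB, 64 * MiB, frozenset({"bt0"}), True),
    Partition("spo2", 64 * MiB, 64 * MiB, frozenset({"bt1"}), True),
    Partition("windows_gui", 128 * MiB, 512 * MiB, frozenset({"gpu", "nic"}), False),
]
GOOD_FLOWS = [("heart_rate", "windows_gui"), ("spo2", "windows_gui")]

BAD = [
    GOOD[0],
    Partition("spo2", 32 * MiB, 64 * MiB, frozenset({"bt0"}), True),
    GOOD[2],
]
BAD_FLOWS = GOOD_FLOWS + [("windows_gui", "heart_rate")]

if __name__ == "__main__":
    print(audit(GOOD, GOOD_FLOWS))
    for finding in audit(BAD, BAD_FLOWS):
        print(finding)
```

Running such a check over the partition layout before deployment catches configuration mistakes that would silently weaken the isolation the hypervisor is meant to enforce.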

Software virtualization platforms are available for both single-core and multicore architectures. These platforms can take advantage of the hardware-assisted virtualization available on modern Intel processor architectures for increased performance and security. The latest iterations of this platform, such as the LynxSecure 4.0 product from LynuxWorks, can support both asymmetric multiprocessing (ASMP) and symmetric multiprocessing (SMP) virtualized (or guest) OSs, offering optimized system performance.

To show how these technologies can be used, LynuxWorks and Portwell, Inc. teamed up to create a proof-of-concept (PoC) wireless sensor platform for hospitals based on Intel technology, very much like the example above. The platform uses the Portwell WADE-8067, an Intel Core2 Duo processor-based Mini-ITX board. Running on the board, LynxSecure from LynuxWorks provides state-of-the-art software virtualization technology that makes it possible to securely run both a Linux operating system and an unmodified Windows operating system in parallel on the platform (Figure 2). The solution can connect more than 25 wireless biometric sensors and supports rich graphics display. Equally important, it leverages hardware-assisted Intel Virtualization Technology (Intel VT) to isolate and partition two different operating systems with their data and resources, and controls information flow between these partitions to ensure data integrity.

Figure 2: The LynxSecure hypervisor and separation kernel, running on the Intel Core2 Duo and supported by Intel hardware-assisted virtualization technology, provide a multicore foundation for adding security to legacy systems and securely reusing legacy Windows and Linux applications alongside real-time systems.

The PoC demonstrates a means whereby medical equipment manufacturers can quickly port legacy wired sensor applications to a new wireless multicore platform. The Windows operating system, for example, is used to provide the environment for graphical user interfaces (GUI) and other open applications.

The new virtualization technology offers medical device manufacturers a platform to safely and securely meet the complex requirements of the healthcare industry. Virtualization increases reliability by allowing developers to run safety-critical code in safe, virtualized execution environments that isolate different workloads and prevent them from interfering with one another. It improves data security and system integrity because the hypervisor adds a layer of protection by controlling memory boundaries and preventing an application (e.g., rogue software) from accessing the data regions of other applications. Virtualization enables reuse of legacy applications with little or no porting effort because applications can run on their native OS. By using a COTS solution, manufacturers can start with a proven design that lowers development risk and shortens time-to-market.

Intel
Santa Clara, CA.
(408) 765-8080.
[www.intel.com].

LynuxWorks
San Jose, CA.
(408) 979-3900.
[www.lynuxworks.com].

Portwell
Fremont, CA.
(510) 403-3399.
[www.portwell.com].