Amar Parmar

1. How does medical device software development need to improve to meet today’s challenges?

Software is becoming more important in the development and operation of medical devices. The healthcare and medical device segment is experiencing rapid innovation and a quickly changing environment. Medical device software architecture needs to include data connectivity, quick software updates to cover security vulnerabilities, quick turnaround time (TAT) DevOps, and an upgrade path to allow for long life cycles.

2. How are the latest FDA recommendations (i.e. 60-day updates for security vulnerabilities), affecting medical device companies?

Both fielded equipment and new equipment must improve upon today’s manual update model, which involves USB sticks. To meet the 60-day update recommendation, medical device companies will need to use network communication to provide device management and remote software updates. Such solutions need to be precisely controlled, both from a technology and process standpoint.

Additionally, there are the dual challenges of managing new development and managing brownfield devices in the field. Software technologies such as virtualization and containerization can bring modern software solutions to medical devices.

For virtualization, Wind River Helix Virtualization Platform allows running both legacy applications and new applications at the same time, without the need for drastically changing legacy code. Each application runs in a virtual machine (VM), which is partitioned and separated from other VMs. This mechanism protects safety and security applications from interference by other applications on the device.

For containerization, Wind River Linux provides flexible and easy methods for allowing application containers to be added, removed, updated, and run on medical devices.

Wind River is bringing the power of these modern development concepts to embedded devices.

3. Security vulnerabilities can be a matter of life or death for medical devices, how is this best addressed?

All new developments should undergo a thorough security assessment and the product development should account for security at four stages of the device lifecycle: design, execution, operation, and end of life to ensure maximum protection.

Older devices in the field should be revisited from both a software and hardware security perspective. A holistic security approach, which covers products, processes, tools and technologies needs to be considered by medical device companies.

4. What changes are happening to the medical device development process?

As software has become a key and critical component of the new generation of medical devices, it is changing the way that medical device companies are looking at the development process and their business model. Medical device companies are beginning to focus their expertise on the innovation and functionality of their medical devices and separating out the underlying software components, like the operating system and libraries, to outside vendors. This allows them to redirect non-core software development, user interface, communication functions, etc to third party software experts.

5. How can a company get started to assess the security of their medical device products?

We first recommend that you perform a cyber threat assessment, like this quick 10-question one from Wind River The report from this assessment can provide a starting point that can then be built upon, either through internal or external resources.

For more information: