Steven D. Baker

Medical-Grade, Mission-Critical Wireless Networks [Designing an Enterprise Mobility Solution in the Healthcare Environment]

Todays healthcare environment requires an enterprise mobility solution for both patients and staff. Separate isolated networks are suboptimal from cost, management, scalability, and reliability perspectives. The wireless medical telemetry system (WMTS) does not provide sufficient bandwidth for many hospitals. Therefore, some seek to operate outside of the WMTS. Standards-based 802.11 networks with published reliability tenfold higher than conventional telemetry already meet the requirements for supporting life-critical applications. These 802.11 networks are easily supported on an enterprise scale, and they have advanced and matured to meet the needs for life-critical applications on an enterprise-wide shared network. To achieve peak performance, any network must be properly designed, installed, and validated for its intended use. To maintain peak performance, the network must be actively monitored and managed.

A Wireless ECG Smart Sensor for Broad Application in Life Threatening Event Detection

A single channel wireless, wearable ECG smart sensor has been developed for long-term monitoring of patients at risk of life-threatening cardiac arrhythmias. The battery-operated sensor can be applied in virtually any orientation on the upper left quadrant of the chest, and monitors patient health continuously for up to three days. An embedded microcontroller calculates heart rate and monitors the ECG signal for life-threatening arrhythmias, which are transmitted wirelessly to a central server and relayed to a respondent device. Tests on human subjects demonstrated signal amplitude from the closely-spaced smart sensor electrodes to be one-half that of the best vector from traditional limb lead placement. Tests with motion and muscle artifact showed superior noise immunity by the smart sensor as compared to a state-of-the-art telemetry monitor.

Performance measures of ISM-band and conventional telemetry

The primary goal of this study is to quantify the communications reliability of telemetry systems using ISM-band two-way communications technology and contrast it to that of VHF/UHF-based systems from an empirical and clinical perspective. The principal criterion variable of communications reliability was total dropout proportion: the percentage of wireless patient monitoring time attributable to a loss of patient signal. Data from 17 institutions across the United States were included in this research. The data from this study were also used to explore potential relationships between communications reliability and various institutional factors. The institutional variables evaluated for possible adverse impact on ISM-band communications reliability included wireless coverage area, the number of telemetry transmitters supported, institutional experience with the product, gross institution size, and the number of telemetry systems within each hospital. The frequency-hopping communication technology utilized by the ISM-band products was not adversely affected by coexisting ISM-band devices. Institutions with shared ISM-band environments demonstrated a better - but statistically insignificant - performance difference both in terms of total dropout proportion and mean time between dropouts. Analysis showed no adverse affect on the communications reliability of ISM-band systems as a function of the number of telemetry transmitters supported, institution size, number of ISM-band telemetry systems within an institution, coverage area, or institutional experience with the system. In contrast, VHF/UHF installations showed statistically significant adverse impact on dropout proportion from two sources: the more transmitters supported, or the greater the coverage area, the higher the dropout proportion. The results from regression analysis at the institution-level should be interpreted cautiously since the statistical power was limited by the number of hospitals in the sample.

Security and safety for medical devices and hospitals.

Overview In healthcare, security is often equated with compliance with the Health Insurance Portability and Accountability Act (HIPAA). Many believe that HIPAA compliance is all that is needed. This assumption is grossly inaccurate: Encryption of sensitive information is one part of a much larger picture. Medical device companies want to be sure to manufacture products that allow a hospital to be HIPAA compliant, while often using the least expensive parts possible to remain price competitive. The minimum HIPAA requirement is, “A covered entity must, in accordance with §164.306... implement a mechanism to encrypt and decrypt electronic protected health information.” Unfortunately, the simple encryption available in the cheapest wireless solutions is not enough to safeguard medical devices, patient data, and the enterprise network. Wired Equivalent Privacy (WEP) and preshared keys (PSKs) used in Wi-Fi Protected Access (WPA/WPA2) can be compromised in a matter of seconds! Some medical devices use proprietary modulation schemes and protocols, but time and again we’ve seen that security through obscurity is never effective. It is far better to use solutions that are tried and tested by researchers (hackers on the good side of the law), such as the Advanced Encryption Standard (AES) algorithm in 802.11 that also meets the encryptions requirements for the stringent Federal Information Processing Standard (FIPS) 140-2 compliance. The software that runs medical devices and the networks that support them impact quality of care and patient safety. Software quality and the process of hardening medical device systems is important for all devices, be they implantable pacemakers, surgical robots, large machines delivering precise doses of life-saving radiation, or the electronic health records systems that must safeguard protected health information (PHI) and the integrity of data that is used for clinical decision-making. Networks are required to support a myriad of wired and wireless, medical, and personal devices. This network support permits improvements in medical device capabilities and improves ease-of-use, but it adds complexity and risks. Software, devices, and networks can fail accidentally or intentionally. Equipment that fails accidentally is not sufficiently robust, while equipment that fails when deliberately attacked is not sufficiently secure. The consequences attributed to equipment that is not robust and secure range from inconvenience to morbidity to mortality. The software on a medical device must be hardened to make it robust and secure. Software that is not specifically hardened during its development is far more likely to fail when exposed About the Authors

Fuzzing: A Solution Chosen by the FDA to Investigate Detection of Software Vulnerabilities

What is Fuzz Testing? Fuzz testing is a type of negative software testing. In contrast to positive software testing, during which one tests whether the software is behaving as it should, negative testing seeks to check whether the software doesn’t behave the way it’s not supposed to. Fuzz testing typically applies test vectors that are almost correct, such as an invalid packet-length field in an otherwise perfectly-formed IP packet. This method could be compared with someone telling a story that has enough valid facts to make it believable but also contains a few parts that are incorrect. The listener hears and accepts the entire story (or data packet) without questioning it. In fuzz testing, the “test” is to see if these almost-correct packets cause the device to behave unacceptably. To learn about applying fuzz testing and features of a good fuzzer, please refer to the article by Knudsen1 on page 48 of this issue of Horizons.