Case Study

Infection control company collaborates with Timesys to bring medical product to market with 70% cost savings

From board bringup to troubleshooting to lifecycle maintenance, Timesys experts supported each step

Let’s talk about something that’s been on everyone’s mind for the last year: disinfection. We’ve spent the last 12 months wiping surfaces, using hand sanitizer, and washing our hands raw, all to try to keep COVID-19 at bay. We expect any storefront or office we enter to follow strict sanitation guidelines, and this is especially true for medical appointments.

Enter our customer, an infection control specialist company focused on medical device sterilization. You know those medical instruments used during your checkup? They all need to be thoroughly disinfected after every use. So our client has developed a suite of products for washing, sterilizing, disinfecting and reprocessing medical instruments.

Moving to Linux and getting a secure product to market quickly

Our customer was ready to start their path to market for a new embedded product, a device for sterilizing instruments.

They experienced an unexpectedly high development effort on their platform, and knew they needed to move to Linux, but the engineering team wasn’t experienced in this area. They made the decision to move to the Toradex Colibri computer system featuring an NXP i.MX6 processor and vendor-provided Linux BSP.

Challenge #1: high development effort on current platform necessitates move to Linux

But making the move to Linux comes with a host of additional tasks — board bringup, managing platform updates, and meeting the latest security standards and compliance requirements for managing open source software vulnerabilities.

So they came to Timesys for our expertise in securing embedded Linux systems. Timesys enabled high assurance boot (HAB) on their board, secured the Linux kernel and root filesystem for a complete software chain of trust, and added a secure firmware update capability. According to our customer, Timesys was able to “do in 8 hours what would take our team two weeks.”

A few months later, they were ready to manufacture their first batch of production/PVT boards and ran into another issue. While testing the final version of their hardware, they were seeing a failure to boot to Linux, and they had eliminated any potential hardware issues. They were in a time crunch and needed someone familiar with their system to step in and troubleshoot. Luckily, Timesys’ experienced engineers were able to swiftly look at the source trees and found a configuration issue. One tweak, and our client was up and running again.

Challenge #2: found a bug while testing the final version of hardware

Fast forward 12 months, and after an intense year of application development and associated verification and validation, our customer was just about ready for market. Now, they needed someone to keep their underlying Linux OS updated and manage the security of their device software throughout its product lifecycle.

Challenge #3: need to keep Linux OS updated and manage security throughout product lifecycle

Keeping the software updated and secure

Our customer was so pleased with the initial work Timesys did that they came back to us for this critically important next step. Because their product is connected to a medical network, it is absolutely essential that it be protected.

They signed up for Timesys’ BSP Lifecycle Maintenance to maintain their Linux OS and BSP, knowing that Timesys performs maintenance in a way that rarely requires changes to the client’s application, and that they’d have the tools they needed for security monitoring.

We provided them with a full array of security and maintenance solutions, including: a private Git repository for the client’s Linux BSP source code, an initial software vulnerability report, one Linux BSP Maintenance Release per year, minor Linux kernel version updates for their board, integration of a meta-timesys-security layer into their custom Yocto to support root filesystem CVE fixes, RFS updates or patches, and documentation for deploying, running, rebuilding, and testing the delivered software.

This is all bundled with Vigiles Prime, a software composition analysis tool for generating on-demand reports of security vulnerabilities present in your Linux BSP. It allows users to assess the level of threat based on vulnerabilities in their specific deployed device with automated monthly security notifications.

Our initial software vulnerability report found 557 vulnerabilities: 63 critical, 227 high severity, 230 medium severity, and 21 low severity. This provides our client with the information they need to identify the most pressing vulnerabilities and take action where needed without wasting time chasing vulnerability ghosts.

The BSP Lifecycle Maintenance package also includes an emergency critical fix in the case of a catastrophic security event. Remember the Spectre/Meltdown zero-day exploit? In an event like that, Timesys can integrate an available fix and provide an emergency Linux BSP release.

And finally, Timesys’ BSP Lifecycle Maintenance helps them meet the FDA Guidance for Postmarket Management of Cybersecurity and software lifecycle processes.

Reaping the rewards

Our customer rests easy knowing that they have the premier embedded Linux experts maintaining their Linux operating system, with an advanced system that checks for vulnerabilities and allows the user to take action before a security event occurs.

Even better, our customer doesn’t need to worry about any changes in personnel affecting their product. Timesys worked with multiple engineering teams over the course of two years without any interruption in service. Timesys’ years of expertise mean that we can come in at any point during a project and bring it quickly to completion with extremely high-quality work, and keep things running smoothly while your team focuses on new features and new products.

The average engineering team shipping a Linux-based product spends $96,000/year checking for vulnerabilities and maintaining their version of the operating system. So the best news for our customer is that, rather than spending man-months of their own engineering time doing this work themselves, they were able to achieve improved results at a fraction of this cost by partnering with Timesys.

That means our customer can focus on what they do best: building the disinfecting devices that keep our world safe.
