Case Study

Timesys’ security and BSP lifecycle maintenance expertise enables medical device manufacturer to maintain strong product security throughout deployment

The Challenge

A leading medical device manufacturer (MDM) was faced with the constant challenge of keeping its device software up-to-date and secure throughout the product lifecycle.

As well as addressing software updates and bug fixes, the company has to meet federal quality system regulations (QSRs) that apply to medical devices, requiring it to address all risks, including cybersecurity. In addition, the MDM’s health care customers face strict information security requirements. So the company must respond rapidly and efficiently when vulnerabilities affecting its product BSPs are identified and might put its customers at risk.

The MDM had multiple devices featuring an NXP i.MX 6 series-processor-based Advantech Qseven module and was built with an Advantech Yocto Linux BSP.

To keep its product line updated, in-sync and secure, the manufacturer’s engineering team previously used a largely manual, time-intensive process. The team would apply software package updates and continuously monitor and analyze and assess the severity of vulnerabilities affecting any of the software components used in its devices. As part of the mitigation process, the team would monitor the availability of patches and updates, and then locate and apply the fixes.

However, the MDM wanted to dedicate its engineering resources to developing its next-generation products and needed to find an engineering team with embedded Linux software and security expertise to provide the managed BSP maintenance the company required.

The MDM engaged with Timesys to leverage Timesys’ expertise in embedded software security and Linux BSP development and maintenance.

The Solution

To efficiently maintain the MDM’s BSPs, Timesys first developed a common software platform so security updates could be applied to all medical devices. Then, to keep its devices updated and secure, Timesys:

Set up a collaborative infrastructure that included:

  • A shared GIT repository to establish repeatable automated build & test infrastructure with shared source control
  • A test framework and baseline test reports
  • Updated packages, initial baseline security scan and security audit/assessment and recommendations
  • Agreed upon BSP update cadence for applying security and package updates

Provided Security Vulnerability Monitoring and Management that included:

  • Continuous CVE monitoring of vulnerabilities and security issues with Timesys Vigiles® Vulnerability Management Suite
  • An initial review and assessment of all security vulnerabilities and anomalies, along with relevant patches/updates
  • Notification of critical vulnerability issues, with vulnerability and anomaly reports and reviews on a monthly basis
  • Reviewing monthly reports with the MDM for applicability
  • Maintaining a GIT branch that incorporated the agreed upon patches and updates

Provided major upgrade deliverables, including:

  • Summary reports that included release date, hardware version information, change log and versioning for all software modules, feature changes since last release, test report and security audit reports
  • Test binaries, source code, work orders and recipes, change log, drivers BOM, Software Bill of Materials (SBOM), license manifest, and test reports

The Benefits

Timesys provided the security and BSP maintenance expertise required to keep the medical device manufacturer’s product line updated, in sync, and secure during deployment. By engaging with Timesys for BSP Lifecycle Maintenance which included Vigiles for vulnerability monitoring and management, the MDM was able to streamline compliance with the FDA’s cybersecurity guidance for medical devices. And it was able to dedicate its resources to developing its state-of-the-art applications while Timesys focused on maintaining the security posture of the company’s product line.

Have a project you’d like to discuss?

Start The Conversation

Stop worrying about how you are going to find the engineering time and in-house expertise to give your product the professional architecture and security attention it needs.