CN-116232705-B - Interface proxy device for network security

Abstract

A system for providing network protection to a medical device in a medical environment includes a medical device comprising a plurality of software services, a back-end server configured to maintain software updates and provide them to the medical device, and an interface agent box connected to the medical device and in communication with the back-end server. The interface agent box is configured to determine the plurality of software services residing on the medical device, to install on the interface agent box the software services determined to reside on the medical device, and to configure the installed software services to match the plurality of software services residing on the medical device. The interface agent box is configured to periodically communicate with the back-end server and to receive and apply security updates to the software services installed and configured on the interface agent box. The medical device is configured to utilize the updated software library on the interface agent box.

Inventors

  • R. E. Sarin
  • A. Morcello Montejo

Assignees

  • 豪夫迈·罗氏有限公司

Dates

Publication Date
2026-05-12
Application Date
2020-05-28
Priority Date
2019-05-29

Claims (10)

  1. A system (5 a, 6 a) for providing network protection to medical devices (5 b, 6 b) in a medical environment, the system (5 a, 6 a) comprising: a medical device (5 b, 6 b) comprising a plurality of software services (10); a backend server (1) configured to maintain a software update for the software service (10) and to provide the software update to the medical device (5 b, 6 b), wherein the software update is used to update a software library and a software package of the software service installed on the interface agent box; and an interface agent box (7) connected to the medical device (5 b, 6 b) and in communication with the backend server (1), wherein the interface agent box (7) is configured to determine the plurality of software services (10) residing on the medical device (5 b, 6 b), install a software library (2 a-f) on the interface agent box (7), the software library (2 a-f) being associated with the plurality of software services (10) determined to reside on the medical device (5 b, 6 b), and configure the installed software library (2 a-f) to mirror the plurality of software services (10) residing on the medical device (5 b, 6 b), wherein the interface agent box (7) is configured to periodically communicate with the backend server (1), receive the software update for the software service (10) and apply the software update to the plurality of software libraries (2 a-f) installed and configured on the interface agent box (7), and wherein the medical device (5 b, 6 b) is configured to utilize the software library (2 a-f) on the interface agent box (7).
  2. The system (5 a, 6 a) according to claim 1, wherein the interface agent box (7) is internally connected to the medical device (5 b, 6 b).
  3. The system (5 a, 6 a) according to claim 1 or 2, wherein the interface agent box (7) is externally connected to the medical device (5 b, 6 b).
  4. The system (5 a, 6 a) according to claim 3, wherein the interface agent box (7) is externally connected to the medical device (5 b, 6 b) via a wireless and/or wired connection (9).
  5. The system (5 a, 6 a) according to claim 1 or 2, further comprising: an input device connected to the interface agent box (7), wherein the interface agent box (7) is configured to analyze input from the input device before sending the input to the medical device (5 b, 6 b).
  6. The system (5 a, 6 a) according to claim 5, wherein the input device is a bar code scanner, an RFID receiver, a keyboard, a touch screen or a combination of the above.
  7. The interface agent box (7) comprised in the system of claim 1, the interface agent box (7) comprising: a medical device interface configured to communicate with a medical device (5 b, 6 b), wherein the interface agent box (7) is configured to have a software library (2 a-f) installed and configured on the interface agent box (7), the software library (2 a-f) mirroring a software service (10) residing on the medical device (5 b, 6 b); and a back-end server interface configured to communicate with the back-end server (1) periodically, wherein the back-end server (1) communicates software service updates for the software libraries (2 a-f) installed on the interface agent box (7) via the back-end server interface, wherein the interface agent box (7) is configured to apply the software service updates to the software libraries (2 a-f) installed and configured on the interface agent box (7), and wherein the medical devices (5 b, 6 b) utilize the updated software libraries (2 a-f) installed on the interface agent box (7).
  8. The interface agent box of claim 7, wherein the interface agent box (7) is reusable.
  9. The interface agent box according to claim 7 or 8, wherein the software service (10) comprises a software library (2 a-f) for the medical device (5 b, 6 b).
  10. The interface agent box of claim 7 or 8, further comprising a virus scanner.
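The claims above describe a procedure (inventory the device's services, mirror only those onto the agent box, periodically pull updates from the back-end server and patch the mirrored libraries, and screen input-device data before it reaches the device). The following is an added illustration written for this page, not code from the patent, its inventors or its assignee. The service names, version numbers, the update feed and the barcode screening rule are all constructed assumptions; the point it makes is that the box patches centrally while refusing to install services the device does not need, which is the surface-minimisation argument the description makes against a generic "security box".

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Service:
    """A software service as found on the medical device (name plus installed version)."""
    name: str
    version: str


# Constructed sample data: the services an inventory of the device would report.
DEVICE_SERVICES = (
    Service("dicom-listener", "1.4.0"),
    Service("hl7-gateway", "2.1.3"),
    Service("web-console", "3.0.1"),
)

# Constructed sample data: the back-end server's update feed. Each entry names
# the patched version and the versions known to be affected. "ftp-server" is
# deliberately NOT on the device above, so the box must not install it.
BACKEND_UPDATES: Dict[str, Dict[str, Any]] = {
    "dicom-listener": {"patched": "1.4.1", "affected": {"1.4.0"}},
    "hl7-gateway": {"patched": "2.2.0", "affected": {"2.1.0", "2.1.3"}},
    "ftp-server": {"patched": "9.9.9", "affected": {"1.0.0"}},
}

# Hypothetical screening rule for the input devices of claims 5 and 6: a barcode
# or RFID sample identifier is expected to be short and from a fixed alphabet.
BARCODE_PATTERN = re.compile(r"[A-Z0-9-]{1,32}")


class InterfaceAgentBox:
    """Hypothetical model of the interface agent box of claims 1 and 7."""

    def __init__(self) -> None:
        # name -> version of each mirrored library installed on the box
        self.libraries: Dict[str, str] = {}

    def mirror(self, device_services) -> Dict[str, str]:
        """Install and configure libraries that mirror the services found on
        the device, and nothing else: the box carries only what the device needs."""
        for svc in device_services:
            self.libraries[svc.name] = svc.version
        return dict(self.libraries)

    def apply_updates(self, feed) -> Tuple[List[Tuple[str, str, str]], List[str]]:
        """One periodic sync with the back-end server. Returns the updates applied
        as (name, old, new) and the feed entries skipped because the box does not
        mirror that service."""
        applied: List[Tuple[str, str, str]] = []
        skipped: List[str] = []
        for name, upd in feed.items():
            if name not in self.libraries:
                skipped.append(name)  # never widen the box's own attack surface
                continue
            current = self.libraries[name]
            if current in upd["affected"]:
                self.libraries[name] = upd["patched"]
                applied.append((name, current, upd["patched"]))
        return applied, skipped

    def still_affected(self, feed) -> Set[str]:
        """Mirrored libraries whose installed version is still listed as affected."""
        return {
            name for name, ver in self.libraries.items()
            if name in feed and ver in feed[name]["affected"]
        }

    def screen_input(self, raw: str) -> Optional[str]:
        """Analyze input from an attached scanner/keyboard before it reaches the
        device (claim 5); return it unchanged if well-formed, otherwise None."""
        return raw if BARCODE_PATTERN.fullmatch(raw) else None


if __name__ == "__main__":
    box = InterfaceAgentBox()
    print("mirrored:", box.mirror(DEVICE_SERVICES))
    print("affected before sync:", sorted(box.still_affected(BACKEND_UPDATES)))
    applied, skipped = box.apply_updates(BACKEND_UPDATES)
    print("applied:", applied, "skipped:", skipped)
    print("affected after sync:", sorted(box.still_affected(BACKEND_UPDATES)))
    print("input SAMPLE-00123 ->", box.screen_input("SAMPLE-00123"))
    print("input SAMPLE;001 ->", box.screen_input("SAMPLE;001"))
```

Running the script shows two mirrored libraries patched in one sync, the unmirrored `ftp-server` entry ignored, and the malformed scanner input rejected before forwarding; the device itself is never touched, which is the "no individual software release" property the description argues for.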

Description

Interface proxy device for network security

The present application is a divisional application of the application with application number 202010466773.4 and title 'Interface proxy device for network security', filed on 28 May 2020.

Technical Field

The present disclosure relates generally to network security for medical devices, and more particularly to deploying fast network security updates for medical devices.

Background

Medical devices are often faced with stringent and ongoing requirements regarding the network security of the device. As medical devices tend to acquire an increasing number of network interfaces and an increasing number of off-the-shelf software (OTSS) components, a timely response can be a significant challenge, since all of these can introduce vulnerabilities into the medical device. Currently, if a vulnerability such as WannaCry is found, each business unit of the company and the company's network security department need to determine whether any business unit has been affected and, if so, immediately define how the problem is to be solved. This is very expensive: for example, a single such network vulnerability patch can require a large amount of money (such as one million CHF), and a typical network vulnerability patch cycle is slow and may take about 6-12 months, which does not conform to the 30-day schedule set by the FDA.

One of the most serious problems may be related to vulnerabilities in the libraries exposed by remote services. Repairing these service problems may require patches to the affected library, which is typically part of the medical device software, triggering a complete software release. By segregating/mirroring these services into a separate interface agent shared by all of the company's medical devices, vulnerable libraries can be patched for all medical devices at once in the separate interface agent box, without triggering individual software updates.

Leaving a vulnerable library on the medical device may be acceptable because the library sits behind the patched and secured separate interface agent box proposed here. Prior art document US patent 9,485,218 discloses a protection device for preventing, detecting and responding to security threats. However, the prior art does not address the problem of quick patching to meet requirements such as the FDA's repair time requirements. Nor does the prior art take into account the differences between the underlying products it attempts to protect, so as to accommodate the services each product provides. Instead, the prior art proposes a solution in which patching is either done for multiple instances or deployed as a generic product without product-specific enhancements. According to the concepts proposed in the prior art, a "security box" would either need to be customized for each specific product or contain too many services that are not necessarily needed for the specific product, thereby reducing the security of the underlying device in question.

Disclosure of Invention

A solution is provided to explicitly monitor all interfaces of a medical device and create a unified network security solution over a generic interface that is easy to update and/or patch, thereby improving the network security of the medical device. The present invention relates to a system for providing network protection for medical devices in a medical environment. The system includes a medical device comprising a plurality of software services, a back-end server configured to maintain and provide software updates to the medical device, and an interface agent box connected to the medical device and in communication with the back-end server. The interface agent box is configured to determine the plurality of software services residing on the medical device. The interface agent box is configured to install on the interface agent box the software services that are determined to reside on the medical device, and to configure the installed software services to match the plurality of software services residing on the medical device. The interface agent box is configured to periodically communicate with the back-end server and to receive and apply security updates to the software services installed and configured on the interface agent box. The medical device is configured to utilize the updated software services on the interface agent box.

The invention provides an inventive technical solution to the FDA's requirement of a quick response to security problems and vulnerabilities in medical equipment. The interface agent box represents a security measure in that it may provide a level of network security for the underlying medical device. The present invention provides an automated, medical-device-specific setup that enables the imaging and installation of the specific software services of a medical device on an interface agent box, on which the libraries and software packages can be quickly updated to ensure minimal (and thus enhanc