Mobile-Side BLE Connectivity for Medical Devices: Webinar

Randy Horton
Bluetooth Low Energy for Connected Medical Devices Webinar

Medical device developers, manufacturers and R&D groups have experience implementing Bluetooth Low Energy (BLE) on the firmware side, where everything is under your control. But architecting BLE for the mobile side, where control rests firmly in the smartphone’s OS, is far more challenging. To arrive at the right solutions, you need an understanding of the inherent complexities of mobile BLE connectivity.

On May 24th, 2023, Orthogonal and MedSec kickstarted our joint Bluetooth Low Energy Webinar Series with a webinar crash course on BLE for connected medical devices. This discussion featured insights from Bernhard Kappe, Orthogonal’s CEO and Founder, Jim Hewitt, Senior Technical Architect at Orthogonal, Buddy Smith, Director of Technical Consulting at MedSec, and Jim Keller, VP of Marketing and Business Development at MedSec. It was moderated by Randy Horton, Chief Solutions Officer at Orthogonal.

Key Takeaway Points

1. Bluetooth comes with significant advantages and challenges

    • Smartphones are everywhere. It makes sense to connect consumer devices and medical devices through Bluetooth to create powerful, convenient and engaging digital health products.
    • But in doing so, you give up full control over your device and enter a space where you have to accommodate thousands of device profiles, frequent updates that are beyond your control, and operating systems that deprioritize your app when it’s running in the background.
    • Any time you have a connected system, you have cybersecurity concerns. With a Bluetooth-enabled device, you have to deal with Bluetooth-specific security concerns as well as the general security concerns of an internet-connected system, because the smartphone is connected to the internet.
    • These challenges are surmountable with a comprehensive and informed approach to device design, testing and managing cybersecurity risk.

2. How to approach Bluetooth security

    • Since Bluetooth is a feature common to many devices, your app shares bandwidth with any other application that’s on a bonded device. This introduces additional attack vectors and surfaces that you need to mitigate.
    • A risk-based approach lets the overall functions of the device inform the level of risk classification as well as the depth and breadth of testing. An active implantable device has much higher security concerns than a pulse oximeter, for example.
    • Device pairing and bonding can take more secure forms than the default mode that we’re familiar with from consumer electronics: app-level encryption, long-term passkeys, out-of-band pairing with NFC and cryptography, for example.
    • The FDA[1] emphasizes the need for devices to continue operating safely even if security controls are compromised. There are multiple valid approaches to incorporating cybersecurity risk management within the device product lifecycle. One option is to separate security risk, penetration testing and threat modeling from safety and clinical risk. Another is to address patient risk and cybersecurity risk management together.

3. Managing background communication

    • When an app is running in the background – i.e., it’s not actively displayed on a user’s screen – both Android and iOS deprioritize its Bluetooth connection. That presents a challenge to developers because it turns off the means for periodic data retrieval.
    • A common misperception in the connected medical device community is that the peripheral device can awaken the app from a background state, but this is a characteristic of Bluetooth Classic, not BLE. One common approach to this, using push notifications from a cloud database to tell the smartphone to wake up the app, is problematic because it introduces additional risks and edge cases that aren’t worth taking on – as well as the risk that an OS update can break this feature.
    • The best practice approach is to program in scheduled wake-ups that instruct the operating system to launch the app at specific times. You can schedule these wake-ups as frequently as needed.

4. Tools you will want in your Bluetooth development toolkit

    • Sniffer devices that provide tooling for capturing data over the air.
    • Integrated development environments for building out mobile applications that display data captured from the device.
    • SDKs from Bluetooth chip manufacturers to debug on the firmware/device side.
    • Peripheral and central device simulators that you can use to exercise the scenarios you want to debug or test for.
    • Faraday boxes to simulate signal interference.
    • Access to an FCC-certified lab for testing signal interference and data transmission.

Speakers

Bernhard Kappe, CEO and Founder, Orthogonal

Bernhard Kappe is the Founder and CEO of Orthogonal. For over a decade, Bernhard has provided thought leadership and innovation in the fields of Software as a Medical Device (SaMD), Digital Therapeutics (DTx) and connected medical device systems. As a leader in the MedTech industry, Bernhard has a passion for launching successful medical device software that makes a difference for providers and patients, as well as helping companies deliver more from their innovation pipelines. He’s the author of the eBook Agile in an FDA Regulated Environment and a co-author of the AAMI Consensus Report on cloud computing for medical devices. Bernhard was the founder of the Chicago Product Management Association (ChiPMA) and the Chicago Lean Startup Challenge. He earned a Bachelor’s and Master’s in Mathematics from the University of Pennsylvania, and a Bachelor’s of Science and Economics from the Wharton School of Business.

Jim Hewitt, Senior Technical Architect, Orthogonal

Jim Hewitt provides deep expertise in software, firmware, data architecture, and development in health informatics and medical device projects for Orthogonal. He brings over 35 years of experience as a senior technical architect focusing on team and project success in a variety of industries. In addition, he has established himself as a leading expert on Bluetooth technologies.

Buddy Smith, Director of Technical Consulting, MedSec

Buddy Smith is a security engineer focused on protecting electronic devices from attack. He has an extensive background in firmware development, bringing his passion for embedded development to the security world. In his 15 years of experience, Buddy has worked in cryptography, hardware design, firmware engineering, and information security. In his role at MedSec, he has supported clients with regulatory filings, performed penetration tests of devices and created threat models for systems, from long-lived implantable devices to bedside infusion pumps.

Buddy holds a Bachelor of Science in Computer Engineering from the Georgia Institute of Technology, and is an Offensive Security Certified Professional. He is also an IEEE Senior member.

Jim Keller, VP of Marketing and Business Development, MedSec

Jim Keller is a seasoned senior executive with extensive global experience advising thousands of healthcare organizations on planning for and purchasing of medical devices, managing medical device-related safety, and complying with medical device-related regulatory requirements. He has also served in business development leadership roles guiding medical device, in vitro diagnostics and pharmaceutical companies on design solutions for cloud-based Software as a Medical Device and other digital health applications, and on best practices for addressing and selecting international compliance- and regulatory-related strategies and solutions, including for cybersecurity.

Mr. Keller earned a Bachelor of Science degree in Zoology from the University of Massachusetts and Master of Science degree in Biomedical Engineering from the University of Connecticut. He is a member of the University of Connecticut’s Academy of Distinguished Engineers and is a past-president of the American College of Clinical Engineering.

Moderator

Randy Horton, Chief Solutions Officer, Orthogonal

Randy Horton is Chief Solutions Officer at Orthogonal, a software consulting firm that improves patient outcomes faster by helping MedTech firms accelerate their development pipelines for Software as a Medical Device (SaMD), digital therapeutics (DTx) and connected medical device systems. Orthogonal makes that acceleration happen by fusing modern software engineering and product management tools and techniques (e.g., Agile, Lean Startup, User-Centered Design and Systems Thinking) with the regulated focus on device safety and effectiveness that is at the heart of MedTech.

Horton serves as Co-Chair for AAMI’s Cloud Computing Working Group, as well as AAMI CR:510(2021) and the in-process Technical Information Report #115, all of which address how to safely move medical device computing functions into the cloud. He is a frequent speaker at conferences and webinars, including events hosted by AdvaMed, AAMI, HLTH, RAPS and the Human Factors and Ergonomics Society (HFES).

References

1. FDA. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff, Appendix G. U.S. Food & Drug Administration, 2022. https://www.fda.gov/media/119933/download, PDF download.
