1. Field of the Invention
The present invention relates generally to the art of medical instrument systems, and more specifically to controlling access to software applications and data stored in an external file system for use in operating a safety critical medical system.
2. Description of the Related Art
Safety critical systems such as automated medical system products or surgical instrument systems may include hardware platforms providing Input/Output (I/O) data ports enabling access from outside of the instrument system. Current medical system designs such as those available from Advanced Medical Optics, Inc. provide access from outside of the system via a Universal Serial Bus (USB) I/O data port. A USB I/O data port provides an interface for connecting a USB device. Types of devices that may be connected to the USB I/O data port include a ‘memory-stick’ flash memory storage device, a USB CD-ROM or DVD device, or a USB enabled hard drive, each providing access to a file system. To gain access to the file system stored in a USB compliant storage device, the user need only connect the USB storage device by plugging it into the instrument system's USB host controller connection.
Providing surgical instrument systems with open data interfaces, such as a USB I/O data port, affords designers flexibility to offer additional functionality to the end user. The increased functionality and capabilities may be realized through software applications and data residing in a USB device. Any number of individuals may have access to the system via the USB I/O data port, including factory sales representatives, service personnel, and physicians. For example, service personnel may store software applications for use in troubleshooting, perform calibration and diagnostics of the instrument system, transfer files between instrument host systems, or repair and upgrade the system software. Sales personnel may demonstrate new features and functionality by executing a pre-configured software application stored in a USB device. Physicians may store individual preferences, surgical procedure settings, and other configurable instrument system parameters.
A major disadvantage of such open designs is that the system becomes vulnerable to corruption. The primary concern is virus software or malicious programs that gain entry via the open external data port. When a program is executed from the USB storage device, that software runs with access to all of the resources forming the safety critical system. A malicious program executing from the USB device file system could therefore alter or corrupt the operating system software, modify stored physician settings, or rewrite portions of the software applications required for the proper and safe operation of the instrument system. In a similar manner, a virus program may execute from the USB device file system and insert itself into the instrument system's software. As may be appreciated, even an inadvertent change of data, let alone corruption of a mission critical program, can be devastating and even deadly in a medical system.
Today's deployed safety critical systems do not provide a sufficient level of file system access control for externally attached storage devices. Access control is paramount to fielding the highest level of safety required in an operating theater environment. Today's designers are faced with a difficult and complex implementation challenge to balance providing external interfaces open enough to allow the desired functionality to be realized, yet secure enough to ensure the integrity and continued safe operation of the instrument system.
In an attempt to mitigate unauthorized system access, current designs may require the user to enter a password. Entering the proper password may allow the user access to software programs and data stored at the external device. Unauthorized system access may also be deterred by physical protection that blocks access to the USB I/O data port on the instrument system. In this arrangement, only authorized users are supplied a key needed to unlock the physical protection device.
Password protection schemes are known to exhibit numerous disadvantages. For example, an authorized user may lose or forget a password. Once lost, a mechanism must be installed to allow the password to be restored; such recovery mechanisms can be difficult and costly to implement and may open the system to additional vulnerabilities. Passwords may also be acquired by unauthorized users, whether inadvertently disclosed or stolen, allowing access to vital corporate software and data assets. More importantly, a password authenticates only the person entering it and says nothing about the contents of the external file system: once system access is gained via entering a valid password, any program or data stored in the external file system may be altered, and a malicious program may be substituted for a valid software application stored in the file system. A compromised password thus enables an attacker to stage an altered or malicious program that a legitimate user subsequently executes on the instrument system without knowing it.
Current protection schemes using devices to physically block access to the external I/O data port may be easily compromised. As with password protection, only authorized users are given the key needed to unlock the physical block, but the key may be lost or stolen, and it is often possible to remove the physical block without the key by use of force. Like passwords, once unauthorized access is gained, the contents of the external file system may be altered or substituted.
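The shortcoming shared by the password scheme and the physical block described in the two preceding paragraphs is that each gates the person at the port while trusting whatever file happens to be on the volume at load time. The following Python program is an added illustration of that distinction; it is not part of the original description and does not represent the claimed invention. It stages a constructed "approved" application on a temporary directory standing in for the USB file system, substitutes a tampered file of the same name, and contrasts a password-only loader with a loader that additionally compares the file's SHA-256 digest against a value held on the instrument side. The application name, password, file contents and manifest are all constructed for the demonstration.

```python
"""Added illustration: a password gate versus a content check on a removable volume.

Not part of the original patent text. The application, password, USB directory
and pinned manifest below are constructed solely for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed sample content; stands in for a service application shipped on a USB volume.
APPROVED_APP = b"# calibration routine v1\nrun_calibration()\n"
# Constructed substitute: same file name on the volume, different contents.
TAMPERED_APP = b"# calibration routine v1\nrun_calibration()\noverwrite_physician_settings()\n"

OPERATOR_PASSWORD = "service-1234"  # constructed credential for the demonstration


class AccessDenied(Exception):
    """Raised when a load is refused by either scheme."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def password_gate(entered: str, expected: str) -> None:
    """Authenticates the person at the console; says nothing about the volume contents."""
    if not hmac.compare_digest(entered.encode("utf-8"), expected.encode("utf-8")):
        raise AccessDenied("bad password")


def load_password_only(usb_dir: str, app_name: str, entered_password: str) -> bytes:
    """Related-art scheme: once the password is accepted, whatever file currently
    sits on the volume under app_name is returned for execution."""
    password_gate(entered_password, OPERATOR_PASSWORD)
    with open(os.path.join(usb_dir, app_name), "rb") as f:
        return f.read()


def load_with_integrity_check(usb_dir: str, app_name: str, entered_password: str,
                              manifest: dict) -> bytes:
    """Same password gate, plus a content check: the bytes read from the volume must
    match a SHA-256 digest pinned inside the instrument, not stored on the volume."""
    password_gate(entered_password, OPERATOR_PASSWORD)
    with open(os.path.join(usb_dir, app_name), "rb") as f:
        data = f.read()
    expected = manifest.get(app_name)
    if expected is None or not hmac.compare_digest(sha256_hex(data), expected):
        raise AccessDenied(f"{app_name}: contents do not match the pinned digest")
    return data


def demo() -> dict:
    """Stages the approved application, then a substituted one, on a temporary
    directory standing in for the USB file system. Returns which scheme accepted
    which content."""
    manifest = {"calibrate.py": sha256_hex(APPROVED_APP)}  # held on the instrument side
    results = {}
    with tempfile.TemporaryDirectory() as usb:
        path = os.path.join(usb, "calibrate.py")
        with open(path, "wb") as f:
            f.write(APPROVED_APP)
        results["password_only_loads_genuine"] = (
            load_password_only(usb, "calibrate.py", OPERATOR_PASSWORD) == APPROVED_APP)
        results["integrity_loads_genuine"] = (
            load_with_integrity_check(usb, "calibrate.py", OPERATOR_PASSWORD, manifest)
            == APPROVED_APP)

        # Substitution: anyone able to write the volume replaces the file in place.
        with open(path, "wb") as f:
            f.write(TAMPERED_APP)
        results["password_only_loads_tampered"] = (
            load_password_only(usb, "calibrate.py", OPERATOR_PASSWORD) == TAMPERED_APP)
        try:
            load_with_integrity_check(usb, "calibrate.py", OPERATOR_PASSWORD, manifest)
            results["integrity_rejects_tampered"] = False
        except AccessDenied:
            results["integrity_rejects_tampered"] = True

        # A wrong password is still refused; the content check is in addition, not instead.
        try:
            load_password_only(usb, "calibrate.py", "wrong")
            results["wrong_password_rejected"] = False
        except AccessDenied:
            results["wrong_password_rejected"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the contrast is where the trust anchor lives: the password-only loader trusts the removable medium after a single user check, so the substituted file is executed with a valid password; the second loader trusts only digests resident on the instrument, so the same substitution is refused regardless of who typed the password.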
Current designs may configure the external storage device as ‘read-only’ so that the instrument system is effectively protected from the external file system contents. In this configuration, the instrument system may send data to the external device, but no data stored on the external device is allowed to enter the instrument system. Because application software cannot execute from the external device without its contents being read into the instrument system, this protection mechanism limits fielding much of the desired functionality.
Based on the foregoing, it would be advantageous to provide access control for use in safety critical systems that overcomes the foregoing drawbacks present in previously known methods for the design of safety critical systems.