Toward a Safe and Secure Medical Internet of Things
Figure 1. General architecture of ICE and an instantiation of it in a test setup at MD PnP Lab.
The ICE Network Controller is essentially a high-assurance middleware that forwards data or
commands to or from ICE applications and devices, ensures communication quality-of-service
and is agnostic as to the intended use of the clinical apps that it supports. It also manages the
discovery and connection protocol for devices that wish to connect to the system. Given its
critical communicatory role in ICE, having high-performance and context-aware security support
in the network controller is paramount. The major functional security requirements for the
network controller include: i) authentication mechanisms for validating the identity of
devices and apps, vouching for their provenance and ICE compliance, ii) flexible yet easy-to-use mechanisms for defining and enforcing access control policies for various ICE
configurations in different care environments, iii) a mechanism for secure device and app
discovery, iv) a secure auditing mechanism and v) mechanisms to guarantee the
integrity, freshness and confidentiality of data. These functional requirements should be
met via a solution that has minimal negative impact on non-functional requirements such as
performance, availability, robustness, and ease of use for clinicians and developers.
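As an added illustration (not code from the paper or from the MD PnP Lab), the following model shows how a network controller could check requirements i), ii), iv) and v) on every device message: a per-device enrollment key authenticates the sender and protects integrity, a monotonic sequence number gives freshness, a policy table gates which app may perform which action on which device, and every verdict is recorded in an audit trail. The device keys, policy table and message format are assumptions chosen for the example.

```python
import hmac, hashlib, json
from dataclasses import dataclass, field

# Hypothetical per-device keys provisioned at enrollment (constructed sample data).
DEVICE_KEYS = {"pump-01": b"k-pump", "monitor-07": b"k-mon"}
# Hypothetical access-control policy: (app, device) -> permitted actions.
POLICY = {("bp-app", "monitor-07"): {"read"}, ("closed-loop", "pump-01"): {"read", "control"}}
SIGNED_FIELDS = ("device", "app", "seq", "action", "payload")

def canonical(msg):
    """Canonical byte encoding of the authenticated fields (sort_keys makes it deterministic)."""
    return json.dumps({k: msg[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()

def sign(device, app, seq, action, payload):
    """Device-side helper: build a message and attach an HMAC-SHA256 tag over its fields."""
    msg = {"device": device, "app": app, "seq": seq, "action": action, "payload": payload}
    msg["mac"] = hmac.new(DEVICE_KEYS[device], canonical(msg), hashlib.sha256).hexdigest()
    return msg

@dataclass
class NetworkController:
    audit: list = field(default_factory=list)   # requirement iv): every decision is logged
    last_seq: dict = field(default_factory=dict)  # highest accepted seq per device

    def _log(self, verdict, **ctx):
        self.audit.append({"verdict": verdict, **ctx})
        return verdict == "ok"

    def admit(self, msg):
        """Return True only if the message is authentic, fresh and permitted by policy."""
        dev, app, seq = msg["device"], msg["app"], msg["seq"]
        key = DEVICE_KEYS.get(dev)
        if key is None:                      # i): unknown, unenrolled device
            return self._log("unknown-device", device=dev)
        expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return self._log("bad-mac", device=dev)         # i)/v): identity or integrity
        if seq <= self.last_seq.get(dev, 0):
            return self._log("replay", device=dev, seq=seq)  # v): freshness
        if msg["action"] not in POLICY.get((app, dev), set()):
            return self._log("policy-denied", device=dev, app=app, action=msg["action"])  # ii)
        self.last_seq[dev] = seq
        return self._log("ok", device=dev, app=app, action=msg["action"], seq=seq)
```

Confidentiality (the remaining part of requirement v)) is not modelled here; in a deployment the messages would additionally travel over an encrypted transport.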
The ICE Supervisor provides separation/isolation-kernel-like data partitioning and time
partitioning. It makes sure the information cannot inadvertently leak between apps and apps
cannot inadvertently interfere with one another. It provides real-time scheduling guarantees that
the computation in one app cannot cause the performance of another to degrade or fail. It also
provides a console that allows a clinician to launch apps, monitor their progress and provide user input during app execution. The ICE Network Controller and Supervisor may be incorporated
together and deployed as a standalone ICE Manager.
ICE Applications are programs that accomplish a clinical objective by interacting with one or more
devices attached to the network controller. As each app executes in the supervisor, it defines the
intended use of the current ICE configuration. An important safety- and security-related concept
IIC Journal of Innovation
-7-