Towards Trustworthy Integrated Clinical Environments

    Research output: Contribution to journal › Article › peer-review

    Abstract

    An integrated clinical environment (ICE) connects various medical devices and coordinates their actions through a computer system that serves as the supervisor. The primary goal of an ICE is to improve the safety of high-acuity patients during clinical operations, so the trustworthiness of the ICE is of paramount importance. In this paper, we propose a set of mechanisms to enhance the trustworthiness of ICEs. To ensure continuous availability and resilience under malicious attacks, the supervisor must be replicated. To design robust mechanisms for enhanced system trustworthiness, we first carry out a comprehensive threat analysis of the ICE. Our mechanisms ensure that consistent commands are delivered to all connected medical devices despite faulty supervisor replicas and faulty medical devices, which is essential for the integrity of the system; they also prevent faulty replicas from launching stealthy denial-of-service attacks, which is important for the liveness of the system. Furthermore, we analyze the latency overhead incurred by our mechanisms and show that it is low enough to warrant their use in practical ICEs.
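    The abstract describes the device-facing consequence of supervisor replication: a medical device must act only on a command that the replicated supervisor actually agreed on, and a faulty replica must be unable to either inject a command or stall the device. The following is an added illustration of that device-side rule using standard Byzantine-quorum arithmetic; it is not code from the paper and does not reproduce its protocol. It assumes N = 3f + 1 replicas, at most f of them faulty, a per-replica HMAC key pre-shared with the device (constructed here), and sample commands and replica ids that are invented for the demonstration.

```python
"""Device-side acceptance of commands from a replicated ICE supervisor.

Added illustration, not the paper's protocol.  Assumed model: N = 3f + 1
supervisor replicas, at most f of them faulty (Byzantine), each sharing a
secret key with the device (constructed below).  After the replicas agree
on the command for a sequence number, each sends it to the device with an
HMAC.  The device executes a command once f + 1 distinct, authenticated
replicas agree on it: at least one of those f + 1 is correct, so the value
is the agreed one; and because 2f + 1 correct replicas exist, a faulty
replica that stays silent or sends something else cannot stall the device.
Divergent, equivocating and silent replicas are reported for audit.
"""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Command:
    replica: int    # sending replica's id (claimed; trusted only after HMAC check)
    seq: int        # sequence number assigned by supervisor consensus
    payload: bytes  # device command, e.g. b"pump:rate=2.5" (constructed format)
    tag: bytes      # HMAC-SHA256 over seq || payload under the replica's key


def _mac(key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


def sign(key: bytes, replica: int, seq: int, payload: bytes) -> Command:
    """Replica side: authenticate the command decided for `seq`."""
    return Command(replica, seq, payload, _mac(key, seq, payload))


def authentic(keys: dict, cmd: Command) -> bool:
    key = keys.get(cmd.replica)
    return key is not None and hmac.compare_digest(_mac(key, cmd.seq, cmd.payload), cmd.tag)


def decide(keys: dict, f: int, seq: int, received: list):
    """Device side.  keys maps replica id -> shared key, len(keys) = N >= 3f + 1.

    Returns (payload or None, divergent, silent): the command to execute once
    f + 1 authenticated, distinct replicas agree on it, the replicas that voted
    for something else or equivocated, and the replicas with no authentic vote.
    """
    if len(keys) < 3 * f + 1:
        raise ValueError("need at least 3f+1 replicas to tolerate f faulty ones")
    votes = {}             # replica id -> first authentic payload seen for seq
    equivocators = set()   # replicas that sent two different authentic commands
    for cmd in received:
        if cmd.seq != seq or not authentic(keys, cmd):
            continue  # unauthenticated: not even the claimed replica id is trustworthy
        prev = votes.setdefault(cmd.replica, cmd.payload)
        if prev != cmd.payload:
            equivocators.add(cmd.replica)
    for r in equivocators:
        votes.pop(r, None)  # equivocation proves the replica faulty; discard its vote
    tally = Counter(votes.values())
    winners = [p for p, c in tally.items() if c >= f + 1]
    # Two payloads each backed by f + 1 replicas means more than f are faulty:
    # the model is violated, so fail safe (execute nothing) rather than guess.
    decided = winners[0] if len(winners) == 1 else None
    divergent = {r for r, p in votes.items() if decided is not None and p != decided}
    divergent |= equivocators
    silent = set(keys) - set(votes) - equivocators
    return decided, divergent, silent


# Constructed demo keys and commands: four replicas, f = 1.
KEYS = {r: hashlib.sha256(b"demo-replica-key-%d" % r).digest() for r in range(4)}
F = 1
GOOD, BAD = b"pump:rate=2.5", b"pump:rate=25.0"


def scenario_divergent():
    """Faulty replica 3 tries to inject a tenfold overdose command."""
    msgs = [sign(KEYS[r], r, 7, GOOD) for r in (0, 1, 2)]
    msgs.append(sign(KEYS[3], 3, 7, BAD))
    return decide(KEYS, F, 7, msgs)


def scenario_silent():
    """Faulty replica 3 withholds its message to try to stall the device."""
    return decide(KEYS, F, 7, [sign(KEYS[r], r, 7, GOOD) for r in (0, 1, 2)])


def scenario_forged():
    """Replica 3 impersonates replica 0 but cannot produce replica 0's HMAC."""
    msgs = [sign(KEYS[r], r, 7, GOOD) for r in (0, 1, 2)]
    msgs.append(Command(0, 7, BAD, _mac(KEYS[3], 7, BAD)))
    return decide(KEYS, F, 7, msgs)


def scenario_equivocate():
    """Replica 0 sends two different authentic commands for the same seq."""
    msgs = [sign(KEYS[0], 0, 7, GOOD), sign(KEYS[0], 0, 7, BAD)]
    msgs += [sign(KEYS[r], r, 7, GOOD) for r in (1, 2)]
    return decide(KEYS, F, 7, msgs)


def scenario_too_few():
    """A single vote never reaches f + 1, so the device holds its state."""
    return decide(KEYS, F, 7, [sign(KEYS[0], 0, 7, GOOD)])


if __name__ == "__main__":
    for s in (scenario_divergent, scenario_silent, scenario_forged,
              scenario_equivocate, scenario_too_few):
        print(s.__name__, s())
```

    The threshold is the whole point: the device never waits for all N replicas, so a silent replica costs nothing beyond an audit entry, and a divergent one is outvoted. The per-replica key is what makes the replica id in a message meaningful; without it a single faulty replica could cast f + 1 votes under borrowed identities. The fail-safe branch (two payloads each reaching f + 1) should never fire under the assumed fault bound and exists so that an assumption violation leaves the device in its last known-safe state rather than executing a guess.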

    Keywords

    • Integrated clinical environments
    • intrusion tolerance
    • integrity
    • high availability
    • replication
    • Byzantine consensus

    Disciplines

    • Electrical and Computer Engineering
