Samsung Electronics Co. Ltd. (Suwon, KR)

A Security Enhanced Linux (SELinux) system that implements extended policy models and method for their enforcement, is provided. Extended attributes can be utilized to detect extended policies. Extended policies are now included into the SELinux policy model. Extended policies can be enforced along with SELinux Type Enforcement. A particular implementation defines extended attributes through the definition of TC related attributes in order to determine related policies to TC. Further, extending the SELinux policy model also means expanding the SELinux policy model to incorporate the TC-related policies, in addition to SELinux Type Enforcement. Enforcement of extended policies also entails enforcement of TC-related policy, in addition to SELinux Type Enforcement.

In the realm of computer security, Discretionary Access Control (DAC) is a access control model that an owner-permitted user is able to grant permissions to another subject. The main flaw of the DAC model isthat the ability to grant and use access also allows malicious software to take control over important system resources.

SELinux is an initiative by the National Security Agency (, which attempts to address such weaknesses. SELinux utilizes Mandatory Access Control (MAC) that grants only the essential accesses to a program in order to perform its task. This is also known as the principle of least privilege. SELinux implements MAC in Linux with the help of Linux Security Modules. A Linux kernel that incorporates SELinux enforces MAC policies that limit users and systems servers to the minimum amount of privileges they need to perform tasks. This is distinct from the traditional Linux access control systems.

SELinux creates the security context needed for this limitation by linking the access control attributes of the form user.role:type with all types of subjects (e.g. an application for medical purposes) or objects (e.g. files that include medical records). Withinthat security context, the “type” attribute is the kind of object or subject (e.g. the file, directory). The identification of subjects, objects and their access control by means of types is officially referred to as Type Enforcement (TE). Type attributes are utilized to create the “role” attribute within the security context. This means that access control within SELinux is primarily enforced via TE. Instead of directly associating a user (e.g., Mr. XYZ–a doctor) with a type (e.g.,medicalApplication_t), currently, SELinux associates a user with a role (e.g., Physician Role) and the role with a set of types. The role simply simplifies the management of users , and access control is still enforced by the TE model.

Because SELinux uses a policy model that is based on user (identity), roles and types, a program’s permission to perform an action on an object (e.g., to open a file/directory/security key/network connection) is determined by: the user who isrunning the program, the role of the user, the type of the program and the target object. Therefore, the current security context of SELinux is restricted to TE-only.

It is a part of several open-source and commercial Linux distributions because of the widespread acceptance of Linux. Further, Trusted Computing (TC), a technology developed and promoted by the Trusted Computing Group(, is also proliferating. A SELinux policy model which includes additional attributes is needed.

The invention is a Security Enhanced Linux system (SELinux), which implements extended policy models and provides an approach to their implementation. The SELinux policy model and enforcement are extended to include other attributes in addition totraditional SELinux Type Enforcement (TE).

Specifically the attributes are utilized to establish extended policies. The SELinux policy model has been expanded to include the policies. Policies are enforced along with SELinux Type Enforcement.

In one instance, the process of the definition of extended attributes involves defining the TC-related attributes that define specific policies relating to TC. Additionally, expanding the SELinux policy model involves extending the SELinux policy model to include the TC-related policies, in addition to SELinux Type Enforcement. Enforcement of extended policies also entails applying TC-related policies in addition to SELinux type Enforcement.

These and other features, aspects and advantages of the invention become understood with reference to the following description, appended claims and accompanying illustrations.

Click here to view the patent on USPTO website.

Get Patents with PatentPC

What is a software medical device?

The FDA refers to functions in software which may include ” Software as a Medical Device” (SaMD), and “Software in a Medical Device (SiMD) ), which is software that is part of (embedded within) a medical device.

Section 201(h) of the?Federal Food, Drug, and Cosmetic Act, 21 U.S.C. 321(h),(1) defines medical devices as apparatus, instrument machines, devices, implant an in vitro regulator and other similar items in addition to a component or accessory. . . (b) is intended to be used in the diagnosis of illnesses or other conditions or in the treatment or treatment or prevention of diseases in man or other animals, or (c) is designed to alter the structure or functions of the body of man or other animals.? To be considered a medical device, and consequently subject to FDA regulations the software must satisfy the minimum of these requirements:

  • It should be intended for use in the diagnosis or treatment of a patient; or
  • It should not be designed to alter the structure or the function of the body.

So, if your application is specifically designed to assist healthcare professionals diagnose and treat patients or in hospitals to handle patient records The FDA is likely to view the software as medical devices that are subject to review by the regulatory authorities.

Is Your Software a Medical Device?

FDA will use its oversight of regulatory requirements to medical devices that provide functions that pose danger to patient safety in accordance to the current FDA supervision method. FDA currently considers the software’s functionality over the platform. Some examples of Device Software and Mobile Medical Apps that FDA is looking at includes

  • Software functions to aid those suffering from mental illness (e.g., anxiety, depression, post-traumatic stress disorder (PTSD), etc.) through the use of “Skill of the Day”, a behavioral technique or audio-based messages that the user is able to access when feeling anxious.
  • Software functions provide periodic reminders, motivational advice, and educational information to those recovering from addiction, or who are who are trying to quit.
  • Software functions that use GPS location information to notify asthmatics that they are in places of risk (substance users) and to inform them to environmental conditions that could cause symptoms.
  • Software functions that use video and video games to inspire patients to perform their physical therapy exercises at home;
  • Software functions that require users to select the drug and herb they wish to take in conjunction and offer information on whether interactions have been seen in the literature as well as a summary of what type of interaction was observed;
  • Software functions that take into account specific characteristics of patients, like gender age, gender, and other risk factors, to offer patient-specific counseling, screening, and preventive advice from established and highly-respected authorities.
  • Software functions that utilize the list of signs and symptoms to give guidance on when it is appropriate to see the doctor and what you should do next.
  • Software functions allow users to complete a questionnaire regarding symptoms and provide a recommendation of the most suitable medical facility to treat the patient.
  • The mobile apps enable users to make pre-defined nurse calls or emergency calls using cell phone or broadband technology.
  • Apps that permit caregivers or patients to notify emergency situations to first responders via mobile phones
  • Software that tracks medications and provides user-configured reminders to improve medication adherence.
  • Software functions that give patients with a way to access their own health information including access to information captured during a prior visit to a doctor or historical trending and comparison of vital indicators (e.g. body temperature or heart rate, blood pressure or respiration rate);
  • Software functions that show trends in personal healthcare incidents (e.g. rate of hospitalization or alert notification rate)
  • Software functions permit users to electronically or manually input blood pressure information, to share it via e-mail or track it, and then trend it, and upload it into an electronic or personal health record.
  • Mobile apps that offer oral health reminders or tools to monitor users suffering from gum disease;
  • Mobile apps that give patients suffering from prediabetes advice or tools to help them develop better eating habits, or to increase physical activity;
  • Mobile applications that display at the right time pictures or other messages for a substance abuser who wants to end their addiction;
  • Software functions that provide drug-drug interactions as well as pertinent information about safety (side effects, drug interactions and active ingredient) in a report basing on demographic data (age and gender), clinical data (current diagnosis) and the current medication; and
  • Software functions permit the surgeon to determine the best intraocular lens powers for the patient, as well as the direction of the implantation. This information is based on the surgeon’s inputs (e.g., expected surgically induced astigmatism and patient’s axial length, preoperative corneal astigmatism etc.).
  • Software, mostly mobile apps transforms mobile platforms into a medical device that is regulated.
  • Software that connects with an mobile platform using an instrument or lead to measure and display electrical signals generated by the heart (electrocardiograph; ECG).
  • Software that connects an eye sensor to the mobile platform, or other tools within the platform, to view or record the eye movements in order to identify balance issues
  • Software that asks potential donors about their history with donors and records and/or transmits those answers to an institution for blood collection. This software is used to determine if a potential donor is eligible before collecting blood or any other component.
  • Software that connects to devices of the same in order to control its operation, function, or power source.
  • Software that alters or deactivates the functions of an infusion pump.
  • Software that regulates the inflation or deflation of the blood pressure cuff
  • Software used to calibrate hearing devices and evaluate the electroacoustic frequencies, the characteristics of sound intensity, and sound quality of hearing aids master hearing aids hearing aids for groups or auditory trainers in groups.

What does it mean if your software/SaaS is classified as a medical device?

SaaS founders need to be aware of the compliance risks that medical devices pose. Data breaches are one of the biggest risks. Medical devices often contain sensitive patient data, which is why they are subject to strict regulations. This data could lead to devastating consequences if it were to become unprotected. SaaS companies who develop medical devices need to take extra precautions to ensure their products are safe.

So who needs to apply for FDA clearance? The FDA defines a ?mobile medical app manufacturer? is any person or entity who initiates specifications, designs, labels, or creates a software system or application for a regulated medical device in whole or from multiple software components. This term does not include persons who exclusively distribute mobile medical apps without engaging in manufacturing functions; examples of such distributors may include the app stores.

Software As Medical Device Patenting Considerations

The good news is that investors like medical device companies which have double exclusivity obtained through FDA and US Patent and Trademark Office (USPTO) approvals. As such, the exit point for many medical device companies is an acquisition by cash rich medical public companies. This approach enables medical devices to skip the large and risky go-to-market (GTM) spend and work required to put products in the hands of consumers.

Now that we have discussed the FDA review process, we will discuss IP issues for software medical device companies. Typically, IP includes Patents, Trademarks, Copyrights, and Trade secrets. All of these topics matter and should be considered carefully. However, we will concentrate on patents to demonstrate how careless drafting and lack of planning can lead to problems, namely unplanned disclosures of your design that can then be used as prior art against your patent application.

In general, you should file patent application(s) as soon as practicable to get the earliest priority dates. This will help you when you talk to investors, FDA consultants, prototyping firms, and government agencies, among others. Compliance or other documents filed with any government agency may be considered disclosure to third parties and could make the document public. In general, disclosures to third parties or public availability of an invention trigger a one year statutory bar during which you must file your patent application. Failure to file your application within the required time frame could result in you losing your right to protect your invention.

The information from your FDA application may find its way into FDA databases, including DeNovo, PMA and 510k databases and FDA summaries of orders, decisions, and other documents on products and devices currently being evaluated by the FDA. Your detailed information may be gleaned from Freedom of Information Act requests on your application. This risk mandates that you patent your invention quickly.

When you patent your medical device invention, have a global picture of FDA regulatory framework when you draft your patent application. Be mindful of whether your software/SaaS application discusses the diagnosing and treating patients or affecting the structure or function of the body and add language to indicate that such description in the patent application relates to only one embodiment and not to other embodiments. That way you have flexibility in subsequent discussions with the FDA if you want to avoid classification of your software/SaaS/software as a medical device. In this way, if you wish to avoid FDA registration and oversight, you have the flexibility to do so.

An experienced attorney can assist you in navigating the regulatory landscape and ensure that you comply with all applicable laws. This area of law is complex and constantly changing. It is important that you seek legal advice if you have any questions about whether or not your software should be registered with FDA.

Patent PC is an intellectual property and business law firm that was built to speed startups. We have internally developed AI tools to assist our patent workflow and to guide us in navigating through government agencies. Our business and patent lawyers are experienced in software, SaaS, and medical device technology. For a flat fee, we offer legal services to startups, businesses, and intellectual property. Our lawyers do not have to track time as there is no hourly billing and no charges for calls or emails. We just focus on getting you the best legal work for your needs.

Our expertise ranges from advising established businesses on regulatory and intellectual property issues to helping startups in their early years. Our lawyers are familiar with helping entrepreneurs and fast-moving companies in need of legal advice regarding company formation, liability, equity issuing, venture financing, IP asset security, infringement resolution, litigation, and equity issuance. For a confidential consultation, contact us at 800-234-3032 or make an appointment here.