Differential, Attested, and Clinically-Aware OTA for Android Medical Fleets: A Policy-Driven Orchestration Framework

Abstract

Healthcare organizations increasingly deploy Android devices as gateways and embedded systems in regulated environments. Fleet updates remain risky because defective patches can interrupt monitoring, breach compliance, or expose devices to known vulnerabilities. A regulated over-the-air orchestration framework tailored to medical fleets addresses these challenges. The framework combines differential patching using bsdiff-class algorithms with software bill of materials provenance. Android Verified Boot and attestation capabilities strengthen device integrity verification. Phased rollouts bound to clinical risk enable controlled deployment. Automatic rollback prevents widespread service disruption. Policies are enforced using Android Management API controls, including windowed updates, freeze periods, and kiosk constraints. Post-install health probes verify Bluetooth Low Energy reconnection, sensor latency, and application state. Content-risk scoring modulates rollout velocity based on whether changes affect kernel components or user interface elements. Software bill of materials components link directly to known vulnerabilities in public databases. Simulated and pilot deployments demonstrate reduced remediation latency and prevention of care-critical regressions compared with all-at-once update strategies. The design meets the FDA premarket cybersecurity requirements, and NIST Secure Software Development Framework, and attestation logs, software bill of materials, and risk score justifications support regulatory submissions and inspections.