Dr. Fu Goes to Washington

This morning, I testified in Congress on technology to combat waste, fraud and abuse in the Medicare program. My testimony focused on the expectations of smart cards. The testimony can be downloaded from the House website. I noticed an odd filename that legislators assigned to my testimony. Seems reminiscent of Arnold Schwarzenegger, but hopefully unintentional.


Here are some summaries:

• GOP lawmaker calls for tougher fight against Medicare fraud
• Uncle Sam Wants To Stop Healthcare Fraud, But Smart Cards Are No Panacea

Videos:

• Video of testimony
• Video of Q/A

Earlier thoughts.

U.S. House Hearing on Smart Cards and Health Care Fraud

This Wednesday, I'll be testifying in a U.S. House hearing to examine options to combat health care waste, fraud and abuse. This service has rustled up memories of my time as a tech gopher at Holland Community Hospital in the 1990s when the hospital deployed second-factor authentication tokens for clinicians (i.e., 2nd factor = something you have rather than something you know). One of my tasks was to write software to quickly and effectively detect incorrect entries in the hospital's voluminous general ledger. Medical billing records. So exciting. I remember replacing lost "authentication keys" for nurses and physicians who would visit my tiny time-shared desk next to machine room for the soon-to-be-retired VAXen, line printer, and reel-to-reel backup. At the time, the authentication keys were literally shaped as plastic keys. Each clinical computer had a key reader connected via serial port. Clinicians would insert and twist the key in order to access the clinical computing systems. Removing the key resulted in automatic log out.  I am told that the system lives on today in some form nearly 17 years later.

What's changed across the nation in terms of health care cybersecurity since the 1990s? Malware spreads by USB sticks and IP networks rather than 3.5" disks. Medical devices depend much more on networks and software. There are now so many layers of software dependencies, it's hard to even inventory what's in the trusted computing base.

I still have the wooden shoe presented to the staff who helped "go live" with this clinical computing system in Holland. Stored on a shelf right above my IHTFP propeller hat.

First graduate course in the nation dedicated to medical device security

Semmelweis is credited as a pioneer of antiseptic technique. 

How do we begin to improve the information security of increasingly interconnected and wirelessly controlled medical devices?  Starting with highly trained engineers who also appreciate the complexities of human factors and regulatory affairs.  My upcoming Winter 2013 course at the University of Michigan on Medical Device Security will be the first of its kind in the nation to teach students about this topic.  Students will learn the timeless concepts and cutting-edge skills in computer engineering, human factors, and regulatory policies that determine the safety and effectiveness of manufacturing software-controlled medical devices.

Students will apply the newly learned concepts and skills by analyzing the security of a real-world medical device in a hands-on term project. Interdisciplinary teams will consist of students from complementary backgrounds to mimic the composition of teams at medical device manufacturers and regulatory bodies. Occasional guest speakers from medical device manufacturers, hospitals, and government will complement the classroom activities with critical lessons from the front lines.

False Part 2: FDA does not allow software security patches

[Note the sarcasm in my title.  In fact, FDA guidelines promote keeping COTS software up-to-date.]

Hurricane Sandy gave me to opportunity to try out some drawing programs while stranded in Minneapolis.  Here's my artistic interpretation to expand upon my earlier post to encourage regular cybersecurity patches for medical devices that depend on COTS software like Windows XP.  You can download the PDF poster here.  Consider posting near your hospital CIO's office.  This poster has been verified and validated by smart engineers from the medical device manufacturing community (they liked it, so I am sharing it).