Sunday, November 10, 2013

New York Times on Medical Device Security

Credit: Richard Perry/The New York Times
The New York Times recently interviewed the leadership of the Archimedes Center for Medical Device Security. The article provides a balanced perspective on risks and benefits of various approaches for medical device security, and draws on several primary sources.  This balance is an important departure from media articles over the past couple years that largely sensationalize rather than analyze the problem space.  Great to see some in-depth reporting.

Thursday, September 26, 2013

Controlling for Cybersecurity Risks of Medical Device Software

[direct link to Peter Neumann's PDF here]

Today, Dr. James Blum (Anesthesiology, University of Michigan Health System) and I published an article that reflects on "Controlling for Cyber Security Risks of Medical Device Software" in the context of the draft FDA guidance on cybersecurity. You can download this Inside Risks Column from the Communications of the ACM.

The ACM Committee on Computers and Public Policy conducts peer review of the Inside Risks column in CACM, and also helps the moderator of the RISKS Digest.

-Kevin Fu

Monday, September 16, 2013

Video of USENIX HealthTech Panel w/ Speakers from Adventium Labs, U. Michigan, VA, and FDA

USENIX HealthTech has posted the video of the panel on medical device security from August 2013.






The panelists include:

Thursday, August 15, 2013

New $10M NSF Research Center to Investigate Trustworthy Health and Wellness

Today the National Science Foundation announced a new $10 million research center led by Dartmouth College to investigate Trustworthy Health and Wellness (THaW.org). THaW aims to enable the promise of health and wellness technology by innovating mobile- and cloud-computing systems that respect the privacy of individuals and the trustworthiness of medical information.

Within the University of Michigan's College of Engineering, our role focuses on scientific methods to study the extent of malware in hospital networks. Michigan is also the home of the Archimedes Center for Medical Device Security to help manufacturers improve medical device security.

More information can be found at NSF and the participating universities (Dartmouth College, University of Illinois, Johns Hopkins University, University of Michigan).

-Kevin Fu

Tuesday, August 6, 2013

Join us at the HealthTech 2013 Poster/Demo Session

The USENIX Workshop on Health Information Technologies on August 12th is rapidly approaching. We have already blogged about the medical device security panel, but the poster/demo session will also be a great opportunity to meet and exchange ideas with some of the best and brightest in the community.

In addition to refereed poster presentations, there will be a binary analysis and fuzzing demo put on by Codenomicon, the session's sponsor. Codenomicon will be running their demo 5:45--7:00 pm.

Tuesday, July 30, 2013

RIP Barnaby Jack

Barnaby Jack photo

We were sad to hear that Barnaby Jack, a skilled ethical hacker who applied his keen intellect and infectious enthusiasm to medical-device security, died in San Francisco on July 25.  Among other accomplishments, he got a lot of technically inclined people interested in medical devices—which can only be good for the world.  May he rest in peace.  (Donations.)

Friday, July 26, 2013

WattsUpDoc: Detecting malware on medical devices via an instrumented power outlet

I will be presenting research results on how to detect malware on medical devices at USENIX HealthTech in Washington, D.C. on August 12th. Below is a summary of our research (lightly edited from the final paper). I would be happy to discuss the project at the workshop or before. We are particularly interested in collaborating with manufacturers and hospitals to further field test our prototype.

Health care networks are composed of general-purpose computers (e.g., desktop workstations) and embedded devices that perform specific functions and connect to the network for centralized control or configuration.  A primary drawback of increasing connectivity is that all devices on the network---including embedded devices---are increasingly exposed to malware [1,2]. The U.S. Food and Drug Administration has recently acknowledged these risks by issuing a safety communication concerning cybersecurity.
This pharmaceutical compounder is a medical device running Windows XP Embedded. In a controlled lab, we repeatedly infected such devices with malware to evaluate the effectiveness of WattsUpDoc.
Unfortunately, there are no simple solutions to this problem. Many embedded devices are incompatible with conventional software-based anti-malware mechanisms such as antivirus (AV) programs or networked intrusion-detection systems (NIDS). Traditional embedded devices commonly use custom firmware or OSes for which no antivirus program exists.  Other embedded medical devices are built with commodity hardware and software and are thus compatible with AV or NIDS, but some manufacturers explicitly forbid device owners to install OS security updates or antivirus software[3].

A high-level illustration of system deployment. WattsUpDoc monitors system behavior without affecting any inputs, outputs, or software. No software or hardware change is required on the device under observation.
Our paper addresses the challenge of malware on embedded systems by introducing WattsUpDoc, a behavior-monitoring system for embedded devices. WattsUpDoc relies on the side channel of systemwide power consumption, which leaks information about the system's computing activity without requiring any hardware or software modifications. WattsUpDoc uses machine-learning techniques to match patterns of power consumption. In our experiments, WattsUpDoc detected previously known malware with at least 94% accuracy and previously unknown malware with at least 85% accuracy on several embedded devices.

Using WattsUpDoc, device owners can gain greater visibility into the behavior of the systems they own.  WattsUpDoc can provide preliminary evidence of abnormal behavior, such as malware problems, signaling the need for further investigation. WattsUpDoc may also help to detect general abnormalities such as a failing hardware component or misconfigured software. With better visibility and earlier warnings, WattsUpDoc can help to detect problems that otherwise could lead to hazardous situations and harm.

Wednesday, July 17, 2013

USENIX HealthTech hosts medical device security panel from FDA, VA, and industry in DC


I am pleased to announce that representatives from FDA, the VA, and medical device manufacturing have agreed to participate in a technical panel on recent activity in the medical device security space. Early registration for the USENIX HealthTech Workshop ends on July 22. Note, this is a technical and research workshop. With a bit of policy to spice things up.

USENIX HealthTech Workshop on Safety, Security, Privacy, and Interoperability of Health Information Technologies

Monday, August 12, 2013
Hyatt Regency Washington on Capitol Hill
Washington, DC


The panel on "Health Data and Device Perspectives from Industry, Government, and Health Providers" takes place at 11AM and will focus on security and privacy related to recent news over the past year. Confirmed panelists include:


Brian Fitzgerald, Deputy Division Director, Division of Electrical and Software Engineering, U.S. Food & Drug Administration Center for Devices & Radiological Health

Ken Hoyme, Medical Device Consultant and Co-chair, AAMI Medical Device Security Working Group; Former Senior Fellow, Boston Scientific, Cardiac Rhythm Management

    Lynette Sherrill, Deputy Director, Office of Information Security, Field Security Office, Health Information Security Division, Department of Veterans Affairs



    Kevin Fu (moderator), Associate Professor and Director, Archimedes Center for Medical Device Security, Computer Science & Engineering, College of Engineering, University of Michigan






    For a refresher course, look back at the video recordings from the predecessor workshop, HealthSec.

    -Kevin Fu

    Thursday, July 11, 2013

    Covered entities and medical device security

    Mac McMillan has an interesting quote in a recent article, "FDA Warnings About ‘Cyberattacks’ Give CEs Leverage to Demand Better Security."
    So where is OCR in all this? McMillan says the agency has been putting “pressure” on FDA and the Office of the National Coordinator for Health Information Technology (ONC) about this issue. However, OCR spokeswoman Rachel Seeger would say only that OCR had no “substantive” or “direct role in FDA’s guidance or warning.” 
    McMillan says there is talk of creating some kind of system for assessing medical device security features akin to HHS’s meaningful use certifications that apply to electronic health records. Only those that meet certain criteria, which include certain access controls, can be purchased with federal funds (RPP 9/12, p. 4). CMS and ONC maintain a list of certified EHRs.
    A version of this question was discussed by panelists from CMS and FDA (audio recording conveniently below).  In February 2012, I moderated a panel at the NIST Information Security & Privacy Board on the topic of economic incentives to improve medical device security.  The audio recording and discussion questions can be downloaded from our blog post.  The high bit: at the time, there were very few economic levers for covered entity to incentivize better cybersecurity in manufacturing of medical devices.  The draft guidance from FDA may provide an important lever for covered entities so that patients ultimately have safer and more effective medical devices.

    -Kevin Fu

    Public radio's Marketplace on medical device security

    Radio is hip.
    Yesterday, APM Marketplace presented a short audio segment on medical device cybersecurity that I presume aired on NPR. The piece is obviously not intended for digestion by an engineer, but instead presents the latest regulatory issues of medical device security for the layperson.

    I presume the research that Dr. Castellanos refers to is this one from 2008. But there are plenty of other non-implantable devices that arguably bear more risk to public health by virtue of sheer quantity and area of attack surface. For instance, the incidents documented in our blog archive.

    Tuesday, June 18, 2013

    HealthTech (née HealthSec): Now with Posters!

    Now that the technical program of HealthTech 2013 has solidified, we want your great ideas in poster form at the HealthTech 2013 poster session!  One-page poster proposals are due June 25.

    The HealthTech 2013 poster session will trap stakeholders from medicine and technology in a single room with controversial ideas and a bunch of snacks.  It will look something like this.  (Actual attendees may vary.  Photo from BNL.)

    2013 USENIX Workshop on Health Information Technologies
    August 12, 2013 — Washington DC
    Call for Posters — Proposals due June 25, 2013

    The poster session is a great opportunity to discuss new work and propose controversial ideas with stakeholders from academia, industry, government, and medicine in an informal social environment.

    Relevant topics in HealthTech areas include, but are not limited to:

    • Preliminary or experimental work that has not yet been published
    • New or emerging technology to improve healthcare
    • Evidence of cross-cutting problems that need solutions
    • Highlights from deployments of health information technology (HIT), including surprising outcomes or unintended consequences
    • Controversial arguments for or against a specific HIT practice or technology

    Space at the poster session is limited, so the poster committee will give special preference to exciting new results, projects led by students, and topics that are likely to generate fruitful interactions among attendees.

    Refer to the full call for posters for submission instructions.  If you'd like to advertise this to your colleagues, students, families, and pets, here's a printable version (~2MB PDF).

    See you there!

    Thursday, June 13, 2013

    FDA Publishes Draft Guidance on Medical Device Cybersecurity


    A screenshot of the password process for a Thoratec Left
    Ventricular Assist Device (LVAD) provided to Dr. Kevin Fu by
    a physician he met on an airplane. What is the hazard analysis
    associated with this security mechanism?
    Today the FDA issued long awaited draft guidance on medical device cybersecurity. Engineers can find the cybersecurity document at FDA's website.  The PDF is here.  There is also a safety communication from FDA on cybersecurity. My take away is that this document acknowledges that cybersecurity is a real problem rather than theoretical problem. Unlike previous guidance on cybersecurity for specific types of COTS software, this guidance spells out more detail on cybersecurity responsibilities for a medical device manufacturer ranging from hazard analysis that incorporates cybersecurity to meaningful instructions for end users on malware protection. However, the document is quite short...

    I'll update the list below as new information comes in.  Here are some juicy quotes.
    Computer viruses and other malware increasingly are infecting equipment such as hospital computers used to view X-rays and CT scans and devices in cardiac catheterization labs, agency officials said. The problems cause the equipment to slow down or shut off, complicating patient care. As more devices operate on computer systems that are connected to each other, a hospital network and the Internet, the potential for problems rises dramatically, they said.
    • WSJ on "Patients Put at Risk by Computer Viruses"

      “We are aware of hundreds of medical devices that have been infected by malware,” or dangerous computer software, said Bill Maisel, a senior official at the FDA’s device unit. Though the agency doesn’t know of deaths or injuries resulting from this, he said, “it’s not difficult to imagine how these types of events could lead to patient harm.”
      ...
      For instance, previously unreleased Department of Veterans Affairs records show that since 2009, malware infected at least 327 devices at VA hospitals. More than 40 viruses hit devices including X-ray machines and lab equipment made by companies such as General Electric Co., Philips N.V. and Siemens AG.

      In one case, a VA catheterization laboratory was temporarily closed in January 2010, VA officials said. At that New Jersey facility, records show that malware had infected computer equipment needed for procedures to open blocked arteries after heart attacks. Separately, at a private Boston hospital, a virus caused a device to potentially expose sensitive patient information by sending it to outside servers.

    • WSJ on "Potential Cyberattacks on Implanted Medical Devices Draw Attention"
    Worries over medical-device cybersecurity have largely focused on plugged-in equipment primarily used in hospitals, such as computed tomography scanners and heart monitors that are vulnerable to viruses traveling across medical networks.
    Reps. Anna Eshoo (D-Calif.) and Edward Markey (D-Mass.) praised the Food and Drug Administration for directing device makers to explain how they will protect their products from hacking or tampering. 
    "I welcome the FDA's tightening of security standards for medical devices capable of connecting to each other, hospital networks and the Internet," Eshoo said. "Medical devices have resulted in tremendous benefits, but the demonstrated risk from malicious hackers that comes with enhanced connectivity requires a more stringent effort by the FDA and manufacturers to identify, evaluate and plug the potentially serious security holes that exist."
    "We already protect our computers and other communications devices from hackers and other cyber threats, and it makes sense to extend those protections to patients and their medical devices," Markey said. "Patients should only have to worry about getting healthier and not about hackers tampering with their device or accessing their information. I have been concerned about this issue for years, and am encouraged that the FDA is taking action on this issue."
    Mark Olson, CISO at Beth Israel Deaconess Medical Center in Boston, calls the FDA announcements "a very positive step." He says the FDA "is placing a requirement on the manufacturers to acknowledge that they need to be part of the solution in protecting their equipment at the customers' location. It is a well-balanced approach, placing joint responsibility on the vendor and the user of the products. For security practitioners, the model of joint responsibility is ideal."
    A vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks, federal officials have warned.
    Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware. 
    "Hundreds of medical devices have been affected, involving dozens of manufacturers," Maisel said, adding that many were infected by malicious software, or malware.

    This is a far cry from reporting less than a few years ago when denial of security problems was the norm in the medical device community.  See slide #42 from a talk at MIT for a look back in time, or see my complete list of past talks on medical device security

    Friday, June 7, 2013

    Hugo Campos, Ten People Who Changed the Medical Device Industry

    Medical device innovators may recall the mission of Hugo Campos to get access to his own medical telemetry from his implanted cardiac device. He wanted to know why he could not have access to the information his implant collects about his body. He has been named one of "10 People Who Changed the Medical Device Industry" by MDDI. His mission relates to medical device security because a security engineer needs to understand that security is not the only property for medical device engineering. Shudder to think, it's just one of many. Hugo gave a keynote presentation on his effort when I chaired the ACM MedCOMM Workshop a year ago.  Here's a look back at Hugo's keynote video.


    MedCOMM keynote address by Hugo Campos.
    Scroll the video to minute 6:00 to see the beginning of Hugo's talk.


    Tuesday, June 4, 2013

    Outcomes of Archimedes Workshop and AAMI Working Group on Improving Medical Device Security

    Two innovative events of importance to medical device security happened in the last few weeks in Ann Arbor, MI and Long Beach, CA. While the events are unrelated to each other, several Archimedians are involved with the AAMI working group on medical device security too.

    Medical device professionals solving security engineering
    problems at the Archimedes workshop in Ann Arbor.

    Over 60 professionals from medical device manufacturers and level-I trauma centers and security researchers attended the invitation-only Archimedes Workshop as part of the Ann Arbor Center for Medical Device Security in early May 2013. The goal was to form consensus over technical and managerial recommendations to resolve nine specific barriers to improving medical device security. As a result, medical device engineers were able to take back actionable information to develop smarter and more cost effective strategies to improve medical device security.  

    Archimedians roll up their sleeves
    to build security consensus.
    Archimedes is an industrial membership program for medical device manufacturers and information security companies. While we do not provide consulting, we do provide guidance on the hard questions a manufacturer should ask a prospective security company so as not to end up with hundreds of thousands of dollars of sunk costs on security snake oil. The bleeding-edge briefings and security education help engineers, architects, and management to make better business decisions for securing medical devices and to protect the brand and reputation so that patients receive the care they deserve. The center provides value to members via trust, training, and reputation.



    One engineer felt that meeting in the "C" room
    was inappropriate for an AAMI medical device
    security working group.  It was recast.
    A second medical device security event took place at the annual AAMI conference. AAMI is the Association for the Advancement of Medical Instrumentation, and Kevin Fu serves as one of the co-chairs of this working group on security. Participants came from several major medical device manufacturers as well as FDA and medical safety/security organizations. The humble goal of this first meeting was to identify security enggaps in existing guidance, standards, and best practices. Experts on several efforts and standards related to medical device security (e.g., IEC-80001) made presentations. More important, they identified the intended scope and limitations (by design) of each effort. For instance, some existing initiatives were created in response to US-centric HIPAA requirements on privacy rather than security. Because the terminology is murky, it is easy for an engineer to get confused on how security fits into the design process. The group had a lively discussion, and AAMI will shortly post slides and next steps related to improving the security of medical devices.

    Wednesday, May 22, 2013

    Stop the sensationalism of medical device security

    There have been some recent blog posts that sensationalize research on electromagnetic inference and medical devices. Worse, some statements are just factually wrong and misleading to the public. For instance, we did not use a Weezer song in any experiments involving defibrillators or pacemakers, and we did not conclude that listening to any music could harm medical devices. For an accurate non-technical summary of this work, read the MedGadget story.

    The full technical paper on mitigating the risks of electromagnetic interference on analog sensors appeared at the 34th Annual IEEE Symposium on Security and Privacy. The sky is not falling, and we're quite clear that patients can remain confident in the safety of their devices. Medical devices do a world of good.

    Thursday, March 28, 2013

    Health IT Week in Congress

    Several hearings on Health IT took place in the U.S. House last week. These discussions relate to medical device security because security is a property inextricable from other system properties such as safety. So that you don't have to dig thru hours of exciting YouTube videos more exciting than midnight CSPAN, here are a few interesting interactions I observed.

    Health IT: Harnessing Wireless Innovation

    Energy & Commerce Committee majority website.  Democrats website.

    Where do we draw the line on regulating mobile medical device apps? Bradley Merrill Thompson of the mHealth Regulatory Coalition offered a concise summary of his coalition's position, which is especially interesting because his organization represents a bag of diverse and potentially competing views (medical device manufactures, telecomm, mobile app developers, etc.). The consensus across all the witnesses appears to be: yes, regulation is necessary for things that meet the definition of a medical device. Some witnesses sought clarity on low-risk devices on to what degree they would be regulated.

    My understanding: Devices are regulated based on intended use. So if a device is marketed as performing medical diagnosis, it's almost certainly a medical device in the legal sense. And the witnesses agreed that medical devices ought to have regulatory review. For instance, diagnosis of melanoma with an iPhone would be hard to argue as not a medical device subject to review.




    Health Information Technologies: Administration Perspectives on Innovation and Regulation

    Energy & Commerce Committee website.  Democrats website.

    The hearing included witnesses from two groups within HHS. From a computer science and medical device interoperability perspective, the most interesting exchange was perhaps some baiting over getting hospital systems to have more interoperability between devices and clinical information systems. To paraphrase, the Chairman asked "can't you just fix that?" when quizzing officials the issue of interoperability. Readers can chime in on why it's so challenging to "just fix that" from both an engineering and procurement perspective. To the arm chair engineer, it may seem easy. Upon more careful inspection, one finds the problem turns out to be quite hard.



    Culture Clash of the Titans

    Innovation is important, but I sense a culture clash brewing between my discipline of computer science and that of safe medical device manufacturing. In computer science, we expect exponential increases in everything. Hockey stick economics!  In my humble but correct opinion, we're not arrogant; we're right. Sure. Problem with the software? The users are our beta testers.  Code, compile, regression test, ship, done. In medical device manufacturing of safety-critical devices, the culture is more reserved, measured, and safety focused. Hazard analysis, requirements engineering, validation, oh my! The culture of medical device manufacturing is more cautious for good historical reasons. I wonder what the persons killed or harmed by these past innovations would have said:
    • Thalidomide (innovative drug for morning sickness!  Unfortunately, the drug caused birth defects and missing limbs.)
    • Shoe fitting fluoroscopes (quite innovative!  But there were some post facto iss-shoes with safety and bone cancer.)

    Wednesday, March 13, 2013

    And Then There's MAUDE

    Students in the first graduate course in the nation on Medical Device Security would like to share their solutions to recent homework assignments. Feel free to augment with your own solutions or use in your own classes, but please do credit the students in Michigan's Medical Device Security course. Enjoy!


    Sunday, February 3, 2013

    Don't Type! Software Defects

    Don't Type!  That which holds the image of a bug becomes itself a bug.
    Today I learned a lesson on software defects while transcribing my handwritten lecture notes on, paradoxically, software defects in medical devices. I attempted to highlight recent examples of software defects.  The lesson can be summed up with this screenshot.

    Warning: reproduce at your own risk.  My moleskin notebook also appears to have spontaneously combusted after writing the magic eight characters.




    Thursday, January 31, 2013

    Call for Papers: USENIX HealthTech 2013

    USENIX recently released the call for papers for the annual HealthTech workshop to be held in Washington, DC on August 12, 2013. This academic workshop has expanded from its original "HealthSec" scope to now cover safety, security, privacy, and interoperability of health information technologies. Watch some of the past videos of speakers from academia, FDA, patient groups, and industry.

    The HealthTech workshop is a blend of peer-reviewed research papers from academia and innovative posters from industry. Several readers and contributors to this blog will be attending. The paper submission deadline is April 9, 2013.

    https://www.usenix.org/conference/healthtech13/call-for-papers

    Sunday, January 27, 2013

    Ther-Mix-A-Lot-25: Cybersecurity and compounders


    This week, students are writing essay responses to a fictional MAUDE report pertaining to cybersecurity of a fictional software-controlled compounder called the Ther-Mix-A-Lot-25. We'll shortly be sharing the best essay response from last week's topic of foreseeable cybersecurity risks.



    Thursday, January 17, 2013

    Fuzzing Philips X-Ray Equipment, Remote Exploit?

    Today there are news reports [Dark Reading, SC Magazine] about security problems found in a Philips medical device related to X-ray care delivery.

    The facts are not entirely clear to me. The capitalization errors in the reports cause me to maintain some skepticism. So I would suggest treating the news as "untrusted input" that needs to be independently verified before rushing to judgement. If I were a clinical engineer or IT administrator at a hospital, I'd keep a calm head and wait for official reports from FDA and the manufacturer.

    Last June, we posted a note about some red flags for the cybersecurity language describing a Phillips medical device. So it would not surprise me if such a device falls during Round One of fuzz testing. Getting security right is really hard, and there need to be more students learning the skills and concepts to improve the security of software-controlled medical devices.
    "We have a remote unauthenticated exploit for Xper, so if you same see an Xper machine on a network, then you can own it," Cylance researcher Billy Rios told SC.
    To pass the time, browse MAUDE for adverse events by typing "Philips" into the manufacturer box and "xper" into the brand box. Consider filing a MedWatch 3500 if you discover an adverse event involving cybersecurity. The form is a pain to use, but there are few alternatives available today.


    Sunday, January 13, 2013

    Graduate Course on Medical Device Security Launched

    What better place for a student to absorb material
    from the Medical Device Security course reader
    than in a functioning hot tub on the rooftop of the
    Bob and Betty Beyster Building in Michigan? 
    Last week, students at the University of Michigan joined an elective course on Medical Device Security to understand more about the challenges for improved medical device security. My academic colleagues who are security traditionalists may be shocked to see that the course will cover much more than just what appears at the top security conferences such as USENIX Security, IEEE Security and Privacy, and ACM CCS. I selected the course readings based on my belief that meaningful security only makes sense when considered in the context of other system properties like safety and dependability.  (Sorry if I did not list your favorite -ility.)

    The table of contents of the Medical Device Security course is online, and the course reader itself will be available tomorrow from Dollar Bill Copying. Note that additional online readings will appear later in a revised TOC. Because of copyright licensing, one must purchase materials in paper form rather than electronic. Urge your publishers to go electronic!