USENIX recently released the call for papers for the annual HealthTech workshop to be held in Washington, DC on August 12, 2013. This academic workshop has expanded from its original "HealthSec" scope to now cover safety, security, privacy, and interoperability of health information technologies. Watch some of the past videos of speakers from academia, FDA, patient groups, and industry.
The HealthTech workshop is a blend of peer-reviewed research papers from academia and innovative posters from industry. Several readers and contributors to this blog will be attending. The paper submission deadline is April 9, 2013.
https://www.usenix.org/conference/healthtech13/call-for-papers
When experts claim the sky is falling, we point out that you're just looking at the ground.
Thursday, January 31, 2013
Sunday, January 27, 2013
Ther-Mix-A-Lot-25: Cybersecurity and compounders
This week, students are writing essay responses to a fictional MAUDE report pertaining to cybersecurity of a fictional software-controlled compounder called the Ther-Mix-A-Lot-25. We'll shortly be sharing the best essay response from last week's topic of foreseeable cybersecurity risks.
Thursday, January 17, 2013
Fuzzing Philips X-Ray Equipment, Remote Exploit?
The facts are not entirely clear to me. The capitalization errors in the reports cause me to maintain some skepticism. So I would suggest treating the news as "untrusted input" that needs to be independently verified before rushing to judgement. If I were a clinical engineer or IT administrator at a hospital, I'd keep a calm head and wait for official reports from FDA and the manufacturer.
Last June, we posted a note about some red flags for the cybersecurity language describing a Philips medical device. So it would not surprise me if such a device falls during Round One of fuzz testing. Getting security right is really hard, and there need to be more students learning the skills and concepts to improve the security of software-controlled medical devices.
"We have a remote unauthenticated exploit for Xper, so if you see an Xper machine on a network, then you can own it," Cylance researcher Billy Rios told SC.
To pass the time, browse MAUDE for adverse events by typing "Philips" into the manufacturer box and "xper" into the brand box. Consider filing a MedWatch 3500 if you discover an adverse event involving cybersecurity. The form is a pain to use, but there are few alternatives available today.
Sunday, January 13, 2013
Graduate Course on Medical Device Security Launched
What better place for a student to absorb material from the Medical Device Security course reader than in a functioning hot tub on the rooftop of the Bob and Betty Beyster Building in Michigan?
The table of contents of the Medical Device Security course is online, and the course reader itself will be available tomorrow from Dollar Bill Copying. Note that additional online readings will appear later in a revised TOC. Because of copyright licensing, one must purchase materials in paper form rather than electronic. Urge your publishers to go electronic!