Thursday, January 31, 2013

Call for Papers: USENIX HealthTech 2013

USENIX recently released the call for papers for the annual HealthTech workshop to be held in Washington, DC on August 12, 2013. This academic workshop has expanded from its original "HealthSec" scope to now cover safety, security, privacy, and interoperability of health information technologies. Watch some of the past videos of speakers from academia, FDA, patient groups, and industry.

The HealthTech workshop is a blend of peer-reviewed research papers from academia and innovative posters from industry. Several readers and contributors to this blog will be attending. The paper submission deadline is April 9, 2013.

Sunday, January 27, 2013

Ther-Mix-A-Lot-25: Cybersecurity and compounders

This week, students are writing essay responses to a fictional MAUDE report pertaining to cybersecurity of a fictional software-controlled compounder called the Ther-Mix-A-Lot-25. We'll shortly be sharing the best essay response from last week's topic of foreseeable cybersecurity risks.

Thursday, January 17, 2013

Fuzzing Philips X-Ray Equipment, Remote Exploit?

Today there are news reports [Dark Reading, SC Magazine] about security problems found in a Philips medical device related to X-ray care delivery.

The facts are not entirely clear to me. The capitalization errors in the reports cause me to maintain some skepticism. So I would suggest treating the news as "untrusted input" that needs to be independently verified before rushing to judgement. If I were a clinical engineer or IT administrator at a hospital, I'd keep a calm head and wait for official reports from FDA and the manufacturer.

Last June, we posted a note about some red flags in the cybersecurity language describing a Philips medical device. So it would not surprise me if such a device falls during Round One of fuzz testing. Getting security right is really hard, and there need to be more students learning the skills and concepts to improve the security of software-controlled medical devices.

"We have a remote unauthenticated exploit for Xper, so if you can see an Xper machine on a network, then you can own it," Cylance researcher Billy Rios told SC.

To pass the time, browse MAUDE for adverse events by typing "Philips" into the manufacturer box and "xper" into the brand box. Consider filing a MedWatch 3500 if you discover an adverse event involving cybersecurity. The form is a pain to use, but there are few alternatives available today.

Sunday, January 13, 2013

Graduate Course on Medical Device Security Launched

What better place for a student to absorb material from the Medical Device Security course reader than in a functioning hot tub on the rooftop of the Bob and Betty Beyster Building in Michigan?

Last week, students at the University of Michigan joined an elective course on Medical Device Security to understand more about the challenges for improved medical device security. My academic colleagues who are security traditionalists may be shocked to see that the course will cover much more than just what appears at the top security conferences such as USENIX Security, IEEE Security and Privacy, and ACM CCS. I selected the course readings based on my belief that meaningful security only makes sense when considered in the context of other system properties like safety and dependability. (Sorry if I did not list your favorite -ility.)

The table of contents of the Medical Device Security course is online, and the course reader itself will be available tomorrow from Dollar Bill Copying. Note that additional online readings will appear later in a revised TOC. Because of copyright licensing, one must purchase materials in paper form rather than electronic. Urge your publishers to go electronic!