Tuesday, June 18, 2013

HealthTech (née HealthSec): Now with Posters!

Now that the technical program of HealthTech 2013 has solidified, we want your great ideas in poster form at the HealthTech 2013 poster session!  One-page poster proposals are due June 25.

The HealthTech 2013 poster session will trap stakeholders from medicine and technology in a single room with controversial ideas and a bunch of snacks.  It will look something like this.  (Actual attendees may vary.  Photo from BNL.)

2013 USENIX Workshop on Health Information Technologies
August 12, 2013 — Washington DC
Call for Posters — Proposals due June 25, 2013

The poster session is a great opportunity to discuss new work and propose controversial ideas with stakeholders from academia, industry, government, and medicine in an informal social environment.

Relevant topics in HealthTech areas include, but are not limited to:

  • Preliminary or experimental work that has not yet been published
  • New or emerging technology to improve healthcare
  • Evidence of cross-cutting problems that need solutions
  • Highlights from deployments of health information technology (HIT), including surprising outcomes or unintended consequences
  • Controversial arguments for or against a specific HIT practice or technology

Space at the poster session is limited, so the poster committee will give special preference to exciting new results, projects led by students, and topics that are likely to generate fruitful interactions among attendees.

Refer to the full call for posters for submission instructions.  If you'd like to advertise this to your colleagues, students, families, and pets, here's a printable version (~2MB PDF).

See you there!

Thursday, June 13, 2013

FDA Publishes Draft Guidance on Medical Device Cybersecurity

A screenshot of the password process for a Thoratec Left
Ventricular Assist Device (LVAD) provided to Dr. Kevin Fu by
a physician he met on an airplane. What is the hazard analysis
associated with this security mechanism?
Today the FDA issued long awaited draft guidance on medical device cybersecurity. Engineers can find the cybersecurity document at FDA's website.  The PDF is here.  There is also a safety communication from FDA on cybersecurity. My take away is that this document acknowledges that cybersecurity is a real problem rather than theoretical problem. Unlike previous guidance on cybersecurity for specific types of COTS software, this guidance spells out more detail on cybersecurity responsibilities for a medical device manufacturer ranging from hazard analysis that incorporates cybersecurity to meaningful instructions for end users on malware protection. However, the document is quite short...

I'll update the list below as new information comes in.  Here are some juicy quotes.
Computer viruses and other malware increasingly are infecting equipment such as hospital computers used to view X-rays and CT scans and devices in cardiac catheterization labs, agency officials said. The problems cause the equipment to slow down or shut off, complicating patient care. As more devices operate on computer systems that are connected to each other, a hospital network and the Internet, the potential for problems rises dramatically, they said.
  • WSJ on "Patients Put at Risk by Computer Viruses"

    “We are aware of hundreds of medical devices that have been infected by malware,” or dangerous computer software, said Bill Maisel, a senior official at the FDA’s device unit. Though the agency doesn’t know of deaths or injuries resulting from this, he said, “it’s not difficult to imagine how these types of events could lead to patient harm.”
    For instance, previously unreleased Department of Veterans Affairs records show that since 2009, malware infected at least 327 devices at VA hospitals. More than 40 viruses hit devices including X-ray machines and lab equipment made by companies such as General Electric Co., Philips N.V. and Siemens AG.

    In one case, a VA catheterization laboratory was temporarily closed in January 2010, VA officials said. At that New Jersey facility, records show that malware had infected computer equipment needed for procedures to open blocked arteries after heart attacks. Separately, at a private Boston hospital, a virus caused a device to potentially expose sensitive patient information by sending it to outside servers.

  • WSJ on "Potential Cyberattacks on Implanted Medical Devices Draw Attention"
Worries over medical-device cybersecurity have largely focused on plugged-in equipment primarily used in hospitals, such as computed tomography scanners and heart monitors that are vulnerable to viruses traveling across medical networks.
Reps. Anna Eshoo (D-Calif.) and Edward Markey (D-Mass.) praised the Food and Drug Administration for directing device makers to explain how they will protect their products from hacking or tampering. 
"I welcome the FDA's tightening of security standards for medical devices capable of connecting to each other, hospital networks and the Internet," Eshoo said. "Medical devices have resulted in tremendous benefits, but the demonstrated risk from malicious hackers that comes with enhanced connectivity requires a more stringent effort by the FDA and manufacturers to identify, evaluate and plug the potentially serious security holes that exist."
"We already protect our computers and other communications devices from hackers and other cyber threats, and it makes sense to extend those protections to patients and their medical devices," Markey said. "Patients should only have to worry about getting healthier and not about hackers tampering with their device or accessing their information. I have been concerned about this issue for years, and am encouraged that the FDA is taking action on this issue."
Mark Olson, CISO at Beth Israel Deaconess Medical Center in Boston, calls the FDA announcements "a very positive step." He says the FDA "is placing a requirement on the manufacturers to acknowledge that they need to be part of the solution in protecting their equipment at the customers' location. It is a well-balanced approach, placing joint responsibility on the vendor and the user of the products. For security practitioners, the model of joint responsibility is ideal."
A vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks, federal officials have warned.
Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware. 
"Hundreds of medical devices have been affected, involving dozens of manufacturers," Maisel said, adding that many were infected by malicious software, or malware.

This is a far cry from reporting less than a few years ago when denial of security problems was the norm in the medical device community.  See slide #42 from a talk at MIT for a look back in time, or see my complete list of past talks on medical device security

Friday, June 7, 2013

Hugo Campos, Ten People Who Changed the Medical Device Industry

Medical device innovators may recall the mission of Hugo Campos to get access to his own medical telemetry from his implanted cardiac device. He wanted to know why he could not have access to the information his implant collects about his body. He has been named one of "10 People Who Changed the Medical Device Industry" by MDDI. His mission relates to medical device security because a security engineer needs to understand that security is not the only property for medical device engineering. Shudder to think, it's just one of many. Hugo gave a keynote presentation on his effort when I chaired the ACM MedCOMM Workshop a year ago.  Here's a look back at Hugo's keynote video.

MedCOMM keynote address by Hugo Campos.
Scroll the video to minute 6:00 to see the beginning of Hugo's talk.

Tuesday, June 4, 2013

Outcomes of Archimedes Workshop and AAMI Working Group on Improving Medical Device Security

Two innovative events of importance to medical device security happened in the last few weeks in Ann Arbor, MI and Long Beach, CA. While the events are unrelated to each other, several Archimedians are involved with the AAMI working group on medical device security too.

Medical device professionals solving security engineering
problems at the Archimedes workshop in Ann Arbor.

Over 60 professionals from medical device manufacturers and level-I trauma centers and security researchers attended the invitation-only Archimedes Workshop as part of the Ann Arbor Center for Medical Device Security in early May 2013. The goal was to form consensus over technical and managerial recommendations to resolve nine specific barriers to improving medical device security. As a result, medical device engineers were able to take back actionable information to develop smarter and more cost effective strategies to improve medical device security.  

Archimedians roll up their sleeves
to build security consensus.
Archimedes is an industrial membership program for medical device manufacturers and information security companies. While we do not provide consulting, we do provide guidance on the hard questions a manufacturer should ask a prospective security company so as not to end up with hundreds of thousands of dollars of sunk costs on security snake oil. The bleeding-edge briefings and security education help engineers, architects, and management to make better business decisions for securing medical devices and to protect the brand and reputation so that patients receive the care they deserve. The center provides value to members via trust, training, and reputation.

One engineer felt that meeting in the "C" room
was inappropriate for an AAMI medical device
security working group.  It was recast.
A second medical device security event took place at the annual AAMI conference. AAMI is the Association for the Advancement of Medical Instrumentation, and Kevin Fu serves as one of the co-chairs of this working group on security. Participants came from several major medical device manufacturers as well as FDA and medical safety/security organizations. The humble goal of this first meeting was to identify security enggaps in existing guidance, standards, and best practices. Experts on several efforts and standards related to medical device security (e.g., IEC-80001) made presentations. More important, they identified the intended scope and limitations (by design) of each effort. For instance, some existing initiatives were created in response to US-centric HIPAA requirements on privacy rather than security. Because the terminology is murky, it is easy for an engineer to get confused on how security fits into the design process. The group had a lively discussion, and AAMI will shortly post slides and next steps related to improving the security of medical devices.