Tuesday, June 4, 2013

Outcomes of Archimedes Workshop and AAMI Working Group on Improving Medical Device Security

Two innovative events of importance to medical device security happened in the last few weeks in Ann Arbor, MI and Long Beach, CA. While the events are unrelated to each other, several Archimedians are involved with the AAMI working group on medical device security too.

Medical device professionals solving security engineering problems at the Archimedes workshop in Ann Arbor.

Over 60 professionals from medical device manufacturers and level-I trauma centers and security researchers attended the invitation-only Archimedes Workshop as part of the Ann Arbor Center for Medical Device Security in early May 2013. The goal was to form consensus on technical and managerial recommendations to resolve nine specific barriers to improving medical device security. As a result, medical device engineers were able to take back actionable information to develop smarter and more cost-effective strategies to improve medical device security.

Archimedians roll up their sleeves to build security consensus.

Archimedes is an industrial membership program for medical device manufacturers and information security companies. While we do not provide consulting, we do provide guidance on the hard questions a manufacturer should ask a prospective security company so as not to end up with hundreds of thousands of dollars of sunk costs on security snake oil. The bleeding-edge briefings and security education help engineers, architects, and management to make better business decisions for securing medical devices and to protect the brand and reputation so that patients receive the care they deserve. The center provides value to members via trust, training, and reputation.

One engineer felt that meeting in the "C" room was inappropriate for an AAMI medical device security working group. It was recast.

A second medical device security event took place at the annual AAMI conference. AAMI is the Association for the Advancement of Medical Instrumentation, and Kevin Fu serves as one of the co-chairs of this working group on security. Participants came from several major medical device manufacturers as well as FDA and medical safety/security organizations. The humble goal of this first meeting was to identify security gaps in existing guidance, standards, and best practices. Experts on several efforts and standards related to medical device security (e.g., IEC-80001) made presentations. More important, they identified the intended scope and limitations (by design) of each effort. For instance, some existing initiatives were created in response to US-centric HIPAA requirements on privacy rather than security. Because the terminology is murky, it is easy for an engineer to get confused about how security fits into the design process. The group had a lively discussion, and AAMI will shortly post slides and next steps related to improving the security of medical devices.
