RIP Barnaby Jack

We were sad to hear that Barnaby Jack, a skilled ethical hacker who applied his keen intellect and infectious enthusiasm to medical-device security, died in San Francisco on July 25.  Among other accomplishments, he got a lot of technically inclined people interested in medical devices—which can only be good for the world.  May he rest in peace.  (Donations.)

WattsUpDoc: Detecting malware on medical devices via an instrumented power outlet

I will be presenting research results on how to detect malware on medical devices at USENIX HealthTech in Washington, D.C. on August 12th. Below is a summary of our research (lightly edited from the final paper). I would be happy to discuss the project at the workshop or before. We are particularly interested in collaborating with manufacturers and hospitals to further field test our prototype.

Health care networks are composed of general-purpose computers (e.g., desktop workstations) and embedded devices that perform specific functions and connect to the network for centralized control or configuration.  A primary drawback of increasing connectivity is that all devices on the network---including embedded devices---are increasingly exposed to malware [1,2]. The U.S. Food and Drug Administration has recently acknowledged these risks by issuing a safety communication concerning cybersecurity.

This pharmaceutical compounder is a medical device running Windows XP Embedded. In a controlled lab, we repeatedly infected such devices with malware to evaluate the effectiveness of WattsUpDoc.

Unfortunately, there are no simple solutions to this problem. Many embedded devices are incompatible with conventional software-based anti-malware mechanisms such as antivirus (AV) programs or networked intrusion-detection systems (NIDS). Traditional embedded devices commonly use custom firmware or OSes for which no antivirus program exists.  Other embedded medical devices are built with commodity hardware and software and are thus compatible with AV or NIDS, but some manufacturers explicitly forbid device owners to install OS security updates or antivirus software[3].

A high-level illustration of system deployment. WattsUpDoc monitors system behavior without affecting any inputs, outputs, or software. No software or hardware change is required on the device under observation.

Our paper addresses the challenge of malware on embedded systems by introducing WattsUpDoc, a behavior-monitoring system for embedded devices. WattsUpDoc relies on the side channel of systemwide power consumption, which leaks information about the system's computing activity without requiring any hardware or software modifications. WattsUpDoc uses machine-learning techniques to match patterns of power consumption. In our experiments, WattsUpDoc detected previously known malware with at least 94% accuracy and previously unknown malware with at least 85% accuracy on several embedded devices.

Using WattsUpDoc, device owners can gain greater visibility into the behavior of the systems they own.  WattsUpDoc can provide preliminary evidence of abnormal behavior, such as malware problems, signaling the need for further investigation. WattsUpDoc may also help to detect general abnormalities such as a failing hardware component or misconfigured software. With better visibility and earlier warnings, WattsUpDoc can help to detect problems that otherwise could lead to hazardous situations and harm.

--Shane Clark

USENIX HealthTech hosts medical device security panel from FDA, VA, and industry in DC

I am pleased to announce that representatives from FDA, the VA, and medical device manufacturing have agreed to participate in a technical panel on recent activity in the medical device security space. Early registration for the USENIX HealthTech Workshop ends on July 22. Note, this is a technical and research workshop. With a bit of policy to spice things up.

USENIX HealthTech Workshop on Safety, Security, Privacy, and Interoperability of Health Information Technologies

Monday, August 12, 2013
Hyatt Regency Washington on Capitol Hill
Washington, DC

The panel on "Health Data and Device Perspectives from Industry, Government, and Health Providers" takes place at 11AM and will focus on security and privacy related to recent news over the past year. Confirmed panelists include:


Brian Fitzgerald, Deputy Division Director, Division of Electrical and Software Engineering, U.S. Food & Drug Administration Center for Devices & Radiological Health

Ken Hoyme, Medical Device Consultant and Co-chair, AAMI Medical Device Security Working Group; Former Senior Fellow, Boston Scientific, Cardiac Rhythm Management

Lynette Sherrill, Deputy Director, Office of Information Security, Field Security Office, Health Information Security Division, Department of Veterans Affairs

Kevin Fu (moderator), Associate Professor and Director, Archimedes Center for Medical Device Security, Computer Science & Engineering, College of Engineering, University of Michigan






For a refresher course, look back at the video recordings from the predecessor workshop, HealthSec.

-Kevin Fu

Covered entities and medical device security

Mac McMillan has an interesting quote in a recent article, "FDA Warnings About ‘Cyberattacks’ Give CEs Leverage to Demand Better Security."

So where is OCR in all this? McMillan says the agency has been putting “pressure” on FDA and the Office of the National Coordinator for Health Information Technology (ONC) about this issue. However, OCR spokeswoman Rachel Seeger would say only that OCR had no “substantive” or “direct role in FDA’s guidance or warning.” 

McMillan says there is talk of creating some kind of system for assessing medical device security features akin to HHS’s meaningful use certifications that apply to electronic health records. Only those that meet certain criteria, which include certain access controls, can be purchased with federal funds (RPP 9/12, p. 4). CMS and ONC maintain a list of certified EHRs.

A version of this question was discussed by panelists from CMS and FDA (audio recording conveniently below).  In February 2012, I moderated a panel at the NIST Information Security & Privacy Board on the topic of economic incentives to improve medical device security.  The audio recording and discussion questions can be downloaded from our blog post.  The high bit: at the time, there were very few economic levers for covered entity to incentivize better cybersecurity in manufacturing of medical devices.  The draft guidance from FDA may provide an important lever for covered entities so that patients ultimately have safer and more effective medical devices.

-Kevin Fu

Public radio's Marketplace on medical device security

Radio is hip.

Yesterday, APM Marketplace presented a short audio segment on medical device cybersecurity that I presume aired on NPR. The piece is obviously not intended for digestion by an engineer, but instead presents the latest regulatory issues of medical device security for the layperson.

I presume the research that Dr. Castellanos refers to is this one from 2008. But there are plenty of other non-implantable devices that arguably bear more risk to public health by virtue of sheer quantity and area of attack surface. For instance, the incidents documented in our blog archive.