Thursday, October 30, 2014

Hot Topic: Ebola, Technology, and Science

Is your IR camera giving you accurate
temperature readings to diagnose Ebola??
Maybe, maybe not.  Re-calibration and angle
causes a 9 degree difference on this IR camera.


This post diverges from medical device security for a moment to address some technical issues related to persons asymptomatic of Ebola. I happen to carry an infrared camera wherever I go. My lab uses it in research, and to leave secret thermal handprint messages on walls (they last about 5 minutes at my office).  I'd like to demonstrate why one should take with a grain of salt the accuracy of temperature readings from infrared imaging to diagnose Ebola.

Reports claim that nurse Kaci Hickox registered an elevated temperature on an infrared scan, but then showed negative for fever with an oral thermometer.  This is not surprising, given that infrared cameras are prone to inaccurate results for all sorts of reasons ranging from reflected light, improper or poorly trained use, calibration, thermal changes on the surface of the sensor, or the condition of the subject.  (Did you just hear a dirty joke and blush?  Or were you upset by an overzealous agent?)   Different IR cameras have different sensitivities, and liquid-cooled sensors will have different properties as well. So I surmise that an IR camera used by an airport security guard will have a higher probability of detecting dirty jokes with low false positives than detecting Ebola with low false positives. Thermal cameras are just tools, but one must choose the right tool for diagnosis. Try taking an IR photo of a row of recently used toilets if you want to feel especially squeamish in exercising the least recently used principle.

Don't trust the digital readings from an infrared camera unless you are trained on its measurement and experimental error.  The absolute numbers are meaningless on their own. Watch MIT Prof. Walter Lewin's physics lecture on measurement error for certainty on this subject.

"Any measurement that you make without the knowledge of its uncertainty is completely meaningless." -Professor Walter Lewin, MIT

Thursday, October 23, 2014

Medical device cybersecurity actions and outcomes

After two days of vigorous discussion at the FDA workshop on medical device cybersecurity, Dr. Suzanne Schwartz ended by challenging attendees to commit to (1) a specific cybersecurity action to take in the next week, and (2) a specific cybersecurity outcome to achieve in the next year.

My action for the next week is to create a meme for security engineering.  Here's my attempt.

Original image from here.


Saturday, October 18, 2014

FDA visits NIST federal advisory committee on security and privacy



Suzanne Schwartz (FDA), Key Hoyme (Adventium Labs),
Gary McGraw (Cigital), and Kevin Fu (Univ. Michigan)
Update 11/6/2014: The audio recording is now available below.


On Friday, October 24, 2014 at 9AM in Washington, DC, the NIST Information Security and Privacy Advisory Board (ISPAB) will hold a public panel on "Updates on Embedded Device Cybersecurity: Medical Devices to Automobiles."

Coming on the heels of the FDA workshop on cybersecurity, this panel will provide cutting edge updates on federal policies and industry perspectives on embedded security. The panelists include:

What will the three PhDs and MD say? For details on the meeting agenda and location, see the following PDF.

Tuesday, October 14, 2014

3rd Annual Archimedes Workshop on Medical Device Security

Dozens of medical device and security experts
converge in Ann Arbor each summer.
Engineers from medical device manufacturers, safety and security officers from health care providers, Archimedes members, and special guests will converge in Ann Arbor, Michigan for the 3rd Annual Archimedes Workshop on Medical Device Security May 4-5, 2015. This invitation-only event brings together solution-oriented experts in medical device manufacturing and computer security to discuss the new FDA cybersecurity guidance and how to improve information security.

Friday, October 3, 2014

EHR software and ebola, what could possibly go wrong?

Forget malware on medical devices. Try ebola. The Atlantic is reporting that software flaws in the exchange of Electronic Health Records (EHRs) is partly to blame for an ebola patient being sent home from Texas Health Dallas.  More information appears on the hospital's website.

According to Bloomberg news, the EHR software at Texas Health Dallas is made by Epic Systems Corp.

Wednesday, October 1, 2014

FDA issues final version of long-awaited cybersecurity guidance

The long-awaited guidance will help resolve past
uncertainties about expectations of cybersecurity
in the pre-market review of medical devices.
Today, FDA issued its long-awaited cybersecurity guidance for pre-market review of medical devices.  This is a document years in the making.

A PDF of the actual guidance document appears here.

A second draft cybersecurity guidance document on post-market practices (e.g., vulnerability and incident reporting) is expected later this year.