Tuesday, September 30, 2014

NBC Chicago interviews patients, physicians, and researchers on medical device security

The TV headline is hyperbolic, but the content is level-headed.

Tammy Leitner of NBC Chicago interviewed a number of patients, physicians, and researchers about the challenges of medical device security. Here's a link to the full video.

Had this interview happened in 2008, the tone would have likely been more confrontational. Remember when Archimedes researchers demonstrated radio-controlled security flaws in pacemaker/defibrillators (also see the Schneier commentary)? Back in 2008, manufacturers and FDA were not accustomed to interacting with security researchers reporting such software-based flaws. It's completely understandable. Imagine if an unfamiliar person showed up at your front door to point out security problems of your house. The outcome might be unpleasant. Thus, interactions initially got off to a rocky start. But that's the past.

Fast forward to 2014, and times have changed significantly for the better. The forward-thinking manufacturers, influential researchers, and health care providers regularly interact and help each other to improve medical device security. A few positive examples that brought researchers, clinicians, manufacturers, and regulators together include the draft technical information report on medical device cybersecurity by AAMI (the IETF equivalent of the medical manufacturing world), the Archimedes workshop, and the upcoming FDA workshop on medical device security.

So if you're a future graduate student or budding security researcher, I'd encourage you to read the technical papers from the short history of medical device security. It's no longer a cat-and-mouse game of pointing out buffer overflows and SQL injection attacks. The future is about interdisciplinary computing and health care research to produce technology, best practices, and policies that improve medical device security without interfering with the workflow or delivery of health care.

Sunday, September 28, 2014

FDA to hold workshop on medical device security

Every workshop needs a bench and a good Dremel. Photo credit: Travis Goodspeed

Update: The FDA workshop on medical device security filled to capacity, so there is now a wait list. But the webcast remains available.

Unless you've been living under a rock, you have probably heard the announcement about the FDA Workshop on Collaborative Approaches for Medical Device and Healthcare Cybersecurity. Or as the Google translation service explains (select translate Government-ese to English): it's an FDA workshop on medical device security.

This workshop is a follow-up to the draft FDA guidance on cybersecurity published in 2013 [here and here].

FDA workshops typically provide time to hear from a broad set of interest groups and stakeholders. In the hallways, you will likely see representatives or lobbyists from manufacturing associations, patient groups, physician groups, the cybersecurity industry, and more. And what might be surprising to the jaded reader: most attendees want the same thing, improved medical device security.

I will be moderating one of the technical panels at the FDA workshop, but I look forward to hearing the perspectives from all the panels.

Here's a quick look back at selected moments in medical device security history so you can prepare for the meeting of minds:

This list is far from complete, so feel free to suggest other moments of medical device security history by posting a comment on this blog along with a link to primary sources of written reports, videos, etc. Keep the bulleted text to one line.

Several other research papers on medical device security can be found on the http://secure-medicine.org/publications archive. You can also find all the secure-medicine.org blog postings indexed at http://blog.secure-medicine.org/p/index.html.