Tuesday, September 29, 2015

Medical Device Security Report at the National Academy of Engineering FOE

Prof. Fu speaking with fellow engineers at the NAE Beckman Center.
My newly released report, "On The Technical Debt of Medical Device Security," is available from the National Academy of Engineering web site.

Earlier this month, I spoke about medical device security at the annual "Frontiers of Engineering" event held by the National Academy of Engineering. All the talks were captivating and intellectually stimulating, including topics such as the James Webb Space Telescope, nanostructured metamaterials, and forecasting natural disasters.

One of the more memorable talks was by Jeremy Banik of the Air Force Research Laboratory who demonstrated a high strain composite mechanism by unrolling an innocent looking 1 ft long Carbon Storable Tubular Extendible Member into a sturdy 20+ ft pole. The pole automatically unfurls and makes a rather loud snap as it zips itself up. It's designed for deployment in space where payloads that fit the geometry of a rocket must expand to carry out large-diameter space missions. The audience asked if TSA had ever tried opening the roll, and the answer is no, but it would be tubular, dude.
Carbon Storable Tubular Extendible Member. Photo from Jeremy Banik.

Monday, September 14, 2015

A Musical Interlude to Medical Device Security

We at Archimedes have been busy running security engineering tutorials at medical device manufacturers and hospitals over the past several months, so we have not had the opportunity to post new material lately. We are also in the middle of scheduling various seminars on medical device security at hospitals as part of October's National Cybersecurity Awareness Month.

In the meantime...to brighten your day, here is a music video co-authored by yours truly about the woes of compilers, gdb, and autograders for programming homework to the tune of Taylor Swift's "Shake It Off."

Saturday, July 25, 2015

When Will a Medical Device Endure a Cybersecurity Recall?

Cybersecurity for the Internet of Things: A house of cars?
For years I wondered which would come first: a medical device cybersecurity recall or an automotive cybersecurity recall. We now have the answer. By now you must have heard that Fiat Chrysler has earned the honor of the first automotive cybersecurity recall, covering 1.4 million vehicles.

Issuing a recall is no light matter because there are subtle risk-benefit implications. For instance, a sudden recall of a medical device could carry risks that outweigh the benefits of a blanket recall. In a non-cybersecurity context, this debate arose not long ago when a defibrillator lead suffered a mechanical design flaw. Because extracting a lead whose tip has already bound to cardiac tissue can itself endanger the patient, replacement was recommended only for certain patients. So whereas automobiles have now been recalled for cybersecurity reasons, a different debate will be needed when some medical device eventually suffers a clinically relevant cybersecurity flaw. If the flawed device is not implanted and competing devices are available, a recall may make sense in the risk-benefit calculus because patients can switch to another device (e.g., an infusion pump or bedside monitor). On the other hand, blanket recalls are likely not the answer for implanted devices, where fewer alternatives exist and the patients already carry certain predisposing risks.

The medical device community should consider itself lucky that the automotive community has earned the dubious honor of having the first cybersecurity-only recall. Given the large number of medical devices, it's just a matter of time before some medical device company receives a painful, late-night phone call and confronts challenges similar to what Fiat Chrysler is now enduring.