The full technical paper on mitigating the risks of electromagnetic interference on analog sensors appeared at the 34th Annual IEEE Symposium on Security and Privacy. The sky is not falling, and we're quite clear that patients can remain confident in the safety of their devices. Medical devices do a world of good.
Ann Arbor Research Center for Medical Device Security
Official blog of the Ann Arbor Research Center for Medical Device Security, a cross-disciplinary research initiative on medical device security, privacy, safety, and effectiveness.
Wednesday, May 22, 2013
Stop the sensationalism of medical device security
There have been some recent blog posts that sensationalize research on electromagnetic interference and medical devices. Worse, some statements are just factually wrong and misleading to the public. For instance, we did not use a Weezer song in any experiments involving defibrillators or pacemakers, and we did not conclude that listening to any music could harm medical devices. For an accurate non-technical summary of this work, read the MedGadget story.
Thursday, March 28, 2013
Health IT Week in Congress
Several hearings on Health IT took place in the U.S. House last week. These discussions relate to medical device security because security is a property inextricable from other system properties such as safety. So that you don't have to dig through hours of exciting YouTube videos more exciting than midnight CSPAN, here are a few interesting interactions I observed.
Health IT: Harnessing Wireless Innovation
Energy & Commerce Committee majority website. Democrats website.
Where do we draw the line on regulating mobile medical device apps? Bradley Merrill Thompson of the mHealth Regulatory Coalition offered a concise summary of his coalition's position, which is especially interesting because his organization represents a bag of diverse and potentially competing views (medical device manufacturers, telecom, mobile app developers, etc.). The consensus across all the witnesses appears to be: yes, regulation is necessary for things that meet the definition of a medical device. Some witnesses sought clarity on the degree to which low-risk devices would be regulated.
My understanding: Devices are regulated based on intended use. So if a device is marketed as performing medical diagnosis, it's almost certainly a medical device in the legal sense. And the witnesses agreed that medical devices ought to have regulatory review. For instance, diagnosis of melanoma with an iPhone would be hard to argue as not a medical device subject to review.
Health Information Technologies: Administration Perspectives on Innovation and Regulation
Energy & Commerce Committee website. Democrats website.
The hearing included witnesses from two groups within HHS. From a computer science and medical device interoperability perspective, the most interesting exchange was perhaps some baiting over getting hospital systems to have more interoperability between devices and clinical information systems. To paraphrase, the Chairman asked "can't you just fix that?" when quizzing officials on the issue of interoperability. Readers can chime in on why it's so challenging to "just fix that" from both an engineering and procurement perspective. To the armchair engineer, it may seem easy. Upon more careful inspection, one finds the problem turns out to be quite hard.
Culture Clash of the Titans
Innovation is important, but I sense a culture clash brewing between my discipline of computer science and that of safe medical device manufacturing. In computer science, we expect exponential increases in everything. Hockey stick economics! In my humble but correct opinion, we're not arrogant; we're right. Sure. Problem with the software? The users are our beta testers. Code, compile, regression test, ship, done. In medical device manufacturing of safety-critical devices, the culture is more reserved, measured, and safety focused. Hazard analysis, requirements engineering, validation, oh my! The culture of medical device manufacturing is more cautious for good historical reasons. I wonder what the persons killed or harmed by these past innovations would have said:
- Thalidomide (innovative drug for morning sickness! Unfortunately, the drug caused birth defects and missing limbs.)
- Shoe fitting fluoroscopes (quite innovative! But there were some post facto iss-shoes with safety and bone cancer.)
Wednesday, March 13, 2013
And Then There's MAUDE
- The whole class used crowd sourcing to search for interesting MAUDE reports that pertain to software and security problems [Google Doc] in response to And Then There's MAUDE
- Tejaswi Worlikar [PDF] shared her excellent essay in response to the Ther-Mix-A-Lot-25
- Nathan Roberts [PDF] shares his excellent essay in response to Foreseeable Cybersecurity Risks
