This Wednesday, I'll be testifying in a U.S. House hearing to examine options to combat health care waste, fraud and abuse. This service has rustled up memories of my time as a tech gopher at Holland Community Hospital in the 1990s when the hospital deployed second-factor authentication tokens for clinicians (i.e., 2nd factor = something you have rather than something you know). One of my tasks was to write software to quickly and effectively detect incorrect entries in the hospital's voluminous general ledger. Medical billing records. So exciting. I remember replacing lost "authentication keys" for nurses and physicians who would visit my tiny time-shared desk next to the machine room for the soon-to-be-retired VAXen, line printer, and reel-to-reel backup. At the time, the authentication keys were literally shaped as plastic keys. Each clinical computer had a key reader connected via serial port. Clinicians would insert and twist the key in order to access the clinical computing systems. Removing the key resulted in automatic logout. I am told that the system lives on today in some form nearly 17 years later.
What's changed across the nation in terms of health care cybersecurity since the 1990s? Malware spreads by USB sticks and IP networks rather than 3.5" disks. Medical devices depend much more on networks and software. There are now so many layers of software dependencies, it's hard to even inventory what's in the trusted computing base.
I still have the wooden shoe presented to the staff who helped "go live" with this clinical computing system in Holland. Stored on a shelf right above my IHTFP propeller hat.
How do we begin to improve the information security of increasingly interconnected and wirelessly controlled medical devices? Starting with highly trained engineers who also appreciate the complexities of human factors and regulatory affairs. My upcoming Winter 2013 course at the University of Michigan on Medical Device Security will be the first of its kind in the nation to teach students about this topic. Students will learn the timeless concepts and cutting-edge skills in computer engineering, human factors, and regulatory policies that determine the safety and effectiveness of manufacturing software-controlled medical devices.
Students will apply the newly learned concepts and skills by analyzing the security of a real-world medical device in a hands-on term project. Interdisciplinary teams will consist of students from complementary backgrounds to mimic the composition of teams at medical device manufacturers and regulatory bodies. Occasional guest speakers from medical device manufacturers, hospitals, and government will complement the classroom activities with critical lessons from the front lines.