Course Asks University Students To Tackle Medical Device Insecurity

chicksdaddy writes "The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices. The course, EECS 598-008 'Medical Device Security' will teach graduate students in UMich's Electrical Engineering and Computer Science program 'the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.' The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the U.S. Food and Drug Administration reported that software failures were the root cause of a quarter of all medical device recalls (PDF)."

Windows 8 powered medical devices

[IcyNeko]

Will give you the Frowny face :( when your patient dies, citing an error in BREATH_INITIALIZATION.

Then it really will be a blue screen of DEATH

Re:

[ByOhTek]

No silly, Macs give you the frowny face.

Windows will just give you a hex string for a memory location that will disappear and try to reboot the patient before you can record it or make sense of it.

Re:

[Synerg1y]

To help troubleshoot, that flashing hex value was: 3a:28 .

Re:

[SonnyDog09]

No. The flashing hex value would be "DEAD"

Re:

[Synerg1y]

Nope, that's 44:45:41:44 .

Try this [dolcevie.com] to get the joke.

Re:

[davester666]

Where exactly am I supposed to insert the Windows 8 DVD?

Device Insecurity

[degeneratemonkey]

"Here I am, brain the size of a planet, and they tell me to take you up to the bridge. Call that job satisfaction? Cause I don't. "

Re:

[ArcadeMan]

Maybe you should replace the diodes down your left side.

Re:

[CCarrot]

Stethoscope: "Yeah, I know we're like, essential for diagnosis...and we have an honorable history and all. Did I ever tell you my granddad worked on Lincoln? Yeah, it's pretty cool to hear him talk about the old days, before there was even stainless steel or replaceable earpieces. But I still feel that the MRI gets all the credit nowadays, you know? It's so hard to measure up to something that big, with all those fancy displays..."

Grad Student: "So, do you feel anger towards the MRI?"

Stethoscope: "Yeah.

It's the vendors who say no OS updates and they ne

[Joe_Dragon]

It's the vendors who say no OS updates and some of them need to phone home as well.

overregulation...

[Anonymous Coward]

Meh... that industry is over-regulated. The excessive regulation is causing the very problems that it proposes to solve. No one can deploy fixes because each iteration has to go through draconian certifications. When a product in this field meets a deadline... that's it... so rather than releasing v1.0 which gets patched, it just goes out un-patched.

It's the classic argument against the waterfall model... hmmm... we planned really hard, but there were still problems... the solution is clearly to plan even harder next time. Doesnt work.

No one will make an innovative product, because they like the status quo. The incumbents are more than happy about the over-regulation, because the barrier to entry stops new entrants from entering the competition and reducing rents.

Take EHR... (electronic health records)... this is an easy problem... just have an electronic notebook and attach tests results as files, prescriptions as records, etc... why has it not been fixed? HIPPA and other regulatory restrictions. Oh no... we cant just save your chest X-Ray as a TIFF file with a date, time, and location... it must be part of an integrated database thing... seriously... the web (just a bunch of linked files) solved this problem decades ago.

Re:

[Synerg1y]

This story feels like a continuation of yesterday's discussion here: Health Care Providers Failing To Adopt e-Records, Says RAND [slashdot.org]

A lot more on EHR difficulties and regulation there. This is more about asking free labor students to fix the problem for senior industry "professionals".

Re:overregulation...

[ByOhTek]

Yeah, but without these regulations, crap designed to be cheap rather than attempted as a design to work would get pushed through, and people would die, while the con artist who did it would funnel the money away and find ways to hide behind the legal system.

At least there is some competition, even if it is slowed down, there are multiple companies in the market, and each will still try to get sales from the other guy.

Does security need improved? Yes. Will it happend? Eventually, when enough people are hurt from the lack of security. Deregulation will just spur a whole new slew of issues. Maybe something should instead be done to streamline the regulations.

Re:

[dkleinsc]

... people would die, while the con artist who did it would funnel the money away and find ways to hide behind the legal system.

It doesn't even have to be a con artist who causes people to die. It could even be a well-meaning developer who's trying to get a patch out quickly to fix a bug they've discovered, combined with a testing staff that failed to run Test 34C(iv) correctly. In other words, malice is not required, only human stupidity.

Re:

[ByOhTek]

I agree, however, I suspect you'd get a lot more issues from the con/fly-by-night groups.

answer to EHR is OSCAR

[Chirs]

OSCAR is an open-source electronic medical record system. My mom used it for years in her midwifery practice.

Unstructured electronic notebooks are no good...you want the important information to be in standardized locations/formats (for efficiency) and readily visible (to avoid mistakes). Ideally you want the web-based forms to look very much like the old paper forms to minimize disruption. OSCAR (and others, to be fair) allow this sort of thing.

Nice that this is a topic, but...

[iced_773]

Is this really newsworthy? CS departments everywhere have graduate seminars that cover hot topics in the field.

Article on Infected Medical Devices at Hospitals

[RandCraw]

Prof. Kevin Fu's course website points to a nice article at MIT Technology Review on the prevalence of S/W virii in medical devices at hospitals:

<URL:http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals/>

Source code access for medical devices

[twasserman]

I think that the FDA should require medical device makers to submit the source code of any device that is considered for approval. If someone is going to implant a device in my body, then I want the opportunity to see what it does and how it does it. What data is it collecting? What data is it transmitting? Can the operation of the device be modified or shut down over-the-air? As an example, is the algorithm for a heart pacemaker written efficiently so that battery life is maximized, thus reducing the need for repeated surgery?

This proposal raises the question of whether the creator of a device can protect the associated intellectual property if they are required to include source code as part of their submission for approval. I hope that we can have that discussion instead of continuing to treat all medical devices as black boxes.

Re:

[Blinkin1200]

That would be nice, but you are probably not going to have the chance to shop around. The ICD (defib + pacemaker) that gets implanted is going to be selected by your doctor, or their practice. It is going to come from the vendor they selected. The lead(s) that connect the device to your heart are going to come from the same vendor. You did want them to be compatible with your device, didn't you? You know, have the proper connectors to connect to the device, rather than have the doctor or someone in the

Re:

[slash.dt]

you may not have a choice to shop round to select your ICD, but choice of model for insulin pumps is definitely available to the end user. I don't have a general problem with my pump performance, but I would like to be able to make the delivery rate a bit more complex than the three options I currently have.

Re:

[foregather]

It isn't always that way. From back in 2010:

Killed by Code: Software Transparency in Implantable Medical Devices [softwarefreedom.org] (related video [igniteshow.com]) (BBC summary of the main story [bbc.co.uk])

Written primarily by a free software attorney whose doctors also recommended an implanted ICD and who examined 1) the regulatory requirements, 2) what the device makers have to actually submit to the FDA (not source code), and some other relevant security and design characteristics like just how close to you a controller device would need to be befo

Re:

[jpschaaf]

The FDA reported that 75% of recalls did not in any way involve a software failure.

I realize you're saying this tongue-in-cheek, but frankly, it's the better way of looking at it.

Ultimate ransomware

[TheGoodNamesWereGone]

Somewhere in Russia right now, a cybercrook is salivating at the prospect of being able to break into pacemakers and hold their owners' lives for ransom. The solution? DON'T CONNECT THE DAMN THINGS TO THE INTERNET.