University Course Will Teach Medical Device Security

The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices.

Medical Device Security Poster
A graduate course at the University of Michigan will teach students about securing software-based medical devices.

The course, EECS 598-008 “Medical Device Security,” will teach graduate students in UMich’s Electrical Engineering and Computer Science program “the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.” It comes amid heightened scrutiny of the security of medical device hardware and software, as more devices are connected to IP-based hospital networks and add wireless monitoring and management functionality.

The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the US Food and Drug Administration (FDA) reported that software failures were the root cause of a quarter of all medical device recalls.

Security researchers have taken note. In February, 2012, security researcher Barnaby Jack demonstrated a method for hacking an implantable insulin pump by the firm Medtronic using a remote attack that could be used to deliver a fatal dose of insulin to diabetics. And this week at the annual S4 conference, researchers Billy Rios and Terry McCorkle will demonstrate glaring vulnerabilities in medical devices and management tools by prominent device makers. Reports about lax security in medical devices have prompted the Information Security and Privacy Advisory Board to send a letter (PDF) to the U.S. Office of Management and Budget (OMB) demanding that the U.S. government assign some body clear responsibility for the security of medical devices. So far, however, there has not been progress on that front.

The graduate course, taught by UMich Professor Dr. Kevin Fu, will cover not only the engineering concepts at work in modern medical devices, but also “human factors” and the laws and regulations shaping the market. Students will develop their skills for understanding device security, including reverse engineering, static analysis, fuzz testing, hazard analysis and requirements engineering. They’ll also study the security aspects of wireless, radio-frequency communications that have become a staple of many medical devices.

In an interview with The Security Ledger, Fu said that medical devices present a unique challenge for those interested in studying IT security. Unlike desktop and server systems, he said, medical devices are “high confidence” machines. “These devices aren’t supposed to fail in the same way that a desktop computing device does. There’s a lot more thought that goes into the safety and dependability of the device – it’s really closer to avionics,” he said.

That said, lax software security is common in the field and awareness of the downstream consequences of insecure design is only just dawning on manufacturers, which haven’t faced the same scrutiny on security as publishers of general purpose business and consumer software, Fu said. “Requirements engineering is not as common in this space as it should be,” he said. And few vendors talk about device and data security as integral elements of their products, he said. “It’s a complicated space,” he said.


  1. Any chance of procuring the material for this class for a self-study?

    I am a Security Manager of IT Compliance & Policies and work for Beaumont Health Systems. I would love to be able to at least have the material or arrange for Dr. Tu to come speak to our folks.

    Geri Hanspard, MA, CHS III, CISM, CRISC
    Corporate Information Services & Information Security
    Manager, Governance & IT Compliance
    Beaumont Health Systems
    100 E. Big Beaver, Suite 815
    Troy, MI 48083
