The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices.
The course, EECS 598-008 “Medical Device Security” will teach graduate students in UMich’s Electrical Engineering and Computer Science program “the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.” It comes amid heightened scrutiny of the security of medical device hardware and software, as more devices connected to IP-based hospital networks and add wireless monitoring and management functionality.
The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the US Food and Drug Administration (FDA) reported that software failures were the root cause of a quarter of all medical device recalls.
Security researches have taken note. In February, 2012, security researcher Barnaby Jack demonstrated a method for hacking an implantable insulin pump by the firm Medtronic using a remote attack that could be used to deliver a fatal dose of insulin to diabetics. And this week at the annual S4 conference, researchers Billy Rios and Terry McCorkle will demonstrate glaring vulnerabilities in medical devices and management tools by prominent device makers. Reports about lax security in medical devices has prompted the Information Security and Privacy Advisory Board to send a letter (PDF) to the U.S. Office of Management and Budget (OMB) demanding that the U.S. government assign some body clear responsibility for the security of medical devices. So far, however, there has not been progress on that front.
The graduate course, taught by UMich Professor Dr. Kevin Fu, will cover both the engineering concepts at work in modern medical devices, but also “human factors” and laws and regulations shaping the market. Students will develop their skills for understanding devices security, including reverse engineering, static analysis, fuzz testing, hazard analysis and requirements engineering. They’ll also study the security aspects of wireless, radio-frequency communications that have become a staple of many medical devices.
In an interview with The Security Ledger, Fu said that medical devices present a unique challenge for those interested in studying IT security. Unlike desktop and server systems, he said, medical devices are “high confidence” machines. “These devices aren’t supposed to fail in the same way that a desktop computing device does. There’s a lot more thought that goes into the safety and dependability of the device – it’s really closer to avionics,” he said.
That said, lax software security is common in the field and awareness of the downstream consequences of insecure design are only just dawning on manufacturers, which haven’t faced the same scrutiny on security as publishers of general purpose business and consumer software, Fu said. “Requirements engineering is not as common in this space as it should be,” he said. And few vendors talk about device and data security as integral elements of their products, he said. “Its a complicated space,” he said.