Slashdot Mirror

← Back to Stories (view on slashdot.org)

Course Asks University Students To Tackle Medical Device Insecurity

Posted by Soulskill on from the putting-your-pacemaker-through-its-paces dept.

chicksdaddy writes "The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices. The course, EECS 598-008 'Medical Device Security' will teach graduate students in UMich's Electrical Engineering and Computer Science program 'the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.' The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the U.S. Food and Drug Administration reported that software failures were the root cause of a quarter of all medical device recalls (PDF)."

38 comments

  1. Windows 8 powered medical devices by IcyNeko · · Score: 5, Funny

    Will give you the Frowny face :( when your patient dies, citing an error in BREATH_INITIALIZATION.

    Then it really will be a blue screen of DEATH

    1. Re:Windows 8 powered medical devices by Lawrence61 · · Score: 0

      Ban windows o/s as an operating system on any medical device...

    2. Re:Windows 8 powered medical devices by IcyNeko · · Score: 0

      Meanwhile, the iMedical Device will either throw you a worthless message with a skull and crossbones, then lock itself out until you reboot it... or it will spontaneously melt itself when you run too many monitoring devices. But hey, that's why you bought AppleCare for $50 billion, right?

    3. Re:Windows 8 powered medical devices by ByOhTek · · Score: 1

      No silly, Macs give you the frowny face.

      Windows will just give you a hex string for a memory location that will disappear and try to reboot the patient before you can record it or make sense of it.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    4. Re:Windows 8 powered medical devices by Synerg1y · · Score: 2

      To help troubleshoot, that flashing hex value was: 3a:28 .

    5. Re:Windows 8 powered medical devices by SonnyDog09 · · Score: 1

      No. The flashing hex value would be "DEAD"

      --
      Your "fair share" is NOT in my wallet.
    6. Re:Windows 8 powered medical devices by Synerg1y · · Score: 1

      Nope, that's 44:45:41:44 .

      Try this to get the joke.

    7. Re:Windows 8 powered medical devices by davester666 · · Score: 1

      Where exactly am I supposed to insert the Windows 8 DVD?

      --
      Sleep your way to a whiter smile...date a dentist!
    8. Re:Windows 8 powered medical devices by darkgrayknight · · Score: 0

      Windows 8 blue screen has :( in the new blue screen.

  2. Device Insecurity by degeneratemonkey · · Score: 4, Funny

    "Here I am, brain the size of a planet, and they tell me to take you up to the bridge. Call that job satisfaction? Cause I don't. "

    1. Re:Device Insecurity by ArcadeMan · · Score: 1

      Maybe you should replace the diodes down your left side.

      --
      Get free satoshi (Bitcoin) and Dogecoins
    2. Re:Device Insecurity by CCarrot · · Score: 2

      Stethoscope: "Yeah, I know we're like, essential for diagnosis...and we have an honorable history and all. Did I ever tell you my granddad worked on Lincoln? Yeah, it's pretty cool to hear him talk about the old days, before there was even stainless steel or replaceable earpieces. But I still feel that the MRI gets all the credit nowadays, you know? It's so hard to measure up to something that big, with all those fancy displays..."

      Grad Student: "So, do you feel anger towards the MRI?"

      Stethoscope: "Yeah...no...I don't know. It just flaunts it so much, you know? It's all like 'look, look, I can scan the entire body' and 'ooh, found that tumor' and stuff like that. But the basics are still important, right? Heart, lungs, those are still pretty key areas, am I correct?"

      Grad Student: "Of course they're important, we couldn't live without them. Let's circle back a bit and talk about your grand dad some more: did you get along with him and your dad? And how was your relationship with your mom, she was a sphygmomanometer, wasn't she?"

      Stethoscope: "Yeah, she was always pressuring us, but we loved her..."

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
  3. Easy class :) by Anonymous Coward · · Score: 0

    Not much there to study. :(

    Now, a class on what security in such devices SHOULD be, and why it isn't that way now and what politically- and economically-feasible solutions already exist or could be researched would be a great class.

  4. It's the vendors who say no OS updates and they ne by Joe_Dragon · · Score: 1

    It's the vendors who say no OS updates and some of them need to phone home as well.

  5. overregulation... by Anonymous Coward · · Score: 4, Insightful

    Meh... that industry is over-regulated. The excessive regulation is causing the very problems that it proposes to solve. No one can deploy fixes because each iteration has to go through draconian certifications. When a product in this field meets a deadline... that's it... so rather than releasing v1.0 which gets patched, it just goes out un-patched.

    It's the classic argument against the waterfall model... hmmm... we planned really hard, but there were still problems... the solution is clearly to plan even harder next time. Doesnt work.

    No one will make an innovative product, because they like the status quo. The incumbents are more than happy about the over-regulation, because the barrier to entry stops new entrants from entering the competition and reducing rents.

    Take EHR... (electronic health records)... this is an easy problem... just have an electronic notebook and attach tests results as files, prescriptions as records, etc... why has it not been fixed? HIPPA and other regulatory restrictions. Oh no... we cant just save your chest X-Ray as a TIFF file with a date, time, and location... it must be part of an integrated database thing... seriously... the web (just a bunch of linked files) solved this problem decades ago.

    1. Re:overregulation... by Synerg1y · · Score: 1

      This story feels like a continuation of yesterday's discussion here: Health Care Providers Failing To Adopt e-Records, Says RAND

      A lot more on EHR difficulties and regulation there. This is more about asking free labor students to fix the problem for senior industry "professionals".

    2. Re:overregulation... by ByOhTek · · Score: 3, Interesting

      Yeah, but without these regulations, crap designed to be cheap rather than attempted as a design to work would get pushed through, and people would die, while the con artist who did it would funnel the money away and find ways to hide behind the legal system.

      At least there is some competition, even if it is slowed down, there are multiple companies in the market, and each will still try to get sales from the other guy.

      Does security need improved? Yes. Will it happend? Eventually, when enough people are hurt from the lack of security. Deregulation will just spur a whole new slew of issues. Maybe something should instead be done to streamline the regulations.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    3. Re:overregulation... by Anonymous Coward · · Score: 0

      They could just leave everything in beta and charge a bunch more money. That is once it gets to human testing with the device.

    4. Re:overregulation... by Anonymous Coward · · Score: 0

      I can't wait to bring the glorious results of our deregulated financial system to health care.

    5. Re:overregulation... by dkleinsc · · Score: 2

      ... people would die, while the con artist who did it would funnel the money away and find ways to hide behind the legal system.

      It doesn't even have to be a con artist who causes people to die. It could even be a well-meaning developer who's trying to get a patch out quickly to fix a bug they've discovered, combined with a testing staff that failed to run Test 34C(iv) correctly. In other words, malice is not required, only human stupidity.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    6. Re:overregulation... by Anonymous Coward · · Score: 0

      Insightful? It reads like it's written by someone who has never been involved with clinical IT - an "electrobic notebook" with test results as files FFS.

    7. Re:overregulation... by Anonymous Coward · · Score: 0

      No one can deploy fixes because each iteration has to go through draconian certifications.

      That's actually not true. Another post on the same blog debunks that myth. It says that most updates will fall under the review threshold.
        See the post here

    8. Re:overregulation... by ByOhTek · · Score: 1

      I agree, however, I suspect you'd get a lot more issues from the con/fly-by-night groups.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
  6. Softers by Anonymous Coward · · Score: 0

    The course is run by a Softer. It will be nothing but BS and excuses.

  7. Possible starting points... by Anonymous Coward · · Score: 0

    First, devices use different interfaces. Something that uses radio (such as a modern pacemaker that really can't be plugged in to much) has to have more thought than a device that is plugged in 24/7, such as an electrode that is attached via sticky tape and removed when done.

    Second, denial of use can be just as much a threat as getting access. For example, if a device will turn itself off if it gets too many failed access attempts, someone wanting to wreak havoc could just run random guesses in a hospital and lock everyone out there.

    Third, limit the functions. If the device does not need read/write access, make it read only. If the device does not need to be monitored, then have access turned off. Limiting access and separation/compartmentalization will go a long way with ensuring security as opposed to lots of coding and the QA/debugging required, especially on a life-critical item.

  8. Nice that this is a topic, but... by iced_773 · · Score: 1

    Is this really newsworthy? CS departments everywhere have graduate seminars that cover hot topics in the field.

  9. answer to EHR is OSCAR by Chirs · · Score: 2

    OSCAR is an open-source electronic medical record system. My mom used it for years in her midwifery practice.

    Unstructured electronic notebooks are no good...you want the important information to be in standardized locations/formats (for efficiency) and readily visible (to avoid mistakes). Ideally you want the web-based forms to look very much like the old paper forms to minimize disruption. OSCAR (and others, to be fair) allow this sort of thing.

  10. JHU anyone? by Anonymous Coward · · Score: 0

    Ever heard of Johns Hopkins Information Security Institute?

  11. Article on Infected Medical Devices at Hospitals by RandCraw · · Score: 1

    Prof. Kevin Fu's course website points to a nice article at MIT Technology Review on the prevalence of S/W virii in medical devices at hospitals:

    <URL:http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals/>

  12. Source code access for medical devices by twasserman · · Score: 4, Insightful
    I think that the FDA should require medical device makers to submit the source code of any device that is considered for approval. If someone is going to implant a device in my body, then I want the opportunity to see what it does and how it does it. What data is it collecting? What data is it transmitting? Can the operation of the device be modified or shut down over-the-air? As an example, is the algorithm for a heart pacemaker written efficiently so that battery life is maximized, thus reducing the need for repeated surgery?

    This proposal raises the question of whether the creator of a device can protect the associated intellectual property if they are required to include source code as part of their submission for approval. I hope that we can have that discussion instead of continuing to treat all medical devices as black boxes.

    1. Re:Source code access for medical devices by Blinkin1200 · · Score: 2

      That would be nice, but you are probably not going to have the chance to shop around. The ICD (defib + pacemaker) that gets implanted is going to be selected by your doctor, or their practice. It is going to come from the vendor they selected. The lead(s) that connect the device to your heart are going to come from the same vendor. You did want them to be compatible with your device, didn't you? You know, have the proper connectors to connect to the device, rather than have the doctor or someone in the room cut off the connections and solder on the correct ones for your device before they implant it. Yes, I'm sure they can solder coax in a sterile environment.

      My ICD was strongly suggested because my ejection fraction (how much your heart pumps out when it beats) was such that there was a high probability that I could fall over dead at some point. I didn't go car shopping to see which one got the best gas mileage, had XM radio, 4WD, etc. I didn't ask for the source code, as I didn't when we bought our last car - you did get the source code to your cars' computer, didn't you? I went with the device the doctor had selected. Later I found out other cardiologist groups in the area used several different manufacturers and were not familiar with mine.

      BTW - communications with all ICDs is wireless - you do not have a bunch of wires and a connector hanging out of your chest (usual location is upper left on chest). The programming and monitoring is performed over the air so to say. I have been able to communicate with my device up to about 10 M. It does make a rather loud noise whenever I place a magnet over it to disable it temporarily (there are times when I did not want it to fire unexpectedly). Some devices, not mine, have the ability to communicate with a local device / base station that collects data sensed by the device and relays that data to a remote server so someone can monitor your device. The base station could be sitting on a night stand next to your bed and collect data while you sleep, others collect the data when you enter the room.

      RE: battery life and repeated surgery - when I last looked, the batteries in these devices are expected to last 5 to 7 years. That said, my device is on a watch list where the battery life may be shorter than expected.

      As a comment to a post above regarding 'over-regulation' - take a look at the FDA web site and the approval process. It is difficult to get the first one approved. When you produce the second / next generation, all you have to do is say that it is 'like' the first one and the approval process is a lot less difficult.

    2. Re:Source code access for medical devices by slash.dt · · Score: 1

      you may not have a choice to shop round to select your ICD, but choice of model for insulin pumps is definitely available to the end user. I don't have a general problem with my pump performance, but I would like to be able to make the delivery rate a bit more complex than the three options I currently have.

    3. Re:Source code access for medical devices by foregather · · Score: 1

      It isn't always that way. From back in 2010:

      Killed by Code: Software Transparency in Implantable Medical Devices (related video) (BBC summary of the main story)

      Written primarily by a free software attorney whose doctors also recommended an implanted ICD and who examined 1) the regulatory requirements, 2) what the device makers have to actually submit to the FDA (not source code), and some other relevant security and design characteristics like just how close to you a controller device would need to be before being able to connect with and control your implanted device, in order to make an informed decision about the surgery.

      One of the most important issues discovered during this process was just how little doctors had through of these issues, if at all. If your doctor is recommending an implanted device, whatever you decide about the treatment, it is important to discuss these issues with your doctors and help them understand your concerns.

  13. You're holding it upside down by Anonymous Coward · · Score: 0

    The FDA reported that 75% of recalls did not in any way involve a software failure. From which one may conclude that the platform is robust and mature. So all of you smartasses bashing Windows to make yourselves look 1337 have just made the case that it is mature and robust.

    1. Re:You're holding it upside down by jpschaaf · · Score: 1

      The FDA reported that 75% of recalls did not in any way involve a software failure.

      I realize you're saying this tongue-in-cheek, but frankly, it's the better way of looking at it.

  14. Ultimate ransomware by TheGoodNamesWereGone · · Score: 1

    Somewhere in Russia right now, a cybercrook is salivating at the prospect of being able to break into pacemakers and hold their owners' lives for ransom. The solution? DON'T CONNECT THE DAMN THINGS TO THE INTERNET.