Slashdot Mirror


Course Asks University Students To Tackle Medical Device Insecurity

chicksdaddy writes "The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices. The course, EECS 598-008 'Medical Device Security' will teach graduate students in UMich's Electrical Engineering and Computer Science program 'the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.' The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the U.S. Food and Drug Administration reported that software failures were the root cause of a quarter of all medical device recalls (PDF)."

10 of 38 comments

  1. Windows 8 powered medical devices by IcyNeko · · Score: 5, Funny

    Will give you the Frowny face :( when your patient dies, citing an error in BREATH_INITIALIZATION.

    Then it really will be a blue screen of DEATH

    1. Re:Windows 8 powered medical devices by Synerg1y · · Score: 2

      To help troubleshoot, that flashing hex value was: 3a:28 .

  2. Device Insecurity by degeneratemonkey · · Score: 4, Funny

    "Here I am, brain the size of a planet, and they tell me to take you up to the bridge. Call that job satisfaction? Cause I don't. "

    1. Re:Device Insecurity by CCarrot · · Score: 2

      Stethoscope: "Yeah, I know we're like, essential for diagnosis...and we have an honorable history and all. Did I ever tell you my granddad worked on Lincoln? Yeah, it's pretty cool to hear him talk about the old days, before there was even stainless steel or replaceable earpieces. But I still feel that the MRI gets all the credit nowadays, you know? It's so hard to measure up to something that big, with all those fancy displays..."

      Grad Student: "So, do you feel anger towards the MRI?"

      Stethoscope: "Yeah...no...I don't know. It just flaunts it so much, you know? It's all like 'look, look, I can scan the entire body' and 'ooh, found that tumor' and stuff like that. But the basics are still important, right? Heart, lungs, those are still pretty key areas, am I correct?"

      Grad Student: "Of course they're important, we couldn't live without them. Let's circle back a bit and talk about your granddad some more: did you get along with him and your dad? And how was your relationship with your mom, she was a sphygmomanometer, wasn't she?"

      Stethoscope: "Yeah, she was always pressuring us, but we loved her..."

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
  3. overregulation... by Anonymous Coward · · Score: 4, Insightful

    Meh... that industry is over-regulated. The excessive regulation is causing the very problems that it proposes to solve. No one can deploy fixes because each iteration has to go through draconian certifications. When a product in this field meets a deadline... that's it... so rather than releasing v1.0 which gets patched, it just goes out un-patched.

    It's the classic argument against the waterfall model... hmmm... we planned really hard, but there were still problems... the solution is clearly to plan even harder next time. Doesn't work.

    No one will make an innovative product, because they like the status quo. The incumbents are more than happy about the over-regulation, because the barrier to entry stops new entrants from entering the competition and reducing rents.

    Take EHR... (electronic health records)... this is an easy problem... just have an electronic notebook and attach test results as files, prescriptions as records, etc... why has it not been fixed? HIPAA and other regulatory restrictions. Oh no... we can't just save your chest X-Ray as a TIFF file with a date, time, and location... it must be part of an integrated database thing... seriously... the web (just a bunch of linked files) solved this problem decades ago.

    1. Re:overregulation... by ByOhTek · · Score: 3, Interesting

      Yeah, but without these regulations, crap designed to be cheap rather than attempted as a design to work would get pushed through, and people would die, while the con artist who did it would funnel the money away and find ways to hide behind the legal system.

      At least there is some competition, even if it is slowed down, there are multiple companies in the market, and each will still try to get sales from the other guy.

      Does security need to be improved? Yes. Will it happen? Eventually, when enough people are hurt from the lack of security. Deregulation will just spur a whole new slew of issues. Maybe something should instead be done to streamline the regulations.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    2. Re:overregulation... by dkleinsc · · Score: 2

      ... people would die, while the con artist who did it would funnel the money away and find ways to hide behind the legal system.

      It doesn't even have to be a con artist who causes people to die. It could even be a well-meaning developer who's trying to get a patch out quickly to fix a bug they've discovered, combined with a testing staff that failed to run Test 34C(iv) correctly. In other words, malice is not required, only human stupidity.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
  4. answer to EHR is OSCAR by Chirs · · Score: 2

    OSCAR is an open-source electronic medical record system. My mom used it for years in her midwifery practice.

    Unstructured electronic notebooks are no good...you want the important information to be in standardized locations/formats (for efficiency) and readily visible (to avoid mistakes). Ideally you want the web-based forms to look very much like the old paper forms to minimize disruption. OSCAR (and others, to be fair) allow this sort of thing.

  5. Source code access for medical devices by twasserman · · Score: 4, Insightful

    I think that the FDA should require medical device makers to submit the source code of any device that is considered for approval. If someone is going to implant a device in my body, then I want the opportunity to see what it does and how it does it. What data is it collecting? What data is it transmitting? Can the operation of the device be modified or shut down over-the-air? As an example, is the algorithm for a heart pacemaker written efficiently so that battery life is maximized, thus reducing the need for repeated surgery?

    This proposal raises the question of whether the creator of a device can protect the associated intellectual property if they are required to include source code as part of their submission for approval. I hope that we can have that discussion instead of continuing to treat all medical devices as black boxes.

    1. Re:Source code access for medical devices by Blinkin1200 · · Score: 2

      That would be nice, but you are probably not going to have the chance to shop around. The ICD (defib + pacemaker) that gets implanted is going to be selected by your doctor, or their practice. It is going to come from the vendor they selected. The lead(s) that connect the device to your heart are going to come from the same vendor. You did want them to be compatible with your device, didn't you? You know, have the proper connectors to connect to the device, rather than have the doctor or someone in the room cut off the connections and solder on the correct ones for your device before they implant it. Yes, I'm sure they can solder coax in a sterile environment.

      My ICD was strongly suggested because my ejection fraction (how much your heart pumps out when it beats) was such that there was a high probability that I could fall over dead at some point. I didn't go car shopping to see which one got the best gas mileage, had XM radio, 4WD, etc. I didn't ask for the source code, as I didn't when we bought our last car - you did get the source code to your car's computer, didn't you? I went with the device the doctor had selected. Later I found out other cardiologist groups in the area used several different manufacturers and were not familiar with mine.

      BTW - communication with all ICDs is wireless - you do not have a bunch of wires and a connector hanging out of your chest (usual location is upper left on chest). The programming and monitoring is performed over the air so to say. I have been able to communicate with my device up to about 10 M. It does make a rather loud noise whenever I place a magnet over it to disable it temporarily (there are times when I did not want it to fire unexpectedly). Some devices, not mine, have the ability to communicate with a local device / base station that collects data sensed by the device and relays that data to a remote server so someone can monitor your device. The base station could be sitting on a night stand next to your bed and collect data while you sleep; others collect the data when you enter the room.

      RE: battery life and repeated surgery - when I last looked, the batteries in these devices are expected to last 5 to 7 years. That said, my device is on a watch list where the battery life may be shorter than expected.

      As a comment to a post above regarding 'over-regulation' - take a look at the FDA web site and the approval process. It is difficult to get the first one approved. When you produce the second / next generation, all you have to do is say that it is 'like' the first one and the approval process is a lot less difficult.