Upload
khangminh22
View
1
Download
0
Embed Size (px)
Citation preview
Kevin FuAssociate Professor
Security & Privacy Research LabUMass Amherst Computer Science
http://spqr.cs.umass.edu/
UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science
Trustworthy MedicalDevice Software
MIT CSAIL seminarNovember 2011
1
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
The Next Hour...! Modern complexity of software-controlled medical devices
! Policies that were not designed for big d(technology)/dt
! A bit of technology
2
2
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Acknowledgments•CS faculty and physicians
-Prof. Dina Katabi, MIT Computer Science and AI Lab
-Prof. Tadayoshi Kohno, University of Washington CSE
-Dr. Daniel Kramer, BIDMC, Harvard Med School
-Dr. William Maisel, BIDMC, Harvard Med School (fmr)
-Dr. Matthew Reynolds, BIDMC, Harvard Med School
-Prof. Dawn Song, UC Berkeley Computer Science Div.
•Graduate research assistants-Shane Clark, Benessa Defend, Tamara Denning, Shyamnath Gollakota, Dan Halperin, Steve Hanna, Haitham Hassanieh, Tom Heydt-Benjamin, Andres Molina-Markham, Will Morgan, Pongsin Poosankam, Ben Ransford, Rolf Rolles, Mastooreh Salajegheh, Quinn Stewart
3
3
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Disclosures! Support from NSF, HHS, DHS, IOM, Microsoft Research,
Symantec, McAfee! Visiting scientist at FDA! Board member of NIST ISPAB! Patent pending technology:
" Low-power flash memory" Zero-power security
! This presentation is based on both my own research and the research of others. None of the opinions, findings, or conclusions necessarily reflect the views of my past or present employers.
! This publication was made possible in part by Grant Number HHS 90TR0003/01. Its contents are solely the responsibility of the authors and do not necessarily represent the official views of the HHS. This material is supported by the NSF under CNS-0831244. Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the NSF.
4
Hat
: za
zzle
.com
4
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
What are the benefits of software in medical devices?
5
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Benefits of Medical Device Software
6
“Recent reports show improvement over the earlier model
mechanical hearts”
ComputerJuly 19, 2010
Source: NY Times, Thoratec
6
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Without software, many medical treatments
could not exist.
7
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Medical Devices 101:A 10-minute residency
for the computer scientist
8
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science 9
Networking + Wireless !
Photos from: Medtronic
9
Photo by Kevin Fu @ Medtronic museum
10
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science 11
Pacemakers: Regulate heartbeat
11
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science 11
> Energy spent on radio & computing, etc.
overhead!
< Energyfor pacing!
Pacemakers: Regulate heartbeat
11
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Overconfidence in Software
12
IEEE
Com
put
er 1
99
3
12
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Overconfidence in Software
12
IEEE
Com
put
er 1
99
3
``...the machine could not possibly over treat a patient and ... no similar complaints were submitted...” [Leveson & Turner, 1993]
12
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
How Much SW in Medical Devices?
13
[Sou
rces
: Bl
izna
kov
et a
l. 20
06, Fa
ris 2
006,
Mai
sel e
t al
. 20
02, W
alla
ce &
Kuh
n 20
01, Co
mpu
ter
hist
ory
mus
eum
, eu
rogr
amer
.net
, w
ikip
edia
, bu
sine
sspu
ndit.
com
, im
db.c
om, co
verb
row
ser.c
om, th
efilm
talk
.com
]
! 1983-1997" 6% of all recalls attributed to SW
! 1999-2005" Almost doubled: 11.3% of all recalls attributed to SW" 49% of all recalled devices relied on software (up from 24%)
! 1991-2000" Doubled: # of pacemakers and ICDs recalled because of SW
! 2006" Milestone: Over half of medical devices now involve software
! 2002-2010" 537+ recalls of SW-based devices affecting 1,527,311+ devices
13
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Why Is Software Different?! Discrete (not continuous)
" 0.9999 inch nail vs. 1.0001 inch nail: Small error usually OK" Single error in software: 20mL versus 200mL infusion" Generally no analogous notion of safety margin
! Cannot be tested thoroughly
(radiation therapy)
``'...there is not enough time ... to check the behavior of a complicated device to every possible, conceivable kind of input,' said Dr. Williamson....''[Walt Bogdanich, NY Times, 1/26/2010]
14
[Source: Parnas 1985, Pfleeger et al. 2001]
14
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
(1) Software breeds overconfidence,(2) is not thoroughly testable, but(3) is flooding into medical devices.
15
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
FDA Center for Devices and Radiological Health
Regulatory pathways
It’s complicated.http://www.iom.edu/Activities/PublicHealth/510KProcess/2010-MAR-01.aspx
Pre-market approval
Cre
dit:
Mad
hero
88
16
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
FDA Center for Devices and Radiological Health
Regulatory pathways
It’s complicated.http://www.iom.edu/Activities/PublicHealth/510KProcess/2010-MAR-01.aspx
Pre-market notification
[510(k) clearance]
Cre
dit:
Nem
o's
grea
t un
cle
16
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
510(k) Substantial Equivalence! “One of the interesting classes is
radiation equipment...Even the software, which I wonder where they got the first predicate for software.”
-David FeigalFmr. Director, FDA Center for Devices and Radiological Health (CDRH)[Institute of Medicine Meeting 2, June 2010:Public Health Effectiveness of the FDA 510(k) Clearance Process]
17
17
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Recurring themesin untrustworthymedical devices
18
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Specification of Requirements
19
! Risk not unique to medical devices, just ignored
``Perhaps the most striking [difference] is the almost complete lack of regard, in the medical-device software domain, for the specification of requirements.''
[NITRD Report on High-Confidence Medical Devices: Cyber-Physical Systems for 21st Century Health Care, Feb 2009]
19
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Symptom: Implementation Errors
20
20
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Symptom: Implementation Errors! Infusion pump: Underdosed patient experienced
" increased intracranial pressure " followed by brain death
! Factor: Buffer overflow shut down infusion pump" Failure difficult to reproduce during service" Software upgrade tickled the coding error
! Caused failure of drug infusion" propofol (sedation/anesthetic) " levophed (blood pressure) " insulin
20
20
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
COLLEAGUE Volumetric Infusion Pump K O G3 1 Page1 of5510(k) Premarket Notification Section 5.0, 510(k) Summary
5.510(K) SUMMARY FEB 2 7 2007Submitter/Contact Name: Jeme Wallace
Address: 1620 Waukegan Rd., MPGR-AL
McGaw Park, IL 60085
Phone: (847) 473-6273
Fax: (847) 785-5116
Date Prepared: 12/08/06
Trade Name: COLLEAGUE, COLLEAGUE 31
COLLEAGUE CX, COLLEAGUE 3 CX 1
COLLEAGUE CXE, COLLEAGUE 3 CXE
COLLEAGUE CX to CXE Pump Upgrade Kit
COLLEAGUE 3 CX to 3 CXE Pump Upgrade Kit
Common Name: COLLEAGUE Volumetric Infusion Pump
Classification Name: Infusion Pump as defined in 21 CFR 880.5725
Class: II
Procode: 80 FRN
Equivalent Predicate: COLLEAGUE Volumetric Infusion Pump, currentlymarketed models: COLLEAGUE, COLLEAGUE CX,COLLEAGUE 3, COLLEAGUE 3 CX
Device Description: The COLLEAGUE Volumetric Infusion Pump product is asoftware controlled, electromechanical, large volumetricinfusion pump that includes either one or three infusion
'COLLEAGUE pumps will be upgraded to include either COLLEAGUE GUARDIAN functionality (forCOLLEAGUE and COLLEAGUE 3) or COLLEAGUE Enhanced GUARDIAN functionality (forCOLLEAGUE CX and COLLEAGUE 3 CX).
Baxter Confidential
248
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Sample 510(k) Summary! Where is software mentioned?
" “Non-clinical testing associated with compliance and safety, software, and intended use claims were performed according to the Baxter Healthcare Corporation Product Development Process.”
" “Human Factors evaluation and use scenario testing was performed under simulated use and environmental conditions utilizing clinical care personnel from hospital environments.”
" “All tests successfully passed the acceptance criteria.”
22
! Requirements specification? Systems engineering? Modern software engineering? Software validation? Formal methods? Type safe languages? Static analysis?
22
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
What about human factors and software?
23
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Infusion Pump UI and Software! Used safely and effectively every day, but...! Linked to 500+ deaths and 56,000 adverse events
24
Pump
Me
Baby
[US
Reca
ll N
ews]
24
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Pump+SW Problems=Deadly Cocktail
!“... 710 patient deaths linked to problems with the devices ... either because a hospital worker entered incorrect dosage data into a pump or because the device’s software malfunctioned.”
[Barry Meier, NY Times, 4/23/2010]
25
25
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
Photo by Kevin Fu @ Medtronic museum
26
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
User Interface: Timing is Everything
27
[Pho
tos:
Med
tron
ic]
27
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
User Interface: Timing is Everything
27
FDA: “...software... did not provide a label for the hours/minutes/seconds fields; the new software has this labeling.”
[Pho
tos:
Med
tron
ic]
HCP: “discovered a bolus was given in20 min versus the intended 20 hrs”
27
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
``There is nothing on the machine that tells the technologist that they've dialed in
a badly incorrect radiation exposure.''! -Dr. James Thrall! Chairman of the American College of Radiology! Professor of Radiology, Harvard Medical School! [Source: Walt Bogdanich & Rebecca R. Ruiz, NY Times, 2/9/2010]
Human Factors: User Interface
[Cre
ativ
e Co
mm
ons
licen
se, In
dyD
ina
with
Mr.
Won
derf
ul's
pho
tost
ream
]
[Pho
to:
Jero
me-
Park
s fa
mily
and
Wal
t Bo
gdan
ich,
NY
Tim
es, 1/
23/2
010]
[US
Reca
ll N
ews]
28
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Better analysis of human factors in SW could
prevent injury and death.
29
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Wireless medical devices: great benefits, but
subtle, inconvenient risks
30
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Alert: Patient Expired. Yesterday.! Overconfidence in wireless technology! Cardiac monitor did not transmit until 10 hours later! Wireless: Great benefits, subtle risks
31
31
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Wireless: Pump Batteries Deplete?! Network “heartbeat” causes device to consume power?! Wireless: Great benefits, subtle risks
32
32
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
[Pho
tos:
htt
p://
uncy
clop
edia
.wik
ia.c
om/w
iki/Ba
con
& C
isco
& S
ysco
]
Wire ess Makes Everything Better?
33
33
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
for information security and privacy:
managerial, physical safeguards, administrative, technical
Emergingissues
34
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Managerial issues:Diffusion of responsibility
35
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science 36
Dirty Secrets: SW Maintenance
36
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
37
! Health Information Technology (HIT) devices globally rendered unavailable
! Cause: Automated software update went haywire! Numerous hospitals were affected April 21, 2010
" Rhode Island: a third of the hospitals were forced ``to postpone elective surgeries and stop treating patients without traumas in emergency rooms.”
" Upstate University Hospital in New York: 2,500 of the 6,000 computers were affected.
Software Update Woes
37
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Losing Patience with a Computer! Endlessly rebooting machine caused distraction! HCPs did not notice cardiac infarction in patient! Electronic Health Records carry similar risks of distraction
39
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Users are Helpless
40
40
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Users are Helpless
40
40
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Operating System: HCPs Problem! Radiological computers infected with computer virus! Report of potential to cause harm or death! Conclusion: Not our problem
41
41
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Not It! Olly Olly Oxen Free!!Security falls outside the purview of the Food and Drug Administration, [FDA spokeswoman Karen Riley] said, unless mandated measures taken to protect data end up causing problems....“We don’t weigh in on security per se, but on measures like encryption that might affect or could have an impact on product safety and effectiveness, we might look at it.’’[E. Cooney, “Security of medical devices is a concern,” Boston Globe, July 5, 2010]
42
42
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Still Not It: Hospitals, Manufacturers
43
43
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Managerial issues:Diffusion of responsibility
Who’s covered whenSecure Health IT hits the fan?
44
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Physical safeguard issues
45
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
The Tylenol Scare of 1982
46
[Source: truTV crime library]
46
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
21 CFR 211.132 and Security
47
(a)General. The Food and Drug Administration has the authority under the Federal Food, Drug, and Cosmetic Act (the act) to establish a uniform national requirement for tamper-evident packaging of OTC drug products that will improve the security of OTC drug packaging
47
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Security issues
48
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science 49
Achoo!
The W
eekl
y W
orld
New
s: th
e on
ly re
liabl
e jo
urna
l
49
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Viruses on Radiology Equipment?
50
“over 122 medical devices have been compromised by malware over the last 14 months”Statement of The Honorable Roger W. Baker[House Committee on Veterans' Affairs, Subcommittee on Oversight and Investigations, Hearing on Assessing Information Security at the U.S. Department of Veterans Affairs]
50
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Disease to Malware:Days to Hours
51
FluT
E: C
hao
et a
l., P
LoS C
om
puta
tional
Bio
logy,
2010
51
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Slid
e fr
om H
owie
Shr
obe
and
othe
rs
Disease to Malware:Days to Hours
51
FluT
E: C
hao
et a
l., P
LoS C
om
puta
tional
Bio
logy,
2010
51
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Computer Security
• Computer Security (Informal Definition):
Study of how to design systems that behave as intended in the presence of determined, malicious third parties
• Security is different from reliability
‣The malicious third party controls the probability distribution of malfunctions
‣Security researchers focus on understanding, modeling, anticipating, and defending against these malicious third parties
[This description drawn from the work of Prof. Yoshi Kohno with permission]52
52
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
How significant areintentional,malicious
malfunctionsin software?
53
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
http
://to
bacc
o.sta
nfor
d.ed
u/
Information Assurance or Bliss?
54
54
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
“To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,” a Medtronic spokesman, Robert Clark[B. Feder, “A Heart Device Is Found Vulnerable to Hacker Attacks” NY Times, March 12, 2008]
http
://to
bacc
o.sta
nfor
d.ed
u/
Information Assurance or Bliss?
54
54
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
“To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,” a Medtronic spokesman, Robert Clark[B. Feder, “A Heart Device Is Found Vulnerable to Hacker Attacks” NY Times, March 12, 2008]
http
://to
bacc
o.sta
nfor
d.ed
u/
Information Assurance or Bliss?
54
Since January 2009, the VA has detected that 181 medical devices have been infected with a virus, but "none has resulted in any major harm to our patients, to our knowledge," Ledsome says.[VAʼs acting director of field security operations][H. Anderson, HealthcareInfoSecurity.com, June 21,2011]
54
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
“To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,” a Medtronic spokesman, Robert Clark[B. Feder, “A Heart Device Is Found Vulnerable to Hacker Attacks” NY Times, March 12, 2008]
http
://to
bacc
o.sta
nfor
d.ed
u/
Information Assurance or Bliss?
54
Since January 2009, the VA has detected that 181 medical devices have been infected with a virus, but "none has resulted in any major harm to our patients, to our knowledge," Ledsome says.[VAʼs acting director of field security operations][H. Anderson, HealthcareInfoSecurity.com, June 21,2011]
St. Jude Medical, the third major defibrillator company, said it used “proprietary techniques” to protect the security of its implants and had not heard of any unauthorized or illegal manipulation of them. [B. Feder, “A Heart Device Is Found Vulnerable to Hacker Attacks” NY Times, March 12, 2008]
54
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
“To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,” a Medtronic spokesman, Robert Clark[B. Feder, “A Heart Device Is Found Vulnerable to Hacker Attacks” NY Times, March 12, 2008]
http
://to
bacc
o.sta
nfor
d.ed
u/
Information Assurance or Bliss?
54
Since January 2009, the VA has detected that 181 medical devices have been infected with a virus, but "none has resulted in any major harm to our patients, to our knowledge," Ledsome says.[VAʼs acting director of field security operations][H. Anderson, HealthcareInfoSecurity.com, June 21,2011]
St. Jude Medical, the third major defibrillator company, said it used “proprietary techniques” to protect the security of its implants and had not heard of any unauthorized or illegal manipulation of them. [B. Feder, “A Heart Device Is Found Vulnerable to Hacker Attacks” NY Times, March 12, 2008]
Boston Scientific said it used encryption in its defibrillators, and doubted its devices could be hacked.[K. Winstein, “Heart-Device Hacking Risks Seen” WSJ, March 12, 2008]
54
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
“To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,” a Medtronic spokesman, Robert Clark[B. Feder, “A Heart Device Is Found Vulnerable to Hacker Attacks” NY Times, March 12, 2008]
http
://to
bacc
o.sta
nfor
d.ed
u/
Information Assurance or Bliss?
54
Since January 2009, the VA has detected that 181 medical devices have been infected with a virus, but "none has resulted in any major harm to our patients, to our knowledge," Ledsome says.[VAʼs acting director of field security operations][H. Anderson, HealthcareInfoSecurity.com, June 21,2011]
St. Jude Medical, the third major defibrillator company, said it used “proprietary techniques” to protect the security of its implants and had not heard of any unauthorized or illegal manipulation of them. [B. Feder, “A Heart Device Is Found Vulnerable to Hacker Attacks” NY Times, March 12, 2008]
Boston Scientific said it used encryption in its defibrillators, and doubted its devices could be hacked.[K. Winstein, “Heart-Device Hacking Risks Seen” WSJ, March 12, 2008]
"This is an evolution from having to think about security and
safety as a healthcare company, and really about keeping
people safe on our therapy, to this different question about keeping people
safe around criminal or malicious intent."
[Catherine Szyman, President, Medtronic diabetes division, Reuters, October 26, 2011]
54
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Bad People Do Exist
55
55
!"##"$%&'%"()!"#$!%&'$!()*!+),-&*$!+$%.*/01!23&4.&5)6'!)(!7$8/%&4!9$3/%$':!;+2<=>!?$&40#+$%
@29!A/*B-&*$!C$D4&%$B$60• 9$3/%$!&%%$D0'!.6&.0#$65%!E*B-&*$!.D8&0$'
• ?)-!8)!*/'F'!%#&6G$!-#$6!@29'!H$%)B$!-/*$4$''!-/0#!=60$*6$0IH&'$8!'),-&*$!.D8&0$'J
*+,-.+%./012/0-3+*
KL
56
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
text size A A A
Insulin Pumps, Monitors Vulnerable To Hackingby THE ASSOCIATED PRESS
LAS VEGAS August 5, 2011,12:03 pm ET
Even the human bloodstream isn't safe fromcomputer hackers.
A security researcher who is diabetic hasidentified flaws that could allow an attacker toremotely control insulin pumps and alter thereadouts of blood-sugar monitors. As a result,diabetics could get too much or too little insulin,a hormone they need for proper metabolism.
Jay Radcliffe, a diabetic who experimented onhis own equipment, shared his findings with TheAssociated Press before releasing themThursday at the Black Hat computer securityconference in Las Vegas.
"My initial reaction was that this was really coolfrom a technical perspective," Radcliffe said."The second reaction was one of maybe sheerterror, to know that there's no security aroundthe devices which are a very active part ofkeeping me alive."
Increasingly, medical devices such aspacemakers, operating room monitors andsurgical instruments including deep-brainstimulators are being made with the ability totransmit vital health information from a patient'sbody to doctors and other professionals. Somedevices can be remotely controlled by medicalprofessionals.
Although there's no evidence that anyone hasused Radcliffe's techniques, his findings raisefears about the safety of medical devices asthey're brought into the Internet age. Seriousattacks have already been demonstrated againstpacemakers and defibrillators.
Medical device makers downplay the threat fromsuch attacks. They argue that the demonstratedattacks have been performed by skilled securityresearchers and are unlikely to occur in the real
Associated PressHackers and digital security personnel attend the annualBlack Hat conference for digital self defense Thursday, Aug.4, 2011, in Las Vegas. Even the human bloodstream isn'tsafe from computer hackers. A security researcher who isdiabetic has identified flaws that could allow an attacker toremotely control insulin pumps and alter the readouts ofblood-sugar monitors. As a result, diabetics could get toomuch or too little insulin, a hormone they need for propermetabolism.Â
Associated PressHackers and digital security personnel attend the annualBlack Hat conference for digital self defense Thursday, Aug.4, 2011, in Las Vegas. Even the human bloodstream isn'tsafe from computer hackers. A security researcher who isdiabetic has identified flaws that could allow an attacker toremotely control insulin pumps and alter the readouts ofblood-sugar monitors. As a result, diabetics could get toomuch or too little insulin, a hormone they need for propermetabolism.Â
57
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Device Programmer
Implantation Scenario
1. Doctor sets patient info2. Surgically implants3. Tests defibrillation4. Ongoing monitoring
Photos: Medtronic; Video: or-live.com58
58
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
Privacy??DiagnosisImplanting
physician
Hospital
Also:Device statePatient nameDate of birthMake & modelSerial no.... and more
59
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Privacy: Wardrobe Malfunctions
60
60
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Wirelessly Induce Fatal Heart Rhythm
ICD software allows wireless induction of ventricular fibrillation
61
[Halperin et al., IEEE Symposium on Security & Privacy 2008]
61
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
How to attract hackers to medical
devices:[h
ttp:
//w
ww
.sur
fers
am.c
om/f
unny
-pic
ture
s/ha
cker
s.jp
g]• Increase software complexity• Add radio communication• Trust the Internet for clinical decision making
62
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Technical issuesVulnerabilities are in plain sight.
When will risk become a tangible threat?
63
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
←Ways Forward !
k
[htt
p://
en.w
ikip
edia
.org
/wik
i/W
ashi
ngto
n_St
ate_
Rout
e_51
0]
for Software?
64
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Trustworthy Medical Device SW! Software:
" breeds overconfidence, " is not thoroughly testable, but " is flooding into medical devices
! Manufacturers could mitigate risks with known technology" Avoid hardware as a predicate for software" Adopt modern software engineering & systems engineering tech." Create more meaningful specification of requirements" Better analyze human factors" Develop safety net for security and privacy
! Need: Better surveillance of SW, clearer responsibility, convenient reporting mechanisms
65
65
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
omdrl.org
66
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
3!4213%1"56789"6#:%-#;6'<6=#;
# ;6/3$*'/01!)(!=44/6)/'!&0!;*H&6&IM#&BD&/G6!
# M&*6$G/$!7$44)6!;6/3$*'/01!
# 9&*0B).0#!M)44$G$!
# ?&*3&*8!;6/3$*'/01!&68!N$0#!='*&$4!9$&%)6$''!7$8/%&4!M$60$*!!
# O)#6'!?)DF/6'!;6/3$*'/01!&68!M#/48*$6P'!7$8/%&4!@68!+.*G/%&4!M$60$*
# <$-!Q)*F!;6/3$*'/01
# <)*0#-$'0$*6!;6/3$*'/01!&68!7$B)*/&4!?)'D/0&4!
# +0&6()*8!;6/3$*'/01!
# ;6/3$*'/01!)(!M&4/()*6/&:!N$*F$4$1!
# ;6/3$*'/01!)(!7&''&%#.'$R'!@B#$*'0!
# ;6/3$*'/01!)(!S&'#/6G0)6
# T&68$*H/40!;6/3$*'/01
3!4213%2"6=#"(&
# M1H$*!'$%.*/01!&68!D*/3&%1!U+VWX!*/'F'!&*$!&!'/G6/E%&60!H&**/$*!0)!0#$!8$D4)1B$60!&68!B$&6/6G(.4!.'$!)(!#$&40#!/6()*B&5)6!0$%#6)4)G1Y
# 7&61!F$1!%#&44$6G$'!/6!0#$'$!&*$&'!%&6!H$!&88*$''$8!-/0#!$B$*G/6G!&68!6$-!0$%#6)4)G/$'!/6!+VWY
# +?@CW+!0$&B'!%)BD.0$*!'%/$65'0'!-#)!'D$%/&4/Z$!/6!+VW!-/0#!#$&40#%&*$!'D$%/&4/'0'!/60$*$'0$8!/6!+VW!()*!?="Y!!"#$!&/B!/'!0)!D*)8.%$!6$-!4$3$4'!)(!%)BB.6/%&5)6!&68!0$%#!0*&6'($*Y
3!4213%+#>85=#?&#';
# +!2![!24$%0*)6/%!?$&40#!C$%)*8':!B&6&G/6G!D&5$60!*$%)*8'!-/0#/6!&6!$60$*D*/'$
# !-+![!?$&40#!=6()*B&5)6!2\%#&6G$:!'#&*/6G!*$%)*8'!H$0-$$6!$60$*D*/'$'!)*!H$0-$$6!&6!$60$*D*/'$!&68!&!D&5$60!/6!0#$!()*B!)(!&!W$*')6&4!?$&40#!C$%)*8
# @+A![!"$4$B$8/%/6$:!B)6/0)*/6G!*$B)0$41:!%)BB.6/%&56G!-/0#!B.45B$8/&:!&68!%)60*)44/6G!/BD4&60$8!B$8/%&4!8$3/%$'
+0*&0$G/%!?$&40#%&*$!@83&6%$8!C$'$&*%#!W*)]$%0'!B3!421C%/'!'D)6')*$8!H1!0#$!^_%$!)(!0#$<&5)6&4!M))*8/6&0)*!)(!0#$!;6/0$8!+0&0$'!!9$D&*0B$60!)(!?$&40#!&68!?.B&6!'$*3/%$'Y!
N$G&6!/6!@D*/4!`aba!&68!4&'0'!c!1$&*' 3!421%5&;&"57D%"5&";E#+$%.*/01!&68!W*/3&%1!B3!4213C#W&5$60IM$60$*$8!M)G6/53$!+.DD)*0#?$&40#!@DD4/%&5)6'!&68!<$0-)*F/6G!W4&d)*B'#+$%)68&*1!;'$!)(!?$&40#!C$%)*8'
#RDeff?$&40#="Y??+YG)3f'#&*D
Strategic Healthcare Advanced Research Projects for Security
---Y'#&*D'Y)*G!
67
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Wireless + Internet Can Improve Healthcare
But not without fully understanding trustworthy computing
Insulin pump
Artificial pancreas
NeurostimulatorsObesity control
Artificial vision
Programmable Vasectomy
Phot
os: M
edga
dget
, Tak
ahat
a La
b
Smart stent
68
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Further Reading! Steve Hanna, Rolf Rolles, Andres Molina-Markham, Pongsin Poosankam, Kevin Fu, and Dawn Song. Take two software updates and see me in
the morning: The case for software security evaluations of medical devices. In Proceedings of 2nd USENIX Workshop on Health Security and Privacy (HealthSec), August 2011.
! Shyamnath Gollakota, Haitham Hassanieh, Benjamin Ransford, Dina Katabi, and Kevin Fu. They can hear your heartbeats: Non-invasive security for implanted medical devices. In Proceedings of ACM SIGCOMM, August 2011.
! Kevin Fu. Software issues for the medical device approval process. Statement to the Special Committee on Aging, United States Senate, Hearing on a delicate balance: FDA and the reform of the medical device approval process, Wednesday, April 13, 2011.
! Kevin Fu. Trustworthy medical device software. In Public Health Effectiveness of the FDA 510(k) Clearance Process: Measuring Postmarket Performance and Other Select Topics: Workshop Report, Washington, DC, 2011. IOM (Institute of Medicine), National Academies Press.
! Benessa Defend, Mastooreh Salajegheh, Kevin Fu, and Sozo Inoue. Protecting global medical telemetry infrastructure. Technical report, Institute of Information Infrastructure Protection (I3P), January 2008.
! Sinjin Lee, Kevin Fu, Tadayoshi Kohno, Benjamin Ransford, and William!H. Maisel. Clinically significant magnetic interference of implanted cardiac devices by portable headphones. Heart Rhythm Journal, 6(10):1432–1436, October 2009.
! Kevin Fu. Inside risks, reducing the risks of implantable medical devices: A prescription to improve security and privacy of pervasive health care. Communications of the ACM, 52(6):25–27, June 2009.
! Mastooreh Salajegheh, Andres Molina, and Kevin Fu. Privacy of home telemedicine: Encryption is not enough. Journal of Medical Devices, 3(2), April 2009. Design of Medical Devices Conference Abstracts.
! Tamara Denning, Kevin Fu, and Tadayoshi Kohno. Absence makes the heart grow fonder: New directions for implantable medical device security. In Proceedings of USENIX Workshop on Hot Topics in Security (HotSec), July 2008.
! Daniel Halperin, Thomas!S. Heydt-Benjamin, Benjamin Ransford, Shane!S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William!H. Maisel. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, pages 129–142, May 2008.
! Daniel Halperin, Thomas!S. Heydt-Benjamin, Kevin Fu, Tadayoshi Kohno, and William!H. Maisel. Security and privacy for implantable medical devices. IEEE Pervasive Computing, Special Issue on Implantable Electronics, 7(1), January 2008.
69
http://spqr.cs.umass.edu/publications.php
69
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
Extra Material
70
70
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
spqr.cs.umass.edu • Prof. Kevin Fu • UMass Amherst Computer Science
http://spqr.cs.umass.edu/moo/
71
RFID-Scale Computing Platforms
100 million times less energy than
AA battery
71
Smarter Storage for Low-Power Devices
CPU
Flash
High
Ideal Actual
HighLow
CPU
Flash
--- ---
---
- -
34%Energy Savings
In-Place Writes
Low Voltage
http://spqr.cs.umass.edu/half-wits/[Salajegheh et al. USENIX FAST 2011]
72
This work is licensed under a Creative Commons Attribution 3.0 Unported License.