Kevin Fu, Associate Professor
Security & Privacy Research Lab, UMass Amherst Computer Science, http://spqr.cs.umass.edu/
UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science
Improving the Security of Medical Devices
IFIP 10.4 WG, Rockport, MA June 29, 2012
Supported in part by a Sloan Research Fellowship, NSF CNS-0831244, HHS 90TR0003/01.
Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the NSF.
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Acknowledgments
• CS faculty and physicians
 - Prof. Dina Katabi, MIT Computer Science and AI Lab
 - Prof. Tadayoshi Kohno, University of Washington CSE
 - Dr. Daniel Kramer, BIDMC, Harvard Med School
 - Dr. William Maisel, BIDMC, Harvard Med School (fmr)
 - Dr. Matthew Reynolds, BIDMC, Harvard Med School
 - Prof. Dawn Song, UC Berkeley Computer Science Div.
• Research assistants
 - Shane Clark, Benessa Defend, Tamara Denning, Shyamnath Gollakota, Dan Halperin, Steve Hanna, Haitham Hassanieh, Tom Heydt-Benjamin, Andres Molina-Markham, Will Morgan, Pongsin Poosankam, Ben Ransford, Rolf Rolles, Mastooreh Salajegheh, Quinn Stewart
SPQR Lab [Security & Privacy Research Lab]
• Cybersecurity
• Medical devices, RFID
• Stochastic computing
• Rethinking HW-SW interfaces to reduce energy
• Probabilistic storage in low-voltage NOR flash
• Zero-power clocks for smartcards
[Figure: voltage vs. time trace, magnified 10x]
Today’s slice of research
Disclosures
• Support from NSF, HHS, DHS, IOM, Microsoft Research, Symantec, McAfee
• Visiting scientist, FDA
• Board member, NIST ISPAB
• Patent pending technology:
 - Ultra-low power flash memory
 - Zero-power security
• This presentation is based on both my own research and the research of others. None of the opinions, findings, or conclusions necessarily reflect the views of my past or present employers.
[Hat: zazzle.com]
Accumulative Risks of...
• Accidents
• Sabotage
• Unsafe Practices
[Figure: Threat-o-meter]
Managerial issues: Diffusion of responsibility
Dirty Secrets: SW Maintenance
Software Update Woes
• Health Information Technology (HIT) devices globally rendered unavailable
• Cause: Automated software update went haywire
• Numerous hospitals were affected April 21, 2010
 - Rhode Island: a third of the hospitals were forced "to postpone elective surgeries and stop treating patients without traumas in emergency rooms."
 - Upstate University Hospital in New York: 2,500 of the 6,000 computers were affected.
Users are Helpless
Still Not It: Hospitals, Manufacturers
Managerial issues: Diffusion of responsibility
Who’s covered when Secure Health IT hits the fan?
Accumulative Risks of...
• Accidents
• Sabotage
• Unsafe Practices
[Figure: Threat-o-meter]
Security Analysis
1. Vulnerabilities
2. Threats
3. Exploits
Benefits of Wireless
[Photo by Kevin Fu @ Medtronic museum]
Implantation of Defibrillator
1. Doctor sets patient info
2. Surgically implants
3. Tests defibrillation
4. Ongoing monitoring
[Figure labels: Device Programmer; Home monitor]
Photos: Medtronic; Video: or-live.com
Wirelessly Induce Fatal Heart Rhythm
• 402-405 MHz MICS band, nominal range several meters
• Command shock sends 35 J in ~1 msec to the T-wave
• Designed to induce ventricular fibrillation
• No RF amplification necessary
[Halperin et al., IEEE Symposium on Security & Privacy 2008]
Wireless medical devices: great benefits.
subtle inconvenient risks.
Wireless Makes Everything Better?
[Photos: uncyclopedia.wikia.com/wiki/Bacon & Cisco & bacondujour.blogspot.com]
Eliminative induction: variety of reasons for doubt (Baconian thinking) - John Goodenough
What about Internet-related risks?
"These days, everything is much safer. It is easier to navigate thanks to modern technical instruments and the Internet."
-Captain Schettino, Captain of Costa Concordia
Medical device security threats?
Achoo!
[The Weekly World News: world’s only reliable journal]
Viruses on Radiology Equipment?
“over 122 medical devices have been compromised by malware over the last 14 months”
Statement of The Honorable Roger W. Baker
[House Committee on Veterans' Affairs, Subcommittee on Oversight and Investigations, Hearing on Assessing Information Security at the U.S. Department of Veterans Affairs]
Security of 156 VA Med. Centers
• Every 8 seconds, the VA found usernames and passwords unprotected on networks
• VA has ~600,000 connected computing devices, of which ~50,000 are considered medical devices
• VA implemented VLANs with 3,270 different ACLs
• Manual maintenance of ACLs prone to human error
• ACLs broke network security tools that detect intrusions
• Why? My opinion: Unable to procure medical devices that provide meaningful security
Disease to Malware: Days to Hours
[Slide from Howie Shrobe and others]
[FluTE: Chao et al., PLoS Computational Biology, 2010]
How significant are intentional, malicious malfunctions in software?
21 CFR 211.132 and Security
(a) General. The Food and Drug Administration has the authority under the Federal Food, Drug, and Cosmetic Act (the act) to establish a uniform national requirement for tamper-evident packaging of OTC drug products that will improve the security of OTC drug packaging
The Tylenol Scare of 1982
[Source: truTV crime library]
Bad People Do Exist: Vandals
Lack of Exploits is Not Assurance
19 Days in April 2012
Pre-April 2012: No Mac threats, therefore never will be.
Oh, Crap.
Malware rarely has precursor
[Source: Andy Greenberg, Forbes]
Information Assurance or Bliss?
"This is an evolution from having to think about security and safety as a healthcare company, and really about keeping people safe on our therapy, to this different question about keeping people safe around criminal or malicious intent."
[Catherine Szyman, President, Medtronic diabetes division, Reuters, October 26, 2011]
[Image source: http://tobacco.stanford.edu/]
Shoot P0wn Foot w/ Software Update
[Photo: CareFusion, Niels Provos]
Power Analysis of Medical Devices
• Power analysis for good!
• Detect malware on medical devices that cannot run conventional anti-virus SW
• “Potentia est Scientia: Energy Proportionality Enables Whole-System Power Analysis” by Clark, Shane S., Ransford, Benjamin, and Fu, Kevin. In Proceedings of the 7th USENIX Workshop on Hot Topics in Security. August 2012. To appear.
Read More...
blog.secure-medicine.org
spqr.cs.umass.edu
Semmelweis to Software Sepsis
1. Implantable medical devices should be trustworthy
2. Improved security will enable medical device innovation
Dr. Ignaz Semmelweis (1818-1865): “Physicians should wash their hands.”
Dr. Charles Meigs (1792-1869): “Doctors are gentlemen and therefore their hands are always clean.”
“Medical devices should be secure.”
“You’re so negative. There’s no ROI on security anyway.”
← Ways Forward ➚
Security should be designed in, not bolted on
omdrl.org
ACM MedCOMM: Workshop on Medical Communication Systems
August 13, 2012, Helsinki, Finland
tinyurl.org/medcomm
Summary: Problem=Unavailability
• Biggest risk:
 - Hackers breaking into medical devices
 - Wide-scale unavailability of patient care
• Security can’t be bolted on. Build it in: requirements, design, implementation, post-market surveillance, etc.
As you are aware, [...] an unknown virus was found in the [Cath Lab] system. Our [vendor] worked late into Christmas Eve in order to keep the infected [Cath Lab devices] isolated. As a proactive measure and to prevent our patients from inappropriate release of protected healthcare information the hospital immediately blocked our access to the internet. Today [it was] announced that they have traced the virus path from [a] nursing workstation. Apparently pictures were uploaded from a USB drive to yahoo.
[Photo: Medical Real Estate Advisors]