Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Medicine Security

Ask Professor Kevin Fu About Medical Device Security 57

Kevin Fu is a professor of electrical engineering and computer science at the University of Michigan. He heads a research group on medical-device security, Archimedes, that works to find vulnerabilities in medical equipment. WattsUpDoc, a system that can detect malware on medical devices by monitoring changes in power consumption, is based on his work. Professor Fu has agreed to put down the pacemakers for a moment and answer your questions about his work and medical device security in general. As usual, ask as many as you'd like, but please, one question per post.
This discussion has been archived. No new comments can be posted.

Ask Professor Kevin Fu About Medical Device Security

Comments Filter:
  • Cochlear Implants (Score:4, Interesting)

    by mcspoo ( 933106 ) on Monday October 07, 2013 @12:05PM (#45059821) Homepage
    How secure are Cochlear implants and their processors? Any chance I'm going to hear the voice of God (without the tooth implant, ala Real Genius?)
    • Re: (Score:3, Funny)

      How secure are Cochlear implants and their processors? Any chance I'm going to hear the voice of God (without the tooth implant, ala Real Genius?)

      That depends: Did you recently vote Republican?

  • Hello!

    Have you explored changing the dosages on drug pumps? Either through exploiting the device directly or by exploiting the database backend? I reference the Hospira pumps that run Linux, allowing one to telnet to them as root with no password authentication. Hospira did issue an update to that but since pumps are so numerous, I'm sure that many hospitals have been slow to update.


  • Most clinics, hospitals, insurance companies and dental offices are extensively computerized and networked. Based on your experience, how often are these systems compromised?

  • How have recent issues like sequestration, reduced NSF and NIH funding, and the government shutdown impacted your research?
  • Say I have an implant that could be hacked, what can I do to protect myself? Are any vendors more reputable than others when it comes to security? Is tinfoil effective? Should I demand my doctor replaces known vulnerable equipment?

  • Are you following any medical device start-ups [If so what is your favorite]? As I see more low-power bluetooth implementations, I see the possibilty for bluesnarfing, any pointers for good software/electrical security design?
  • My pacemaker should be replaced in 2-3 years, what should I ask my cardiologist about the new one to address security concerns? Are there vendors, models or features I should request?
  • In commercial aircraft, there used to be a rule that the aircraft could be flown entirely by hand. Yes, you can even fly a 747 by hand if the systems fail. Is it feasible to have such a rule for medical devices? Does such a rule exist?
    • There is a difference between "fly by hand" and "fly without depending on the computer" -- in today's modern fly-by-wire aircraft, there are still computers/electronics between the pilot and the control surfaces even when the flight management system, auto-pilot and even primary flight controls are "down".

      The question is what failure modes, considering the presence of security threats, require simple back-up systems? How would such back-up systems be invoked?

  • Dieing Caps and other parts in systems that old may lead to higher power use

  • Question! (Score:1, Offtopic)

    by war4peace ( 1628283 )

    Have you ever considered changing your first name to "Kung"?

  • Should the local IT team have full control over any system in place / should vendors be forced to let systems have AV and OS updates installed on them with out delays?

    • This is usually not possible. Many of these medical devices don't run Windows or Linux. They are embedded systems with real time operating systems, embedded operating systems, a home grown operating system, and sometimes no OS at all. Other times the applications are statically linked with the OS so that it is unable to be upgraded independently.

      That is different from medical turnkey systems that are basically generic computers overlaid with specialized applications (hospital records keeping, image manag

  • How do you create incentives for the companies that make these devices to make them secure?

    The current comments on the draft for "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" pertaining to 21 CFR 820.30(g) have a disturbing trend of focusing on "unauthorized access" of these devices to be considered criminal (CFAA) instead of trying to protect against said access. Furthermore, I find any discussion of encrypting the data immediately turns to data bloat due to encr
  • So, Professor, tell us about medical device security.

  • What can those of us that have an implanted medical device do to protect ourselves now? I have Boston Scientific ICD, but due to the circumstances in which I was given the device it's not like I was able to make a choice in the matter. I couldn't do any research to determine which might be the most secure device to go with. So I am stuck with what I have, with no real knowledge of how secure it is and what my risks may be.
  • by skids ( 119237 ) on Monday October 07, 2013 @01:41PM (#45061183) Homepage

    Being a highly regulated industry, I could see the eventual evolution of a competent security culture in medical IT/manufacturing. We certainly don't have it quite together now, but if and when that comes to pass, do you see the lessons learned in that sector promulgating out to other industries, or will the environment of high regulation (and high stakes) produce too alien a solution set for general application?

  • What does the inside of a used implantable defib smell like? I know Kevin knows :)

  • Is it feasible, for at least some devices, to embed in them a closed set of commands that are acceptable and have them automatically reject any other commands (e.g., prevent buffer overflow and sql injection sorts of things)?
  • I work in data acquisition and some of the equipment we have, digital multimeters, digital spectroscopes, run things like Win2K SP1 or XP SP1... Security updates were never 'though of' for those things. If we were to put them on an unsecured network they'd get owned in 20 seconds flat. It's terrifying but we know how to deal with it: don't even connect them to the internal subnet ! Is it as bad with medical devices ?
  • Besides the obvious "Pumps are easy hacking targets," and "It's a CGM, not an artificial pancras you marketing schmuck,"... It's obvious we need better firmware and 3rd party testing for these devices. Medtronic in particular seems to be challenged [richthediabetic.com] in the data-accuracy [diabetesdaily.com] department. Their Continuous Glucose Monitors [medtronicdiabetes.com] seem to be the most expensive and most inaccurate glucometers manufactured in the past 20 years. Although I'd like to know what legislative hurdles remain for the creation of more open devices for
  • So, what happened? Where is the amazing Mr. Fu and his wonderful, dazzling insights? All I hear is crickets.
  • I have in mind soliciting donations of Implantable Medical Devices, building a Programmer such as you describe in some of the papers you've published, then holding an annual hackathon of the IMD's. Figure out how to crack them and control them, then give the results to the manufacturers. Each year, we publish last year's results and crack another batch. I'm sure this plan presents ethical dilemmas in some peoples' minds but to me those are nothing compared to the even worse ethics of letting crappy code s

It's fabulous! We haven't seen anything like it in the last half an hour! -- Macy's