Research responsible for establishing field of medical device security recognized by IEEE
Defibrillator security paper receives Test of Time Award from IEEE Security & Privacy
In 2006 Prof. Kevin Fu, at the time faculty at the University of Massachusetts Amherst, was invited to an operating room to oversee a standard defibrillator implant procedure. The device was commonplace by then as a means to automatically correct irregular heart rhythms that could lead to death in vulnerable patients. After the procedure, the cardiologist stood back and announced a wireless test of the device.
This test, also standard at the time, was to simply have the device induce a deadly heart rhythm, called ventricular fibrillation, and then promptly deliver a life saving electrical shock to restore the heart to its normal sinus rhythm. This was all done wirelessly after surgery was complete.
“The patient’s chest rose as they received the command shock, their heart stopped pumping blood normally, and a capacitor charged up,” Fu says of the process. The life-saving shock shortly followed, and the slightly sedated patient painlessly resumed a normal heart rhythm.
After Fu watched this unfold, he asked how the medical providers authenticated the wirelessly controlled shock that induced a deadly heart rhythm.
“They didn’t know,” Fu concluded. Shortly after, he and some of his collaborators explored the technology and discovered that there were no cryptographic protections authenticating that test shock signal. They were able to issue replayed commands to induce fatal heart rhythms and disable the life-saving return shock. “That was the initial wakeup call.”
The story comes from a time when it was “really taboo” to talk about security in the field of medical devices.
“15 years ago, you didn’t ask those questions,” Fu says. “Even questioning whether the devices might be hackable or not was a controversial subject.”
But as the experiment performed by Fu and collaborators across three universities demonstrated, the life-saving devices being implanted in patients globally were every bit as vulnerable to malicious instructions as any other computer. So when the team finally cracked the subject wide open – thanks to their landmark 2008 paper called “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses” – the world finally had to address the elephant in the room.
The paper has now been recognized from a pool of submissions spanning 40 years with the inaugural IEEE Security and Privacy Test of Time Award, and its impact can be felt in every corner of the medical devices industry.
In the paper, Fu and the team developed a wireless transmitter that could exploit a pacemaker or defibrillator’s lack of authentication to send it malicious control signals. Included in the signals they tested was one that could induce the deadly shock, but they could also extract the patient’s personal information stored on the devices.
In the 11 years since the paper’s publication, Fu and others in his field have worked on solutions. Many of these have been technical, but most of the larger impact the paper has had has been in leadership.
“A lot of it is about community building and standards development,” Fu says, “which is sometimes a foreign concept in academia. But it’s really important to industry.”
According to Ken Hoyme, Director of Product and Engineering Systems Security at Boston Scientific Corporation, the paper sent shockwaves through the medical device industry. As a result, the industry has seen increased activity from regulators, implementation of formal security standards, new hiring initiatives in industry to meet these standards, and a renewed interest in industry-researcher collaboration.
The ripple effect began when the Federal Food and Drug Administration (FDA) began to strongly engage with the topic, providing both pre- and post-market guidance on how they view medical device security and its role in creating safe and effective devices. With time the administration came to provide constant pressure towards industry improvement. Alongside this, standards were developed to address how to develop secure medical devices. AAMI created the Device Security Working Group, which Fu and Hoyme initially co-chaired. That resulted in the development of a set of principles that took inspiration from NIST security methods.
The governments of Germany, Japan, and China recently incorporated a standards document co-led by Fu in their medical device regulations, and in the US Fu led a multi-year effort by a federal advisory committee to urge specific actions to address policy gaps in medical device security. The effort led to the first medical device security standard recognized by FDA.
The medical device manufacturing community embraced the new requirements, building security programs and reaching out to security researchers through direct contact and security contact sites on their external web pages.
“The face of medical device security is dramatically different in the decade since publication,” says Hoyme. “At the outset there was a sense of antagonism between researchers and manufacturers – based on a fear of the basic intent of the other side of the discussion. Through many engagements, and specifically the leadership of Dr. Kevin Fu, a bridge has been created between these groups and we have come to understand we are all working for the same thing – patient safety.”
We have come to understand we are all working for the same thing – patient safety.Ken Hoyme, Boston Scientific Corporation
Fu and his collaborators have remained active in the field amidst these developments, chiefly through the formation of the Archimedes Center for Medical Device Security. This center was the first of its kind to bring together all of the different stakeholders from the industry – health care providers, medical device manufacturers, security researchers, and regulators – for the purpose of solving challenges in medical device security.
“We noticed the key stakeholders weren’t talking to each other about computer security,” says Fu. “So we put them all together in a room and had an off-the-record discussion about how to move the needle.”
Their early discussions raised important questions for the first time, including how to effectively disclose vulnerabilities to providers and the public, how to engineer out risks from the beginning so problems don’t arise later in the pipeline, and how to determine the baseline security any patient should come to expect.
In the years since its founding, Archimedes has educated and trained many executives, engineers, and cross-functional teams on the techniques to securely design medical devices, says Soundharya Nagasubramanian, Director of R&D, Software Architecture, and Cybersecurity at Welch Allyn. Among those teams are engineers from Nagasubramanian’s own organization.
“When I first became aware of this area in 2014, there was no platform to discuss the challenges,” says Nagasubramanian. “It almost seemed overwhelming for one stakeholder to solve the challenge of designing secure medical devices.”
With Archimedes at the intersection of the field’s diverse voices, medical device security continues to expand and open discussion on more issues.
Chris Tyberg, Divisional Vice President, Product Security at Abbott, says that it creates “a collaborative environment where stakeholders from across the healthcare ecosystem can discuss and debate the most current healthcare cybersecurity challenges with an emphasis on finding solutions.”
Fu’s own work has similarly evolved as the scope of the field has expanded. As he puts it, his work in the field since has grown “more mission-centric rather than method-centric.”
“Instead of asking what a project has to do with computer science, we ask what it has to do with making healthcare more trustworthy,” says Fu. “Sometimes we engage with the practice of medicine, sometimes we engage with classic computing research, sometimes we engage in law and public policy; it’s really broadened our perspectives and caused us to work with many people outside the field of computing research to maximize benefits to society.”
Fu’s work has been recognized by the federal government and many other bodies. In 2013, the US federal government recognized him with a Fed100 Award. In 2014, he was chosen for a Young Scientist Award by the World Economic Forum. In 2017, the AAMI medical device standards body selected Prof. Fu to receive its annual Dr. Dwight Harken Memorial Lecturer Award. That same year, the University of Michigan recognized him with the Regents’ Award for Distinguished Public Service.
Fu and his PhD students co-founded the healthcare cybersecurity startup Virta Labs to help hospitals manage cybersecurity risks to medical devices on clinical networks. The company sells BlueFlow, a software product, for hospitals to assess risks of their medical device inventory on clinical networks.