From Medical Device Cybersecurity to Physics of Embedded Security

Abstract

As Acting Director of Medical Device Cybersecurity for FDA's Center for Devices and Radiological Health (CDRH), Kevin will introduce the audience to FDA's guidance documents on expectations for medical device cybersecurity in manufacturers' pre-market submissions and post-market surveillance. The CDRH regulates over 6,500 different medical device product categories with $68 billion in imports and $59 billion in exports. These medical devices must remain safe and effective for patient care throughout their use in the face of emerging cybersecurity risks. These risks pose challenges to the availability and integrity of software- based diagnostics and therapeutics.

As a professor, Kevin investigates how to protect sensors from analog security threats. Medical devices, autonomous vehicles, small satellites, factory floors, and the Internet of Things depend on the integrity and availability of trustworthy data from sensors to make safety-critical, automated decisions. How can such cyber-physical systems remain secure against an adversary using intentional interference to fool sensors? Building upon classic research in cryptographic fault injection and side channels, research in analog sensor cybersecurity explores how to protect digital computer systems from physics-based attacks. Analog cybersecurity risks can bubble up into operating systems as bizarre, undefined behavior. For instance, transduction attacks exploit vulnerabilities in the physics of semiconductors to manipulate sensor output. Transduction attacks using audible acoustics, ultrasound, RF, and even lasers can inject chosen signals into sensors found in devices ranging from Fitbits to implantable medical devices to smartphones to voice controlled assistants. Defenders can fight back with physics, more trustworthy software APIs and a shift in thinking toward system engineering. With his professor hat, Kevin will explain how to respect von Neumann’s 1956 admonition to design reliable organisms from unreliable components in the context of embedded security. Based on joint work published at USENIX Security 2020; ACM CCS 2019; IEEE Security & Privacy 2020, 2019, 2018, 2013, & 2008; IEEE Euro Security & Privacy 2017, and others.

Bio:

Kevin Fu is Associate Professor of EECS at the University of Michigan where he direct the Security and Privacy Research Group (SPQR.eecs.umich.edu). During 2021, Fu is also Acting Director of Medical Device Cybersecurity at FDA’s Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity, Digital Health Center of Excellence (DHCoE). He is most known for the original 2008 cybersecurity research paper showing vulnerabilities in an implantable cardiac defibrillator by sending specially crafted radio waves to induce uncontrolled ventricular fibrillation via an unintended wireless control channel. https://www.secure-medicine.org/hubfs/public/publications/icd-study.pdf The prescient research led to over a decade of revolutionary improvements at medical device manufacturers, global regulators, and international healthcare safety standards bodies just as ransomware and other malicious software began to disrupt clinical workflow at hospitals worldwide.

Kevin was recognized as an IEEE Fellow, Sloan Research Fellow, MIT Technology Review TR35 Innovator of the Year, Fed100 Award recipient, and recipient of an IEEE Security and Privacy Test of Time Award. Fu has testified in the U.S. House and Senate on matters of information security and has written commissioned work on trustworthy medical device software for the U.S. National Academy of Medicine. He co-chaired the AAMI cybersecurity working group to create the first FDA-recognized standards to improve the security of medical device manufacturing. He founded the Archimedes Center for Healthcare and Device Security (secure-medicine.org). He is a founding member of the N95decon.org team for emergency reuse decontamination of N95 masks during PPE shortages. Fu served as a member of the U.S. NIST Information Security and Privacy Advisory Board and federal science advisory groups. Eleven years ago, Fu served as a visiting scientist at the U.S. Food & Drug Administration. Fu received his B.S., M.Eng., and Ph.D. from MIT. He earned a certificate of artisanal bread making from the French Culinary Institute and is an intermediate level salsa dancer.

Please join the meeting in Sococo VH 102, or Zoom.

Join Zoom Meeting: https://tufts.zoom.us/j/98610939077

PASSWORD: See colloquia email

Dial by your location: +1 646 558 8656 US (New York)

Meeting ID: 986 1093 9077

PASSCODE: See colloquia email