Lectures: MW 10:30-12:00 in Dow 1010
Attention K-mart shoppers: The first homework assignment will be due Wednesday, January 23. So if you're thinking of adding the course, best to decide by then.
EECS 598-008 is approved as a technical course, satisfying the 500-level requirement for the CSE Masters degree.
Prerequisite: Graduate standing, or permission of instructor.
Upper-level undergraduates with appropriate computing background and registered visitors (listeners) are welcome!
| Course staff | Office hours |
|---|---|
| Instructor: Prof. Kevin Fu | Mondays 12:00-1:00 in 4628 Beyster (appointments recommended) |
This course teaches students the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps. Topics span computer engineering, human factors, and regulatory policy. Students will master technical skills in reverse engineering, static analysis, fuzz testing, hazard analysis, validation, requirements engineering, radio-frequency communication, physiological sensing, and fundamental concepts from system engineering that lead to safer and more effective medical devices that are increasingly interconnected and wirelessly controlled.
Students will apply the newly learned concepts and skills by analyzing the security of a real-world medical device in a hands-on term project. Interdisciplinary teams will consist of students from complementary backgrounds to mimic the composition of teams at medical device manufacturers and regulatory bodies. Occasional guest speakers from medical device manufacturers, hospitals, and government will complement the classroom activities with critical lessons from the front lines.
About the Instructor
Prof. Kevin Fu's research spans medical devices, health care, and low-power embedded computing. Kevin earned his Ph.D., M.Eng., and B.S. from MIT EECS. Prior to joining Michigan, he served as an Associate Professor of Computer Science at the University of Massachusetts Amherst. Kevin is a member of the National Institute of Standards and Technology (NIST) Information Security & Privacy Advisory Board and an ORISE Fellow at the Center for Devices and Radiological Health at the Food and Drug Administration. Kevin has testified on cybersecurity in the U.S. Congress House subcommittee on Health, and was previously a visiting researcher at the Beth Israel Deaconess Medical Center of Harvard Medical School, Microsoft Research, and MIT CSAIL. Kevin was recognized with a Sloan Research Fellowship, NSF CAREER Award, best paper awards from top computing conferences, and the distinction of MIT Technology Review TR35 Innovator of the Year. He also holds a certificate of artisanal bread making from the French Culinary Institute.
- House testimony on smart card security and Medicare
- NY Times: A Heart Device Is Found Vulnerable to Hacker Attacks
- MIT Technology Review: Computer Viruses Are "Rampant" on Medical Devices in Hospitals
- Economist: When Code Can Kill or Cure
- medGadget: Jamming System to Prevent Hacking of Cardiac Implants
- Wired: Board Urges Feds to Prevent Medical Device Hacking
- Forbes: What's to Stop Hackers From Infecting Medical Devices?
- LA Times: Medical device software criticized as under-regulated
- Computer and Systems Engineering (Part I)
- Dependability, safety, reliability, security, privacy
- Medical device malware
- Wireless medical device security
- Risk management
- Requirements engineering, hazard analysis, validation
- Static analysis, fuzz testing
- Reverse engineering medical device software
- RF interference: in vivo communication, jamming, physiological sensor security
- Trustworthy implantable medical devices, bedside medical devices, mobile medical apps
- Safety culture
- Analyzing the impact of user interfaces on patient injury and death
- Adverse event reporting
- Clinical engineering
- Usable security
- Responsible disclosure, ethics
- Case studies on Tylenol and Sudafed homicides
- Pre-market clearance and approval processes
- Role, limits, and history of federal and international regulations and standards
- FDA's Good Manafacturing Practices
- Law, court decisions
Grading and Prerequisites
This course is intended for graduate students in Computer Science and Engineering and upper-level undergraduates with an appropriate computing background (e.g., excellent grades in EECS 280, EECS 370, or EECS 388 would suffice). Students from Informatics and IOE are especially welcome, as are medical students with programming experience. Listeners without computing experience are welcome to audit the course.
Students will be evaluated based on a group term project, individual problem sets, in-class exams, and class participation. The assignments will involve a balance of team and individual work ranging from hands-on labs to technical writing.
- Group term project (40%)
- Individual homework/labs (30%)
- Two in-class exams (20%)
- Class participation (10%)
Ethics, Law, and University Policies
To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law and the university's computing practices, or may be unethical. You must respect the privacy and property rights of others at all times, or else you will fail the course. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including civil fines, expulsion, and jail time.
Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusions. This is just one of several laws that govern hacking. Understand what the law prohibits — you don't want to end up like this guy. The EFF provides helpful advice on vulnerability reporting and other legal matters. If in doubt, I can refer you to an attorney.
Please review CAEN's policy document on rights and responsibilities for guidelines concerning use of technology resources at U-M, as well as the Engineering Honor Code. As members of the university, you are required to adhere to these policies.