EECS 598-008 Winter 2013

Medical Device Security


Lectures: MW 10:30-12:00 in Dow 1010

Credits: 3

Textbook: Coursepack from Dollar Bill Copying ($55.38). See table of contents.

Attention K-mart shoppers: The first homework assignment will be due Wednesday, January 23. So if you're thinking of adding the course, best to decide by then.

EECS 598-008 is approved as a technical course, satisfying the 500-level requirement for the CSE Masters degree.

Prerequisite: Graduate standing, or permission of instructor.
Upper-level undergraduates with appropriate computing background and registered visitors (listeners) are welcome!

Course staff: Office Hours
Instructor: Prof. Kevin Fu Mondays 12:00-1:00 in 4628 Beyster (appointments recommended)

Email staff. Print the posters.

This course teaches students the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps. Topics span computer engineering, human factors, and regulatory policy. Students will master technical skills in reverse engineering, static analysis, fuzz testing, hazard analysis, validation, requirements engineering, radio-frequency communication, physiological sensing, and fundamental concepts from system engineering that lead to safer and more effective medical devices that are increasingly interconnected and wirelessly controlled.

Students will apply the newly learned concepts and skills by analyzing the security of a real-world medical device in a hands-on term project. Interdisciplinary teams will consist of students from complementary backgrounds to mimic the composition of teams at medical device manufacturers and regulatory bodies. Occasional guest speakers from medical device manufacturers, hospitals, and government will complement the classroom activities with critical lessons from the front lines.

About the Instructor

Prof. Kevin Fu's research spans medical devices, health care, and low-power embedded computing. Kevin earned his Ph.D., M.Eng., and B.S. from MIT EECS. Prior to joining Michigan, he served as an Associate Professor of Computer Science at the University of Massachusetts Amherst. Kevin is a member of the National Institute of Standards and Technology (NIST) Information Security & Privacy Advisory Board and an ORISE Fellow at the Center for Devices and Radiological Health at the Food and Drug Administration. Kevin has testified on cybersecurity in the U.S. Congress House subcommittee on Health, and was previously a visiting researcher at the Beth Israel Deaconess Medical Center of Harvard Medical School, Microsoft Research, and MIT CSAIL. Kevin was recognized with a Sloan Research Fellowship, NSF CAREER Award, best paper awards from top computing conferences, and the distinction of MIT Technology Review TR35 Innovator of the Year. He also holds a certificate of artisanal bread making from the French Culinary Institute.


Preliminary syllabus

  1. Computer and Systems Engineering (Part I)
    • Dependability, safety, reliability, security, privacy
    • Medical device malware
    • Wireless medical device security
    • Risk management
    • Requirements engineering, hazard analysis, validation
    • Static analysis, fuzz testing
    • Reverse engineering medical device software
    • RF interference: in vivo communication, jamming, physiological sensor security
    • Trustworthy implantable medical devices, bedside medical devices, mobile medical apps
  2. Human Factors (Part II)
    • Safety culture
    • Analyzing the impact of user interfaces on patient injury and death
    • Adverse event reporting
    • Clinical engineering
    • Usable security
    • Responsible disclosure, ethics
  3. Regulatory Policy (Part III)
    • Case studies on Tylenol and Sudafed homicides
    • Pre-market clearance and approval processes
    • Role, limits, and history of federal and international regulations and standards
    • FDA's Good Manafacturing Practices
    • Law, court decisions

Grading and Prerequisites

This course is intended for graduate students in Computer Science and Engineering and upper-level undergraduates with appropriate computing background (e.g., excellent grades in EECS 280, EECS 370, or EECS 388 would suffice). Students from Informatics and IOE are especially welcomed, as are medical students with programming experience. Listeners without computing experience are welcome to audit the course.

Students will be evaluated based on a group term project, individual problem sets, in-class exams, and class participation. The assignments will involve a balance of team and individual work ranging from hands-on labs to technical writing.

Ethics, Law, and University Policies

To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law and the university's computing practices, or may be unethical. You must respect the privacy and property rights of others at all times, or else you will fail the course. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including civil fines, expulsion, and jail time.

Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusions. This is just one of several laws that govern hacking. Understand what the law prohibits — you don't want to end up like this guy. The EFF provides helpful advice on vulnerability reporting and other legal matters. If in doubt, I can refer you to an attorney.

Please review CAEN's policy document on rights and responsibilities for guidelines concerning use of technology resources at U-M, as well as the Engineering Honor Code. As members of the university, you are required to adhere to these policies.

Web site originally designed by Ben Ransford.