Thursday, June 7, 2012

Software Codes, Medical Devices and Cybersecurity or Lack Thereof

Cybersecurity is certainly getting a lot of attention in the media lately, and justifiably so.

At UMass Amherst there have been several initiatives in this area, given interests on, may I say, both sides of our campus (from the Isenberg School of Management located in the southern part of campus to Computer Science and Engineering in the north). I suspect that the campus layout designers thought that we would not collaborate but actually some of the most interesting projects (at least the ones that I continue to be drawn to) are across these schools.

Yesterday, after a morning of working in my office at the School of Business, Economics and Law at the University of Gothenburg, where I am now a Visiting Professor, on what was actually a national holiday in Sweden (and, yet, several of my colleagues also showed up to work), I picked up the latest issue of The Economist, which included one of my favorite segments -- the technology quarterly.

The article, "When code can kill or cure," immediately grabbed my attention and, in the third paragraph, my colleague, Dr. Kevin Fu of the Computer Science Department at UMass, was quoted. The article also ended with a quote from Kevin, justifiably so, given the fascinating research that he has been doing in identifying how easy it is to hack into many medical devices.

In fact, Kevin spoke in our UMass Amherst INFORMS Speakers Series in 2008, the same year that an article that he co-wrote on the topic was published.

In the article in The Economist, some fascinating facts are highlighted:

1. More than half of the medical devices sold in the US (the world's largest health care market) rely on software.

2. Over 80,000 lines of software code may be needed in a pacemaker.

3. A drug infusion pump may have 170,000 lines of code.

4. An MRI scanner may have more than 7 million lines of code.

I have worked on major projects in industry that have also involved security, but of another kind -- I developed assembly language software for the transiting of submarines. I have written about the importance of coding in the curriculum on this blog.

In medical devices, there are now serious issues of both software correctness and remote accessibility and hacking. Kevin calculates that medical device recalls due to software failures have affected over 15 million individual devices since 2002. His famous 2008 paper, in turn, demonstrated (and he spoke about this very issue in the presentation that he gave in our Speaker Series) how an implantable defibrillator could be reprogrammed wirelessly and remotely. As he noted in the closing paragraph of The Economist article: "When a plane falls out of the sky, people notice. But when one or two people are hurt by a medical device, or even if hundreds are hurt in different parts of the country, nobody notices."

There is a call for a government agency, under the recommendation of the US National Institute of Standards and Technology (NIST), to have the responsibility for approving and tracking cybersecurity in medical devices. There is also a push from the academic sphere for open source software for such medical applications so that errors can be tracked (but that, in turn, raises challenges for regulation).

The more technology advances, the more we need to deal with complexity and vulnerabilities. But now the hardware that is powered by software may be residing in our bodies or in those of our loved ones.