UCSF

Cybersecurity Seminar Series

UCSF-Stanford CERSI-FDA Distinguished Speaker Series on Cybersecurity for Biomedical Engineering

Takes place monthly, on the third Thursday of each month from 9-10 am Pacific time

 

Overview

This joint FDA and UCSF-Stanford Center of Excellence in Regulatory Science and Innovation (CERSI) speaker series consists of one-hour virtual lectures on cybersecurity topics with application to medical device security and biomedical engineering. The main goal is to introduce key concepts of cybersecurity science and engineering to the biomedical engineering and manufacturing communities through distinguished academic speakers. Topics covered include human factors for cybersecurity, trustworthy medical device software, security engineering for machine learning, cybersecurity of computer vision, threat modeling, software bills of materials, software safety, cybersecurity regulations, and the science of cybersecurity. This speaker series is an educational opportunity and is not intended to discuss FDA policy.

 

Schedule

2022 - 2023

Date Talk Title Speaker(s)
12/15/22

Regulatory Affairs for Medical Device Security

Cybersecurity has proven to be a challenge not only with regard to ensuring the security of medical devices, but also in preparing documents for regulatory submissions. Health authorities in many regions, including the US, Australia, Canada, and Japan, have released new cybersecurity guidance documents. In addition to premarket concerns, some of these guidance documents also include post market expectations.

Medical device companies struggle to build security programs into quality systems that were likely not designed to address typical security issues such as hardening, vulnerability management, and global incident response. 

Ms. Jump will provide an overall summary of the current regulatory environment, summarize some of the challenges that the industry faces in keeping up with these expectations while also covering the logistical drivers for these expectations. Healthcare is part of every country's critical infrastructure and the security protections in place are essential to protecting that infrastructure.

 

Registration Link coming soon

 

Michelle Jump
CEO, MedSec

Biography

11/17/22

Virtual Panel on Medical Device Security: Physician Perspectives from Cardiology, Neurosurgery, Emergency Medicine, and Anesthesiology

 

Video Recording

 

Moderated by:

Kevin Fu, PhD, Archimedes Center for Healthcare and Medical Device Security, University of Michigan

Biography

Christian Dameff, MD
University of California, San Diego

Biography

Daniel Kramer, MD, MPH
Harvard Medical School

Biography

Erika A. Petersen, MD, FAANS, FACS
University of Arkansas for Medical Sciences

Biography

Jeffrey Tully, MD
University of California, San Diego

Biography

 

10/20/22

 

Canceled

 

 

N/A

9/15/22

Security Engineering for Medical Products: Sensors, Signals, Semiconductors, Software Systems

Medical devices, healthcare delivery, and other cyber-physical systems depend on sensors to make safety-critical, automated decisions. My research lab investigates the problem of how to protect cyber-physical systems from adversaries who can maliciously control sensor output by subverting its semiconductor physics. Finding principled, systematic solutions is extremely important to give consumers confidence in innovative medical devices and other emerging technology. Unique to our embedded security research contributions is an emphasis on protecting the longevity of implanted batteries and using software-only approaches to mitigate design flaws in legacy hardware. These contributions were important to creating the field of medical device security; advancing the academic community's ability to measurably defend against signal injection attacks on sensors; and changing how international regulators evaluate security of consumer products. In this talk, I will highlight academic research on protecting sensor semiconductors from maliciously modulated sound waves, radio waves, and lasers that can compromise software systems in cyber-physical systems such as pacemakers and vaccine cold-chain transportation.

Video Recording

 

Kevin Fu, PhD
University of Michigan

Biography

2021 - 2022

Date Talk Title Speaker
5/19/2022

Security Engineering of Machine Learning

Statistical machine-learning techniques have been used in security applications for over 20 years, starting with spam filtering, fraud engines and intrusion detection. In the process we have become familiar with attacks from poisoning to polymorphism, and issues from redlining to snake oil. The neural network revolution has recently brought many people into ML research who are unfamiliar with this history, so it should surprise nobody that many new products are insecure. In this talk I will describe some recent research projects where we examine whether we should try to make machine-vision systems robust against adversarial samples, or fragile enough to detect them when they appear; whether adversarial samples have constructive uses; how we can do service-denial attacks on neural-network models; on the need to sanity-check outputs; and on the need to sanitise inputs. We need to shift the emphasis from the design of "secure" ML classifiers, to the design of secure systems that use ML classifiers as components.

 

Video Recording

 

Ross J. Anderson, PhD
Edinburgh University; University of Cambridge

Biography

4/21/2022

Unringing the Bell: A Physician's Perspective on the Future Of Medical Device Security

Healthcare delivery across the globe is critically and increasingly dependent on computerized hardware and software including electronic health records and connected medical devices. Healthcare cyber attacks have resulted in technology failure, compromised data integrity, and breaches of sensitive patient information. Though the proliferation of cyber attacks in healthcare has raised serious concerns about patient privacy violations through healthcare data theft, the impacts of cyber attacks on patient safety and clinical outcomes are poorly understood. This talk will discuss historical barriers to developing a strong, data driven foundational body of knowledge in healthcare cyber security, and the impacts cyber attacks may have on patient outcomes. We will discuss novel patient cyber safety risks inherent in digitized clinical workflows, as well as possible sector wide defensive mitigation strategies resulting in safer and more resilient patient care.

 

Video Recording

 

Christian Dameff, MD
University of California, San Diego

Biography

3/17/2022

Modern Automotive Vulnerabilities: The Science Behind the Fast and the Furious

Over the last decade, a range of research has transformed our understanding of automobiles. What we traditionally envisioned as mere mechanical conveyances are now more widely appreciated as complex distributed systems "with wheels". A car purchased today has virtually all aspects of its physical behavior mediated through dozens of microprocessors, themselves networked internally, and connected to a range of external digital channels. As a result, software vulnerabilities in automotive firmware potentially allow an adversary to obtain arbitrary control over the vehicle. Indeed, led by UC San Diego and the University of Washington, multiple research groups have been able to demonstrate such remote control of unmodified automobiles from a variety of manufacturers. In this talk, I'll highlight how our understanding of automotive security vulnerabilities has changed over time, how unique challenges in the automotive sector give rise to these problems and create non-intuitive constraints on their solutions and, finally, the forces that naturally limit the kinds of automotive attacks seen in the wild.

 

Video Recording

 

Stefan Savage, PhD
University of California, San Diego

Biography

2/17/2022

What Biomedical Engineering Can Learn from Research and Academic Programs in Embedded Cybersecurity

Biomedical engineering students learn how to ensure the safety and effectiveness of medical products ranging from medical devices to pharmaceutical products. Today, that advanced degree skill set must include embedded cybersecurity because of endemic cyber threats to technology inside medical products. A lot can be learned from advances in Internet of Things (IoT) security education and research. The mission of the Cybersecurity Assurance and Policy (CAP) Center at Morgan State University is to provide the defense and intelligence community with the knowledge, methodology, solutions, and highly skilled cybersecurity professionals to mitigate penetration and manipulation of our nation’s cyber-physical infrastructure. The Internet of Things (IoT) permeates all areas of life and work, with unprecedented economic effects. The IoT is a network of dedicated physical objects (things) whose embedded system technology senses or interacts with its internal state or external environment. Embedded systems perform dedicated functions within larger mechanical or electrical systems. Critical infrastructures in transportation, smart grid, manufacturing, and health care, etc. are highly dependent on embedded systems for distributed control, tracking, and data collection. While it is paramount to protect these systems from hacking, intrusion, and physical tampering, current solutions rely on a patchwork of legacy systems, and this is unsustainable as a long-term solution. Transformative solutions are required to protect these systems. In this talk, we will present our current research that addresses security vulnerabilities in IoT ecosystems to provide secure, resilient, and robust operation.

 

Video Recording

 

Kevin T. Kornegay, PhD
Morgan State University

Biography

1/20/2022

Security and Privacy for Humans

Traditionally, security and privacy research focused mostly on technical mechanisms and was based on the naive assumptions that Alice and Bob were capable, attentive, and willing to jump through any number of hoops to communicate securely. However, 20+ years ago that started to change when a seminal paper asked "Why Johnny Can't Encrypt" and called for usability evaluations and usable design strategies for security. Today a substantial body of interdisciplinary literature exists on usability evaluations and design strategies for both security and privacy. Nonetheless, it is still difficult for most people to encrypt their email, manage their passwords, and configure their social network privacy settings. In this talk I will highlight some of the research from my lab that evaluates security and privacy for humans and proposes some new solutions.

Recommended Reading:
Fundamentals: Password Research
Intermediate: Humans and computer security failures
User studies: Privacy Choice Indicators

 

Video Recording

 

Lorrie Faith Cranor, DSc
Carnegie Mellon University

Biography

12/16/2021

Laws for Cybersecurity?

Cyber-security today is focused largely on defending against known attacks. We learn about the latest attack and find a patch to defend against it. Our defenses thus improve only after they have been successfully penetrated. This is a recipe to ensure some attackers succeed, not a recipe for achieving system trustworthiness. We must move beyond reacting to yesterday's attacks and instead start building systems whose trustworthiness derives from first principles: laws that relate attacks, defense mechanisms, and security properties. This talk will explore examples of such laws, suggest avenues for future exploration, and discuss risks implicit in using such a deductive framework.

Related Reading:
Blueprint for a science of cybersecurity
Science of Security

 

Video Recording

 

Fred B. Schneider, PhD
Cornell University

Biography

11/18/2021

Innocence and Experience: Regulatory Tales

The history of attempts to regulate technology is long and varied. This talk will review examples from a range of technical areas, some successful, some less so, and will draw a few lessons from them. Topic areas will include building construction, automobiles, airplanes, cybersecurity, and perhaps others. Discussion will be encouraged.

Introductory Slides

Presentation Slides with Notes

Video Recording

 

Carl Landwehr, PhD
University of Michigan

Biography

Moderator

Kevin Fu, PhD
Associate Professor, University of Michigan
Director, Archimedes Center for Healthcare and Device Security

 

Disclaimer

This seminar series does not represent official FDA policy or guidance. The contents are those of the speaker(s) and do not necessarily represent the official views of, nor an endorsement by, FDA/HHS or the U.S. Government.

 

Contact

Please email [email protected] or [email protected] with any questions.