Cybersecurity Seminar Series

Terry Rice

Vice President, IT Risk Management and Security & Chief Information Security Officer (CISO), Merck

Biography

2023 - 2024

A Fireside Chat on Testing Like a Hacker

Join Dr. Kevin Fu and Dr. David Brumley for a fireside chat on testing like a hacker.

How do you find and exploit new zero days in software? Hackers answer this question one way, while software development another. No wonder there is a disconnect, and we often ship unsafe software. This talk will focus on offense, and how elite hackers think and work to find new zero days. We’ll show how you can use the same zero-day methodology to put testing like a hacker in your pipeline so that you can ship safer software faster. We’ll also connect this to pen testing, SBOM, and medical device security.
 

The video recording will be posted here soon.

David Brumley, PhD

CEO, ForAllSecure, Inc/Professor of Electrical and Computer Engineering, Carnegie Mellon University

Biography

A Fireside Chat on Strengthening the Cybersecurity of the Healthcare and Public Health Sector and Keeping Patients Safe

Join Dr. Kevin Fu and Dr. Brian Mazanec for a fireside chat on strengthening the cybersecurity of the healthcare and public health sector and keeping patients safe.

Dr. Mazanec is the Deputy Director of the Office of Preparedness within the Administration for Strategic Preparedness and Response (ASPR) at the U.S. Department of Health and Human Services (HHS). He helps lead the office responsible for all aspects of preparation for events such as disease outbreaks, natural disasters, and intentional attacks with chemical, biological, radiological, or nuclear (CBRN) weapons. This work is closely coordinated with other offices within ASPR, as well as other related components within HHS, such as CDC's Office of Readiness and Response, other U.S. government departments and agencies, and international allies and partners. Brian’s responsibilities include oversight and management of the following component offices: Security and Intelligence; Information Management, Data and Analytics; Critical Infrastructure Protection; Health Care Readiness; Medical Reserve Corps; Planning and Exercises; Continuity; and the Secretary’s Operations Center.

Video Recording
 

Brian M. Mazanec, PhD

Deputy Director, Office of Preparedness HHS Administration for Strategic Preparedness and Response

Biography

Overview of FDA’s Medical Device Cybersecurity Authorities and Program

In this presentation, Senior Cybersecurity Policy Advisor and Medical Device Cybersecurity Team Lead Jessica Wilkerson of the US Food and Drug Administration (FDA) will be discussing FDA updates on medical device cybersecurity.

Jessica is a Senior Cyber Policy Advisor and the Medical Device Cybersecurity Team Lead within the Division of Medical Device Cybersecurity (DMDC), housed within the Office of Readiness and Response (ORR) in the Office of Strategic Partnerships and Technology Innovation (OST) in FDA CDRH. As part of DMDC, she examines issues and develops policy related to medical device cybersecurity. 

Video Recording

Jessica Wilkerson, JD

Senior Cyber Policy Advisor and Medical Device Cybersecurity Team Lead, Division of Medical Device Cybersecurity (DMDC)

Biography

A Fireside Chat on ARPA-H and DIGIHEALS

The Advanced Research Projects Agency for Health (ARPA-H) Digital Health Security (DIGIHEALS) initiative supports innovative research that aims to protect the US healthcare system's electronic infrastructure against hostile threats. Focusing on cutting-edge security protocols, vulnerability detection, and automatic patching, DIGIHEALS seeks to reduce the ability for bad actors to attack digital health software and hardware, and to enable the prevention of large-scale cyberattacks.

Video Recording

Andrew Carney, MS

Program Manager, Advanced Research Projects Agency for Health (ARPA-H)

Biography

A Fireside Chat on FDA Updates on Medical Device Cybersecurity

Dr. Suzanne Schwartz directs the Office of Strategic Partnerships and Technology Innovation at FDA's Center for Devices and Radiological Health. Her team is tasked with providing our industry with leadership and strategic direction on medical device cybersecurity, software, and digital health. Today, she will discuss the landscape of medical device security and significant changes to the federal regulatory processes that take full effect on October 1, 2023.
 

Video Recording

Suzanne Schwartz

Director, Office of Strategic Partnerships & Technology Innovation, Center for Devices & Radiological Health, U.S. Food and Drug Administration

Biography

2022 - 2023

Hacking to Healing: How Penetration Testing Improves Cyber Safety

Get beyond buzzwords and hacker cliches to understand how to turn hacking techniques against medical devices into healing tools for physicians and patients. Penetration testing is the practice of emulating security circumvention techniques while simulating accidents and adversaries to identify and mitigate reasonably foreseeable cybersecurity threats to patient safety and clinical effectiveness.

Using storytelling and real-life examples, this session will provide practical framing, hands-on insights, and actionable recommendations for integrating penetration testing and vulnerability assessment into your product lifecycle. By joining this session, you'll learn the methods, tools, and techniques penetration testers use, and understand why regulatory bodies such as the FDA value these as a complement to other parts of the design and development process to ensure compliance and protect patients.

Video Recording

Beau Woods
Founder/CEO, Stratigos Security

Biography

A Fireside Chat on Public and Private Collaboration in Healthcare Cybersecurity Preparedness

Join Dr. Kevin Fu and Greg Garcia, Executive Director for Cybersecurity at the Healthcare Sector Coordinating Council (HSCC), for a fireside chat on public and private collaboration in healthcare cybersecurity preparedness.

With relentless ransomware and other cyber attacks on health providers and companies, how do we protect ourselves, as individual enterprises and as a collective industry sector? Where do volunteer best practices end and government regulations begin? Where is that balance, both politically and operationally? Learn how the nation’s healthcare cybersecurity advisory council mobilizes a collaborative approach to the sector’s cybersecurity preparedness and advises the government about its appropriate partnership role. What have we done so far to move the needle left of boom and what lies ahead?

Video Recording

Greg Garcia
Executive Director for Cybersecurity, Healthcare Sector Coordinating Council (HSCC)

Biography

A Fireside Chat on FDA Updates on Medical Device Cybersecurity

In this fireside chat with Dr. Kevin Fu, Cybersecurity Policy Analyst Matthew Hazelett of the US Food and Drug Administration (FDA) will be discussing FDA updates on medical device cybersecurity.

Matthew started at the FDA as a biomedical engineer within the Implantable Electrophysiology Devices Branch (IEDB) at the Center for Devices and Radiological Health (CDRH). His review areas included pacemakers, defibrillators, leads, and supporting devices (programmers, home monitors, etc.). Since starting at FDA, he developed a review focus in cybersecurity, participates in cybersecurity guidance development, and supports cybersecurity vulnerability assessments and premarket reviews across CDRH. He started his position as the Cybersecurity Policy Analyst in the Office of Product Evaluation and Quality (OPEQ) in February 2020. His role is focused on premarket and postmarket cybersecurity policy development and implementation across the clinical review offices. He also serves as a Digital Health Center of Excellence Program Director for the OPEQ Cybersecurity Focal Point Program.

Video Recording

Matthew Hazelett
Cybersecurity Policy Analyst, U.S. Food and Drug Administration

Biography

A Fireside Chat on Lessons Learned After Two Decades of Medical Device Security Engineering

In this fireside chat with Dr. Kevin Fu, the recently retired Ken Hoyme will offer engineering perspectives on how to design medical devices to manage cybersecurity risks. Ken brings 40 years of experience in designing regulated, safety-critical secure systems as well as his knowledge of medical device security and regulation. Ken recently retired from Boston Scientific as a Senior Product Security Fellow, where he established the company-wide product security program, incorporating security requirements across their Quality System. Ken has been active in many industry initiatives, including (1) co-chairing H-ISAC's Medical Device Security Information Sharing Council (MDSISC); (2) serving as one of the original co-chairs of AAMI's Device Security Working Group, which produced AAMI TIR57, a report outlining the principles of medical device security and risk management; (3) serving as a member of AAMI's BI&T Editorial Board; participating in several HSCC JCWG working groups including the development of the Joint Security Plan; (4) participating and leading cybersecurity projects with the Medical Device Innovation Consortium (MDIC); (5) participating in every meeting of the Archimedes Center for Health Care and Medical Device Cybersecurity now at Northeastern University; (6) instigating the creation of the Center for Medical Device Cybersecurity (CMDC) at the University of Minnesota; (7) and serving as co-instructor for CMDC's initial short courses.

Video Recording

Ken Hoyme
Advisory Board, MedCrypt

Biography

Cyber Risk and Impact to Patient Care: A Medical Device Imperative

As healthcare moves rapidly toward fully integrated care, interoperability, telehealth and cloud based services, our reliance on network and internet connected medical technology has grown exponentially. This adoption and integration of advanced technologies has no doubt improved patient outcomes and increased clinical and business efficiencies. However, this operational and clinical dependency has created cyber risk in two ways – it has increased our digital attack surface and created dependency on the availability of the technology to perform our healthcare mission.  Based upon real world events, learn what happens when high impact ransomware attacks shut down medical technology. We will discuss how to prepare for clinical continuity without the availability of technology. We will also discuss the latest cyber legislative and policy developments, including the new law aimed at improving the cybersecurity of medical devices.

Video Recording

John Riggi
National Advisor for Cybersecurity and Risk, American Hospital Association

Biography

Regulatory Affairs for Medical Device Security

Cybersecurity has proven to be a challenge not only with regard to ensuring the security of medical devices, but also preparing documents for regulatory submissions. Health authorities in many regions, including the US, Australia, Canada, and Japan, have released new cybersecurity guidance documents. In addition to premarket concerns, some of these guidance documents also include expectations for post market expectations. 

Medical device companies struggle to build security programs into quality systems that were likely not designed to address typical security issues such as hardening, vulnerability management, and global incident response. 

Ms. Jump will provide an overall summary of the current regulatory environment, summarize some of the challenges that the industry faces in keeping up with these expectations while also covering the logistical drivers for these expectations. Healthcare is part of every country's critical infrastructure and the security protections in place are essential to protecting that infrastructure.

Video Recording

Michelle Jump
CEO, MedSec

Biography

Virtual Panel on Medical Device Security: Physician Perspectives from Cardiology, Neurosurgery, Emergency Medicine, and Anesthesiology

Moderated by:

Kevin Fu, PhD, Archimedes Center for Healthcare and Medical Device Security, University of Michigan

Biography

Video Recording

Christian Dameff, MD
University of California, San Diego

Biography

Daniel Kramer, MD, MPH
Harvard Medical School

Biography

Erika A. Petersen, MD, FAANS, FACS
University of Arkansas for Medical Sciences

Biography

Jeffrey Tully, MD
University of California, San Diego

Biography

10/20/22

Canceled

N/A

Security Engineering for Medical Products: Sensors, Signals, Semiconductors, Software Systems

Medical devices, healthcare delivery, and other cyber-physical systems depend on sensors to make safety-critical, automated decisions. My research lab investigates the problem of how to protect cyber-physical systems from adversaries who can maliciously control sensor output by subverting its semiconductor physics. Finding principled, systematic solutions is extremely important to give consumers confidence in innovative medical devices and other emerging technology. Unique to our embedded security research contributions is an emphasis on protecting the longevity of implanted batteries and using software-only approaches to mitigate design flaws in legacy hardware. These contributions were important to creating the field of medical device security; advancing the academic community's ability to measurably defend against signal injection attacks on sensors; and changing how international regulators evaluate security of consumer products. In this talk, I will highlight academic research on protecting sensor semiconductors from maliciously modulated sound waves, radio waves, and lasers that can compromise software systems in cyber-physical systems such as pacemakers and vaccine cold-chain transportation.

Video Recording

Kevin Fu, PhD
University of Michigan

Biography

Security Engineering of Machine Learning

Statistical machine-learning techniques have been used in security applications for over 20 years, starting with spam filtering, fraud engines and intrusion detection. In the process we have become familiar with attacks from poisoning to polymorphism, and issues from redlining to snake oil. The neural network revolution has recently brought many people into ML research who are unfamiliar with this history, so it should surprise nobody that many new products are insecure. In this talk I will describe some recent research projects where we examine whether we should try to make machine-vision systems robust against adversarial samples, or fragile enough to detect them when they appear; whether adversarial samples have constructive uses; how we can do service-denial attacks on neural-network models; on the need to sanity-check outputs; and on the need to sanitise inputs. We need to shift the emphasis from the design of "secure" ML classifiers, to the design of secure systems that use ML classifiers as components.

Video Recording

Ross J. Anderson, PhD
Edinburgh University; University of Cambridge

Biography

Unringing the Bell: A Physician's Perspective on the Future Of Medical Device Security

Healthcare delivery across the globe is critically and increasingly dependent on computerized hardware and software including electronic health records and connected medical devices. Healthcare cyber attacks have resulted in technology failure, compromised data integrity, and breaches of sensitive patient information. Though the proliferation of cyber attacks in healthcare has raised serious concerns about patient privacy violations through healthcare data theft, the impacts of cyber attacks on patient safety and clinical outcomes are poorly understood. This talk will discuss historical barriers to developing a strong, data driven foundational body of knowledge in healthcare cyber security, and the impacts cyber attacks may have on patient outcomes. We will discuss novel patient cyber safety risks inherent in digitized clinical workflows, as well as possible sector wide defensive mitigation strategies resulting in safer and more resilient patient care.

Video Recording

Christian Dameff, MD
University of California, San Diego

Biography

Modern Automotive Vulnerabilities: The Science Behind the Fast and the Furious

Over the last decade, a range of research has transformed our understanding of automobiles. What we traditionally envisioned as mere mechanical conveyances are now more widely appreciated as complex distributed systems "with wheels." A car purchased today has virtually all aspects of its physical behavior mediated through dozens of microprocessors, themselves networked internally, and connected to a range of external digital channels. As a result, software vulnerabilities in automotive firmware potentially allow an adversary to obtain arbitrary control over the vehicle. Indeed, led by UC San Diego and the University of Washington, multiple research groups have been able to demonstrate such remote control of unmodified automobiles from a variety of manufacturers. In this talk, I'll highlight how our understanding of automotive security vulnerabilities has changed over time, how unique challenges in the automotive sector give rise to these problems and create non-intuitive constraints on their solutions and, finally, the forces that naturally limit the kinds of automotive attacks seen in the wild.

Video Recording

Stefan Savage, PhD
University of California, San Diego

Biography

What Biomedical Engineering Can Learn from Research and Academic Programs in Embedded Cybersecurity

Biomedical engineering students learn how to ensure the safety and effectiveness of medical products ranging from medical devices to pharmaceutical products. Today, that advanced degree skill set must include embedded cybersecurity because of endemic cyber threats to technology inside medical products. A lot can be learned from advances in Internet of Things (IoT) security education and research. The mission of the Cybersecurity Assurance and Policy (CAP) Center at Morgan State University is to provide the defense and intelligence community with the knowledge, methodology, solutions, and highly skilled cybersecurity professionals to mitigate penetration and manipulation of our nation’s cyber-physical infrastructure. The Internet of Things (IoT) permeates all areas of life and work, with unprecedented economic effects. The IoT is a network of dedicated physical objects (things) whose embedded system technology senses or interacts with its internal state or external environment. Embedded systems perform dedicated functions within larger mechanical or electrical systems. Critical infrastructures in transportation, smart grid, manufacturing, and health care, etc. are highly dependent on embedded systems for distributed control, tracking, and data collection. While it is paramount to protect these systems from hacking, intrusion, and physical tampering, current solutions rely on a patchwork of legacy systems, and this is unsustainable as a long-term solution. Transformative solutions are required to protect these systems. In this talk, we will present our current research that addresses security vulnerabilities in IoT ecosystems to provide secure, resilient, and robust operation.

Video Recording

Kevin T. Kornegay, PhD
Morgan State University

Biography

Security and Privacy for Humans

Traditionally, security and privacy research focused mostly on technical mechanisms and was based on the naive assumptions that Alice and Bob were capable, attentive, and willing to jump through any number of hoops to communicate securely. However, 20+ years ago that started to change when a seminal paper asked "Why Johnny Can't Encrypt" and called for usability evaluations and usable design strategies for security. Today a substantial body of interdisciplinary literature exists on usability evaluations and design strategies for both security and privacy. Nonetheless, it is still difficult for most people to encrypt their email, manage their passwords, and configure their social network privacy settings. In this talk I will highlight some of the research from my lab that evaluates security and privacy for humans and proposes some new solutions.

Recommended Reading:
Fundamentals: Password Research
Intermediate: Humans and computer security failures
User studies: Privacy Choice Indicators

Video Recording

Lorrie Faith Cranor, DSc
Carnegie Mellon University

Biography

Laws for Cybersecurity?

Cyber-security today is focused largely on defending against known attacks. We learn about the latest attack and find a patch to defend against it. Our defenses thus improve only after they have been successfully penetrated. This is a recipe to ensure some attackers succeed---not a recipe for achieving system trustworthiness. We must move beyond reacting to yesterday's attacks and instead start building systems whose trustworthiness derives from first principles--laws that relate attacks, defense mechanisms, and security properties. This talk will explore examples of such laws, suggest avenues for future exploration, and discuss risks implicit in using such a deductive framework.

Related Reading:
Blueprint for a science of cybersecurity
Science of Security

Video Recording

Fred B. Schneider, PhD
Cornell University

Biography

Innocence and Experience: Regulatory Tales

The history of attempts to regulate technology is long and varied. This talk will review examples from a range of technical areas, some successful, some less so, and will draw a few lessons from them. Topic areas will include building construction, automobiles, airplanes, cybersecurity, and perhaps others. Discussion will be encouraged.

Introductory Slides

Presentation Slides with Notes

Video Recording

Carl Landwehr, PhD
University of Michigan

Biography