May 4–5, 2015: Archimedes Workshop in Ann Arbor, MI

Register now!

The 3rd Annual Archimedes Workshop on Medical Device Security will be held on May 4–5, 2015 at the University of Michigan in Ann Arbor. This invitation-only event brings together solution-oriented experts in medical device manufacturing and computer security to meet and discuss effective ways to improve information security and the new FDA guidance on cybersecurity.

The event is NOT open to the media, and all discussion will be considered off the record unless a speaker expressly gives permission to share. The primary goals are to: (1) introduce experts to each other to solve common problems, and (2) provide engineers with knowledge and anecdotes that help with internal processes to convince executive management of the ROI of improved medical device security.

Tutorials will follow the workshop during the afternoon of May 5, 2015. April 24 is the deadline for hotel reservations and early bird registration.

Please direct any questions to our staff at archimedes@umich.edu.

Hotels and Travel

Hotel Reservations: Note the new location. We have arranged for a group rate at the Ann Arbor Sheraton adjacent to the Briarwood Mall. To get the group rate, reserve by phone at (734) 996-0600 and mention the registration code "Archimedes Room Block." We will provide a scheduled shuttle to/from the hotel and workshop events. For those not taking the shuttle, here are directions from the Sheraton to the Lurie Engineering Center, and here are directions from the gala venue (the Hands-On Museum) back to the Sheraton.

For flights, we recommend arriving on Sunday, May 3rd. We will begin with a reception Sunday evening at the hotel. The technical agenda begins the morning of May 4th and ends by noon on May 5th. Tutorials take place on the afternoon of May 5th. DTW is the closest airport, about 25 minutes from Ann Arbor. All meetings will take place at the University of Michigan College of Engineering. U-M parking passes are available for $10 per day for those who do not wish to take advantage of the free shuttle. Please note your parking/shuttle preference on the registration page.

Speakers

  • Bill Aerts (Director of Information and Product Security, Medtronic)
    How to Work with Security Researchers
  • Mike Ahmadi (Global Director, Critical Systems Security, Codenomicon)
    From Vulnerability to Remediation--Harnessing Academic Knowledge
  • Homa Alemzadeh (PhD Student, University of Illinois)
    Robotic Tele-Surgical Systems: From Safety to Cybersecurity
  • Matt Braun (Director, Networking and Infrastructure, University of New Mexico Hospitals IT)
    Veni, Vidi, Vendors
  • Debra Bruemmer (Principal Information Security Analyst, Office of Information Security, Mayo Clinic)
    Cybersecurity Viewpoint from a Large Provider
  • Seth D. Carmody (Staff Fellow, Division of Chemistry and Toxicology Devices, U.S. Food and Drug Administration)
    I Can Has Cybersecurity
  • Christopher Clark (Codenomicon)
    Hands-On Fuzz Testing Tutorial
  • David Hasselbach (Applications Sys Analysis & Pgrm Manager, University of Michigan Health System MCIT)
    CyberArk Deployment with Duo Token Interface
  • Patrick Jungles (Security Program Manager, Microsoft)
    Building-In Security at Microsoft
  • Chandu Ketkar (Technical Manager, Cigital) and Dan Lyon (Senior Consultant, Cigital)
    Technical and Economic Tradeoffs for Medical Device Security
  • Zach Lanier (Accuvant)
    The Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right
  • Carl Landwehr (George Washington University)
    A Building Code for Software
  • Kevin McDonald (Director, Clinical Information Security, Office of Information Security, Mayo Clinic)
    Cybersecurity Viewpoint from a Large Provider
  • Michael McNeil (Global Product Security & Services Officer, Philips Healthcare)
    How to Work with Security Researchers
  • Soundharya Nagasubramanian (Director of Embedded Software, WelchAllyn)
    How to Work with Security Researchers
  • Ben Ransford (CTO, Virta Labs)
    Non-Intrusive Malware Detection for Embedded Systems
  • Kalpesh Unadkat (IT Monitoring Lead, University of Michigan Health System MCIT) and
    Joe Kryza (Executive Director, Infrastructure & System Operations, University of Michigan Health System MCIT and CIO)
    Enterprise Connected Inventory Using Splunk and Cisco Prime
  • Jenna Wiens (Assistant Professor, University of Michigan)
    Leveraging Data Across Time and Space to Build Predictive Models for Healthcare-Associated Infections
  • Fubin Wu (GessNet™)
    Tutorial on Risk Management and Cybersecurity

Tentative Schedule of Events

Archimedes begins at 8AM Monday, May 4 and runs through Tuesday, May 5 at noon. Following the workshop is a separate set of tutorials on the afternoon of May 5.

Most attendees come from large or small medical device manufacturers and level-I trauma centers. Most attendees have backgrounds in system engineering, regulatory affairs, and/or patient safety. Attendees recognize the growing problem of medical device security, but seek to meaningfully define the problem such that it becomes technically solvable, scientifically measurable, humanly acceptable, and economically feasible.

All discussion will be considered OFF THE RECORD unless a speaker expressly gives permission to share. The primary goals are to: (1) introduce experts to each other to solve common problems, and (2) provide engineers with knowledge and anecdotes that show the ROI of improved medical device security. The agenda consists of presentations by invited speakers as well as small break-out groups on focused topics to define problem spaces and find common ground. Registration includes the following meals: Monday, May 4th: Breakfast, Lunch, and Dinner; Tuesday, May 5th: Breakfast and Lunch. Attendees may optionally register for a technical tutorial on the afternoon of May 5th.

This workshop is by invitation only.

Workshop principles: No buying, no selling. Check your corporate and institutional affiliations at the door. This event is for technical problem solving and learning how to explain security engineering needs to executive management. Develop a support network of colleagues who are facing the same managerial and technical challenges.

The meetings will take place in the Lurie Engineering Center on the North Campus of the University of Michigan. We will be on the 3rd floor in the Johnson Conference Rooms. Here is a marked-up map of Lurie and nearby landmarks.

Sunday, May 3

  • 6:30PM: Welcome Reception at Sheraton Hotel

Monday, May 4

  • 7:45AM: Bus leaves Sheraton Hotel
  • 8:15AM: Registration and Breakfast
  • 8:45AM: Introductions
  • 9:00AM: Session 1: The Practitioner/Researcher Interface
    Talk: Mike Ahmadi (Global Director, Critical Systems Security, Codenomicon): From Vulnerability to Remediation—Harnessing Academic Knowledge
    Panel: How to Work with Security Researchers
  • 10:15AM: Coffee Break and Open Mic
    Carl Landwehr (George Washington University): A Building Code for Software
  • 10:45AM: Session 2: FDA Perspectives on Cybersecurity
    Seth D. Carmody (Staff Fellow, Division of Chemistry and Toxicology Devices, U.S. Food and Drug Administration): I Can Has Cybersecurity
  • 11:15AM: Session 2: Clinical Perspectives
    Debra Bruemmer (Principal Information Security Analyst, Office of Information Security, Mayo Clinic) and Kevin McDonald (Director, Clinical Information Security, Office of Information Security, Mayo Clinic): Cybersecurity Viewpoint from a Large Provider
    Matt Braun (Director, Networking and Infrastructure, University of New Mexico Hospitals IT): Veni, Vidi, Vendors
  • 12:00PM: Lunch
  • 1:00PM: Group Photo
  • 1:15PM: Session 3: Operational and Security Engineering Perspectives
    Kalpesh Unadkat (IT Monitoring Lead, University of Michigan Health System MCIT) and Joe Kryza (Executive Director, Infrastructure & System Operations, University of Michigan Health System MCIT and CIO): Enterprise Connected Inventory Using Splunk and Cisco Prime
    David Hasselbach (Applications Sys Analysis & Pgrm Manager, University of Michigan Health System MCIT): CyberArk Deployment with Duo Token Interface
  • 2:30PM: Coffee Break
  • 2:45PM: Session 4: Cybersecurity Industry Perspectives
    Patrick Jungles (Security Program Manager, Microsoft): Building-In Security at Microsoft
    Chandu Ketkar (Technical Manager, Cigital) and Dan Lyon (Senior Consultant, Cigital): Technical and Economic Tradeoffs for Medical Device Security
    Zach Lanier (Accuvant): The Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right
  • 4:00PM: Session 5: Break Out I: Discussions
  • 5:00PM: Bus to Sheraton Hotel
  • 6:15PM: Bus leaves Sheraton Hotel for dinner
  • 6:30PM: Gala Dinner at the Ann Arbor Hands-On Museum. Dress code: business casual. (For those not taking the shuttle, directions to the museum and directions from the museum to the hotel.)
  • 9:45PM: Bus to Sheraton Hotel

Tuesday, May 5

  • 8:00AM: Bus leaves Sheraton Hotel
  • 8:15AM: Breakfast
  • 9:00AM: Session 6: Medical Device Security Frontiers
    Homa Alemzadeh (PhD Student, University of Illinois): Robotic Tele-Surgical Systems: From Safety to Cybersecurity
    Jenna Wiens (Assistant Professor, University of Michigan): Leveraging Data Across Time and Space to Build Predictive Models for Healthcare-Associated Infections
    Ben Ransford (CTO, Virta Labs): Non-Intrusive Malware Detection for Embedded Systems
  • 10:15AM: Coffee Break
  • 10:30AM: Session 7: Break Out II: Writing and Reporting Out
  • 12:00PM: Box Lunch
  • 1:00PM: First bus to Sheraton Hotel
  • 1:00PM: Membership Meetings and Optional Tutorials
    Christopher Clark (Codenomicon): Hands-On Fuzz Testing Tutorial
    Fubin Wu (GessNet™): Tutorial on Risk Management and Cybersecurity
  • 3:00PM: Coffee Break
  • 3:30PM: Tutorials Resume
  • 5:00PM: Second bus to Sheraton Hotel

Tutorials

Tutorial: Hands-On Fuzz Testing of Real Medical Devices by Christopher Clark of Codenomicon

Who should attend:

Engineers, regulators, or providers who wish to better understand how to apply fuzz testing technology to medical device security.

Description:

In this hands-on tutorial, participants will use live fuzz testing on real medical devices to understand how to test for vulnerabilities in medical devices. Because this tutorial involves a large amount of physical equipment, the tutorial is limited to 20 people. We will assign teams to each fuzz testing workstation.

About the speaker:

Christopher Clark is a Security Engineer at Codenomicon.


Tutorial: Integrate Cybersecurity into Medical Device Risk Management by Fubin Wu of GessNet™

Who should attend:

Managers, engineers, researchers, regulators, and any other stakeholders who are interested in cybersecurity risk analysis for medical devices and how it relates to safety risk management. A basic understanding of medical device safety risk management is preferred, but not required for attending the tutorial.

Description:

The Food and Drug Administration (FDA) issued final guidance in October 2014, entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” The guidance lays out FDA’s expectations and requirements for cybersecurity information in medical device premarket submissions. In addition to the FDA, there are many other parties, such as hospitals and patients, concerned about cybersecurity as well. How to technically address cybersecurity risk and how to document it and communicate it among stakeholders is a new challenge. Many medical device manufacturers and healthcare organizations have established their safety risk management practices in compliance with applicable regulations or standards, such as the ISO 14971 risk management standard. How can cybersecurity risk analysis leverage the existing safety risk management framework? What is the relationship between cybersecurity and safety for medical devices? How can cybersecurity be effectively documented and communicated to meet the needs of various stakeholders? This tutorial provides examples using GessNet™ TurboAC™ software to illustrate how medical device cybersecurity risk analysis can be comprehensively performed, and how the cybersecurity risk analysis results can be documented and communicated to assure various stakeholders that cybersecurity risk is adequately controlled. The tutorial will first take a quick look at medical device safety risk management practices, and then provide more detailed instructions on how to perform cybersecurity risk analysis for an example device, including how to manage interconnections between cybersecurity and safety risk analysis. The tutorial will also introduce assurance case methods and provide examples of how cybersecurity assurance cases can be generated and used as a communication vehicle to stakeholders.
After completing this tutorial, participants will have learned the fundamentals of how medical device cybersecurity risk analysis can be practically performed, how it can be integrated with safety risk analysis, and how it can be documented and communicated to relevant stakeholders.

About the speaker:

Fubin Wu is the Co-founder of GessNet™ (http://www.gessnet.com), a software solution and consulting service provider for medical device safety and cybersecurity risk management. He has designed the TurboAC™ risk management & assurance case software, in close communication with FDA - Office of Science & Engineering Lab (OSEL) and Office of Device Evaluation (ODE), and in collaboration with non-profit organizations, device manufacturers, hospitals, and industry experts. He is a voting member of the AAMI Medical Device Security working group in developing guidance for the application of ISO 14971 to security risk management. Fubin spent over 16 years on medical device quality management systems, hardware/software reliability engineering and risk management, serving in various roles from quality engineer to quality manager and quality director, and working on various medical device platforms – implantable devices and remote monitoring systems at Medtronic, infusion pumps at Hospira, and blood management standalone software devices at Haemonetics. Fubin has an MS degree in Electrical and Computer Engineering from Oregon Health & Science University (OHSU), and was a software developer at Intel prior to his career with the medical device industry.

Platinum Members:

  • Medtronic
  • Philips Healthcare
  • WelchAllyn
  • Siemens

Workshop Sponsors:

  • Codenomicon
  • TUV
